Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • This topic is locked This topic is locked
6 replies to this topic

#1 LewofViriginia


  • Members
  • 12 posts
  • Local time:08:43 AM

Posted 12 November 2011 - 11:06 PM

I recently ran Norton Power Eraser and found what appears to be a root kit, rikvm_C6F09094.sys. NPE allegedly deleted this file, but when I rebooted, it return upon another scan. I found a discussion thread on Bleeping Computer and followed some of the early advice to verify that this code is in my \Windows\System32\drivers folder. As per MBR_Check it is still on my computer, see below. However, when I try to find it using Windows Explorer, it does not show up, even after checking Show Hidden files and unchecking Hide protected operating system files.

I am a little leery of simply following the steps in the previous thread and prefer to interact with someone from this site who has experience in dealing with malware.

BTW, what does rikvm_C6F09094.sys do?

Here is the MBR_Check log. The file in question shows up at the 153rd listing in the kernel driver list. After running MBR_Check, I did not take any action, but simply exited out.:

MBRCheck, version 1.2.3
© 2010, AD

Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: PEGATRON CORPORATION
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Hewlett-Packard
System Product Name: HPE-580t
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 203):
0x02E55000 \SystemRoot\system32\ntoskrnl.exe
0x02E0C000 \SystemRoot\system32\hal.dll
0x00BB8000 \SystemRoot\system32\kdcom.dll
0x00C63000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CB2000 \SystemRoot\system32\PSHED.dll
0x00CC6000 \SystemRoot\system32\CLFS.SYS
0x00D24000 \SystemRoot\system32\CI.dll
0x00DE4000 \SystemRoot\System32\drivers\SMR210.SYS
0x00C00000 \SystemRoot\System32\drivers\FLTMGR.SYS
0x00E8F000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F33000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F42000 \SystemRoot\system32\drivers\ACPI.sys
0x00F99000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00FA2000 \SystemRoot\system32\drivers\msisadrv.sys
0x00FAC000 \SystemRoot\system32\drivers\pci.sys
0x00FDF000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00E00000 \SystemRoot\System32\drivers\partmgr.sys
0x00E15000 \SystemRoot\system32\drivers\volmgr.sys
0x00E2A000 \SystemRoot\System32\drivers\volmgrx.sys
0x01023000 \SystemRoot\System32\drivers\mountmgr.sys
0x01219000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x01423000 \SystemRoot\system32\DRIVERS\jraid.sys
0x01441000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x01470000 \SystemRoot\system32\drivers\amdxata.sys
0x0147B000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS
0x014EC000 \SystemRoot\system32\drivers\fileinfo.sys
0x01500000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS
0x0103D000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01646000 \SystemRoot\System32\Drivers\msrpc.sys
0x016A4000 \SystemRoot\System32\Drivers\ksecdd.sys
0x016BF000 \SystemRoot\System32\Drivers\cng.sys
0x01731000 \SystemRoot\System32\drivers\pcw.sys
0x01742000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x018CB000 \SystemRoot\system32\drivers\ndis.sys
0x01800000 \SystemRoot\system32\drivers\NETIO.SYS
0x01860000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01A38000 \SystemRoot\System32\drivers\tcpip.sys
0x01C3C000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01C86000 \SystemRoot\system32\drivers\volsnap.sys
0x01CD2000 \SystemRoot\System32\Drivers\spldr.sys
0x01CDA000 \SystemRoot\System32\drivers\rdyboost.sys
0x01D14000 \SystemRoot\System32\Drivers\mup.sys
0x01D26000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01D2F000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01D69000 \SystemRoot\system32\DRIVERS\disk.sys
0x01D7F000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x04E5A000 \SystemRoot\system32\drivers\cdrom.sys
0x04E84000 \SystemRoot\System32\Drivers\Null.SYS
0x04E8D000 \SystemRoot\System32\Drivers\Beep.SYS
0x04E94000 \SystemRoot\System32\drivers\vga.sys
0x04EA2000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x04EC7000 \SystemRoot\System32\drivers\watchdog.sys
0x04ED7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x04EE0000 \SystemRoot\system32\drivers\rdpencdd.sys
0x04EE9000 \SystemRoot\system32\drivers\rdprefmp.sys
0x04EF2000 \SystemRoot\System32\Drivers\Msfs.SYS
0x04EFD000 \SystemRoot\System32\Drivers\Npfs.SYS
0x04F0E000 \SystemRoot\system32\DRIVERS\tdx.sys
0x04F30000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x04F3D000 \SystemRoot\system32\drivers\afd.sys
0x0174C000 \SystemRoot\System32\DRIVERS\netbt.sys
0x04FC6000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x04FCF000 \SystemRoot\system32\DRIVERS\pacer.sys
0x04C00000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x04C16000 \SystemRoot\system32\DRIVERS\SymIMv.sys
0x04C24000 \SystemRoot\system32\DRIVERS\netbios.sys
0x01DBD000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x01DD8000 \SystemRoot\system32\drivers\termdd.sys
0x01791000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SYMNETS.SYS
0x01A00000 \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
0x0188B000 \SystemRoot\system32\drivers\NISx64\1206000.01D\Ironx64.SYS
0x019BE000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SRTSPX64.SYS
0x0403A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x0408B000 \SystemRoot\system32\drivers\nsiproxy.sys
0x04097000 \SystemRoot\system32\drivers\mssmbios.sys
0x040A2000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20111111.030\IDSvia64.sys
0x0411F000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
0x04198000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x041BE000 \SystemRoot\System32\drivers\discache.sys
0x041CD000 \SystemRoot\System32\Drivers\dfsc.sys
0x041EB000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x0483D000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20111027.001\BHDrvx64.sys
0x0495C000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04982000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0F41E000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x1008B000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x1008D000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x10181000 \SystemRoot\System32\drivers\dxgmms1.sys
0x101C7000 \SystemRoot\system32\drivers\HDAudBus.sys
0x04998000 \SystemRoot\system32\DRIVERS\e1y62x64.sys
0x101EB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x05047000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x0509D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x050AE000 \SystemRoot\system32\DRIVERS\netr28x.sys
0x051AA000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x051B7000 \SystemRoot\system32\drivers\1394ohci.sys
0x05000000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x0500D000 \SystemRoot\system32\drivers\CompositeBus.sys
0x0501D000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x04800000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x05033000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04000000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x0F400000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x019D4000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x049E1000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x04824000 \SystemRoot\system32\drivers\kbdclass.sys
0x01DEC000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x0503F000 \SystemRoot\system32\DRIVERS\serscan.sys
0x051F5000 \SystemRoot\system32\drivers\ksthunk.sys
0x01600000 \SystemRoot\system32\drivers\ks.sys
0x051FB000 \SystemRoot\system32\drivers\swenum.sys
0x056CE000 \SystemRoot\system32\DRIVERS\MarvinBus64.sys
0x05712000 \SystemRoot\system32\drivers\umbus.sys
0x05724000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0577E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x05793000 \SystemRoot\system32\drivers\nvhda64v.sys
0x057B6000 \SystemRoot\system32\drivers\portcls.sys
0x05600000 \SystemRoot\system32\drivers\drmk.sys
0x06A00000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x00000000 \SystemRoot\System32\win32k.sys
0x06C5D000 \SystemRoot\System32\drivers\Dxapi.sys
0x06C69000 \SystemRoot\System32\Drivers\crashdmp.sys
0x04C33000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x06C77000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x06C8A000 \SystemRoot\system32\DRIVERS\monitor.sys
0x005C0000 \SystemRoot\System32\TSDDD.dll
0x00620000 \SystemRoot\System32\cdd.dll
0x00860000 \SystemRoot\System32\ATMFD.DLL
0x06C98000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x06CB3000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x06CB5000 \SystemRoot\system32\drivers\luafv.sys
0x06CD8000 \SystemRoot\system32\drivers\WudfPf.sys
0x06CF9000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x06D16000 \SystemRoot\System32\Drivers\nx6000.sys
0x06D23000 \SystemRoot\System32\Drivers\usbvideo.sys
0x06D51000 \SystemRoot\system32\drivers\usbaudio.sys
0x06D6C000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x06D81000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x06DD4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x06DE7000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x05622000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0x0562C000 \SystemRoot\system32\drivers\hidusb.sys
0x0563A000 \SystemRoot\system32\drivers\HIDCLASS.SYS
0x05653000 \SystemRoot\system32\drivers\HIDPARSE.SYS
0x04A66000 \SystemRoot\system32\drivers\HTTP.sys
0x04B2F000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x04B3C000 \SystemRoot\system32\drivers\kbdhid.sys
0x04B4A000 \SystemRoot\system32\DRIVERS\bowser.sys
0x04B68000 \SystemRoot\System32\drivers\mpsdrv.sys
0x04B80000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x04BAD000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x04A00000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x0682A000 \??\C:\Windows\system32\Drivers\rikvm_C6F09094.sys
0x0806E000 \SystemRoot\system32\drivers\peauth.sys
0x08114000 \SystemRoot\System32\Drivers\secdrv.SYS
0x0811F000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x08150000 \SystemRoot\System32\drivers\tcpipreg.sys
0x08162000 \SystemRoot\System32\DRIVERS\srv2.sys
0x0A2E5000 \SystemRoot\System32\DRIVERS\srv.sys
0x0A200000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SRTSP64.SYS
0x0AA05000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20111111.036\EX64.SYS
0x0A2C0000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20111111.036\ENG64.SYS
0x0A37D000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x77270000 \Windows\System32\ntdll.dll
0x48070000 \Windows\System32\smss.exe
0xFF590000 \Windows\System32\apisetschema.dll
0xFF360000 \Windows\System32\autochk.exe
0xFF570000 \Windows\System32\lpk.dll
0xFE7E0000 \Windows\System32\shell32.dll
0xFE700000 \Windows\System32\advapi32.dll
0xFE690000 \Windows\System32\gdi32.dll
0xFE640000 \Windows\System32\ws2_32.dll
0xFE460000 \Windows\System32\setupapi.dll
0xFE440000 \Windows\System32\imagehlp.dll
0x77170000 \Windows\System32\user32.dll
0xFE3C0000 \Windows\System32\difxapi.dll
0xFE3B0000 \Windows\System32\nsi.dll
0x77050000 \Windows\System32\kernel32.dll
0xFE1A0000 \Windows\System32\ole32.dll
0x77440000 \Windows\System32\normaliz.dll
0xFE100000 \Windows\System32\clbcatq.dll
0xFDFF0000 \Windows\System32\msctf.dll
0xFDF10000 \Windows\System32\oleaut32.dll
0x77430000 \Windows\System32\psapi.dll
0xFDE70000 \Windows\System32\comdlg32.dll
0xFDE40000 \Windows\System32\imm32.dll
0x76EF0000 \Windows\System32\wininet.dll
0xFDD70000 \Windows\System32\usp10.dll
0x76CE0000 \Windows\System32\iertutil.dll
0xFDD50000 \Windows\System32\sechost.dll
0x76B90000 \Windows\System32\urlmon.dll
0xFDCF0000 \Windows\System32\Wldap32.dll
0xFDC50000 \Windows\System32\msvcrt.dll
0xFDB20000 \Windows\System32\rpcrt4.dll
0xFDAA0000 \Windows\System32\shlwapi.dll
0xFDA30000 \Windows\System32\KernelBase.dll
0xFD990000 \Windows\System32\comctl32.dll
0xFD970000 \Windows\System32\devobj.dll
0xFD930000 \Windows\System32\wintrust.dll
0xFD7C0000 \Windows\System32\crypt32.dll
0xFD780000 \Windows\System32\cfgmgr32.dll
0xFD770000 \Windows\System32\msasn1.dll
0x75510000 \Windows\SysWOW64\normaliz.dll

Processes (total 81):
0 System Idle Process
4 System
380 C:\Windows\System32\smss.exe
564 csrss.exe
640 C:\Windows\System32\wininit.exe
664 csrss.exe
704 C:\Windows\System32\services.exe
720 C:\Windows\System32\lsass.exe
728 C:\Windows\System32\lsm.exe
832 C:\Windows\System32\svchost.exe
892 C:\Windows\System32\nvvsvc.exe
932 C:\Windows\System32\svchost.exe
960 C:\Windows\System32\winlogon.exe
340 C:\Windows\System32\svchost.exe
572 C:\Windows\System32\svchost.exe
848 C:\Windows\System32\svchost.exe
1116 C:\Windows\System32\svchost.exe
1200 C:\Windows\System32\svchost.exe
1364 C:\Windows\System32\spoolsv.exe
1396 C:\Windows\System32\svchost.exe
1436 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
1452 C:\Windows\System32\nvvsvc.exe
1524 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
1612 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1772 C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
1820 C:\Program Files\Bonjour\mDNSResponder.exe
1872 C:\Windows\System32\svchost.exe
1896 C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
1976 C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
2024 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
1040 C:\Program Files\Microsoft LifeCam\MSCamS64.exe
1160 C:\Program Files (x86)\Norton Internet Security\Engine\\ccSvcHst.exe
1496 C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
1664 C:\Program Files (x86)\PDF Complete\pdfsvc.exe
2104 svchost.exe
2124 C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
2172 C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
2236 C:\Windows\System32\svchost.exe
2260 C:\Windows\System32\Wacom_Tablet.exe
2360 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2508 C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
2604 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2752 C:\Windows\System32\dwm.exe
2824 C:\Windows\explorer.exe
2660 C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
3088 C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
3096 C:\Program Files\Windows Sidebar\sidebar.exe
3376 C:\Windows\System32\taskhost.exe
3632 C:\Program Files (x86)\Norton Internet Security\Engine\\ccSvcHst.exe
3064 C:\Windows\System32\WTablet\Wacom_TabletUser.exe
3364 C:\Windows\System32\Wacom_Tablet.exe
3428 C:\Windows\System32\SearchIndexer.exe
4224 C:\Windows\System32\svchost.exe
4288 WUDFHost.exe
4804 C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
4136 C:\Program Files\Windows Media Player\wmpnetwk.exe
2372 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
3084 C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
4444 C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
4448 C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
3468 C:\Program Files (x86)\iTunes\iTunesHelper.exe
4772 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
2856 C:\Program Files (x86)\CodePlex\XPS2OneNote\XPS2OneNote.exe
5308 C:\Program Files\iPod\bin\iPodService.exe
6056 C:\Windows\System32\svchost.exe
4716 dllhost.exe
5584 C:\Windows\SysWOW64\svchost.exe
5792 C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
5788 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
776 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2324 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
5328 C:\Windows\System32\taskeng.exe
6108 C:\Windows\System32\taskeng.exe
6132 C:\Windows\System32\SearchProtocolHost.exe
4760 C:\Windows\System32\SearchFilterHost.exe
2408 C:\Windows\System32\audiodg.exe
5756 dllhost.exe
4672 dllhost.exe
4872 C:\Users\Lew and Kathy\Downloads\MBRCheck.exe
1332 C:\Windows\System32\conhost.exe
5896 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000015a`0bc00000 (NTFS)

PhysicalDrive0 Model Number: ST31500341AS, Rev: HP23

Size Device Name MBR Status
1397 GB \\.\PhysicalDrive0 Unknown MBR code

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


BC AdBot (Login to Remove)


#2 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,772 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:43 AM

Posted 12 November 2011 - 11:23 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE


#3 LewofViriginia

  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:43 AM

Posted 13 November 2011 - 12:01 AM


(Let's try this again). Thank you for the prompt reply. I ran System Look. It said it did not find anything, see below.

SystemLook 30.07.11 by jpshortstuff
Log created at 23:55 on 12/11/2011 by Lew and Kathy
Administrator - Elevation successful

========== filefind ==========

Searching for "rikvm_C6F09094.sys"
No files found.

-= EOF =-

I could not find this file using Windows Explorer, even after turning on Show Hidden files and turning off Hide Protected Systems files.

Why does NPE still say that it exists?

#4 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,772 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:43 AM

Posted 13 November 2011 - 12:53 AM

Does it give you file location?

If I remember correctly it's some Norton's bug.
If you Google that file name you'll see a lot of hits.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE


#5 LewofViriginia

  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:43 AM

Posted 13 November 2011 - 11:13 AM


If the problem is with Norton, why does MBRCheck find it? (Although I don't understand why the path name is preceded by ??)

Here is the line from the MBRCheck that indicates that rikvm is on my computer.
0x0662E000 \??\C:\Windows\system32\Drivers\rikvm_C6F09094.sys

#6 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,772 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:43 AM

Posted 13 November 2011 - 12:05 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.


Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE


#7 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,112 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:43 AM

Posted 14 November 2011 - 02:12 AM


Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic427711.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users