Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
2 replies to this topic

#1 Russd


  • Members
  • 3 posts
  • Local time:02:16 PM

Posted 27 March 2012 - 03:17 PM

Norton Internet Security reported Error: "5013,3"
and instructed me to download and run Norton Power Eraser (NPE).
I did that and it reported a "bad" file: rikvm_C6F09094.sys
The file did/does not show at the location reported:
even with file options set to view everything including
protected OS files.
I let NPE "remove" the file, and it claimed it did (the scan and
removal together take 3 reboots).
But then upon rerunning NPE, the same file always reappears
(multiple iterations, same result).
Then I ran MBRcheck.exe, which reported a non-Windows 7 MBR on C:.
I corrected this by booting from recovery disc and running
bootrec.exe /FixMbr and then
bootrec.exe /FixBoot
Both reported success.
But again, NPE found the file and removed it, even though the file
could not be seen in Windows Explorer.
However, MBRcheck reported a good Win7 MBR on C:
I ran NPE with removal followed by MBRcheck many times.
Always yielded the same result: file found, removed, MBR good.

I have run malwarebytes (quick scan) and it found nothing. I am now rerunning it as
full scan (C: and D:). D: is HP recovery partition.

My OS is Windows 7 Home Edition Premium, SP1.

I am looking for advice on this. My thanks to anyone who can help!

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,528 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:05:16 PM

Posted 27 March 2012 - 09:41 PM

Hello, we will need a deeper look.. Repost the above with these logs.

Please go here....Preparation Guide ,do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If GMER won't run skip it and move on.

Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Russd

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:16 PM

Posted 28 March 2012 - 01:07 PM

Thanks for your reply. I apologize for not posting in the proper forum. I was in a rush to resolve the matter quickly and posted hastily.

I would like to report that I have resolved the matter to my satisfaction. I found that the service rikvm_C6F09094.sys is spawned by Cyberlink's kmsvc.exe (PC1 News) and is "legimate". There is some question as to the purity of Cyberlink's motive and intent (tom's hardware). For the benefit of others who might interested, I would note that the name of the process can be of the form rikvm_xxxxxxxx.sys, where xxxxxxxx is one of several strings of eight hexadecimal digits. Also, two of my PC's (both by HP), the Cyberlink software was pre-installed and the "offending" executable (kmsvc.exe) was of a different size (different version?) and found in other locations (subfolders of HP and LG).

I now consider my issue closed.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users