
Norton Power Eraser

Created: 14 May 2011 | 12 comments

Hello. I have used Norton Power Eraser to scan for rootkits. It always finds an issue on 'System32/Drivers/RIKVM_9EC60124.SYS'. I have it resolve the problem, but every time I restart the computer and run a new scan the issue is detected again by Power Eraser, and it keeps happening over and over again. Did anyone have the same problem before? Did you manage to get rid of this? I use Windows 7.

 

Thank You


riva11:

The sys file RIKVM_9EC60124.SYS should be a wifi driver (Intel). Check this driver in Device Manager to see if there is something not correct.
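Since Power Eraser only offers to erase the file and a later reply says it cannot be found at the reported path, here is an added triage script (not posted in this thread, and not part of any Symantec or Intel tool) that checks the flagged driver from a defender's side before deciding to remove it: whether the file exists on disk, whether it carries a valid Authenticode signature, its SHA256 for a sample submission, and which kernel driver service loads it. It assumes the file name from the first post and the standard `%SystemRoot%\System32\drivers` location; `Get-FileHash` needs PowerShell 4 or later.

```powershell
# Added example: triage a driver file that a scanner keeps flagging.
# Assumed input: the file name reported by Norton Power Eraser in the thread.
param(
    [string]$DriverName = 'RIKVM_9EC60124.SYS'
)

$path = Join-Path $env:SystemRoot "System32\drivers\$DriverName"

# 1. Is the file on disk where the scanner says it is? -Force includes hidden
#    and system files; a file absent here but reported by a rootkit scanner is
#    worth comparing against an offline (WinPE) listing of the same folder.
$file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
if (-not $file) {
    Write-Output "No file at $path from inside Windows."
} else {
    Write-Output ("Found {0}  size={1} bytes  modified={2}" -f
        $file.FullName, $file.Length, $file.LastWriteTime)

    # 2. Authenticode signature: a vendor driver should show Status 'Valid'
    #    with a recognisable signer subject.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Write-Output ("Signature: {0}  signer: {1}" -f $sig.Status, $signer)

    # 3. Hash to quote when submitting the sample for analysis.
    $hash = Get-FileHash -Path $file.FullName -Algorithm SHA256
    Write-Output ("SHA256: {0}" -f $hash.Hash)
}

# 4. Which kernel driver service (if any) references this file, and is it running?
#    A service whose start mode is Boot or System explains why the file comes
#    back after every restart.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -like "*$DriverName" } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-List
```

Run it from an elevated PowerShell prompt; the service listing is the part that tells you whether the file is a registered driver (for example one belonging to the Intel wifi package riva11 mentions) or something merely dropped into the drivers folder.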

Thomas K:

I recommend submitting a sample to the Security Response team or ThreatExpert for analysis.

 

http://bit.ly/nSluFl

http://www.threatexpert.com/submit.aspx

fastfire:

Thank you for your replies. The thing is that I cannot find it where Norton says it is located. Power Eraser only gives me the chance to erase the file, not to submit it for analysis. Do you have any other suggestion? Thank you.

Thomas K:

Run the SEP Support Tool. Select the "Load Point Analysis" option. It should be able to find the location of the threat. Please keep me posted on your progress.

 

Best, Thomas

 

http://bit.ly/tlzg25

About the Load Point Analysis feature in the Symantec Endpoint Protection Support Tool

http://bit.ly/tWlkIJ

fastfire:

Thank you for your reply. When I click on the link provided, the following message is shown on a blank page, and I cannot download the SEP st: "The requested resource (/kb/apps/infocenter/custom/templates/index) is not available".

fastfire:

Hello! I have now been able to download the SEP Tool, but (tried five times) when it is generating reports, an error message shows up saying that Symantec Support Tool has quit functioning due to a problem and Windows will shut it down...

Thomas K:

Can you tell us what AV product and version you are running? Have you tried running a full scan in safe-mode with the latest definitions?

 

Here is a helpful article, How to find Suspected Threats on your computer -

https://www-secure.symantec.com/connect/articles/h...

vilig:

Hey baitie, I have this problem too.

 

Intel Updater says the wifi is unknown and to please contact the manufacturer.

How do I get to the boot and copy this file at boot?

vilig:

When I run the Symantec Endpoint Support Tool, it crashes and says:


Loading unloaded module list
............
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(1614.2e0): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=0124ea28 ecx=00000007 edx=00000073 esi=00000002 edi=00000000
eip=777f014d esp=0124e9d8 ebp=0124ea74 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:
777f014d 83c404          add     esp,4
0:024> .ecxr
eax=78f4ac6a ebx=78f4ac6a ecx=00000007 edx=00000073 esi=6b9e1692 edi=7ffffffe
eip=6fbc6b1d esp=0124f05c ebp=0124f4dc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
msvcr90!_woutput_l+0x94c:
6fbc6b1d 66833800        cmp     word ptr [eax],0         ds:002b:78f4ac6a=????
0:024> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify timestamp for Rpt_InstallClient.dll
*** ERROR: Module load completed but symbols could not be loaded for Rpt_InstallClient.dll
*** WARNING: Unable to verify timestamp for ST_Gui.exe
*** ERROR: Module load completed but symbols could not be loaded for ST_Gui.exe
*** WARNING: Unable to verify timestamp for BfLLR.dll
*** ERROR: Module load completed but symbols could not be loaded for BfLLR.dll
GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/ST_Gui_exe/1_...

FAULTING_IP:
msvcr90!_woutput_l+94c [f:\dd\vctools\crt_bld\self_x86\crt\src\output.c @ 1624]
6fbc6b1d 66833800        cmp     word ptr [eax],0

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 6fbc6b1d (msvcr90!_woutput_l+0x0000094c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 78f4ac6a
Attempt to read from address 78f4ac6a

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  ST_Gui.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  78f4ac6a

READ_ADDRESS:  78f4ac6a

FOLLOWUP_IP:
msvcr90!_woutput_l+94c [f:\dd\vctools\crt_bld\self_x86\crt\src\output.c @ 1624]
6fbc6b1d 66833800        cmp     word ptr [eax],0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  4000

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  000002e0

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 6fba4f24 to 6fbc6b1d

STACK_TEXT:  
0124f4dc 6fba4f24 0124f4f8 6b9e1680 00000000 msvcr90!_woutput_l+0x94c [f:\dd\vctools\crt_bld\self_x86\crt\src\output.c @ 1624]
0124f518 6fba4f46 6fbc61d1 6b9e1680 00000000 msvcr90!_vscwprintf_helper+0x51 [f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c @ 441]
0124f530 6d995d37 6b9e1680 0124f568 6d995d6a msvcr90!_vscwprintf+0x17 [f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c @ 450]
0124f548 6d995d7e 6b9e1680 0124f568 00000007 mfc90u!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::FormatV+0x25 [f:\dd\vctools\vc7libs\ship\atlmfc\include\cstringt.h @ 1891]
0124f558 6b9d6786 0124f57c 6b9e1680 78f4ac6a mfc90u!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::Format+0x14 [f:\dd\vctools\vc7libs\ship\atlmfc\include\cstringt.h @ 2284]
WARNING: Stack unwind information not available. Following frames may be wrong.
0124f5b8 6fbd3c3a 1c5dce42 0124f5a4 0124f5a8 Rpt_InstallClient+0x6786
0124f5f0 6db9df70 00000000 00010000 00000000 msvcr90!free+0xec [f:\dd\vctools\crt_bld\self_x86\crt\src\free.c @ 115]
0124f5f8 00010000 00000000 6db9df70 6db9df70 mfc90u!afxStringManager+0x14
00000000 00000000 00000000 00000000 00000000 0x10000

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  msvcr90!_woutput_l+94c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: msvcr90

IMAGE_NAME:  msvcr90.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4d2c14d2

STACK_COMMAND:  ~24s; .ecxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_msvcr90.dll!_woutput_l

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_msvcr90!_woutput_l+94c

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/ST_Gui_exe/1_...

Followup: MachineOwner
---------

I can't attach the .dmp file.

 

vilig:

It seems I had run the SEP tool wrong and clicked the wrong check boxes.

 

It scanned and said it failed two .lnk files in startup. How do I send them for analysis?

It also warned about an autorun.inf on an external hard drive.

Thomas K:

Hi vilig, you can submit files to Security Response or ThreatExpert (owned by Symantec) for analysis.

http://bit.ly/threatsubmission

http://www.threatexpert.com/submit.aspx

You should also disable AutoRun to prevent threats from spreading from your removable drives - http://support.microsoft.com/kb/967715/en-us?p=1

How to prevent a virus from spreading using the "AutoRun" feature

http://bit.ly/disableautorunfeature
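The KB article linked above disables AutoRun through the NoDriveTypeAutoRun policy value, and the same value can be audited from PowerShell. The script below is an added example, not from this thread or from Microsoft; it reports the current value in both the machine and user policy keys, can set it to 0xFF (the value KB967715 uses to disable AutoRun for every drive type), and lists any removable drive that currently carries an autorun.inf, which is the warning vilig's scan raised. Applying the HKLM value requires an elevated prompt.

```powershell
# Added example: audit and enforce the AutoRun policy described in KB967715,
# then look for autorun.inf files on removable drives.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$valueName  = 'NoDriveTypeAutoRun'
$disableAll = 0xFF   # bit per drive type; all bits set = AutoRun off everywhere

function Get-AutoRunPolicy {
    foreach ($p in $policyPaths) {
        $current = $null
        if (Test-Path $p) {
            $current = (Get-ItemProperty -Path $p -Name $valueName -ErrorAction SilentlyContinue).$valueName
        }
        $display = if ($null -eq $current) { '(not set)' } else { '0x{0:X2}' -f $current }
        [pscustomobject]@{
            Hive     = $p
            Value    = $display
            Disabled = ($current -eq $disableAll)
        }
    }
}

function Set-AutoRunPolicy {
    # Writing the HKLM key needs an elevated shell; the change takes effect at next logon.
    foreach ($p in $policyPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name $valueName -PropertyType DWord -Value $disableAll -Force | Out-Null
    }
}

function Find-RemovableAutorunInf {
    # DriveType 2 = removable disk (USB sticks, card readers, many external drives)
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        [pscustomobject]@{
            Drive      = $_.DeviceID
            Label      = $_.VolumeName
            AutorunInf = (Test-Path -LiteralPath $inf)
        }
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize
Find-RemovableAutorunInf | Format-Table -AutoSize
# Set-AutoRunPolicy   # uncomment to apply the KB967715 setting
```

A drive showing AutorunInf = True is not proof of infection (some vendor tools ship one), but with the policy set to 0xFF the file is no longer executed automatically when the drive is plugged in, so the scan warning becomes a file to inspect rather than a path to code execution.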

 

deepak.vasudevan:

It allways finds an issue on 'System32/Drivers/RIKVM_9EC60124.SYS', I have it solving the problem,

This is actually mentioned on the Power Eraser page: PE is not a normal day-to-day tool but a rescue add-on for the system when normal traditional AVs are unable to determine and/or ascertain whether a particular file is loaded with malware.

Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully.

Quoted from http://security.symantec.com/nbrt/npe.aspx?lcid=1033