Reader_s.exe Fix is 100% Not Available (for now)
So, after the 3rd attempt at getting my computer back to normal, I thought I would type up a little post about the Reader_s.exe virus that I have been fighting.
First off, realize there is not a single way around this Virut-type virus at this point. When you get it, unplug from the internet and prepare for a full format of your hard drive.
The Reader_s.exe attaches itself to other .exe files on your computer, thus making other programs a “breeder” for the virus. If you do a backup, which I recommend, I would forget about those types of files. The virus can be triggered again if you are trying to access a backed-up .exe file on your new install.
The virus doesn’t look good and can be downloaded in many different ways, but since it attaches itself to .exe files, it could be transferred through file sharing networks the fastest. I am not 100% sure if it can be detected AND stopped if you have anti-virus software. It was too late by the time I knew what was happening.
Symptoms of the virus usually include an overload in your processes to the tune of almost 100%. You will notice lagging and even some popups. Task Manager might be disabled, as well as the regedit command. Disabling these lets the virus get around your machine and infect as much as possible.
From what I have read, the virus is controlled remotely, so unplugging network cables or turning off your WiFi is the first thing you should consider. From there, take a deep breath and prepare for a long day of backups and reformatting.
Reading more about the virus here, you can see there aren’t many people that think this is a little virus. This one is no joke and can mess things up very quickly. There is also a nice list of what name the virus goes by so you know what to look out for.
Pass this one to everyone you know and understand that if you have the reader_s.exe process running, it’s already too late.



[...] devastating it can’t be detected by FREE software? I mean it’s not like the reader_s.exe Virut Virus that you cannot get rid of, [...]
I’ve been dealing with someone else that has this virus remotely for a few days. From what I can gather, the virus implements itself in your winlogon.exe, so that you can’t get rid of it while running a copy of Windows. I’ve yet to try a few more tricks on it, including running a scan for infected files and removing the main infected files before booting into a Linux kernel and swapping the system32 folder with an uninfected version.
With any luck, this should be able to take care of it.
What a horrible virus.
By the way, when you unplug your networks and scan and take care of the virus, it has a few infected files left, all core system files, such as winlogon.exe, services.exe, and svchost.exe, which (as soon as you log back online) connect to a set of hosts and re-download the main portion of the virus.
Beautiful internet we have, right?
Hi John. I’m also not sure if you can prevent reader_s.exe from getting onto your computer. My experience was noticing that it was in my start up options (after being removed from the list many times). I found instructions that seem to have nuked it here:
http://www.bleepingcomputer.com/tutorials/tutorial101.html
Note, as that post says, you need to make sure you find all files with “reader_s” in their names in the “right” suspicious places. I run WinXP Pro and used the native search to scan the hard drive for all files named “reader_s”. It was lurking in my User Profile and C:\Windows\Prefetch folders.
So far so good. Hope this post helps.
I am using an HCL laptop. An error message saying that “The memory is being dumped to drives” is coming. What to do to solve this problem? Please help me.
This is a very well written virus and is impossible to destroy or remove from a machine.
Virus is spread via executing an executable on a network drive or plugging a thumb drive into an infected machine and then plugging the same thumb drive into a non-infected machine. It even runs in safe mode without networking. It looks like if you run in safe mode and remove the virus and reboot that the virus is gone, but it comes back as soon as you enable networking.
If you try to delete the virus, the virus monitors this and moves the location of the executable to another directory. Virus has at least 2 parts. One that runs as part of svchost, and reader_s.exe. It seems there is another part that somehow runs when you plug in the network cable even though your hard drive appears clean to virus scanners.
It appears as if Microsoft has fixed the second infection route in the latest updates for Windows XP.
Vista and Windows 7 do not seem to get the virus because the virus writes to a protected area, which is not allowed in Vista and Windows 7.
Only solution is to back up the system, format the hard drive and reinstall the operating system. Do not execute any restored executables until you run a virus scan like (malwarebytes) on all files restored.
Virus creates an autorun.ini which executes an executable. These are hidden, protected OS files so they do not show up normally. Plug the thumb drive into a Mac to see if the thumb drive, camera, iPod, etc. are infected.
This virus downloads other viruses from the internet and causes the computer to send spam, shutting down your outbound mail server.
Some of the virus scanners crashed the OS so the OS would not boot.
I hope someone comes up with a solution that does not require reformatting the hard drive. I had to scan 25 computers and restore the OS to 4 machines. Total man hours (48)
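An added example, not part of any comment above: one way to do the check described there from a Mac or Linux machine, where the drive's hidden files are listed like any others and nothing on the drive is run. Windows reads the file named autorun.inf; the comment's spelling autorun.ini is checked as well, and the sample content is constructed.

```python
import os
import sys

AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}  # real name and the comment's spelling
LAUNCH_KEYS = ("open", "shellexecute")          # [autorun] keys that start a program

# Constructed sample, not taken from an infected drive.
SAMPLE = "[AutoRun]\nopen=payload.exe\nicon=folder.ico\nshell\\open\\command=payload.exe /x\n"


def launch_targets(text):
    """Return the commands an autorun file would launch, in file order."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command adds a right-click entry that runs a program.
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_KEYS or is_verb) and value:
            targets.append(value)
    return targets


def scan_root(root):
    """List autorun files at the top of a mounted drive and what they launch.
    os.listdir returns hidden entries too; the name match ignores case."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if name.lower() in AUTORUN_NAMES and os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
            text = data.decode("utf-16" if utf16 else "latin-1", errors="replace")
            findings.append((path, launch_targets(text)))
    return findings


if __name__ == "__main__":
    for path, targets in scan_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", targets or "no launch entries")
```

Run it with the mount point of the thumb drive, camera or player as the only argument; any executable it names is a file to scan or delete before the drive goes back into a Windows machine.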
I have Reader_s.exe in my machine. The infection spread through the whole HDD and I have found a temporary solution. Mamout program used for monitoring the processes and changing their work. I managed my computer to ban the Reader_s.exe process. 2 days, but I have no problems, and infection care.
Update.
I found that Reader_s.exe secretly runs IE.exe (Internet Explorer) and downloads itself. Must block IE.exe
Hi, the blog is quite good and rich in content, I would constantly visit you!
I was hit by the virus reader_s. It gave me a blue screen, disabled my anti virus and zone alarm, and caused so much havoc. So I cut off the internet and used the avg, antimalware, virut semantic cleaner and free fixer to clean up the drive. Next I backed up all my files. Then I deleted the partition, reformatted and reinstalled, but the virus still came back. I was determined to find out how the virus came back and it took me more than a week to determine the cause. When you are hit by the virus, almost all .exe files in the computer or any media connected are infected by it with win32:vitro, which when executed while you are online will initiate the svchost.exe to download the virut, causing the reader_s virus to be back again. So what I finally did was to reformat and reinstall first with basic XP. Then I installed Avast anti-virus free home edition. Then I updated the database before installing the sp2 and sp3 or anything else. The reason is that if you have them in the computer, they may get infected too. Your thumbdrive may get infected if it contains .exe files. As for me, it detected all the viruses in my thumbdrive. I deleted all of them. And so far so good, nothing came back again. Hope this helps.
Got hit by this virus, incredibly hard to get rid of.
Could not load regedit, could not download any software links off the net (would redirect to ad site), popups, could not even boot into safe mode. Deleted virus but Windows reloaded it during boot. Am running on the same machine with an older HD (Windows installed) I had lying around.
Very nasty, very hard to get rid of, wish I was able to access DOS still to remove it manually. Would be best option after safe mode was unable to boot.
Yeah, this virus is a tough one to beat, but since I have cleaned my hard drive up and installed PC Tools, I haven’t had any issues for about 6-8 months. You should look into it and good luck.
[...] the others. It’s called “RD2010″ and it basically works similar to the “reader_s.exe” virus from last year. You computer [...]
I don’t agree with everything in this posting, but you do make some very good points. I’m very interested in this topic and I myself do a lot of research as well. Either way it was a well thought-out and nice read so I figured I would leave you a comment. Feel free to check out my website sometime and let me know what you think.