Endpoint Protection


reader_s.exe variant, here is what I did to resolve it.

  • 1.  reader_s.exe variant, here is what I did to resolve it.

    Posted Mar 20, 2009 02:57 PM

    Hello:

    A new variant of the win32/Virut infection is popping up, and many people have had a hard time removing it completely, and have been resorting to format/rebuilds.

    The virus, reader_s.exe, resides in C:\documents and settings\USERNAME\ as well as c:\windows\system32\
    It prevents the machine from running executables, and basically turns the machine into a glorified, lit-up brick.

    I performed the following tasks to clean the machine, and from my inspection it appears to be resolved.

    1) Download the Virut removal tool and put it on a flash drive (note that both files must be copied, .exe and .nt)
    http://www.avg-antivirus.com.au/avg_virus_removal.htm

    2) Boot into ERD with the USB drive connected (or some type of PE disc)

    3) From there, delete the reader_s.exe files, as well as the TEMP folders (c:\documents and settings\user, windows, etc)

    4) Check the registry for startup entries (local user, current user, software > microsoft > windows > currentversion > run) and delete them.

    5) Delete any items in C:\ and c:\windows\system32\ that look suspicious (a bunch of tmp, exe files). *** NOTE: most of them have very recent DATE MODIFIED dates. (This is just precautionary, but still good to do, and only takes a minute.)

    6) Run the RMVIRUT.exe tool from within ERD's command prompt (rmvirut c: will check the c: drive only). This tool will scan your DLL and EXE files and repair the ones that are corrupted. (Can take 1-2 hours to run)

    7) Log back into Windows, check msconfig and remove any calls to reader_s.exe, and check c:\windows\system32\ and c:\documents and settings\username\ for the file; it should be gone.

    8) Lastly, update the AV defs and run a full scan just to ensure the machine is clean.

    9) Upon reboot, the machine worked fine, I could open executables, and connect to the internet. The machine did not show any symptoms that the malicious software was resurrected.


    Hope this helps.

    Respectfully,
    DHS
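    The following is an added example, not part of DHS's post: a read-only PowerShell triage of the places that steps 4, 5 and 7 above inspect by hand. It lists the Run/RunOnce entries for the machine and the current user, then lists .exe/.dll/.tmp files under system32, the Windows temp folder and the user profiles that were modified recently or carry one of the file names named in this thread. It assumes PowerShell 3.0 or later in an administrative session on the live system; the lookback window, the root folder list and the suspect-name list are illustrative choices of this example. It only reports, so the output can be reviewed before anything is deleted.

```powershell
# Added example (not from the original post): read-only triage of the places that
# steps 4, 5 and 7 above inspect by hand. It reports Run-key entries and recently
# modified executables/temp files; it deletes nothing.
# Assumptions: PowerShell 3.0 or later, run from an administrative session on the
# live system; $LookbackDays and $SuspectNames are illustrative values chosen here.
param(
    [int]$LookbackDays = 3,
    [string[]]$SuspectNames = @('reader_s.exe', 'servises.exe')   # file names mentioned in this thread
)

# Step 4: the Run/RunOnce keys for the machine (HKLM) and the current user (HKCU).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip the provider's PSPath/PSParentPath metadata
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Suspect = [bool]($SuspectNames | Where-Object { $cmd -like "*$_*" })
            }
        }
    }
}

# Steps 5 and 7: .exe/.dll/.tmp files changed recently (or carrying a suspect name)
# under system32, the Windows temp folder and the user profiles. Both the XP profile
# root ("Documents and Settings") and the Vista+ one ("Users") are tried.
function Get-RecentBinaries {
    $cutoff = (Get-Date).AddDays(-$LookbackDays)
    $roots = @(
        "$env:SystemRoot\System32",
        "$env:SystemRoot\Temp",
        "$env:SystemDrive\Documents and Settings",
        "$env:SystemDrive\Users"
    ) | Where-Object { Test-Path -Path $_ }

    Get-ChildItem -Path $roots -Recurse -File -Force -Include *.exe, *.dll, *.tmp -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff -or $SuspectNames -contains $_.Name } |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'Hidden';  e = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } },
            @{ n = 'Suspect'; e = { $SuspectNames -contains $_.Name } }
}

Write-Host '== Run-key entries (step 4) =='
Get-RunEntries | Format-Table -AutoSize

Write-Host "== Executables and temp files modified in the last $LookbackDays days (steps 5 and 7) =="
Get-RecentBinaries | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

    The Hidden column matters because the thread repeatedly notes that the dropped files are hidden; the Suspect column is only a name match and says nothing about files the infection has patched in place, which is what the repair tool in step 6 is for.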



  • 2.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Mar 20, 2009 04:19 PM

    Nice methodological approach, I must say. Though I'm not sure the tools that you mentioned would get approval so easily to be run to clean the machines.




  • 3.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Apr 03, 2009 01:29 PM

    Hi There DHS,

    Please, if you may, what is your name rather?
    Anyways, I have the same virus, reader_s.exe, and I am battling to get rid of it.

    I don't understand the ERD step you mention in your solution. Please, can you assist me? It is driving me nuts, I feel like killing myself.
    I don't have a stiffy drive and I tried NTBackup, but it doesn't look the same as what I see in the forums, so I don't know what the hell planet or world I am living on.

    I have Trojan Remover, which is shareware but fully functional and maybe a little bit spastic, and it tells me that I have a suspicious userinit.exe file or wrong size. I tried to expand it from the Windows XP CD using expand -r D:\i386\userinit.ex_ C:\windows.0\system32\
    Anyways, it says expanded and something about the file size wada wada wada, but this Trojan Remover program still tells me it is a suspicious file.

    I also used SuperAntiSpyware, which is available in free and pro versions, and it scans and finds a trojan backdoor generic (not sure even myself when I see it as that), but when the scan is done then you can see what files, and it mentions reader_s.exe and services.exe, so I hit clean or remove and it shows that it is removing, and it asks me to reboot for it to remove the virus, and then it does, but the virus is back when I re-scan, so it is as if nothing happened. I deleted reg entries like in runonce/run and those places, deleted my prefetch files and deleted *.tmp /s in the Windows DOS prompt and all that stuff, but I don't come right.
    My idea is to try and patch all the files in the system32 folder from the i386 folder on the CD, but I don't know how the hell you do files which are locked, such as services.exe. Anyways, I don't even know if I am expanding the files correctly? Is it as I mentioned above?

    Anyways, thanks, I hope to hear from you.


    Oh, PS. I also re-installed Windows to C:\windows\ since I was using windows.0, and anyways I don't get it, it is also infected with this reader_s.exe. Is this maybe because they are on the same partition and when Windows does the setup or general boot up it somehow touches the dirty files? -> Example... my friend told me once that his Windows was not booting; he did see the logo and then it would just freeze, and even safe mode... or maybe blue screen, can't remember clearly... but he said when he connected another bootable drive which also had Windows XP on it, it somehow fixed the one that was not booting. So this is why I reckon something funny can be possible with touching, or whatever, of files.

    Please let me know what you suggest further?

    Oh, sorry, one more thing: when it seemed that my machine was clean in safe mode, cleaning with SuperAntiSpyware and deleting of *.tmp and prefetch files i.e. *.pf, and also regediting and removing entries of anything in run and runonce (yes everything, even if it is MSN or Nvidia junk), then even in normal boot mode things looked hundreds! And then boom, when I connected my ethernet cable from my router to my machine, I noticed in the task manager that vrt1.tmp or vrt2.tmp or a.tmp or 2.tmp (some unique number or numeric.tmp) would start up and then eventually the reader_s.exe also starts.

    So yeah, my guess is something to do with services.exe starting an infected service for the network thingy, or just that services is fucked also. The thing is, even though I said my machine didn't have anything strange running before I plugged my network cable in, it was still messed up because things like mplacerc.exe (Media Player Classic) would crash when I open it, on module ntdll.dll.
    So I have no idea - got to be some dirty Windows system32 components.

    Thanks.

    Regards
    Imre



  • 4.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Jun 30, 2009 07:21 PM
    This is a very well written virus and is impossible to destroy or remove from a machine.

    The virus is spread via executing an executable on a network drive, or plugging a thumb drive into an infected machine and then plugging the same thumb drive into a non-infected machine. It even runs in safe mode without networking. It looks like if you run in safe mode and remove the virus and reboot that the virus is gone, but it comes back as soon as you enable networking.

    If you try to delete the virus, the virus monitors this and moves the location of the executable to another directory. The virus has at least 2 parts: one that runs as part of svchost, and reader_s.exe. It seems there is another part that somehow runs when you plug in the network cable even though your hard drive appears clean to virus scanners.

    It appears as if Microsoft has fixed the second infection route in the latest updates for Windows XP.

    Vista and Windows 7 do not seem to get the virus because the virus writes to a protected area which is not allowed in Vista and Windows 7.

    The only solution is to back up the system, format the hard drive and reinstall the operating system. Do not execute any restored executables until you run a virus scan like (Malwarebytes) on all files restored.

    The virus creates an autorun.ini which executes an executable. These are hidden, protected OS files so they do not show up normally. Plug the thumb drive into a Mac to see if the thumb drive, camera, iPod, etc. are infected.

    This virus downloads other viruses from the internet and causes the computer to send spam, shutting down your outbound mail server.

    Some of the virus scanners crashed the OS so the OS would not boot.

    I hope someone comes up with a solution that does not require reformatting the hard drive. I had to scan 25 computers and restore the OS on 4 machines. Total man hours (48).



  • 5.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Jul 13, 2009 03:06 PM
    Ok, hopefully this will help you guys eradicate this monstrosity of a virus. We had one of our users navigate to one of those famous web sites that tell you that your computer has been infected with a virus... pay us money and we will fix it for you. Little does the user realize that the same web site also infected the machine. So as Dave322 mentioned, this virus moves around and is extremely smart at knowing when someone is on to it. It starts spawning so many programs that you can't possibly kill them all. If you are successful at killing most of them using Process Explorer then another program spawns with a damaged file name so you can't disable or shut that one down. And then you have more spawned programs and it just gets away from you.

    So then I read DHS and I did as they suggested word for word. That did not work, and it angered the virus further.

    So then I read some more and found a viable fix.

    http://www.softpedia.com/progViewOpinions/Kaspersky-Virus-Removal-Tool-90524,.html

    Kaspersky Virus Removal Tool identified the culprit and killed the virus. Unfortunately we lost the network portion of the system so we had to run Windows XP in repair mode to get it back. Also note if problems arise and you find that programs keep abending, try deleting the user profile's NTUSER files (which will pretty much reset the profile).

    ICSOKA: ERD is Emergency Repair Disk... ERD Commander was a program you could use to boot Windows XP from CD and that way you could remove files (even system files) because only the files on the CD were in use. In any case I did use ERD and that solution did not work so try Kaspersky. We could not Nuke and Reload the system because it was a production system.

    Good Luck to all who get this evil vile virus!

    MS



  • 6.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Aug 17, 2009 07:17 PM

    Don't download and install Adobe anything if some download request pops up in the middle of the program. That's where the viruses are! I uninstalled all the Adobe things in addition to the above process.
    When you do the above cleaning process, the Internet should be offline.



  • 7.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Aug 21, 2009 02:54 PM
    With everything I saw during this virus experience, I know that it's very hard to be completely secure on the internet.

    This virus is a real PITA to remove. (Pain in the a.....)

    Look, it's been 3 work days I'm working on it and... he's still there. But I got the good weapons to kill it, I just want to know who is the creator of this sh....


    I will give you some information first: It seems to come from Russia or some poor European country. He is working as described previously in some specialised forums: data injection in processes.

    He's also working with a lot of things... He's opening a back door and he uses your computer to send spam all around the world. He lets his friends enter into your system by creating other viruses. I got a lot of proof of this.

    As I see on my test system, I got two theories of his function:

    1 - He modifies your AV system to work against you! Yes, it modifies the way your AV works to crash your system. In fact, your AV becomes a weapon for him. He uses it to delete all your software because your AV doesn't see that he is deleting all your important files.

    2 - He injects himself into all your software.

    I used a bunch of software to collect information:
    - Process Explorer: to see each process ID tree and process data protection
    - CurrPorts: to see every TCP connection going out of my system
    - Jetico Personal Firewall: a good and light firewall to block it from reporting
    - AVG virus removal tools
    - Microsoft Malicious Software Removal Tool: this tool helps a lot in case of major infection. The virus had infiltrated..... 986 of my .DLL and .EXE files on my system.
    So, as I see, the virus is reporting to a lot of servers all around the world. This is a real devil. Look at this:


    And when you close the TCP connection, it opens 100 other connections in 3 seconds to say: "Hey, I'm the boss, get out moron, let me do my work"


    I found that he is reporting to server IPs:
    218.93.205.24:65520 203.146.251.62:3305 218.93.205.24:65520 216.245.213.194:80 221.5.74.39:65520 67.43.236.67:10324 61.120.62.28:3305

    After discovering this, I found this file on a site dealing with malware:

    http://cgi.mtc.sri.com/popups/binaries/08-12-2009/d41d8cd98f00b204e9800998ecf8427e.html

    32 AV SYSTEMS: MISSED.

    Really dangerous, really hard to clean! Good luck, I got a lot of information on it, e-mail me if needed. (After reading 300 forums talking about that, I mean...)
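    As an added example, not part of the post above or of post 10's netstat tip, the following PowerShell parses the output of netstat -n and flags rows whose foreign endpoint matches the server list quoted above, so the check CurrPorts was used for here can be repeated from a console. The sample netstat lines are constructed for illustration: the local addresses and client ports are made up, the first, second and fourth foreign addresses come from the list in the post, and the third is an unrelated web connection. The function names, the IPv4-only parsing and the fallback rule on ports 65520 and 3305 are assumptions of this example.

```powershell
# Added example (not from the original post): flag netstat -n rows whose foreign
# endpoint matches the servers listed above. $sample is constructed for illustration;
# on a live machine replace it with:  $sample = netstat -n
$knownBad = @(
    '218.93.205.24:65520', '203.146.251.62:3305', '216.245.213.194:80',
    '221.5.74.39:65520', '67.43.236.67:10324', '61.120.62.28:3305'
)

# Constructed sample: local addresses and client ports are made up; the 1st, 2nd and
# 4th foreign addresses are from the post, the 3rd is an unrelated web connection.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1052      203.146.251.62:3305    ESTABLISHED
  TCP    192.168.1.10:1053      218.93.205.24:65520    SYN_SENT
  TCP    192.168.1.10:1060      74.125.19.99:80        ESTABLISHED
  TCP    192.168.1.10:1061      221.5.74.39:8080       ESTABLISHED
'@ -split "`r?`n"

function Parse-Netstat {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Proto, local, foreign and (for TCP) state; UDP rows have no state column.
        # IPv4 only: an IPv6 foreign address contains extra colons and is not handled here.
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$') {
            [pscustomobject]@{
                Proto   = $matches[1]
                Local   = $matches[2]
                Foreign = $matches[3]
                State   = $matches[4]
            }
        }
    }
}

function Find-SuspectConnections {
    param([string[]]$Lines, [string[]]$Blocklist)
    $badEndpoints = @{}
    $badHosts     = @{}
    foreach ($e in $Blocklist) {
        $badEndpoints[$e] = $true
        $badHosts[($e -split ':')[0]] = $true
    }
    # Ports shared by several listed endpoints; a match on port alone is a weaker signal.
    $badPorts = @('65520', '3305')

    Parse-Netstat -Lines $Lines | ForEach-Object {
        $ip, $port = $_.Foreign -split ':'
        $reason = if ($badEndpoints.ContainsKey($_.Foreign)) { 'listed ip:port' }
                  elseif ($badHosts.ContainsKey($ip))           { 'listed ip, different port' }
                  elseif ($badPorts -contains $port)            { 'port used by listed endpoints' }
        if ($reason) {
            $_ | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru
        }
    }
}

Find-SuspectConnections -Lines $sample -Blocklist $knownBad |
    Format-Table Proto, Local, Foreign, State, Reason -AutoSize
```

    With the constructed sample, three of the four rows are reported (exact match, exact match, same host on a different port) and the web connection is not. Pair this with netstat -no on a live system to get the owning PID, which is what lets the connection be tied back to a process in Process Explorer.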

  • 8.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Sep 07, 2009 03:41 AM
    I have a very simple solution.
    This was my case: I have 1 hard disk and it's system C.
    I have another hard disk which is divided in two partitions (D:, E:).
    No antivirus was successful killing this virus.
    I reinstalled the C: (system) disk. Didn't help.
    My conclusion was the virus copied itself to the second hard disk (D, E).
    I simply changed drive letters D and E to S and K (it doesn't matter how you rename it). Then I pulled out the hard disk (the one with the S and K partitions) from the power source and reinstalled Windows again. Then I downloaded Avast, plugged in the hard disk (the one with the S and K partitions) and scanned it.
    Avast cleaned copied files from D and E.
    Everything works fine.


    Conclusion: changing drive letters may cause some programs not to work! - this is exactly what we want. The virus is not able to get back where it came from since the drive letter now doesn't match the one at the time when it copied itself.

    Maybe you do not need to do everything exactly as I did, but I hope it gave you an idea to fight this thing and save your data.
    If you have only 1 partition at the time and data you do not want to lose, you can split your partition in two and name your data partition N (try to avoid D, E, F since those are the system's first option to name your drives), reinstall only C. After login into the system immediately change N to something else and the virus is not able to copy itself back.

    I am not an expert in the security area and I don't know if all this has too much sense, but it worked for me, I hope it'll work for you too!
    Good luck!


  • 9.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Sep 07, 2009 03:42 AM
    I have a very simple solution.
    This was my case: I have 1 hard disk and it's system C.
    I have another hard disk which is divided in two partitions (D:, E:).
    No antivirus was successful killing this virus.
    I reinstalled the C: (system) disk. Didn't help.
    My conclusion was the virus copied itself to the second hard disk (D, E).
    I simply changed drive letters D and E to S and K (it doesn't matter how you rename it). Then I pulled out the hard disk from the power source (the one with the S and K partitions) and reinstalled Windows again. Then I downloaded Avast, plugged in the hard disk (the one with the S and K partitions) and scanned it.
    Everything works fine.


    Conclusion: changing drive letters may cause some programs not to work! - this is exactly what we want. The virus is not able to get back where it came from since the drive letter now doesn't match the one at the time when it copied itself.

    Maybe you do not need to do everything exactly as I did, but I hope it gave you an idea to fight this thing and save your data.
    If you have only 1 partition at the time and data you do not want to lose, you can split your partition in two and name your data partition N (try to avoid D, E, F since those are the system's first option to name your drives), reinstall only C. After login into the system immediately change N to something else and the virus is not able to copy itself back.

    I am not an expert in the security area and I don't know if all this has too much sense, but it worked for me, I hope it'll work for you too!
    Good luck!


  • 10.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Sep 09, 2009 01:34 PM
    Hi, I have this shitty virus. I've tried several applications to delete it; it seems that my hard disk is clean, but I still have lots of net connections that slow my net (Start / Execute / cmd / netstat -n) caused by the virus. Also I ran the AVG fix posted above, and at half of the scan it closes itself. Any suggestion???

    Thanks very much


  • 11.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Oct 15, 2009 07:24 PM
    Fallout 3 Russian version, English version, addons, Fallout launcher: everything has reader_s & servises.exe, restorer, etc.
    Warning: launcher is Boss. And next, remote control exists and this malware always has progress.
    After scanning it always exists in the computer, like hidden, and again starts with destruction. When you start working with the internet you activate this malware. Next this malicious code can activate itself in more different ways.
    First it creates for itself a .dll file and .temp files in the system32 folder TEMP! In this moment it creates reader_s and servises.exe.....


  • 12.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Oct 26, 2009 04:19 PM

    This devil has got two parts: 1. a PE executable part and 2. an IFrame component (this opens the backdoor, to hell... you might as well say :) actually it opens a backdoor for a few recognized web sites to receive a myriad of other viruses, trojans which can overwhelm your AV even by their sheer number...
    The virus is resident in memory, runs when the system starts, and "may be" even running in safe mode... The more times you run the machine, the virus gets injected into more executable files, OS/System32 and 3rd party software alike. It also gets injected into resting installation exe files, into Windows screensaver files, into stored html, htm, etc... files; it also spreads by USB thumb drives (infecting the autorun file), some guy mentioning he got infected back through his daughter's MP3 player after a clean format!...
    After a couple of days you'll notice you can't open any antivirus company website, security forums, help forums... NOTHING. But open disneyland.com and it's ok... :))) Because the virus is using a big chunk of your bandwidth to send spam out and put malware in, your browsing speed comes to a crawl. The virus is highly variable, hiding, disguising, getting injected everywhere, but because of this character it is also highly unstable (sorry for you): OS executables infected by the virus may crumble and stop running at any time, rendering Windows un-bootable. This scenario actually reminds me of the end parts of some horror movies (zombie town nuked and burned) hehe.. And the story goes this virus can survive even a clean format of the hard drive too (not only a low level one), so some experts recommend wiping the drive with DBAN or some other software.

    And Pifane, France is not that far from Poland...

    Robert Siebielski
    This might be your guy… Dunno who's the original virus creator (while this is the 3rd, 4th generation Virut!), but considering usage everything really points to Poland as the origin of this crap. The real persons are located in Poland, their hosting is from China, Hong Kong. The IRC backdoor channel is downloading malware from jl.chura.pl; google this site and see how interconnected your search results are with the term VIRUT.
    Check all these domains with whois.org. As you'll see, the thing is the domain registrar for jl.chura.pl is a fictitious consulting firm with no person name behind it, but the domain registrar for the consulting firm is this guy... DUMB HACKER.
    Sources:

    http://www.teamfurry.com/wordpress/2007/09/04/so-who-is-behind-virut/
    http://www.siteadvisor.be/sites/zief.pl/summary/

    Get a filtering list from http://www.malwaredomainlist.com/ and add it to your personal firewall, Internet security suite firewall or even some site blocking plugin for your browser to block these sites. I'm actually considering blocking the whole of China, Russia and some eastern European countries :)


  • 13.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Nov 02, 2009 07:30 PM
    Hi,

    Okay, after months of on and off investigating, this is what I have found:

    Use the latest ComboFix and optionally HitmanPro, they are both freeware. (Google)
    You can actually pay for HitmanPro but it is fully functional and free.

    You can run ComboFix in safe mode if you like or in normal.
    HitmanPro does not work in safe mode - at least not for me, I was not able to click on the next button.

    Those programs can fix the problem but not always (only C:)

    You then need to scan all your drives using Kaspersky or Avira. (You can use the Kaspersky trial.)
    Kaspersky is RECOMMENDED since it finds the VIRUT.CE version.
    Symantec anti-virus does not detect this variant of the Virut, which is a bummer.
    It can detect the VIRUT but not the win32/virut.ce
    I hope they fix it because I actually prefer using Symantec more than any anti-virus.

    The stories about formatting your hard drive and the virus still remaining resident are rubbish.

    One more thing, Microsoft Malicious Software Removal Tool is great but it does not detect the win32/Virut.ce either, which is also too bad.


    Thanks,
    Imre


  • 14.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Nov 13, 2009 01:21 AM
    I have 2 machines with reader_s.exe infected. Both machines received a fake email from DHL with an attached .xls file.
    Both machines are SEP clients.
    The virus kills TCP/IP services from Windows (Windows XP). I tried all the possible ways to clean but no luck. Any help????


  • 15.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Dec 12, 2009 11:28 AM
    Thanks for this post!

    This has helped me solve my problem!

    I would like to add that :

    5) not precautionary but >must do<, especially <Number>.exe files in system32 and temp

    7) log back into Windows in >Safe mode< and use Sysinternals Autoruns to clear startup items,
    and disable the FCI service "svchost.exe:ext.exe" and use Sysinternals Streams to delete the alternate file stream (not svchost.exe!!)

    HTH
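    An added example, not code from the post above: a PowerShell equivalent of the Sysinternals Streams check it describes, listing alternate data streams (ADS) on files under system32 so a name of the form svchost.exe:ext.exe stands out from the host file it is attached to. It assumes PowerShell 3.0 or later (the -Stream parameter) on an NTFS volume; the function name Get-AlternateStreams and the default root folder are this example's choices. It lists only; removal with Remove-Item -Stream is left to the analyst after review, since the post's own warning is to delete the stream and not the executable that carries it.

```powershell
# Added example (not from the original post): list alternate data streams on files
# below $Root, the check the post does with Sysinternals Streams. Requires
# PowerShell 3.0+ on an NTFS volume; the default root is a choice of this example.
function Get-AlternateStreams {
    param([string]$Root = "$env:SystemRoot\System32")

    Get-ChildItem -Path $Root -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # Every NTFS file carries the unnamed ':$DATA' stream; anything else is an ADS.
        # Zone.Identifier is the common benign one (the "downloaded from the internet" mark).
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length,
                @{ n = 'LikelyBenign'; e = { $_.Stream -eq 'Zone.Identifier' } }
    }
}

# A stream whose name is itself an executable (e.g. svchost.exe:ext.exe) is what the
# post points at. Review these before removing with:
#   Remove-Item -LiteralPath <file> -Stream <streamname>
# which deletes only the stream and leaves the host file (svchost.exe) intact.
Get-AlternateStreams | Where-Object { -not $_.LikelyBenign } | Format-Table -AutoSize
```

    The FileName column is the host file and the Stream column the attached name, which is the distinction the post's "not svchost.exe!!" warning is about.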


  • 16.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Dec 26, 2009 06:01 AM
    Hi all,

    I had been fighting with this virus for three days already (24 and 25 of Dec included).
    I ran Spyware Doctor (PC Tools) and this helps somehow, but the process 6.exe appears always after rebooting.

    I want to run Kaspersky but because I am working without a network connection, the trial version can not be activated; therefore, it does not run.
    Question 1: Any suggestion how to activate a trial version without an Internet connection? I am using a notebook now.

    After a lot of "manual" work looking at (and deleting most of) files modified in the last three days (and corresponding software as well), and after rebooting many times, 6.exe (or similar ones) were not there any longer.

    Then, I ran Microsoft Malicious Software Removal Tool. It found only one infection (not too bad). It was C:\windows\system32\drivers\ndis.sys, it was a Cutwail.F virus.
    Q2: I have another 6 files modified after Dec 23:
    klin.dat
    klick.dat
    klif.sys
    qtdbf53.sys
    jnq7794.sys
    jmqdc70.sys
    Should I kill them all? Or are those files important for Windows? I can not delete any of them from Windows.

    I booted the PC from the Windows CD and entered recovery. I killed ndis.sys from here.
    Now, I want to run rmvirut.exe (as DHS did) but I can not find the way.
    Q3: I do not find a run command (neither in help or on the internet) or anything on how to run it. I followed the procedure step by step but no chance. May anyone let me know how to run rmvirut? It did not run in the Windows environment either.

    I admit that I am a beginner user and any support will be welcome.
    Thanks,
    Fernando


  • 17.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Dec 28, 2009 09:24 AM
    Fernando,

    Follow this post and you will come right:


    ******************************************************************************************************************************************************

    READER_S.exe or *B.tmp processes - similar

    Hi,

    Okay, after months of on and off investigating, this is what I have found:

    Use the latest ComboFix and optionally HitmanPro, they are both freeware. (Google)
    You can actually pay for HitmanPro but it is fully functional and free.

    You can run ComboFix in safe mode if you like or in normal.
    HitmanPro does not work in safe mode - at least not for me, I was not able to click on the next button.

    Those programs can fix the problem but not always (only C:)

    You then need to scan all your drives using Kaspersky or Avira. (You can use the Kaspersky trial.)
    Kaspersky is RECOMMENDED since it finds the VIRUT.CE version.
    Symantec anti-virus does not detect this variant of the Virut, which is a bummer.
    It can detect the VIRUT but not the win32/virut.ce
    I hope they fix it because I actually prefer using Symantec more than any anti-virus.

    The stories about formatting your hard drive and the virus still remaining resident are rubbish.

    One more thing, Microsoft Malicious Software Removal Tool is great but it does not detect the win32/Virut.ce either, which is also too bad.

    Thanks,
    Imre
    *****************************************************************************************************************************************************



    I didn't have an internet connection and my Kaspersky works fine in demo mode - it doesn't seem to expire.
    You can register optionally.

  • 18.  RE: reader_s.exe variant, here is what I did to resolve it.

    Posted Feb 05, 2010 08:43 AM
    My computer is infected with the Unek.exe and incontino.exe viruses, but Symantec AntiVirus Corporate Edition does not detect these viruses. My computer is slowed down.