Reader_s.exe + W32 Virut

Discussion in 'Malware Help (A Specialist Will Reply)' started by iamtensai, Jun 3, 2009.

  1. iamtensai

    iamtensai Private E-2

    Hello,

    I made the dumb mistake of clicking on a suspicious exe file while having no virus protection of any kind, and I have been paying the price...and spent the last 3 days battling the malware.

    I first noticed that my system was running multiple copies of iexplore.exe and reader_s.exe. Something was also infecting almost every single exe file in my computer, and it was preventing me from installing any anti-virus software.
    Well, after much work scanning and working under safe mode, I was able to get Symantec AV installed.
    It picked up A LOT of exe files on the first complete scan, and was able to delete/clean all the problems.
    Now the problem of the reader_s.exe is gone from my processes.

    However, there is something persistent about this malware(s) that I have. Almost every time I turn on the internet connection, Symantec comes up with an alert window, stating some kind of security threat in either the System32 folder, or a temp folder. (windows/temp, temp directories for IE, also a temp folder under system 32) so it seems like this thing is downloading stuff on its own.
    I had alerts stating vrt1.tmp, vrt2.tmp, vrt3, 4, 5..etc
    Symantec identified most of the things it picked up as W32 Virut, and they could be EXE, TMP or HTM files.
    Whenever it's under a temp folder, I always choose to delete permanently; I don't delete any files found in system32.

    Anyways, I went through the WinXP cleaning procedure line by line, and I have attached the logs below. I also attached a history log from Symantec; it seems to only record the most recent threats. As you can see, some of them are fairly repetitive and it seems like the virus keeps on trying to infect one single file.

    Note that I was not able to run combofix, since when I run combofix.exe, it just pops up a blank box with the title "Error", and all I can click is "OK"; then it closes and combofix deletes itself.
    I read somewhere that the reader_s and the W32 are really persistent, and they sure have been driving me nuts.

    Any help is appreciated and can really make my day.

    Thank you!
     


  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    I'm sorry to give you this bad news:

    dr.m
     
  3. iamtensai

    iamtensai Private E-2

    Thanks for your reply. I will be sure to back up my documents. But I'm unable to go through the formatting process right now since I need to use the computer regularly.
    Are there any preventative measures I can do for now to slow this thing down?

    How did those logs look?

    Thanks again.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The more you use the computer in this state, the more potential problems you could run into. You could potentially lose all ability to boot your PC at any point, you could potentially have additional infections downloaded and installed, and you could suffer loss of personal information and/or identity theft.


    No, not really! We could attempt to try some fixes, but odds are very high that they will not work. And even if they appear to work, your system still cannot be trusted to be clean, since we are not going through every file on your PC to verify that they are clean. These newer forms of Virut are not always detectable and they cannot be 100% reliably cleaned/removed. Also, while attempting to remove the infection, your PC could at any point become unbootable, since we will be trying to repair/replace files necessary for Windows to operate.

    If you would still like to attempt to fix this now, even after reading all of what was stated above and knowing that you could potentially be losing personal data, then let us know and we will try to give you a first attempt at a fix.

    The logs show that your Windows system files have become infected, and they are system files that run every time you boot up. The infection is most likely spreading to more and more files as you run other applications, as you download new files, or as soon as you simply access a folder containing any of the types of files that can carry the infection.

    The logs also show that you are using an illegal copy of Windows which is not helping matters since you cannot properly get all updates or download all security patches from Microsoft. In addition, you need to read our policy on this: Warning about Keygens, Cracks, and other Illegal Software
     
  5. iamtensai

    iamtensai Private E-2

    Thanks for the reply, this system was purchased from another owner, now I have more than enough reasons to go ahead and reload it with my own copy of XP.

    I read somewhere that other users saw Virut coming back even after they formatted and reinstalled windows. How could I format it where this can be avoided?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In most cases the problem is not due to the infection surviving the format. It is more frequently due to users not heeding the warning we are giving you. If you have made any backups and reinstall anything from these backups, you could just be reinstalling the infection. No executable type files can be trusted. Anything you have downloaded could be infected. EXE, ZIP, RAR, DLL, COM, PDF, HTML, MP3, AVI, ASP......and many more file extensions can carry this infection. If just one single infected file remains anywhere, it could spawn the infection again once it is accessed/run.

    You need to delete all partitions ON ALL HARD DISKS and format them, and then reinstall Windows from clean, original, uninfected media. And then you need to download and install all new protection software. You cannot use any copies of backups you have made, since they could be infected. You also need to format all removable devices like flash drives or external hard disks, since they also could be carrying the infection. Also, if this PC is used on a network with other computers, all other computers in the network need to be checked for this infection.
     
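The advice in the last two replies is that nothing executable may come back from a backup, and that an executable can hide behind any extension. The following script is an added example, not code from this thread or from MajorGeeks, of how a defender can inventory a backup tree by file *content* before restoring it: it flags files whose bytes carry a DOS/PE executable header (the Windows executable format, identified by the MZ stub and the PE signature at the offset stored at 0x3C) or a ZIP container, regardless of extension, and files whose extension is on the list the reply names. The sample backup tree, the RISKY_EXTENSIONS set, and the hypothetical function names (classify_bytes, audit_backup, demo) are all constructed for the example. Passing this check does not prove a file clean; it only tells you which files must not be restored without being rebuilt from clean media.

```python
"""Inventory a backup tree for executable content before restoring it.

Added example (not from the thread): flags files whose contents look like a
Windows executable (PE) or an archive, whatever their extension, plus files
whose extension the thread lists as able to carry the infection.
"""
import os
import tempfile

# Extensions the reply names as able to carry the infection (constructed
# from the post's list; .htm added as the usual short form of .html).
RISKY_EXTENSIONS = {".exe", ".zip", ".rar", ".dll", ".com", ".pdf",
                    ".html", ".htm", ".mp3", ".avi", ".asp"}


def classify_bytes(data: bytes) -> str:
    """Classify a file by its leading bytes, not its name.

    'pe'    DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'
    'mz'    'MZ' stub without a PE signature (plain DOS executable)
    'zip'   ZIP local-file header 'PK\\x03\\x04'
    'other' anything else
    """
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "other"


def audit_backup(root: str) -> list:
    """Walk root and return sorted (relative path, reason) pairs for every
    file that should not be restored as-is."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                head = fh.read(4096)  # headers live in the first few KB
            kind = classify_bytes(head)
            ext = os.path.splitext(name)[1].lower()
            if kind in ("pe", "mz"):
                findings.append((rel, f"executable content ({kind}) despite extension '{ext or 'none'}'"))
            elif kind == "zip":
                findings.append((rel, "archive; contents cannot be trusted until extracted and checked"))
            elif ext in RISKY_EXTENSIONS:
                findings.append((rel, f"extension {ext} is on the do-not-restore list"))
    return sorted(findings)


def minimal_pe_image() -> bytes:
    """Constructed sample: an MZ header whose e_lfanew points at 'PE\\0\\0'.
    It is not a runnable program, only enough header to exercise the check."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_sample_backup(root: str) -> None:
    """Constructed sample tree standing in for a user's backup."""
    samples = {
        "docs/thesis.txt": b"plain text, safe to restore\n",
        "docs/notes.doc": minimal_pe_image(),          # executable behind a document extension
        "music/song.mp3": b"ID3" + b"\0" * 40,          # listed extension, non-executable content
        "tools/setup.exe": minimal_pe_image(),
        "photos/album.zip": b"PK\x03\x04" + b"\0" * 26,
        "photos/pic.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> list:
    """Build the constructed backup in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_backup(root)
        return audit_backup(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On the constructed tree the audit flags notes.doc (PE content under a .doc name), setup.exe, album.zip and song.mp3, and leaves thesis.txt and pic.jpg alone. The content check matters more than the extension list: a file infector writes into PE images, so the .doc case is exactly the one an extension filter would wave through. Run it against a real backup as a read-only inventory; it opens files only for reading and never executes anything.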
