Solve : Reader_s / virut removal (formatting)?

Hi

So basically I've had the reader_s / Win32 Virut infect my system, and after a week of trying to sort it I have accepted the fact that I'm going to have to give in and format my PC.

I am aware that I can back up some of my FILES (images, videos, songs etc...) but not others (exe, zip, rar etc..).

My PC has two hard drives, one of which is partitioned in two, one being my C drive... and I have another hard drive.

In regards to the virus: if I was to back my files up onto the other hard drive in there, would that be fine? I don't think there are any exe's on there.


And in regards to the formatting: would it delete the partition on the hard drive, or would I have to partition it again?


thanks for any help,
Liam

If you can delete the partition and format the entire drive that would be best. Backing up any file is risky with this new variation of Virut.

Here are a few things to take into consideration.

Note that if you decide to try and clean this you must be extremely careful on what is backed up as these new infections can get into many different file extensions ( DLL, EXE, SCR, HTM, HTML, MP3, AVI, WMV, PDF.....etc). A complete reformat and reinstall is highly SUGGESTED! Avoid backing up compressed files (zip/cab/rar.....etc). Virut can also penetrate compressed files that have .exe or .scr inside them.

If you backup any files they should be scanned from a clean properly protected PC before restoring. Also be careful what scanner is used as some are very poor at detecting and even worse at protecting from this infection. In fact due to the nature of these new infections there are probably no tools that will properly protect you from the infection. Be very selective and only backup files you can not replace!

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

I suggest running at least 3 of the below scanners on the backup files. Run the first scan then reboot before running the second then reboot after the second before running the third.

-) Dr.Web CureIt!
-) AVG Win32/Virut Removal Tool
-) Symantec W32.Virut Removal Tool
-) McAfee Avert Stinger
-) Microsoft Windows Malicious Software Removal Tool

If you do not know how to perform a fresh install, use this website -> http://www.windowsreinstall.com/

I strongly suggest you do the following immediately!

If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers.

From a clean computer change all of your online passwords including for email, banks, financial accounts, PayPal, eBay, online credit card companies and any online forums or groups you belong to etc.

DO NOT change passwords or do any transactions while using the infected computer. The attacker will get the new passwords and transaction information.
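The post above says which file types to drop from a backup outright and which to scan before restoring. The following is an added example (not code from this thread or from any of the tools listed) that sorts a folder of backup candidates into "drop", "scan-priority" and "scan" using exactly the extension lists the post gives, and opens ZIP files to catch the .exe/.scr-inside-an-archive case the post warns about; the sample tree it builds is constructed for the demo, and the category names and the rule that non-ZIP archives count as unsafe are assumptions.

```python
"""Triage backup candidates against the file types the post warns about.
Added example, not code from the thread; extension lists come from the
post and the sample tree below is constructed for the demo."""
import os
import tempfile
import zipfile

DROP = {".exe", ".dll", ".scr"}                  # never carry these over
ARCHIVES = {".zip", ".cab", ".rar"}              # post: avoid backing up
CAREFUL = {".htm", ".html", ".mp3", ".avi", ".wmv", ".pdf"}  # post: infectable

def archive_carries_executable(path):
    """True if a ZIP holds .exe/.scr; cab/rar can't be opened here, so assume yes."""
    if not zipfile.is_zipfile(path):
        return True
    with zipfile.ZipFile(path) as zf:
        return any(n.lower().endswith((".exe", ".scr")) for n in zf.namelist())

def classify(path):
    """Return 'drop', 'scan-priority' or 'scan' for one candidate file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in DROP:
        return "drop"
    if ext in ARCHIVES:
        return "drop" if archive_carries_executable(path) else "scan-priority"
    return "scan-priority" if ext in CAREFUL else "scan"

def triage(root):
    """Map each category to the relative paths (forward slashes) in it."""
    report = {"drop": [], "scan-priority": [], "scan": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            report[classify(full)].append(rel)
    return report

def build_sample():
    """Constructed sample tree (not real data) that exercises every branch."""
    root = tempfile.mkdtemp(prefix="virut_triage_")
    for rel in ("photos/holiday.jpg", "music/song.mp3", "tools/helper.exe", "docs/notes.txt"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"sample bytes")
    with zipfile.ZipFile(os.path.join(root, "docs", "clean.zip"), "w") as zf:
        zf.writestr("readme.txt", "plain text only")
    with zipfile.ZipFile(os.path.join(root, "tools", "setup.zip"), "w") as zf:
        zf.writestr("installer/setup.exe", "constructed, not a real binary")
    return root
```

Everything in "scan" and "scan-priority" is still meant to go through the scanner runs the post describes on a clean machine; the triage only decides what never leaves the infected box.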
Quote from: evilfantasy on April 21, 2009, 04:59:17 PM

If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers.

Jesus... didn't realise it was that serious!


cheers, will look into those programs

Yep. Virut was created to steal.

wow, reader_s is virut.

Wish I knew THAT a MONTH ago...


don't worry liamb123, you're not the only one affected by this bugger.

Anyway, changed the pw on all the sites I frequent.


Oh yeah, btw, I had it too.

discovered through its little HTML modifying habit.

then I noticed, that when I expanded explorer.ex_ from my windows CD, it grew 18KB- but only with the "right" extension.

that was when I knew something was seriously wrong.


it's a nasty, so I'm in the process of reinstalling windows on my system partition as well. I already tried the AVG removal tool, which was fairly useless. After install I'm going to recursively delete all EXE, DLL, OCX, and SCR files from my D: drive.

I haven't used my external in ages; so if the MP3 files on there are smaller than those on my data drive, a replacement will be in order.

unfortunately since I cannot know which of my compilations of programs are infected I have removed ALL the known locations where I have them up for download. This explains the mysterious errors I would get right after compiling that I was attributing to my manual replacement of Visual Basic 6's C2.exe compiler with my own so I can add extra options.

the idea is to conserve the data from the installed programs- then I can likely reinstall them, and they will place fresh executables in the respective folders and use the old data files (such as savegames).

what about RAR and so forth? will it infect files if I haven't opened the zip/rar what have you?

I'm probably going to keep any ZIPS- a lot of them don't contain any executables.

adobe\reader_s is not Virut.

Quote
%System%\reader_s.exe
%UserProfile%\reader_s.exe

Those are Virut. http://www.threatexpert.com/files/reader_s.exe.html

Quote
what about RAR and so forth? will it infect files if I haven't opened the zip/rar what have you?

It can penetrate compressed files as well as find its way into and back out of quarantined files. Nasty bugger!!

Also how the heck does it infect a mp3? isn't that a data file format?

Remember the article titled "Virut is a weird freak amongst malware"... http://www.teamfurry.com/wordpress/2007/02/15/under-the-hood-virut/
I'm not "authorized" or allowed to help you remove spyware/trojans etc. as I'm not a malware removal specialist on the forums, but I've had my own problems with reader_s.exe, and I RECENTLY defeated it.. I could never remove the infection but I found the infection was caused by an mp3 file, Napalm-cruel tranquility-mind melt.mp3 .. I reformatted my PC and the virus was gone,

but I feel I should let you know that reader_s.exe isn't it, that's just one of the many things it installs. In addition to reader_s.exe there was a large number of .dll files in the system32 folder, as well as a large number of .TMP files.. I found it was necessary to use the Windows installation CD and system repair in the install during boot-up to remove the files, and not even safe mode/administrator would remove them,

the only thing I could recommend is deleting your %tmp% folder, not just the files but the folder itself, that seemed to slow it down a lot.. but I think you should reformat it,

I tried AVG/NOD32/BitDefender 8/ and a number of malware removal tools that had no effect.

Without a reformat the problem is impossible to fix. You have to remove all system files and start fresh.

