Reader_s.exe (Reader_s) Trojan Virus Removal

Danger: Reader_s.exe has been identified as a trojan downloader \ trojan backdoor. This file is unsafe.

Type: Virut Trojan Downloader \ Trojan Backdoor
Location: C:\WINDOWS\system32\reader_s.exe
Risk Level: High

Reader_s.exe can download additional forms of malware and can create a backdoor for hackers by opening a port. Reader_s.exe establishes a connection with a server outside the user’s computer. The virus will infect other executable files, making it hard to eliminate.

Manual Removal – Please read the many suggestions below by users on how to manually remove Reader_s.exe. If you have a suggestion, please feel free to express it by commenting below.

Reader_s.exe File Details -
File Type – EXE – Reader_s.exe is an executable file
First Identified – Feb 14 2019
File Size – Varies – Generally small

158 Responses to “Reader_s.exe (Reader_s) Trojan Virus Removal”

Olja February 16th, 2019 at 9:07 pm

Somewhere I had picked up this virus. Immediately it started to multiply in a shape of a virus called “Win32.Heur” detected by AVG hundreds of times. I have two OS – XP and Vista, and I couldn’t enter any of them. When I had formatted partition in order to set up new XP, it had also been infected. Activities I announced were file reader_s in system32 folder, in Documents and settings/User folder and also in startup (HKLM/Software/Microsoft/Windows/CurrentVersion/Run). Before I had tried to install new OS I deleted manually these files, but after it I couldn’t enter any of my OS. I solved the problem when I formatted whole HDD with Maxtor format, but data were lost, and set up new OS again. Horrible.
If somebody knows what was happening with protection, please let me know.
Thank you

Ori February 18th, 2019 at 7:05 pm

I tried to do a regular format, but the bastard came back, whether this is due to some network logging or some really advanced coding I don’t know, but the fact is that this virus survived a format.

Muadib February 19th, 2019 at 4:07 pm

this is indeed a nasty virus/malware.
I had this one on my laptop and it took me almost 2 days to remove it and still it isn’t removed completely. Only Bitdefender Total security 2009 cleared my system for about 95%.

It installs itself in several directories and replaces several system-files, like NDIS.SYS.
I also discovered that it created a rootkit.
I used Bitdefender, ComboFix and SDfix to remove most part of this virus/malware.

There is still a part of this virus left on my laptop, because every time I get connected to the internet I get a message from Bitdefender that it has blocked a virus.
It looks like this virus downloads itself from another location on the internet; connecting to the internet WITHOUT bitdefender immediately installed the virus and I could start all over again.

Jake the ripper February 20th, 2019 at 2:34 am

I am seeing this infection on a grand scale right now. It is one of the worst I have ever tangled with. The Reader_s.exe is nothing I have seen before. I know it’s a small part of the infection, but it creates tons of .tmp files in the system32. These all run as spamming agents for who knows what. Cports will show me that svchost has been compromised but won’t tell me with what. Process Explorer gives me the same response. What we have done thus far is wipe computers clean. If you have any info on how to clean this up please let me know.

Nguyen Minh Tan February 21st, 2019 at 2:30 am

Thank you very much!

dbdm February 21st, 2019 at 3:59 pm

I currently have the reader_s.exe virus on my computer. I spent a day in safe mode deleting every malicious file on my computer – manually – even the registry entries, THEN FORMATTED, and as soon as I connected my computer back to the internet, reader_s was back.

Deleting the files does nothing so the virus must be logging my IP from somewhere else and download itself to my computer every time I connect to the internet.

I get wireless internet from an unsecure connection and this is seemingly making it impossible to stop the virus. I’ve read that SP2 has a critical update dealing with this, but it seems like most people already have SP2 and can still get this, so I don’t know.

If anybody figures out a way to get rid of this please let me know as I work on my computer and it hijacks any search pages I use as well as makes my entire system run like garbage until it won’t even work.

Steven February 21st, 2019 at 10:50 pm

Umm yeah, I cannot get rid of this virus no matter what virus scanner or malware program. I’ve installed Windows XP 10 times and it just keeps coming back, format after format. I’m starting to think it embeds itself in music files or exe or .sys files. I have an external WD 650gb with music and I’m starting to think this virus searches for a place to infect on other resources.

leonard hulsey February 23rd, 2019 at 7:26 am

Yes, I was infected, as well as my wife’s DELL laptop, which seemingly survived a restore from its internal ghost image. I know for a fact that it infected my son’s mp3 player, because as soon as he put it in the USB port and played ONE song off it the laptop was infected right then. So far we’ve had to restore the lappy 3 times and it is still infected. It survives reformat by infecting the BIOS, because now the lappy brings up a thing about BIOS out of date.

Aejaaz Kamal February 25th, 2019 at 12:07 am

Have spent abt 4 days fighting this virus. I have not been able to remove it as it has also survived a format on my computer. I think it came back from me backing up my files on a USB disk and restoring it to the new installation.

Here is my progress so far, and you can do these things too if you are infected:
1) First download process explorer from here:

2) Using it try and locate the active process(es) for this virus and suspend these processes. Remember that it may also use svchost.exe to run itself. You can know if you have suspended all processes correctly by periodically checking Windows\Temp and Windows\System32 directory as this infection leaves .tmp and some other extension files in these directories (turn on “show hidden files” and sort your files by date/time modified in these dirs).

3) If you are reinstalling remember not to use any backed up files/devices as it copies itself to these devices too. Also, it infects various kinds of files while copying them around, especially if it is not properly suspended. However, if some data is really important, you may want to rar and upload it to yahoomail (I am positive that yahoo’s virus scanner is detecting this infection even if the file were inside a rar).

4) Format completely and reinstall and download your data back from yahoomail

I will keep everyone posted if I am able to remove it completely. But for now, suspending the processes created by it, is working fine for me.

If anyone else tries the steps I mentioned, do let us know if it worked for you.

Mikael March 5th, 2019 at 4:08 pm

Wow, I’ve never heard of something this nasty. Any more news on it, maybe some specifically designed removal tool?? I need to get rid of it!! I was gonna try format and reinstall but you’re telling me it doesn’t help :/ Also, it seems that the virus keeps checking that you don’t tinker with it, cus it shuts down my computer if I or any antivirus tries to mess with its processes !! :/

balding1 March 5th, 2019 at 6:38 pm

Been messing around with this 1 for 2 days.
Now even when I try to scan looking for it will shut down pc when it finds it.
SOB it is.

Mikael March 6th, 2019 at 2:37 am

I have looked around a bit more on the net. It seems this virus has just started to spread in feb 2009. All experts seem to agree that this is nasty, and forums suggest users to reformat hard drives, cus trying to get rid of it otherwise is just too complicated. I also found a removal tool called ComboFix.exe, and it did find some of the virus files (reader_s.exe et al), but it failed to remove it. That a virus can survive a format sounds insane to me, but since all else failed, I guess I have to try that tomorrow anyway. What weird exploit is this virus using? I think I got this virus via IE. Man does the security of that browser suck or what.

dhritiman March 7th, 2019 at 11:00 am

I can’t even download the tool. As soon as it downloads, the file gets corrupted. Is there any other way by which I can remove this virus?

EVILness March 8th, 2019 at 4:11 am

This little thing is definitely EVIL! Apparently it messes up both services.exe AND svchost.exe. So I copied the original services/svchost from the Windows XP disk, but nope, it still uses the new ones as well. This actually came WITH a bigger attack on my comp, and after clearing all/most of them…this one still remains!!!

This bugger is definitely using the internet to start up, so maybe it’s actually somewhere there? Cause when I manually connect my internet cable, it magically creates itself and other .tmp files and runs. I don’t get how it is doing that!

The only thing harmful about this that i can see, is it is taking up a lot of process space. it just fills it up with: IEXPLORER.exe and svchost.exe processes, which i guess can just slow down your computer…

Hopefully someone can find a solution to this problem soon! I just hope they don’t use this as a backdoor >.>

Sam March 11th, 2019 at 3:22 am

Removed it using Malwarebytes, but had to do it in safe mode, as AV360 shut it right down when I tried to scan. Even had to do it 2 times in a row to get all of it.

Tom March 12th, 2019 at 7:03 pm

I found the trick to getting rid of it! Delete your partitions and reinstall Windows.
By not deleting the partitions the virus has a place to hide… I only did it once and it worked for me.


Zach March 12th, 2019 at 9:57 pm

I did a format/re-install and had the virus right away on my new install. I fought with it for a day. I finally disconnected all of my drives except my C: drive and my DVD drive, did a format, re-installed and now it is clean. That leads me to see that all of my other drives have the virus on them somewhere. By removing them from the bus, it was not able to pull itself back into Windows. Until I know of a way to clean my other four hard drives, they will remain unconnected.

The best thing I can recommend to everybody, is don’t use any file that was on the hard disk at any point after initial infection. Download all new files for drivers, installers and anything else that you can easily replace. Otherwise, just don’t touch / use the drives that have any of your other files on them.

Good luck with it.

anne01 March 13th, 2019 at 2:48 am

This thing keeps coming back. I did a lot of reformatting, but I can’t get rid of this one! Spent hours finding ways to remove this virus on my PC. I desperately need help.

superworm711 March 15th, 2019 at 2:12 am

I have a new way for you:
First, you must disconnect from the internet,
and delete 2 files: C:\windows\system32\reader_s.exe and C:\Documents and Settings\User\reader_s.exe.
Delete in regedit too (HKLM\software\windows\currentversion\run\reader_s.exe and HKCU\software\microsoft\windows\currentversion\run\reader_s.exe) and remove Internet Explorer.
After that, restart computer and enjoy!

Adam March 15th, 2019 at 6:25 pm

Tried everything. You must format partitions, get rid of everything: full reformat and fresh install of Windows. I only formatted one of my drives twice and it came back both times after a day or two. Although there was nothing on the other drive infected, for some reason I had to reformat it in order to get rid of this nasty virus.

helt.... angry helt March 16th, 2019 at 2:53 am

I’m really mad. ( >:( ) I got this thing and it won’t leave me alone. I have AVG and it seems to set it off every few minutes. Does anyone know how to get rid of it “totally”???

help would be GREATLY appreciated. email me at [email protected] to help. ty

Pete March 16th, 2019 at 6:45 am


Yesterday I got infected. I tried to fix it in safe mode; it didn’t work for me. I formatted my HD using the Windows CD, installed Windows and the virus came back. It came back when I restored some files from the other HD and connected the inet. At this point I didn’t know that the virus infects .exe and .rar, so I decided to do everything from the beginning (yeah, once again). I read that the low level format works, but I’m some kind of ignorant when it comes to low level format, so this time I used an Ubuntu live CD to format the HD. I did an ext2 partition, I was not sure, so I reformatted and I ended up with a swap partition (hahahaha O.o?). It looks like I got rid of the virus ’cause my XP is doing fine at this time. I’m not sure about what files are infected, so I deleted .exe .rar .ini .dll .db and only kept .jpg .mp3 .docx .pdf; this means that I lost all my data …
I hope this helps u guys

_stroker March 16th, 2019 at 10:13 am

I had this virus for 8 hours before I was able to get rid of it. I believe the quickest and easiest way to get rid of this virus is to perform a low level format. Download a utility called “killdisk”. Make a killdisk boot cd or floppy and follow the instructions. Allow killdisk to erase your hard drive by writing all 1’s to the disk. Select the whole drive in question, not just a partition on it. This may take several hours to complete depending on the size of the drive. My 200 GB drive took about 4 hrs to complete. Re-install windows normally after this. Even after all this it is possible to get re-infected because the virus will attach itself to some executable files you may have had stored on your hard drive. If you decide to back up those files make sure they are not infected before re-installing them. This is not an issue if you are installing new drivers and software from a cd but if the executables were on the infected drive and you backed them up before you formatted it you need to make sure that they did not get infected.

pinyusz March 16th, 2019 at 7:09 pm

I tried these and had no result:
Nod32, AVG, VIPRE, AVAS, Avira

It is necessary to prevent the return of the virus!

After formatting your hard drive, use Kaspersky Internet Security 2018 Final.
The virus will not be able to return.

Best Wishes!

_stroker March 16th, 2019 at 9:44 pm

Viruses do not just come back on their own. They do not have brains or the ability to make that decision. If it’s coming back it’s because you either did not get rid of it or you are re-installing it yourself. The virus resides in the MFT table of the hard drive. This is not erased by a standard format. A low level format will make the hard drive like it came from the factory, therefore no more virus. If it comes back after you re-install Windows it’s because you are running an executable file that contains the virus, which means you are putting it back yourself. Check everything. Even things like display driver, audio driver, LAN and any other driver. You should download all new drivers after you install Windows. The virus does not reside in the memory, but if you need to clear your memory just unplug the PC for a few minutes.

uros_belgrade March 17th, 2019 at 12:03 am

Alright, we all agree that this virus is a very, very bad one… you must format every NTFS partition. After first format, the virus came back from second NTFS partition through the driver executables … so I went into SUSE, destroy two NTFS partitions, cry a little and then install a fresh copy of XP. Now, everything is alright.

Jake March 17th, 2019 at 1:27 pm

Try this. This actually worked good for me. I know that it’s pretty hard to get rid of reader_s.exe and this is just a make-shift solution. First, go activate DEP (choose “Turn on DEP for all programs and services except those that I select”). Now, click on “add” and select the reader_s.exe file (it doesn’t matter where the reader_s.exe file you choose is from). Once added, don’t bother with the checkbox (make sure it’s an empty checkbox). Click on “OK” and delete all the reader_s.exe and .TMP files you can locate. VOILA!

Tony Montana March 18th, 2019 at 4:08 am

superworm is right, follow his advice posted on March 15th. It worked for me to kill the reader_s.exe, and if you still have problems opening .exe files you probably have the win32/virut virus on your disk, but try this: www * symantec * com/business/security_response/writeup.jsp?docid=2009-022016-4444-99
Download the file, follow the instructions and that’s all; you don’t need to do any format or low level format.

Brian March 18th, 2019 at 3:11 pm

Quote: “Delete in regedit too (HKLM\software\windows\currentversion\run\reader_s.exe and HKCU\software\microsoft\windows\currentversion\run\reader_s.exe) and remove Internet Explorer.
After that, restart computer and enjoy!”

I have a similar problem and have tried the above but don’t understand the “remove Internet Explorer” part. Can anyone explain?


jim March 18th, 2019 at 11:31 pm

I’ve tried superworm711’s instructions, all while disconnected from internet. I rebooted, still disconnected, and reader_s processes and *.tmp processes did not start up and response time was much better.

Unfortunately, the instant I connected the lan cable to the computer, reader_s processes and associated processes sprouted before my eyes in the task manager window. Could be it has infected files associated with TCP/IP protocol? Dunno, but superworm’s instructions teased me with partial success, but ultimately failed ;-(.

Brian March 19th, 2019 at 11:32 am

Mine is exactly the same Jim.

Now in the process of extracting what I can and prepping for a rebuild. The worst thing about all this is that I really have no idea where it came from ;(

jim March 19th, 2019 at 11:52 pm

A followup, somehow, I finally did get reader_s.exe process from showing up when I boot. Unfortunately, I’m not sure how I did it ;-) . But, I’m not sure reader_s was the root of my problem in the first place. I was able to use AVG’s rescuecd to create a bootable CD that runs AVG from dos. It detected a ton of files infected with W32.Virut, including a lot of executables in the windows system directory and also a number of antivirus executables (like StopZilla) that were infected.

Since Virut is known for opening a port and allowing other viruses to be downloaded to your computer, It’s possible Virut was leading to reader_s. I do have a router with a firewall, though, so I’m not sure that’s the case.

I still have a ton of unwanted processes, and they crop up on me when I connect to internet, so even though I don’t see the reader_s executable anymore I’m still unclean. Probably just going to have to isolate that box, bleed data (non exe) files I need off it gradually, and reformat it low level later on down the line. It was time for me to buy another box anyway – the infected one is about six or seven years old now. New one will be linux or mac OS10 – no more windows boxes for me.

Brian March 20th, 2019 at 12:20 am

Thanks for the info Jim. Is that rescue cd from AVG a freebie?

I want to do the same as you and rescue what data I can, then LL format and start from scratch.

The OSX route looks more attractive by the day…

Brian March 20th, 2019 at 1:06 am

Either way, I have found an Avira Rescue Cd image and done pretty much the same as you Jim. My PC is infected badly with the Virut signatures on exe and other files. Seems like the process will take a while but I’ll post my findings and hopefully results at the end.

Brian March 20th, 2019 at 4:03 pm

Avira rescue shows many infections but is unable to fix anything – not really what I understand by “rescue”. Any details on the AVG fix would be welcome

fotia March 20th, 2019 at 11:30 pm

I have the same problem also. I found this remover from AVG.

www * avg * com/virus-removal.ndi-67762

Pavel Kupka March 21st, 2019 at 6:29 pm

I also have the same problem with this virus.
I recommend using cureit.
It really cleaned up my PC!!!
Then I had to reinstall windows xp (recovery install)

jim March 22nd, 2019 at 3:15 am

Hi Brian,

Yup the rescuecd from Avira was unable to repair the Virut infected files for me as well. I do feel slightly better knowing what files are infected, though. I tried several Virut removal tools, all without success, and several of them got me stuck in a boot loop and required some effort to recover from the damage done by removal tools.

I think LL format is the only way to go. I’m siphoning off files, and keeping an eye on Mac prices ;-) .

Pradeep March 24th, 2019 at 11:29 am

Hi all,

I finally was able to remove the reader_s.exe trojan from my notebook without formatting the partitions, using Avast antivirus.

Followed the steps below.

1) Install avast antivirus 4.8 version; update the virus definitions.

2) Enable boot time scan once you install the antivirus.

3) Restart your system and avast will remove reader_s.exe; delete all the other trojans which are infected…

This has fixed the problem for me; it really works….

All the best…..

uros March 26th, 2019 at 11:27 am

Hi all,

Yes, Avast can solve the problem with Win XP. To be sure, I did it this way:

1. Disable “system restore”
2. Download Avast and AVG, install and update definitions
3. Enter in safe mode
4. Run both AV – full scan (include removable storage!)
5. Enter registry and clean reader_s.exe entry if there is still any (I had two of them)
6. Turn on Win firewall and configure to use only IE and MSNGlike (avoid torrent and other P2P sw)
7. Later you can enable other software and system restore, but in steps to see what is using this nasty trojan

I hope it will work for you.

KK March 26th, 2019 at 4:35 pm

Virut calls out on port 65520 so block it before you connect to the internet.
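Before blocking the port, it helps to see whether anything on the machine is already calling out on it and which process owns the connection. The following is an added example, not part of the comment above or of this site's material: it parses saved `netstat -ano` output and lists connections whose remote port is 65520, grouped by PID. The sample output is constructed, the addresses are documentation-range placeholders, and the function names are hypothetical.

```python
from collections import Counter

CALLOUT_PORT = 65520  # port named in the comment above

# Constructed sample in the layout of Windows `netstat -ano`; not real capture data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    192.168.1.10:1042      203.0.113.5:65520      ESTABLISHED     1180
  TCP    192.168.1.10:1043      198.51.100.7:80        ESTABLISHED     2312
  TCP    192.168.1.10:1044      203.0.113.9:65520      SYN_SENT        1180
  TCP    192.168.1.10:65520     198.51.100.7:443       ESTABLISHED     2312
  UDP    0.0.0.0:445            *:*                                    4
"""


def remote_port(addr):
    """Return the numeric port of an address such as 1.2.3.4:80 or [::1]:80."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None  # "*:*" has no port


def parse_netstat(text):
    """Turn netstat text into a list of connection dicts, skipping headers."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[:3]
        rest = fields[3:]
        # TCP rows carry a State column before the PID; UDP rows do not.
        state = rest.pop(0) if proto == "TCP" and rest else ""
        # The PID column is absent when netstat was run without -o.
        pid = int(rest[0]) if rest and rest[0].isdigit() else None
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": pid})
    return rows


def callouts(text, port=CALLOUT_PORT):
    """Connections whose REMOTE port matches; a matching local port is ignored."""
    return [r for r in parse_netstat(text) if remote_port(r["remote"]) == port]


def callout_pids(text, port=CALLOUT_PORT):
    """Map each owning PID to its number of matching outbound connections."""
    return dict(Counter(r["pid"] for r in callouts(text, port)))


if __name__ == "__main__":
    for row in callouts(SAMPLE_NETSTAT):
        print(row["pid"], row["state"], row["remote"])
    print("PIDs to inspect:", callout_pids(SAMPLE_NETSTAT))
```

The PIDs it reports can then be looked up in Process Explorer, which other commenters in this thread already use.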

John Nielsen March 29th, 2019 at 9:59 pm

I have done a few searches on Mcafee . com for this threat and can not find any. Are they not aware of it or am I searching wrong?

Fenderwim March 30th, 2019 at 9:46 pm

I found a solution.

I first removed the worm with Hitman Pro.
Then disconnected from the internet and you will see that the worm does not show up again.
Then reset your browser to the original state.

I have Firefox Mozilla and there it works as follows – Start/Run and type in Firefox -safe-mode and then OK.
A menu pops up and I check all options.

Now the worm does not come back anymore.


pattaya G March 31st, 2019 at 2:08 am

My computer is infected with this spyware. I try to remove it but it will not remove. Can anybody tell me what program can delete it? Thanks

quirkly March 31st, 2019 at 3:50 pm

I too have malware that survives OS reinstall, low level formats by professionals. AV disabled. Registry indicates virtumonde/vundo virut? Sophos has quit supporting my problem, refers me to reseller to whom I paid over $1K for cleaning computers unsuccessfully. Started last year before recent insights into rootkits/boot sector malware. Low level formats (reportedly done by pro) did not remove this.

The Lawmaker March 31st, 2019 at 7:01 pm

I’ve recently got this virus on my laptop like 5 days ago. Since then I have been trying different procedures, like malwarebytes, combofix and formatting. But nothing worked. Now it seems to be loading my hard drive with unknown data; every second I lose capacity. Yesterday I had like 40gb of space, now I am left with 3gb. I don’t want to know what is going to happen to this laptop when it gets full. I could use some drastic help as well as others. Wow, even typing this message is taking a long time, my laptop is as good as dead now!

Fenderwim April 1st, 2019 at 2:59 pm

I have some additional info. After my PC stayed clean for one day, I did run Hitman Pro again and it found the rootkit which is part of this problem.

I removed it and now the computer stays clean.


MiCompTech April 2nd, 2019 at 2:16 pm

This is a nasty little bugger. There are many ways to remove it but the easiest is a format and reinstall. This virus will infect any and all .exes, .htm, .html, and many Windows system files. It is safe to back up pictures and music but that’s about it. It will even infect .exes that are in a compressed folder.

vic - HERE'S MY SOLUTION April 4th, 2019 at 4:47 pm

I had the same virus 2 days ago and I came here searching for answers. I did what superworm711 said above, then formatted my PC on (03/04/2009) and restored backups from the same external drive where I’d backed up files and ‘what not’ while I had the virus. As soon as I went online, the virus came back. Now I’ve fixed it and as u can see, I don’t have it anymore.

Here’s My Solution:
- Disconnect from the net
- Boot into safe mode
- Used ‘search companion’ to search for ‘reader_s.exe’
- Right clicked on the first find, clicked ‘open containing folder’, which in my case was ‘system 32 folder’.
- In the ‘view option’, I arranged folder by ‘modified’ date. There I deleted everything that was under 03/04/09. Including all stuff like ‘a.tmp’ etc.
- Ran ‘regedit’ and searched for and deleted everything ‘reader_s.exe’.
- Went back to the search companion and right clicked on the other ‘reader_s.exe’ find, which was inside ‘documents & setting’. Deleted it.

Ran ‘Hijack this’ and ‘clicked & fixed’ everything relating to the virus. Usually on numbers 04 and 23. (though this got rid of the virus but files on the system had been corrupted)

Then inserted my Windows CD and did a clean install. Installed my antivirus and went straight online to let ‘windows update’ and ‘uniblue drivers scanner’ look for new drivers for me.

The trick is, if your data or driver backup was on an external drive which had been connected to your system while you had the virus, do not reconnect it as that external drive is more than likely infected.

And if you have to nick something from it other than driver backups & software, disable ‘auto run’ first, otherwise the virus will creep back into your system.

Sorry for the long write but i hope this helps.

John Nielsen April 5th, 2019 at 4:54 pm

It seems to be able to infect BIOS. I boot , hit F2 to go to bios setup. Turn off all boot devices except CD. Exit and save. Boot with WinXP setup cd in drive. Following a moment of checking system configuration a message appears:
Line 1 of the INF file \i386\setup.sif is invalid. Setup cannot continue.

Then when you hit any key, the system boots from the hard drive!!

Now what???

_stroker April 7th, 2019 at 4:10 am

I don’t think it’s your bios. You said it yourself that you are able to get into the bios and change the boot sequence. The problem occurs after you exit the bios and try to boot from the cd. The bios is doing exactly what you told it to do and that is to boot from the cd. It seems your drive can’t read your windows cd properly. Try another windows cd if you have one. Since you are also able to boot into windows you can always make another copy. Resetting the bios to factory default is quite easy but I wouldn’t touch it right now.

VirutKiller April 9th, 2019 at 5:38 am

Hi everyone..i had this virus on my computer a few hours ago..after fighting against it for like a week or so i finally get rid of it :D this is what i did:

Starting with the steps that vic said:
-Disconnect from the net
-Boot into safe Mode
-Used ‘search companion’ to search for ‘reader_s.exe’
- right clicked on the first find, clicked ‘open containing folder’, which in my case was ‘system 32 folder’.
- In the ‘view option’, i arranged folder by ‘modified’ date. There i deleted everything that was under 03/04/09. Including all stuff like ‘a.tmp’ etc.
-Ran ‘regedit’ and searched for and deleted everything ‘reader_s.exe’.
-Went back to the search companion and right clicked on the other ‘reader_s.exe’ find, which was inside ‘documents & setting’. Deleted it.

Ran ‘Hijack this’ and ‘clicked & fixed’ everything relating to the virus. Usually on numbers 04 and 23. (though this got rid of the virus but files on the system had been corrupted)

I did this and the virus was still on the computer so i decided to do this too after:

-Run the computer in normal mode and download the virus removal from avg:
and scan your computer
-reboot your computer and download this application: Dr.Web CureIt! from here:
-Scan your whole PC in normal mode (be sure to include the drives that were connected since you got the virus)
-Reboot your computer in safe mode once again and rescan your whole PC again including all the drives that were connected since you got the virus.
-Once the virus is removed I formatted the drive where Windows was installed and reinstalled Windows… dunno if that’s necessary but I’m telling you what I did.

That’s all, I don’t have the virus… a lot of steps tho…

That’s my experience… hope this works for you too… let me know if it works for you.

Fran April 9th, 2019 at 9:59 pm

The nasty thing actually deleted my windows service packs 2 and 3 leaving me vulnerable with sp1 and disabled all my windows updating. I have done a regular format but not yet back online. I fear it will not have cleared the virus like many of you have said! :( had it going on 4 days now

Max B (LA) April 10th, 2019 at 8:06 am

I run Task Manager constantly while I’m online reading these forums just to shut down Internet Explorer when it pops up (I use Mozilla so I know it’s reader_s).

I ran a couple of virus removal programs. Whenever it found the source it rebooted automatically. I scanned windows32 personally. I went into Prefetch etc.

One thing helped a little and that was deleting the source for Internet explorer and all of its code and using only Mozilla. I believe reader_s needs Internet explorer to go online. I don’t know what else. A dozen removal programs have been beaten by this virus. It is truly amazing programming.

The guy who wrote this is definitely living in his mother’s basement.

Visio April 13th, 2019 at 6:31 am

Well, I’m not a PC geek. I just opened registry editor in safe mode and searched for reader_s.exe, then I found 03 results. I didn’t delete anything but changed the names and extensions to arbitrary names, then right clicked on each and changed the binary values arbitrarily. Then restarted PC and so far didn’t get it back!

Joe April 13th, 2019 at 4:42 pm

A format and a new install takes care of this virus. Just make sure that you don’t connect any external or additional hard drives that were connected while the virus spread. Clean them out before reconnecting them.

Faul April 15th, 2019 at 1:22 am

This one is by far the nastiest virus I have ever seen…

It seems coded so that it infects a lot of files in your computer resulting sooner or later in a useless system unable to propagate it.

Some versions also infect html files in the machine to spread the infection.

It does a lot of bad things, if you do a netstat you’ll see a lot of connections to several hosts. It installs an IRCbot which will be used to download other malwares to the infected system.

The complete removal of it will almost certainly incur in data loss, unstable system or even useless system.

You should really not waste more time trying to remove it from your system. Do yourself a favor and completely reformat and reinstall your system. Don’t try to open any executables or html files you’ve backed up. They will probably reinfect your machine.

If you really want to try to remove it from your system:
first disable system restore.
Boot from a clean media (you can try ERD in an USB Stick prepared in a clean system with grisoft rmvirut.exe and run it
try to boot your system, check it with Dr Web Cureit.
rmvirut may not be able to remove your version

another approach is to plug your hard disk in a clean system and running dr web cureit on it to disinfect your system.

Anyways you’ll probably need to do a repair install of your system if it isn’t able to boot or run sfc if your system manages to boot.
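The locations commenters in this thread report (reader_s.exe under system32 and Documents and Settings, freshly modified .tmp files in system32 and Windows\Temp) can be listed on a disk attached to a clean system or mounted from a live CD, without running anything from it. The following is an added example, not part of the comment above or of this site's material; the function names and the sample tree are constructed. It only locates the named artifacts and does not detect infected executables, which still need a scanner.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

NAMED_FILE = "reader_s.exe"                      # file name given on this page
TMP_DIRS = {"windows/system32", "windows/temp"}  # folders where commenters saw new .tmp files


def triage(root, since):
    """Return sorted (kind, relative_path) findings under an offline-mounted volume."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Windows paths are case-insensitive, so compare in lower case.
        in_tmp_dir = rel_dir.as_posix().lower() in TMP_DIRS
        for name in files:
            rel = (rel_dir / name).as_posix()
            if name.lower() == NAMED_FILE:
                findings.append(("named-file", rel))
            elif in_tmp_dir and name.lower().endswith(".tmp"):
                try:
                    mtime = datetime.fromtimestamp((root / rel).stat().st_mtime)
                except OSError:
                    continue  # unreadable entry on a damaged volume; skip it
                if mtime >= since:
                    findings.append(("recent-tmp", rel))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed directory tree shaped like the thread's descriptions."""
    infected = datetime(2009, 3, 5).timestamp()
    older = datetime(2008, 1, 1).timestamp()
    layout = {
        "WINDOWS/system32/reader_s.exe": infected,
        "WINDOWS/system32/a.tmp": infected,
        "WINDOWS/system32/old.tmp": older,                   # before the cutoff
        "WINDOWS/Temp/b.tmp": infected,
        "Documents and Settings/User/reader_s.exe": infected,
        "Documents and Settings/User/notes.tmp": infected,   # not a watched folder
    }
    for rel, mtime in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample, not malware")
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    # Demo on the constructed tree; pass the mount point of the real disk instead.
    with tempfile.TemporaryDirectory() as sample:
        build_sample_tree(sample)
        for kind, rel in triage(sample, since=datetime(2009, 3, 4)):
            print(f"{kind:11} {rel}")
```

Set `since` to the date the infection was first noticed; files listed as `recent-tmp` are candidates for review, not confirmed malware.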

Steven April 15th, 2019 at 10:22 am

Apparently I can’t run any anti-virus programs … I have tried everything. Sigh
its still here

j April 16th, 2019 at 5:36 am

I just got this virus today. I tried to use a usb key in an attempt to back up some files when I found out I got infected, but my pc wouldn’t even be able to read the usb key. After reading all these posts, I decided I am going to reformat my pc. But my question is: would my usb key be infected as well, since I had it connected to the pc after it got the virus? Any help appreciated, thanks!

weaponsuser April 17th, 2019 at 2:50 am

wow, this thing turns off my firewall, does not let me use my system restore, and removes my folder options, it’s nasty.

Paril April 18th, 2019 at 4:55 am

I’ve got some new information about the virus I just picked up while infected with it myself.

Here’s a piece of fun info: Virut infects AVG’s cleanup tool when you run it, it will be picked up by AVG after it :p

Some variants, like the one I have, will do a few things too:

1) Change several policies that make it very difficult, if not impossible, to change specific settings:
a) Disabling Folder Options
b) Allowing hidden files
c) Removing extensions for known types
2) Creates a hidden log file in root with information on files downloaded to your computer and where they are gotten from!
If you can access this log, you will see several lists of links such as (made up) :// / bababa.exe and a bunch of chinese host redirection services (such as 6688 . org). If you can, submit this list to your favored site or as many anti-virus sites as possible and list this as possible sources for the Virut virus. Hopefully we can get some of these hosts blocked!

Also, I found out with the Group Policy editor in Windows XP Pro, you can actually PREVENT reader_s from opening, by adding a policy to disallow the following program names:

Of course this may just impede the virus from going anywhere, you still have the damn thing.

Currently doing a second run on my hard drive to rid of Virut.

I’ve also noticed that it doesn’t just target ran executables but will also find its way to executables in the same FOLDER as the ran executable (one example is MSN Messenger: it loaded it with MsgPlus (an addon), but it also targeted the uninstallers for the specific software).

Hopefully we can rid ourselves of this (likely) Chinese pest.


W Tomas April 19th, 2019 at 12:27 am


I’ve been battling with this virus for nearly a week – it installed itself from an exe from a program I’d downloaded, and installed something called HeroCodec – I don’t know if that’s relevant. It infected everything – every single .exe file on both my internal and external hard drives, as well as most of the files in Windows\system32 and some of the registry. It also created some .dll files, a bunch of .exes – especially efawig.exe, which tried to take over the entire system resources. If you see this disconnect from the internet. I was able to get into safe mode and delete out as much as I could, and AVG was good at getting as much of it as possible.

It got rid of my folder options and my ability to change them too though and as a result I was unable to see hidden files – watch for that because the virus will infect these too.

I’ve killdisked both hard drives, after saving pictures, music and videos to another external via safe mode, and I hope that’s okay.

But from what I hear and my AVG scan showed, .exe, .srf, .src, .htm, .html, .php, .lnk, and all system files are likely to be got by this. We shall see how it goes after I’ve reinstalled everything and reconnected to the net…

Paril April 19th, 2019 at 10:13 pm

Also, as a counter-note to W TOMAS here, the virus will actually REMOVE specific \windows\*.exe files, such as ‘cmd’ and scandisk. It seemed to happen after I rebooted my system.

Thanks for confirming my Folder Options thing though. On XP Pro, as seen in my notes above, you can use the group policy editor (grpedit.msc I believe) to change these back to normal.


W Tomas April 20th, 2019 at 12:31 am

Killdisk works – it wiped my hard drives, and on reinstall and reconnection to the internet the virus hasn’t come back. It also wasn’t on any of the files I was able to save either, so it looks like if you killdisk, format, and reinstall windows you do eliminate the virus.

The other thing I’d add is don’t copy any .rar or .zip files either, added to the list in my last post. It can get those too…

SHANE April 20th, 2019 at 5:42 am

Wow. This one was a challenge. I spent over 2 days’ worth of fighting, numerous system formats, and just about every single anti-virus and malware scanner out there, to NO success. This “malware” will reconfigure and patch every single important operating system file, making your computer non-responsive, and it will lock you out of even safe mode.


The backdoor connects to the pre-defined IRC server (ircd[dot]zief[dot]pl in the last variants) and joins the “virtu” channel. The author of the virus can give commands to all or to specific bots created by the virus in the channel.

See this link for more info: (

Removal instructions:
1. Disconnect from the internet (pull the plug).
2. Install a firewalled router.
3. Call your ISP and change your IP address. (or wait 48 hours disconnected from net).
4. Backup your must keep files to an external harddrive.
6. Re-install your operating system.
7. Reconfigure all your drivers and settings.

Enjoy your new computer!
If you need assistance doing this contact me [at] www[dot]ocgfx[dot]com

pgrill April 20th, 2019 at 2:35 pm

I had reader_s.exe all over and it was shutting down windows until i increased virtual memory & disconnected network. i ran malwarebytes, S&D, and windows mal. software remover, then went to registry and renamed randomly all instances of reader_s. then searched hard drive for all instances and deleted them. rebooted and it doesn’t show up in processes anymore (before it showed twice using tons of vm). reconnected network and so far so good!

Brian April 21st, 2019 at 5:17 am

Screwed. Can’t backup any files.

Disabled my internet connection. Does not detect any USBs or external storage. Can’t repair without wiping my hard drive. Can’t slave the hard drive. I have another laptop, but I don’t think it supports another drive.

Any suggestions as to saving my files?

J April 21st, 2019 at 2:32 pm

burn your files to dvds. That’s what I did, and that took me hours!

ak April 22nd, 2019 at 12:00 am

darn, i got infected about 20 hours ago. havent slept since… trying to remove it. the virus disables my dvd drive from booting my xp cd.

So i cant do a reformat just yet.

ak April 22nd, 2019 at 11:40 am

now i have used avg’s virut removal tool on both my external drive and internal ones but the virus comes back even after formatting and not connecting to the net. -_-

waz April 22nd, 2019 at 5:25 pm

I picked up a trojan in mid-February. First I tried about 15 good programs to get rid of it (Malwarebytes, SuperAntiSpyware, Nod32, Webroot SpySweeper, etc). Then I tried reformatting, then several times used Linux random data and zeros to wipe the drive and re-install Windows Vista; took the battery out of the computer for a day, tried everything I could think of… still there. I even got a totally new computer system and modem and a new DSL account, but every time I connected to the Internet I got it back. This is crazy!

I ordered new recovery disks in the chance that mine were infected, am going to wipe the drive again or possibly load Vista on a brand new drive with the new disks… if that doesn’t work, I’m totally at a loss.

ak April 22nd, 2019 at 8:55 pm

still having problems now…. seems that one of my laptop is cured… but my desktop still carries this virut virus

pgrill April 23rd, 2019 at 3:24 pm

still no sign of virus and no crashes after doing re-naming thing in registry!!

nismo April 24th, 2019 at 8:44 am

i deleted mine from the registry and the virus files wont go away but the virus doesn’t work any more so my comp is saved

Mason Brown April 24th, 2019 at 1:35 pm

I’ve tried the method of deleting all the reader_s.exe’s and that doesn’t work…

Characteristics of my Reader_s.exe
1. Reboots with error messages
2. Mass svchost
4. Internet down
5. explorer.exe won’t load unless in safe mode

I don’t know if these are the same characteristics as you guys but tell me if so, i’ll be on the phone today to reformat my computer.

Mason Brown April 24th, 2019 at 1:53 pm

does anyone know how to find out if your reader_s.exe is virut? or which is associated with your reader_s.exe?

Fuad April 24th, 2019 at 6:04 pm

This little thing deactivated my windows XP and cannot load it up anymore. It’s nasty

Gr3yW0lf April 24th, 2019 at 11:08 pm

Finally, I’ve found a solution how to remove completely this Virut. Check this out:

This tool can disinfect the infected files. The whole scanning procedure is quite long, but with this removal you can rid of that nasty virus. I’ve tried it, worked, problem solved. (Some important files were needed to be deleted, so a Win reinstall became necessary.)

Ltoth April 26th, 2019 at 12:19 pm

The problem solved (I’m happy), I found here:
Download these files: rmvirut.exe, rmvirut.nt and the description of how to use them for different drives.
Take care, examine all your install program setup.exe files, most of them were infected, and that’s why XP reinstall couldn’t help.
I use the Norton Ghost save method; in 2-3 minutes I can get back everything in my system partition “C” (cca. 5-6GB).

ABC April 27th, 2019 at 9:16 am

Did it, looks like it is doing the job

ABC April 27th, 2019 at 5:45 pm

I think you should try Spyware Doctor it looks like the solution

JD April 27th, 2019 at 6:39 pm

I think that spywareDoctor can clean that . I ran it and for now it looks clean

adley April 27th, 2019 at 10:56 pm

Give up… It takes too long to remove it. The file replicates itself everywhere. Just give up and format. Save docs and pics. Removing it is possible. The amount of work is too much. Here is a link for a successful removal.

JD April 28th, 2019 at 5:45 am

The virus is on the memory, reinstall won’t help.
Spyware Doctor did not solve it the virus came back as another name all activating files for the virus are at c:\windows\temp

Erik April 30th, 2019 at 2:20 am

Is it possible to get the files off of an infected computer without this little bugger tagging along?

sandeep May 1st, 2019 at 5:04 pm

the virus is in the system memory,how do i remove it??

JD May 5th, 2019 at 3:59 am

You need to reinstall windows but before that you need to format the hard drive and then shut down the computer, take out the power cord and the memory and wait 3-5 min for the power to discharge. Then install the memory, plug the power and install windows fresh. I spoke to Norton / Symantec, and Spyware Doctor. They don’t have a full solution for this virus yet, and even if the virus is cleaned when you reboot it will come back from any RAR or EXE or SCR file on your old data.

May May 10th, 2019 at 11:51 pm

my comp got reader s and it advanced to the point where it wouldnt let me reformat my drive! couldnt do it in OS or in dos XD. oya it also broke my network adapter and wouldnt let me connect to the internet OMG!XDD

May May 10th, 2019 at 11:53 pm

lol so ya wat i did was buy a new HD and dats the end of dats

TheFrog May 12th, 2019 at 3:10 pm

Hi all,
Thanks for the suggestions you all gave here. :) O.K. this virus is insanely smart and also a pain. This is the Conficker virus also known as Win32:Vitro. If you ctrl + Alt + del and see reader_s.exe in the task manager… you are infected. If you see reader_sl.exe that is adobe reader and it’s cool. First educate yourself on this virus here
All of you gave different suggestions which bits & pieces were correct. Scroll down to bottom of page for free removal tools
Deleting a couple reg keys and a couple reader_s.exe files won’t fix it sorry to say. It is stealthy and hides within other EXE files and creates a rootkit. NOTHING except a complete format (INCLUDING PARTITIONS) will get rid of this. So don’t mess around trying to rid it. Oh, and don’t be a bonehead like myself and space out formatting Zip drives, Thumb drives, Floppies, Back-up Drives, DVDs etc. that were created at the time of infection. It comes right back and you need to start at square one again.
Good Luck Everyone, TheFrog :)

navr May 18th, 2019 at 4:31 am

If we leave comp turned off for let’s say 6 months (until the science of virus malware fighting makes a giant step forward in fighting this virus), can we hope this strategy will pay off at the end? I mean polymorphic viruses were in the past, and they spread, that’s what the viruses do, so I think what is needed is just to see the algorithm of this virus, from many infections around the globe. When all info is gathered only then I believe it would be possible to produce a tool to remove it? Otherwise, this would mean the end of anti-virus and anti-malware business as a whole, globally. This profession would be destroyed, wouldn’t it?

Therefore, should we wait 6-12 months until efficient removal tools are produced for this virus?

E.cuni May 20th, 2019 at 7:29 pm

This little thing is driving me mad!
things I know so far:
It has connection with
it keeps downloading exes from there. Isn’t it funny: It says it’s a company that sells an antivirus!!
main files infected: all the files in the Windows/TEMP folder. it doesn’t originate from there though..
restore.sys msncache.dll, winlogon.exe, winlogn.exe, service.exe, in Windows/system32.
I think it starts from winlogon.exe at startup time.

Sinzofthesic May 28th, 2019 at 3:01 am

I think I have killed it

I used this program called malwarebytes and turned on Windows firewall and it looks like my connections are good now, my processes are not high anymore.

try it out

zyborg June 5th, 2019 at 12:10 am

after reading all your exploits, i took out the hard drive and slaved it into another comp known to be virus free. went to disk manager and erased all logical drives and partitions, and started a clean install. it spread in my LAN.

Ajay June 8th, 2019 at 4:13 am

Thanks For That Tool. It Really Worked

Sonu June 10th, 2019 at 9:01 pm

Well I Also got hit by This Virus today…yup it’s a NAsty Shit.. but i Managed to get it out Just in 1 hour or So….

The Software u have been Missing Is UNHACKME ( D dad Of All Apps)& MalwareBytes by EMCO , just Google It..

well i can post whole Procedure…But To Know more mail me @ [email protected]

i am free of it..forThose who tried Well after Removing it came Again once ,well it comes back when u connect to the NET , it installs itself…So a TIp Would be After Removing CLEAN Al OF Ur TEMP Folders using a Good Cleaning App..

Davet June 30th, 2019 at 11:27 pm

Tried many solutions but none worked. The one recommended here manually asked if I wanted to remove virus from over 400 files. After running the suggested solution above the computer would not reboot.

This is a very well written virus and is impossible to destroy or remove from a machine.

Virus is spread via executing an executable on network drive or plugging in a thumb drive into an infected machine and then plugging same thumb drive into non-infected machine. It even runs in safe mode without networking. It looks like if you run in safe mode and remove virus and reboot that virus is gone, but it comes back as soon as you enable networking.

If you try to delete virus the virus monitors this and moves location of executable to another directory. Virus has at least 2 parts. One that runs as part of svchost, and reader_s.exe. It seems there is another part that somehow runs when you plug in network cable even though your hard drive appears clean to virus scanners.

It appears as if microsoft has fixed the second infection route in latest updates for windows xp

vista and windows 7 do not seem to get virus because virus writes to protected area which is not allowed in vista and windows7

Only solution is to backup system, format hard drive and reinstall operating system. Do not execute any restored executables until you run a virus scan like (malwarebytes) on all files restored.

Virus creates an autorun.ini which executes an executable. These are hidden, protected os files so they do not show up normally. Plug thumb drive into mac to see if thumb drive, camera, ipod, etc are infected.

This virus downloads other viruses from internet and causes computer to send spam shutting down your outbound mail server.

some of the virus scanners crashed os so os would not boot.

I hope someone comes up with a solution that does not require reformatting hard drive. I had to scan 25 computers and restore os to 4 machines. Total man hours (48)

Hansel July 2nd, 2019 at 8:52 am

win32:virut reside under system32/cmmon32.exe
delete it, together with the instructions mentioned above to delete away reader_s.exe (including registries), under those folders affected by reader_s.exe, create a notepad file naming it reader_s.exe and check it as read-only file to prevent the virus from resurrecting.


Naveen D. July 2nd, 2019 at 8:50 pm

Got infected by the virus yesterday and after cleaning up a number of times manually, it would come alive.

Am using the W32.Virut Removal tool from

Will post results if negative.

Naveen D. July 3rd, 2019 at 12:56 am

no go guys – after scanning the whole system, rebooting and scanning it again – it declared it all clean, but as soon as I plugged it to my cable modem – BOOM ! All these processes started up and reader_s.exe was back in windows and user directory

I guess I give up and am off to a low level format…

sciman July 6th, 2019 at 3:32 pm

idk about anyone else, but i am finding that this is one tough bugger to crack! after running several FULL scans with Malwarebytes, i am still trying to get it to go away for good after 12 straight hours of fighting it, im thinking that if the people who are convicted of making viruses or spamming should get community service, they should be forced to work at Microsoft, making their products even harder to do without! (as if it isnt hard enough already)

sciman July 6th, 2019 at 5:51 pm

finally, ran 2 consecutive scans with malwarebytes in safe mode (no networking, no cmd prompt) with a reboot in-between, then ran a third just to be sure, and i also switched which physical port i was using on my router, now no sign of it

So, my process was:
1. acquire virus
2. “what the heck is going on here”
3. start malwarebytes and do quick scan, remove found items, reboot
4. realise that its still there using task manager (time for the big guns)
5. reboot windows in safe mode
6. run malwarebytes full scan on all drives including every usb drive i own (2)
7. repeat step 5-6 two times more, for a TOTAL of 3 reboots to safe mode and 3 malwarebytes full scans
8. buy 3 pack of Spyware Doctor with anti-virus and install on all the home computers
9. make sure i got rid of it

Cousin_eddy July 8th, 2019 at 3:40 am

this thing sucks.. reformatting ur computer is useless.. it is still there.. how can i remove this thing?

Eric H July 12th, 2019 at 7:01 am

Here’s another unlucky guy with reader_s.exe, Virut and Cryptor as guests on my hard drive Two partitions, 50/50.
No antivirus software has been helpful, (yet)
Have removed both partitions, changed them to 30/70 and reinstalled XP.
So far so good… Will continue today following the tips above.
Next to clean are my two additional drives (500G and 250G), guess both probably are infected!
.. but first I need a working, virusfree C-drive.

Eddie A July 12th, 2019 at 5:46 pm

I just got it. Two laptops down and hopefully this one seems ok. Not even going to try to bother get rid of the thing anymore. Tried for 3 days now. Does anyone have any idea where this came from? Must be the worst virus ever.

EDDIE A July 13th, 2019 at 3:11 am

How can you get rid of this thing if its on a Thumb drive? Soon as you plug it into a computer it infects the computer. Any help appreciated.

retex July 17th, 2019 at 8:38 pm

Let me tell some tips to remove reader_S:

1.Format entire hard disk with Ubuntu
2.Insert windows cd and re-create the partitions
3.install antivirus program
4. install Zone Alarm firewall and block reader_s to connect to internet ( if it appears again )
5. If he appears again go to START>RUN>REGEDIT . There use ctrl+F to search in the registry reader_s and delete it. Then use again and again and again ctrl+F and search in the registry all reader_s files and delete them.You will get a message and you will know that reader_s doesnt exist there anymore :) .

USE THE SAME TIP TO GET RID OF CSRCS.EXE FILE. CSRCS.EXE is a trojan downloader like reader_s. Attention: CSRCS.EXE is not the same thing as CSRSS.EXE, which is a Windows file.
Good luck !

Almog July 24th, 2019 at 10:32 pm

There is a way to remove this Virus. I got to say it was one of the best engineered viruses I have ever met. Tried many methods to remove it (I didn’t use format or Low Level format). I got all my files and the computer working virus free.

You will need a few tools:
Google to find them:

Hiren’s cd 9.9
Avast recovery CD
And your original Windows XP installation (Repair not clean install)
* you can use Nlite to slipstream updates and SP3.

Boot first Avast recovery cd and change in the configuration to delete the infected files. (I couldn’t choose this option. When I chose it I couldn’t click on anything. So if you can’t, just click on try to disinfect and rename). Avast will find this bugger in many files. Every exe file will have .XXX after its name if that is a virus.

After that boot Hiren’s cd and choose Windows XP mini. Search for *.xxx , ms18 and reader_s delete everything it finds. Then open Remote registry editor (In the Autorun menu – Last slider.) And follow the easy steps. now you can see your remote registry, search for ms18 and reader_s and delete every entry with these names, (on run entry delete regedit too.)

It won’t harm if you will run spybot to clean even more your system (In Hiren’s autorun)

Now you have a clean computer that will boot to windows but you won’t be able to enter your desktop; there are a lot of important files that were deleted in Hiren’s Windows XP mini. Insert windows XP cd. Click enter on the first blue screen, in the Eula click F8. Now you will see an option to click R to repair your Windows. Do that. If you can’t see the R option you entered the wrong XP version. After that your system will boot fine (If it logs in and then immediately out, check if you have in your system32 folder a file named userinit.exe. If not, search for it and copy it to system32.)

Now you have a clean system that will work great. (Don’t forget to reinstall all the updates to fix strange error messages)

That’s it. You are clean.

Pambos July 24th, 2019 at 11:00 pm

This is not a virus, this is the devil itself. I got it today from a usb external drive; as I plugged it in the virus got into the pc in seconds from autorun. I use nod32 business edition but it seems that the virus is too strong to get caught. After the 2nd restart the pc does not boot in normal mode on windows xp sp3. Only safe mode works. I tried this:

Clean pc with
nod32 on dos mode
virut avg
delete all keys on registry with reader_s
delete from windows folder reader_s
delete from user profile reader_s
scan with Kaspersky tool _7.0.0.290_24.07.2009_09-18
scan from iso cd with Dr.WEb
and finally with Hitmanpro35

All this did nothing except Hitmanpro35, which cleaned something, and after repairing windows with the windows xp cd it booted in normal mode and looked clean. After putting the internet cable on ethernet, all back. It is a pain in the a**, this one, poooooooo.

I think this is a virus written in many different places which cover each other, and one is in ram. So all that is cleaned, after restart or shut down it writes back from memory. It is hiding in many places and changes many names. It also uses names that you think are windows files like services.exe , hp1200.exe . a.tmp and many more. It is written in windows/prefetch, windows folder, windows system32, windows/drivers, document and settings/username, and I don’t know where else. I found it in all those places and of course in the registry and virtual memory, maybe in cache too.

The only solution that I found is format, delete all partitions and install Vista. Vista is ok for now, it does not get infected by this. People who did not get it yet: disable usb autorun. Be careful what you download and don’t open emails you don’t know. And say a prayer.

Sunshine August 4th, 2019 at 6:31 pm

I only saw one person get it right – this virus is in your memory, people. Scan, reboot, format – who the h*** cares??

Boot into Safe Mode and run your scans. Upon cleaning, shut down the PC. Remove the memory (have to open the case – google it) and boot until it beeps. Leave it out for about 3-5 minutes. Replace memory – reboot into Safe Mode, scan again.

No reformat, no reinstall.

Aranel Surion August 6th, 2019 at 3:37 am

PS: Sorry for my language mistakes.

Curing it was not that hard for me.

1) Scan with NOD32. If it warns you about Win32/Virut.NBP, your pc is infected.
2) If its infected recently, you are really lucky.
3) Immediately kill all unnecessary processes.
4) NOD32 can find and clean some of infected executables but it cant purge it.
5) Download
6) Click rmvirut.exe and reboot, it’ll scan with next start-up. Watch some TV episodes, find yourself a book etc. cause it takes a long time to clean everything.
7) If everything went good, Virus will be removed from all your partitions and it will not “come back”. After boot-up, deep-scan with NOD32 to be sure and use Hijackthis and remove startup HKEYs of reader_s.exe

This method will NOT remove your executables or system files-some antivirus software does- it will heal them. I removed virus that way and so far so good, it didnt return and my system is clean and working.

PS: If this method doesnt work for you or you want to erase your partitions, dont do it with WinXP cd. Use Ubuntu LiveCD instead. Format it to ext3, and format again to NTFS.

Aranel Surion August 6th, 2019 at 3:42 am

Forgot to add my post, and i cant edit it:

* You MUST kill all unnecessary processes. Because when your Windows gets infected, the virus can and will spread to all working applications. So you can’t just kill reader_s.exe. And it’s nearly impossible to remove it when your Windows is up, ’cause antivirus programs can’t reach your system files when they are already in use.

* Even when you clean your system perfectly, you may still have issues with broken applications and executables. Virut breaks them and you can’t fix them easily, just forget it and install again.

Khortoom August 7th, 2019 at 12:11 am

OK. I’m not a security guru, but I did so much investigation on this s*** I think I got to the final solution: A CLEAN REFORMAT OF THE WHOLE MACHINE! BELIEVE ME THERE’S NO OTHER SOLUTION :( This shit is made to last :(
This thing is not about reader_s, otherwise you could make 2 txt files and rename them to reader_s.exe and replace them with the 2 reader_s in both the documents and system32 folders as I did, and voila :) NO MORE READER_S pop-ups on task manager :) but the virus is still alive and kicking, its code is literally injected into as many EXE files as you’ve installed on program files… You gotta understand the term VIRUT (virus+trojan) to know why this thing is a pain in the a**.
Virut has been around for many years now, and if a remedy existed some antivirus company would have solved it already :) This one generating the so called reader_s is a newer generation, it basically has 2 parts hidden in a small executable binary file, in my dumb case: recover_my_files_3.9…_key.exe :( and now I know its 2 components from checking with
1. the “PE infection code”, this is the code which gets incorporated into any installed *.exe file, or screensaver (*.scr) and even *.html, *.htm or *.php webpages stored on the drive
2. The “IRC BOT”, which communicates with the mother server… Then the virus waits for commands from the server, mostly the acceptance of a myriad of other trojan horses (The ones your antivirus warns about on every reboot).

Check the warnings given by your antivirus in chronological order, it’s obvious that Virut is first incorporated into some heavy grounds, some system file (NDIS.sys, winlogon, svchost…), the next warning is about a weird communication with some IP address (https:// put * ghura * pl, https:// dretis * cn /, https:// www * ugintadam * cn ) Interestingly all are IP from CHINA, even the one ending in .pl !
and if you’re lucky enough your antivirus is warning many times about rejecting trojans etc :)
All of the above is done by the IRC BOT, what happens on your machine is another story! It even gets copied onto connected external hard drives, Pen drives, etc … ! I saw with my own two eyes a *.TMP file generated in my pendrive directory:) The only method recommended by experts is to make a DEEP FORMAT AND CLEAN REINSTALL OF THE OPERATING SYSTEM, a mere re-install of windows is not enough coz’ Virus is everywhere else ! Deleting is stupid, how many system files and program executables do you want to delete and have a reasonable machine or a Frankenstein?:)

Khortoom August 7th, 2019 at 12:18 am

LOL forgot to say the virut is so aggressive it even gets incorporated into an EXE file compressed in a RAR or ZIP :) so consider that when backing up.

Khortoom August 7th, 2019 at 12:12 pm

I was right: it’s half an hour now that Eset smart security is CONTINUOUSLY warning about infection of major system files (all in windows and system32)with Win32/Virut.NBP virus, warning messages still popping up.
LOL dunno what’s gonna happen if I reboot now :(
K enough f*** around… Got to reformat and clean reinstall.

Daniel August 8th, 2019 at 11:10 pm

I’ve seen this virus in a customer’s PC. It appears to be removed by rmvirut removal tool by AVG, without formatting, even without reinstalling windows.

khortoom August 11th, 2019 at 11:11 pm

Daniel August!
U sell pc’s or you are some expert?
AVG’s rmvirut didn’t work for me and I doubt it will work for anybody having the “win32/virut.NBP virus”, you know why? because virut’s are around from 2007, and many generations of them exist, rmvirut removes virut.A and some other older generation ones, but not the NBP one.

muggl August 16th, 2019 at 6:34 pm

ahhh good ole virut !! create image of infected drive. restore image to clean drive. slave to noninfected pc and scan to clean files. connect back to pc restart with xp cd < enter recovery console < rewrite mbr. voila no data lost :)

Dervius August 16th, 2019 at 8:41 pm

Honestly, I had the virus till last night and I did finally get rid of this bastard. It took a low-level format to remove it but you have to do this to ALL drives you’ve connected to your computer while infected.

Also, I wrote down all the info in reader_s.exe’s properties.. though not sure if it will help with anything. It talked about a program called PE Explorer and the Hosts file was altered to have some .pl url at the very top..
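Several commenters above describe checking a suspect disk or thumb drive from a clean machine, or from a Mac. As an added example (not part of any comment, and not a removal tool), this Python script walks a mounted volume read-only and lists the name-level indicators mentioned in the thread: reader_s.exe and csrcs.exe, an AutoRun file in the drive root, and extra entries in the Windows hosts file. The sample volume, its file contents and the address in it are constructed for the demonstration.

```python
import os
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "kind path detail")

# Names reported by commenters in this thread, lower-cased. The look-alikes
# reader_sl.exe (Adobe Reader) and csrss.exe (Windows) are deliberately absent.
SUSPECT_NAMES = {"reader_s.exe", "csrcs.exe"}
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}
HOSTS_PATH = "system32/drivers/etc/hosts"
MAX_READ = 64 * 1024  # never read more than this from any one file


def _read_text(path):
    with open(path, "rb") as fh:
        return fh.read(MAX_READ).decode("latin-1")


def autorun_commands(text):
    """Return the command lines an AutoRun file asks Windows to launch."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            commands.append(value.strip())
    return commands


def extra_hosts_entries(text):
    """Return (address, names) for hosts lines mapping anything but localhost."""
    extra = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        names = [n for n in fields[1:] if n.lower() != "localhost"]
        if names:
            extra.append((fields[0], names))
    return extra


def scan_volume(root):
    """Walk a mounted volume without executing anything; list indicators."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            low, rel_low = name.lower(), rel.lower()
            try:
                if low in SUSPECT_NAMES:
                    size = os.path.getsize(full)
                    findings.append(Finding("suspect-name", rel, "%d bytes" % size))
                elif low in AUTORUN_NAMES and dirpath == root:
                    for cmd in autorun_commands(_read_text(full)):
                        findings.append(Finding("autorun", rel, cmd))
                elif rel_low == HOSTS_PATH or rel_low.endswith("/" + HOSTS_PATH):
                    for addr, names in extra_hosts_entries(_read_text(full)):
                        detail = "%s -> %s" % (addr, " ".join(names))
                        findings.append(Finding("hosts", rel, detail))
            except OSError:
                continue  # unreadable file: skip it, keep walking
    return findings


def build_sample_volume(root):
    """Create a constructed sample volume (placeholder bytes, no real binaries)."""
    samples = {
        "WINDOWS/system32/reader_s.exe": b"constructed placeholder",
        "WINDOWS/system32/csrss.exe": b"constructed placeholder",
        "Program Files/Adobe/reader_sl.exe": b"constructed placeholder",
        "autorun.inf": b"[autorun]\r\nopen=recycler\\sample.exe\r\n"
                       b"icon=folder.ico\r\n"
                       b"shell\\explore\\command=recycler\\sample.exe\r\n",
        "WINDOWS/system32/drivers/etc/hosts":
            b"# constructed sample\r\n127.0.0.1 localhost\r\n"
            b"203.0.113.7 update.example.invalid  # added line\r\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as volume:
        build_sample_volume(volume)
        for item in sorted(scan_volume(volume)):
            print("%-13s %-40s %s" % item)
```

These are name-level checks only: commenters report that the virus also infects executables that keep their normal names, so an empty result here does not replace a full scan from a clean system.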

Drew August 22nd, 2018 at 11:38 am

This thing copies itself to USB mediums and attached devices. Make sure you clean those before you do a reformat or it will re-appear.

Mrs Knowitall(not) August 24th, 2018 at 3:42 pm

Having read almost all I can on this clever little chinese bug (may the author rot in hell). The smartest advice by far is – REFORMAT. The issues this bug creates in your essential executable OS files will catch you up one day – so just reinstall.

Incidentally, I remember scanning the compressed file I downloaded containing this bug, with AVG before running it – got a clean bill. But then AVG alerted the minute I ran it – unless this was all coincidence ?

Ronald August 26th, 2018 at 4:40 pm

I was hit by the virus reader_s. It gave me blue screen and disabled my anti virus and zone alarm and caused so much havoc. So I cut off the internet, used the avg, antimalware, virut semantic cleaner and free fixer to clean up the drive. Next I backed up all my files. Then I deleted the partition, reformatted and reinstalled but the virus still came back. I was determined to find out how the virus came back and it took me more than a week to determine the cause. When you are hit by the virus, almost all .exe files in the computer or any media connected are infected by it with win32:vitro which when executed while you are online will initiate the svchost.exe to download the virut causing the reader_s virus to be back again. So what I finally did was to reformat and reinstall first with basic XP. Then I installed Avast anti-virus free home edition. Then I updated the database before installing the sp2 and sp3 or anything else. The reason is that if you have them in the computer, they may get infected too. Your thumbdrive may get infected if it contains .exe files. As for me, it detected all the viruses in my thumbdrive. I deleted all of them. And so far so good nothing came back again. Hope this helps.

kp2600 August 26th, 2018 at 4:52 pm

OK, I think I found a solution to this nasty bug, at least this worked for me. First, locate and delete these files:
C:\windows\system32\reader_s.exe and C:\Documents and Settings\User\reader_s.exe. Next, please delete it in regedit too: simply go to Start and then Run, type in regedit and it will go to Registry Editor. Delete these in regedit: HKCU\software\microsoft\windows\currentversion\run\reader_s.exe and HKLM\software\windows\currentversion\run\reader_s.exe. Third, download this virut virus removal program by AVG designed to specifically remove viruses like this. Here is the link: Once that is finished downloading, attempt to run the program and an error message will pop up saying that the virus is currently running in memory and that the program will remove it upon rebooting of your machine. Reboot immediately and the virus scanner should begin. This may take a while depending on your PC. Let it finish and it should be removed completely. Let me know if this worked for anyone else as I am now virus free thanks to this!!

Khortoom August 27th, 2018 at 7:59 am

Almost all antiviri boast of detecting this virus; the thing is they detect the side effects of it… I also checked the binary executable keygen file with ESET Smart Security before executing it… and got a clean bill… After executing it, ESS immediately started alerting about infection of any running operating system file with a myriad of malwares and viruses, but hey… it’s too late by that time :( These are just the offspring downloaded thru the IRC channel by the IRC bot of the virus, and by cleaning them you just don’t achieve anything, the “mothership” is still there… I rechecked the keygen with and, it turned out some antiviri would have detected the “PE.exe” component, and some others the “IFrame” one (but none detected both), and moreover, the stupid ESS detected none, a big minus for ESET! And a big lesson for me: run any suspicious file SANDBOXED (check “sandboxie”) after checking it with the above mentioned online multi-scanners first, also download and install the free Panda USB vaccine (google it) in the future.

KC August 30th, 2018 at 6:19 pm

Did you run it in safe mode or not?

sybian September 7th, 2018 at 12:54 am

just unique your harddisk, remove all the files, fresh install the system. then check the task.mgr, you’ll see the little bastard’s gone

Tony Slug September 8th, 2018 at 8:03 am

Reader_s.exe is a real bastard. It CONSTANTLY disables the firewall, creates a large number of tmp files, and is present in mem during bootup.

It seems to have the ability to “jump” to non active disk. I got rid of it by creating a new partition and a clean install.

Kobayashi September 8th, 2018 at 12:54 pm

This virus does not come back after a full format! That is the best solution to fully get rid of it. YOU NEED TO FORMAT.

The only way for it to come back is that you re-install an exe.file that has already been compromised. Most people keep set up files on another drive or USB stick. If you re-install these files you will re-install the virus.

By the way AVAST virus checker is the best freebie with Spybot the best spyware checker

Another point, it’s obvious most people are getting this through KEYGEN or patches to cracked software. I caught it off a friend’s USB stick!

Rahul September 8th, 2018 at 5:02 pm

Avast with the latest virus definitions worked for me. Update your Avast and run a boot time scan, that did the trick. Wiped out the bastard. The problem is that the virus spreads real fast, infecting your exe, htm, tmp files. So you have to delete those that have been infected. Avast will do that for you.

Tony Slug September 8th, 2018 at 9:09 pm

Apparently, from what I understand, the reader_s.exe virus is a bulk spam mailer.
It is very tenacious. It also changed the system date in my case.

Saud September 12th, 2018 at 9:02 pm

I got into this when I tried to install a stupid utility from a friend’s flash disk.
It’s a nasty virus but easy to remove, just download “Symantec W32.Virut Removal Tool 1.1.2”
and use up-to-date antivirus software, I use Avira.
I tried to remove it manually but it infects exe and dll, so it cannot be removed manually.
I use internet through my cell connected as modem, it also tries to call an international no. via modem.

Most advanced virus I ever faced.

Harikumar September 14th, 2018 at 8:12 pm

Hey, I seem to have found a way to remove this virus without even having to format your system!!!!
1. Reinstall Windows using the delete folder option while leaving the current file system intact.
2. After installation completes, log into Windows but just don’t touch anything at all. For now your computer’s free from the virus as it is fresh and you have not given it an instance to run.
3. Run Internet Explorer and download an antivirus (I prefer ZoneAlarm) and make sure it’s up to date.
4. Click on Search. Search for files and folders with name *.exe. Make sure to include system files and search hidden folders.
5. Wait for it to list out all the exe files. My ZoneAlarm has an on-access scan and hence all I had to do was scroll through the list of exe files and leave the virus removal to my antivirus!!!

Well, this is all I had to do to remove it. Been running my PC for a day after removing it and it has not popped up yet. So I guess it must have been totally removed. Will post any changes if it happens. :D

mncz September 20th, 2018 at 4:22 pm

The rmvirut.exe definitely did not work. I sat there for some 4 hours waiting for a full scan to complete. All looked fine, then I proceeded to look at my user profile folder and what do I see? reader_s.exe sitting pretty. As well as a bunch of numbered tmp files (that are known part of the virus) in system32. Trying symantec tool now.

Jorge Oliveira September 22nd, 2018 at 5:26 pm

I also noted a malfunction in my PC yesterday, or a day before.

Then I noted a series of iexplorer.exe opened in the Windows XP process listing, when I did not have any navigator window open.

Then I noted the reader_s.exe, as well as another named sys64_nov.exe, and another named dfhaegeh.exe, that I don’t have any information about.

Besides this, the virus creates several files in \Windows\Temp, named *.tmp – the names are letters that change each time I boot the PC.
Also the files reader_s.exe and sys64_nov.exe were found in \Windows\system32, as well as another 3 EXE files I located at C:\ .

In the Windows Registry it was in several keys, and I noted it in the start menu, using MSConfig.

The solution? Format full C:\, I didn’t find any other way to solve the problem.

AVG was unable to solve the thing. Spyware Doctor cleaned only the registry entries and the files located at \system32, but did not locate the EXE in C:\, and some files in C:\Windows\Temp.

It is really a very strange virus.

This is all.

Khortoom September 23rd, 2018 at 8:59 pm

These are the different names antivirus companies use for this virus, in the future I wouldn’t even approach those who didn’t detect the virus :)

Khortoom October 1st, 2018 at 5:47 pm

This is your guy… go find him and put a bullet in his head :) Anybody here from Poland? Go get the mother f*¤¸#-er :) The IRC backdoor channel is downloading malware from this guy’s domain.


Khortoom October 1st, 2018 at 6:28 pm

Everything really points to Poland as origin of this crap. The physical real guys are located in Poland, their hosting is from China, Hong Kong…
The HTMLs’ IFRAME points to PL registered, China hosted. Now what a combination.

The registrar is the same damn Consulting Service these guys use as a legal wall to hide behind… How come there is nobody in PL to put a stop to this kind of “usage” of the domains? As an EU country, maybe they should be more aware of supporting fair business and inhibiting the unfair one.

Rhys October 5th, 2018 at 7:43 am

Ok… A little tip for all of u guys
Install avast! anti virus home edition

This virus also attacks any flash drives, CDs, external hard drives and hard drives. When you reinstall do not backup onto any of these things because when you plug them in to get your backup off them it will automatically transfer back onto your computer!!!!!!

I am excellent at computers and this virus just doesn’t go away
I have had to format 8 times!!!!

Here’s another tip for you
DON’T CONNECT TO A NETWORK WHILE YOU HAVE THE VIRUS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
This virus transfers to all computers on your home network!!!

This is what happens when you are on a network

1. Your PC has virus
2. Virus goes over network onto other computer
3. You get your computer fixed
4. Virus goes from other computer back to yours!

This is why I hate viruses


Robin October 5th, 2018 at 1:10 pm

Have been battling this virus for almost nine months and have decided to buy a Mac. It’s impossible to remove and I don’t have the time or patience any more.

el que podria salvarlos October 13th, 2018 at 2:15 am

Something similar happened to me too. I have that h******** virus on 2 computers connected over a LAN, and both have internet access. The thing is, one of the computers started rebooting roughly every 2 minutes, so I went into the system utilities and reader_s.exe was enabled at startup. My dad and I disabled it, and that damn virus was still there, with its problems (I also had the iiiii one and another I don’t remember). Anyway, we called a friend of my dad’s, and it seems he managed to delete it from one of my PCs. What he did was go into the Windows D.O.S. platform and search folder by folder, deleting temp files and known viruses. Reader_s.exe showed up there, he went in to see what it contained, and he deleted every folder where the virus was. However, after deleting it, it sticks again when you go on the internet, downloading any old junk, so the process was done again. I THINK THIS PROCESS IS THE ONE THAT CAN MORE OR LESS SAVE YOUR DATA AND YOUR COMPUTER. And what happened with the other computer? The other computer is one from the 90s with an unattended Windows XP with SP2, but almost every update is disabled. Although the virus landed on this PC too, the computer (I THINK) adapted to it, and even though it is active, not a damn thing happens to it; it is immune to this and to the other viruses it also has. Honestly I don’t know what this PC has that lets it survive.

I hope what I mentioned helps you do something against this virus that contaminated the world.

Robin October 16th, 2018 at 9:09 pm

I have finally rid myself of this bugger, My 3 machines on my home network have been clean for 13 days now. I have had almost 12 clean installs that haven’t worked but after a lot of trial and error I have beaten it.

This is how you get rid of it. Trust me, it works. I have done this 3 times now on infected machines and the outcome was always good. The one thing you must have is PATIENCE … A lot of it.

Disconnect your PC from the power for at least 5 minutes. Some motherboards have an LED on them to show you when there is still battery power to your RAM and other ancillaries; wait for that to go out.

Disconnect your ADSL router from the power for at least an hour, some have software in them that is stored on a RAM chip, I am not 100% positive this can get infected but better to be safe than sorry.

Disconnect all other PC’s from any Office/Home network. You will want to have exclusive access to the internet for your driver downloads and you will only want to have the one machine connected at a time. If another machine is connected it may contain the virus and will infect you as soon as it can detect you.

You HAVE to do a LOW LEVEL FORMAT on your main hard drive. Make sure there are no slave hard drives connected or external drives or USB sticks. You then do a clean install of Windows XP off the original CD-ROM/restore disk. Any drivers you need will have to be installed off the original CD-ROMs or downloaded from the net from a reputable source, i.e. direct from the manufacturer, not a third party.

First only install Windows XP and do all the Windows updates until it is up to date, this takes a lot of time but be patient.

Once you have done this, download Avast Anti Virus Free Home Edition. When it is installed, make sure it is up to date. To make sure you are clean right from the beginning, you must schedule a Boot Scan. This will make sure you don’t have it hidden anywhere.

If you are clean then download Zone Alarm Free Firewall and make sure it is up to date. This software will make sure that you are in control of what software can connect to the internet, it can also isolate you from other PC’s on your network and stop you getting infected that way.

The virus is spread by the autorun function on PCs that runs when you plug anything into the USB sockets. You must disable the AUTOPLAY function and the easiest way is to download Windows XP Powertoys Tweak UI. It has the ability to disable this function quite easily. There are other ways to do this with REGEDIT which can be found on the web but this is the easiest.

In Powertoys you go to My Computer, Autoplay, Drives and basically unselect all but your CD-ROM and the C drive and restart your computer to make sure this option is saved.

To access any drives from now on you use windows explorer and select the folder side bar and access from there. Explorer won’t run the malicious software unless you click on the drive in the main window directly. You can now plug in any USB sticks or hard drives and right click Scan with Avast Anti Virus. You can also see the virus on the drive if you use the Show Hidden Files/Folders. There is normally a collection of files that now appear and one of them is autorun.ini. You can delete those directly and anything else you are not sure of but empty the recycle bin straight away. Avast will take a long time to check the drives but believe me it is worth it. You will not be able to leave it running overnight as it will stop at every virus it finds and ask what to do. It will be a slow boring process so watch TV or play some PS3.
You will want to be brutal and may have to lose some stuff you may be annoyed about but you have to get rid of it. Avast is pretty good at this sort of thing and is almost always right.

One of my 1TB hard drives took 8 hours to check. If you want, remove stuff you don’t want anymore to speed up the virus scan. Delete any .exe, .ini, .dll, .pdf, .htm, .html, .scr, .rar, .zip, .cab files as these are the most likely to be infected.

So far I have been able to scan and clean most of my hard drives without losing any pictures, documents, or video/music files.

I would suggest that you don’t use pirated copies of any software, Keygens seem to be the most common thing to be infected and always scan anything before installing. Freeware or Shareware should be okay if it’s from a reputable source ie, CNET.

You should now do this to all the computers that are on your private business or home network but ONE AT A TIME until they are all clean then you should be able to connect them all at once and not have any issues. DO NOT connect a machine to your network unless you are sure it is clean as it will spread the virus to every machine connected and you will have to start again.

If you keep your autoplay disabled and your Avast running and up to date I don’t think it will return. You could also do a Boot Scan with Avast once a week to be sure. Avast free is good for 60 days but that should be enough to make up your mind if you want to buy it, I would highly RECOMMEND it for peace of mind. You will also need to keep your XP up to date as some of the security fixes actually do some good and can stop this happening.

Steer clear of dodgy websites and all the usual blah blah and you should be okay at least until the next web nasty comes along.

Other virus software doesn’t catch this Virus until it’s too late. My AVG Free was up to date and missed it completely but Avast catches it every time.

Until the next virus, happy hunting.
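
Several comments above (Drew, Ronald, Kobayashi, Robin) trace reinfection to backup media carried across a reformat. As an added example that is not from any commenter, the Python script below inventories a backup folder from a known-clean machine and lists autorun files, files that are PE executables whatever their extension, and the file types Robin's comment names. It assumes both `autorun.inf` (the usual Windows name) and the `autorun.ini` spelling used above are worth flagging; the sample tree is constructed, and the header check identifies file type only, not infection.

```python
import os
import tempfile

# File types the comment lists as likely carriers (compared in lower case).
CARRIER_EXT = {".exe", ".ini", ".dll", ".pdf", ".htm", ".html",
               ".scr", ".rar", ".zip", ".cab"}
PE_EXT = {".exe", ".dll", ".scr"}
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}  # second name: spelling used in the comment
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}


def is_pe(path):
    """True when the file has an MZ header whose e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            fh.seek(int.from_bytes(head[60:64], "little"))
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def autorun_targets(path):
    """Return the commands an autorun file asks Windows to launch."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")
    targets = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in LAUNCH_KEYS:
            targets.append(value.strip())
    return targets


def triage(root):
    """Walk root; return sorted (relative_path, reason) for files to scan or drop."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in AUTORUN_NAMES:
                launched = ", ".join(autorun_targets(full)) or "nothing"
                findings.append((rel, "autorun file, launches: " + launched))
            elif is_pe(full):
                note = "" if ext in PE_EXT else " with unexpected extension " + ext
                findings.append((rel, "PE executable" + note))
            elif ext in CARRIER_EXT:
                findings.append((rel, "carrier type " + ext + ", scan before restoring"))
    return sorted(findings)


def build_sample(root):
    """Write a constructed backup tree; the 'PE' files are 68-byte stubs, not programs."""
    stub = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00"
    files = {
        "autorun.inf": b"[autorun]\r\nopen=reader_s.exe\r\n",
        "reader_s.exe": stub,
        "1234.tmp": stub,  # executable content behind a harmless-looking name
        "site/index.html": b"<html><body>backup of my site</body></html>",
        "photos/cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "notes.txt": b"shopping list",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample(sample)
        for rel, reason in triage(sample):
            print(f"{rel:18} {reason}")
```

Point `triage()` at the mounted backup drive instead of the sample tree; anything it lists is a candidate for an antivirus scan or deletion before files are copied back.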

Andre Jansen October 28th, 2018 at 1:15 am

I also got the W32.Vitro virus onto my Windows XP-Pro_SP3 systems. Now two laptops are infected. I also see the reader_s.exe file on the systems. On the first laptop I did a full killdisk and reinstalled Windows Vista. Looks like this laptop is virus free for now. Now I have to try to restore my Ghost image from Windows XP (I sure know that this backup is virus free). We’ll see what happens. Cost me three full days of work now and I’m really sick about this f****** virus.

Andre Jansen October 28th, 2018 at 1:40 am

I’ve used the Symantec removal tool and it says that one threat was found and the W32.Virut virus was removed from my system (scanned in safe mode). Bullshit!!! After reboot and reconnect to the internet the shit happens again. Connection to and tons of tmp files and other very strange files came into my PC. Also the reader_s.exe and the restorer32_a.exe were back again! After trying several scans with several software packages I give up. I think that only killdisk works. I also connected my USB harddrive where I copied my data to even after the virus was started (I have lots of websites I had to backup with php code). Until some hours nothing strange happened with Windows Vista. Now I’m going to try an Avast boot scan. I’ll report this as soon as I have the results.

With kind regards,
André Jansen
The Netherlands

And Yes, even in Holland computers get sick!

Andre Jansen October 28th, 2018 at 9:32 am

Avast bootscan only removed some files to the safe just as scanning in Windows. My Windows is sucked now. No network available anymore. Explorer fails to open, etc. Never seen a virus with such a brute force.

Kev October 28th, 2018 at 2:20 pm

OMG, just got the virus, and I found out that ad-aware has found it in my /User/doc’andset’/ folder, and so I deleted that one, btw, I got the virus from Ware seeker * com, SO DON’T GET ANYTHING FROM THEM! It happened when I was downloading a trial version of something, and I saw it happened to come with a keygen, and, regretfully, I used it.
Going to try some non-system-wiping things, and if that doesn’t work, I’m going to cry

SO I will get back to all if it doesn’t work. BTW, I need 2 know if just having two comps connected to a router, but not on a network, will give both the virus. :( ***** ****** *** **** VIRUS!

walidiasis November 6th, 2018 at 1:21 pm

I got rid of the virus after formatting both my C and D drives and I didn’t use my DVD which I was using as Backup CD (it was infected by the virus). Thank God finally I got rid of the virus. As most of people it’s a nasty but powerful virus. It can replicate itself in many locations and the main problem is that it can reinfect the computer even after format.

Newguy November 21st, 2018 at 5:30 pm

Superantispyware and Ad-Aware don’t detect this thing at all.

Spybot S&D *detects* it but will by no means remove all of it.

Kaspersky anti virus, with all scan settings enabled, in safe mode, seems to work.

I found 3000 instances of this thing hidden in various .exe files all over my drive. It tries to hide everywhere…

Don’t forget to check your USB drives. It hides there as well.

Newguy November 21st, 2018 at 5:36 pm

This thing also blocked me out of safe mode. If this happens to you do this:


This will force Windows to start in safe mode, allowing you to run the Kaspersky scan.

daqyre November 25th, 2018 at 11:37 pm

Hi, where do you go to run the command prompt you listed to force Windows to start in safe mode?

Kev December 14th, 2018 at 11:11 pm

PLEASE READ!!!!!!!!!!!!!!!!!!!

Hey I’m back, okay, I did what I think the worm guy said up in the earlier part of this webpage (forgot his name).
I installed avast and did a boot scan, deleting all infected files, un-installed IE8 from my comp, then did another scan after disconnecting from the internet. After checking the .tmp files and doing a search for reader_s, I found them and deleted them, and THEN I DELETED THE ENTIRE FOLDER IN WHICH I FOUND THE .exe THAT IT CAME FROM IN THE FIRST PLACE.

I think that I was just in time when I found it, which was about 1-2 days after I got it, because my computer has been fixed ever since. And it has been months and I have found no more traces of it.
All I’m gonna say is be careful of what executables you run, I’m never gonna forget how I got mine.


schinnerl December 18th, 2018 at 9:03 pm

A quick first help: just delete reader_s.exe in the %userprofile%, create an empty text file with the editor and rename it to reader_s.exe. Set read-only security on the file. With this the virus seems to be inactive. After this clean the stuff.

Thymic December 30th, 2018 at 10:29 am

I had noticed this virus from CCleaner in Tools>Start-up. There I found the location of the said .exe file. I searched for any information about this on the net. Didn’t try to open it because I found out that this was a virus. But even before I found reader_s.exe in C:/Windows/System32, my Avira antivirus detected hundreds of detections in C:/Windows/Temp (all w/ file extension .tmp).


Blue Speed January 6th, 2019 at 4:55 pm

wrestled with reader_s for weeks. used AVG’s virut removal tool, it found numerous executables infected, safe mode was disabled, had to use winternals to do anything. i could get into my computer after using spybot to delete startup keys which came back every reboot. backed up my files onto an external hard drive. couldn’t install any software, i would get multiple errors while installing software like “CTF loader needs to shutdown” “microsoft register server needs to shut down” “runtime error ‘0’”. couldn’t install anything like kaspersky or malwarebytes. used the dell system recovery feature (CTRL + F11) and reformatted and reinstalled windows. then purchased kaspersky at best buy and installed it before connecting to the net, connected to the net to get updates, downloaded all windows updates and spyware blaster which immunizes the browsers. used the kaspersky vulnerabilities scan to find weaknesses, updated and patched all results. virus is gone. when i reconnected removable storage which i had backed up files on, kaspersky detected viruses, trojans and malware all over them. luckily kaspersky cleaned and deleted them although a thumb drive put up a good fight with the kaspersky but kaspersky won. i don’t know about you guys but this reader_s seemed to come bundled with tons of other viruses and trojans. didn’t matter how much i cleaned my system before, when i would reconnect to the internet it would all be back. it was also hiding in svchost and when i would terminate that svchost i would get a shutdown countdown with the message “remote procedure call has terminated unexpectedly and must be shut down. this shutdown initiated by NT authority/system.” with a 60 second countdown. i wouldn’t waste my time trying to clean it if i were you, it corrupts windows to the core. backup, format, reinstall and get a great virus software (i recommend kaspersky) and then connect removable drives. i also disabled autoplay and autorun before connecting removable storage. good luck!!

Dorie January 14th, 2019 at 10:16 pm

Try this!
Open Notepad, create a file and save it as “reader_s.exe”. Go to the ‘Save As Type’ prompt of Notepad and choose ‘All Files’.
It will create a dummy executable file called reader_s.exe.

Copy it to the following paths
…..These are the locations where the virus resides and expands from……
Now go to cmd (COMMAND PROMPT)
and type these commands
cd %userprofile% [ENTER]
attrib reader_s.exe +a +r +h +s [ENTER]
(This will make your dummy reader_s.exe “Hidden”)
cd %systemroot%\system32 [ENTER]
attrib reader_s.exe +a +r +h +s [ENTER]

This will make the reader_s.exe virus powerless. The original reader_s.exe sees that another copy exists already with a stronger attribute.

You should use taskmgr and end all .tmp tasks running in your PROCESSES.

None of these methods worked for me - Anything New? February 1st, 2019 at 9:06 pm

This virus won’t even let me boot in safe mode. I can’t even log on – the logon screen lets me select a user, then the only thing you can select is “Turn off Computer”
I tried unplugging the memory, clearing the cmos jumper, removing and replacing the battery. I can’t boot from the XP CD – the BIOS won’t reset when I tell it to boot from CD.
Any new solutions?

JC March 30th, 2019 at 5:23 am

This is the father of all viruses. It is the worst virus I ever saw as an IT.
The only way to remove it is in safe mode with no network connection. Try using the new malwarebytes with memory scan option version from end of Mar 2018. It might work.

