A couple of my clients came to me because their computer seemed to be infected with a virus. I hear this often and never know what exactly I’m getting myself into when I arrive to fix the issue. Recently, “reader_s.exe” has been the pain that I have been encountering, but I think that I have finally figured out how to completely rid the infected machine of the lil bugger.
Symptoms:
- Internet not working
- Constant pop-ups (scareware) indicating that the machine was “infected” and prompting the user to pay a certain amount of money to purchase and download their “antivirus” software, which was actually a bogus program that simply removed the pop-ups it had itself created.
- USB drives not working
Resolution:
- Boot the computer into Safe Mode by pressing the F8 key on the keyboard as the computer starts up and the Windows XP logo screen appears. Select Safe Mode from the boot menu and hit Enter.
- Once in Safe Mode, delete the Reader_s.exe files from the C:\Windows\System32 and C:\Documents and Settings\YourUserName directories.
- Most essential Windows Services had also been disabled, so I used a “clean” XP machine as master list of what needed to be re-enabled. To re-enable the services:
  - Click on your Start menu and then click on Run.
  - In the Run box type “services.msc” and press OK.
  - When the Services list appears, open (by double-clicking) each of the below services (if currently “disabled”), change its Startup type to “Automatic” and press OK to save the changes.
    - Automatic Updates
    - Computer Browser
    - Cryptographic Services
    - DCOM Server Process Launcher
    - DHCP Client
    - Distributed Link Tracking Client
    - DNS Client
    - Error Reporting Service
    - Event Log
    - Help and Support
    - IPSEC Services
    - Logical Disk Manager
    - Plug and Play
    - Print Spooler
    - Protected Storage
    - Remote Procedure Call (RPC)
    - Remote Registry
    - Secondary Logon
    - Security Accounts Manager
    - Security Center
    - Server
    - Shell Hardware Detection
    - System Event Notification
    - System Restore Service
    - Task Scheduler
    - TCP/IP NetBIOS Helper
    - Themes
    - WebClient
    - Windows Audio
    - Windows Firewall/Internet Connection Sharing (ICS)
    - Windows Management Instrumentation
    - Windows Time
    - Wireless Zero Configuration
- Once all of the above Services have been re-enabled and the “reader_s.exe” files deleted, reboot the computer.
- You should notice that your machine booted into Windows faster and that you can now plug USB devices and drives into your computer and have them recognized by Windows; this is because the Plug and Play Service was previously disabled.
- Your network connections probably still don’t work, so on another machine, copy this [ndis.sys] file (copied from my Windows XP SP3 CD) to a thumb drive.
- Now, plug the thumb drive into your “infected” PC and copy the ndis.sys file from the thumb drive into the C:\Windows\System32\Drivers folder, overwriting the existing file.
- Reboot the computer one more time, and the network adapters should all be working!
- Have a beer to celebrate that you didn’t lose all of your files!
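Clicking through thirty-odd services in services.msc is slow and easy to get wrong, so here is the same clean-up as a batch file you can run from a Safe Mode command prompt. This is an added example, not a script from the original post: it deletes the reader_s.exe files from the two locations named above, sets every listed service back to Automatic with sc.exe, and then re-reads each service's start type so you can see which ones actually took. The short service names are the standard Windows XP names for the display names in the list above; if sc.exe reports that one does not exist on your build, check it with `sc query`. The thumb-drive letter used for the ndis.sys step is a placeholder.

```batch
@echo off
REM Added example (not from the original post): automate the reader_s.exe
REM clean-up described above. Run from an administrator command prompt in
REM Safe Mode on Windows XP.
setlocal

REM --- Step 1: remove the dropped executables from both locations named above.
REM %USERPROFILE% expands to C:\Documents and Settings\<YourUserName>.
for %%F in ("%SystemRoot%\System32\reader_s.exe" "%USERPROFILE%\reader_s.exe") do (
    if exist %%F (
        echo Deleting %%F
        del /f /a %%F
    ) else (
        echo Not found: %%F
    )
)

REM --- Step 2: set the services from the list back to Automatic.
REM Short names (assumed standard XP names) in the same order as the post's list:
REM Automatic Updates, Computer Browser, Cryptographic Services, DCOM Server
REM Process Launcher, DHCP Client, Distributed Link Tracking Client, DNS Client,
REM Error Reporting, Event Log, Help and Support, IPSEC Services, Logical Disk
REM Manager, Plug and Play, Print Spooler, Protected Storage, RPC, Remote
REM Registry, Secondary Logon, Security Accounts Manager, Security Center,
REM Server, Shell Hardware Detection, System Event Notification, System Restore,
REM Task Scheduler, TCP/IP NetBIOS Helper, Themes, WebClient, Windows Audio,
REM Windows Firewall/ICS, WMI, Windows Time, Wireless Zero Configuration.
set SERVICES=wuauserv Browser CryptSvc DcomLaunch Dhcp TrkWks Dnscache ERSvc ^
Eventlog helpsvc PolicyAgent dmserver PlugPlay Spooler ProtectedStorage RpcSs ^
RemoteRegistry seclogon SamSs wscsvc lanmanserver ShellHWDetection SENS ^
srservice Schedule LmHosts Themes WebClient AudioSrv SharedAccess winmgmt ^
W32Time WZCSVC

for %%S in (%SERVICES%) do (
    REM sc.exe needs the space after "start=" or it misparses the option.
    sc config %%S start= auto >nul 2>&1
    if errorlevel 1 (
        echo WARNING: could not configure %%S - verify the name with: sc query %%S
    ) else (
        echo Set %%S to Automatic
    )
)

REM --- Step 3: verify by reading the START_TYPE line back from "sc qc".
REM The line looks like "START_TYPE : 2 AUTO_START"; token 4 is the label.
echo.
echo Services that are still not Automatic (expect none):
for %%S in (%SERVICES%) do (
    for /f "tokens=4" %%T in ('sc qc %%S ^| findstr /i "START_TYPE"') do (
        if /i not "%%T"=="AUTO_START" echo   %%S is %%T
    )
)

REM --- Step 4 (optional, after the first reboot): replace ndis.sys from the
REM known-good copy you put on a thumb drive. E: is a placeholder drive letter.
set THUMB=E:
if exist "%THUMB%\ndis.sys" (
    copy /y "%THUMB%\ndis.sys" "%SystemRoot%\System32\Drivers\ndis.sys"
    echo Replaced ndis.sys - reboot once more for the network adapters to come back.
) else (
    echo No ndis.sys found on %THUMB% - skipping the driver replacement.
)

endlocal
```

Run it once in Safe Mode, reboot, then run it again with the thumb drive plugged in for the ndis.sys step; the verification loop in Step 3 is the quickest way to confirm nothing was missed before rebooting.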
It’s scary to think that you might lose all of your files because of a scamware/scareware program, so BACKUP YOUR FILES REGULARLY! I recommend purchasing an external hard drive and either manually copying your important files to the disk or setting up an automatic backup program on your PC to copy the files for you. Here is a [link] to the backup script that I use personally.