Jump to content

Reader_s.exe found but no other associated files/registry entries


Recommended Posts

Have a bit of a strange issue. We have multiple workstations that, per a Malwarebytes scan, show that they are infected by reader_s.exe in the root of each user profile as well as the c:\windows\system32 folder. On attempt at removal the files are not found. If a search is conducted on the workstations the files are not found. If the workstation is booted into safe mode (with networking) and Malwarebytes is run then the scan shows as clean and the files are also not found. We have ensured that Windows system recovery is disabled when scanning and have tried with the systems on/offline. We have also run both Symantec and Kaspersky AV scans and have found no issues. There are no coresponding registry entries associated with the virus and an active port scan shows no untoward network activity conducted by unknown services. The workstations are showing no symptoms of the Virut virus. We have also run various other spyware detection software which has come up with no results.

Is this a true false-positive?


Link to post
Share on other sites

  • Staff

Those are well known kicking off points to several infections including some truly nasty ones (virut and a ndis patcher) .

Something tells me you are having some sort conflict between security apps as if you had the real infection the symptoms would be quite obvious .

We have also run both Symantec and Kaspersky AV scans and have found no issues.

I hope that you are not running both of those in real time as those both do extensive (and conflicting) system hooking and could be the cause here .

Link to post
Share on other sites

The Kaspersky AV is the current antivirus. Symantec was only run from a boot disk scan. We are currently leaning toward bad NTFS tables but the same thing is happening on multiple systems. As another odd point, if the workstations are booted into Safe mode, the reader_s.exe file can be created in the known locations and on boot back to standard Windows the files are gone again.

Link to post
Share on other sites

As further testing I created the reader_s.exe files in safe mode as Read-only and System files. On reboot the files were still visible in Windows. Ran a Malwarebytes scan and it again came back stating that the system was infected with reader_s.exe. Allowed Malwarebytes to remove-on-reboot. On reboot re-ran the scan and Malwarebytes is still stating the system is infected with reader_s.exe.

I am almost certain this is a false positive at this point.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.