Tried many solutions but none worked.
This is a very well written virus and is impossible to destroy or remove from a machine.
Virus is spread via executing an executable on a network drive or plugging a thumb drive into an infected machine and then plugging the same thumb drive into a non-infected machine. It even runs in safe mode without networking. It looks like if you run in safe mode and remove the virus and reboot that the virus is gone, but it comes back as soon as you enable networking.
If you try to delete the virus, the virus monitors this and moves the location of the executable to another directory. Virus has at least 2 parts. One that runs as part of svchost, and reader_s.exe. It seems there is another part that somehow runs when you plug in the network cable even though your hard drive appears clean to virus scanners.
It appears as if Microsoft has fixed the second infection route in the latest updates for Windows XP.
Vista and Windows 7 do not seem to get the virus because the virus writes to a protected area, which is not allowed in Vista and Windows 7.
Only solution is to back up the system, format the hard drive and reinstall the operating system. Do not execute any restored executables until you run a virus scan (like Malwarebytes) on all files restored.
Virus creates an autorun.ini which executes an executable. These are hidden, protected OS files so they do not show up normally. Plug the thumb drive into a Mac to see if the thumb drive, camera, iPod, etc. are infected.
This virus downloads other viruses from the internet and causes the computer to send spam, shutting down your outbound mail server.
Some of the virus scanners crashed the OS so the OS would not boot.
I hope someone comes up with a solution that does not require reformatting the hard drive. I had to scan 25 computers and restore the OS to 4 machines. Total man hours (48)
Virus solutions that failed:
Malwarebytes
Symantec version 9.0 Enterprise
STOPzilla
http://www.virusremovalguru.com/?p=1511
Dr.Web
David Talmage
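
The removable-drive check described in the post above can be done from a Mac or Linux host without running anything on the drive. The following is an added example, not part of the original post: it reads the autorun file at a mounted volume's root and lists the programs it would launch. It assumes the volume is already mounted; it checks both `autorun.inf` (the name Windows AutoRun reads) and `autorun.ini` (the name as written in the post), and the sample volume in the demo is constructed.

```python
import os
import re
import tempfile

# Names checked at the volume root: autorun.inf is what Windows AutoRun reads;
# autorun.ini is the name as written in the post above.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}
# Keys in the [autorun] section that launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def parse_autorun(text):
    """Return [(key, command)] for launch keys; tolerant of junk padding lines."""
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()) and value.strip():
                hits.append((key.strip().lower(), value.strip()))
    return hits

def scan_volume(root):
    """Inspect a mounted removable volume; never executes anything it finds."""
    findings = []
    for name in sorted(os.listdir(root)):
        if name.lower() not in AUTORUN_NAMES:
            continue
        with open(os.path.join(root, name), "r", errors="replace") as fh:
            for key, command in parse_autorun(fh.read()):
                # Program path is the quoted string or the first token.
                prog = command.split('"')[1] if command.startswith('"') else command.split()[0]
                target = prog.replace("\\", "/")  # relative to the volume root
                present = os.path.isfile(os.path.join(root, target))
                findings.append({"file": name, "key": key,
                                 "target": target, "present": present})
    return findings

if __name__ == "__main__":
    # Constructed sample volume: file names and contents are invented for the demo.
    with tempfile.TemporaryDirectory() as vol:
        os.mkdir(os.path.join(vol, "RECYCLER"))
        open(os.path.join(vol, "RECYCLER", "sample.exe"), "wb").close()
        with open(os.path.join(vol, "AUTORUN.INF"), "w") as fh:
            fh.write("junkjunk\n[AutoRun]\n;pad\nopen=RECYCLER\\sample.exe -x\n"
                     "shell\\open\\command=missing.exe\nicon=shell32.dll,4\n")
        for finding in scan_volume(vol):
            print(finding)
```

A finding with `present` set to true names a file on the drive that an AutoRun-enabled Windows machine would launch; that file is the one to submit to a scanner before the drive is used again.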