Removal of RisinG / sds2d21.exe / sdsxd.exe


Jonathan Berry

Sorry if this is the wrong group, I'm having trouble finding any
group to post to!

At a local (Mexico) Internet Cafe, a program advertised
itself as malware by repeatedly failing. Every time,
Microsoft offered to log the failure: sds2d21.exe

So I knew that something was amiss before I used my USB
memory stick, but there were some web pages that I needed
to view later, offline.

When I put the USB stick in my computer, I noted that the
malware had created an autorun.inf and a phony folder
called "Recycle" (sic) containing the malware. I deleted
both, but ...

The next time I woke the computer from suspend, there was
the dying sds2d21.exe. I was infected!

And a Recycle folder on my c: drive, which I was quickly
able to eliminate. AVG Free would report sdsxd.exe as
malware and shut it down (heal or put in vault didn't make
any difference), but immediately it would reappear. AVG
alone was not able to deal with this malware, which it
described as a Trojan horse Dialer.UVP.

There was an associated prefetch (.pf) file, which would
reappear some moments after being deleted.

I discovered that RisiNG.exe or RisinG.exe in the folder
Recycle (sic) was associated with this Trojan. In Process
Explorer, I found (Ctrl-F) and then closed the handles
(Rising), and that allowed me to delete RisinG.exe and the
Recycle folder.

For good measure, I deleted all references to RisinG.exe in
the Registry (using regedit). This left any USB drive self-
infecting, but a reboot cleared that up.

YMMV !

I am OK with the idea that putting my USB flash drive in an
infected machine would result in the USB drive becoming
infected. But isn't there a way of putting an infected USB
drive in a friendly computer, in quarantine so that the
infection doesn't spread? In the old days, we'd call it
"DOS". I have autorun turned off. Am I missing some other
trick?

Also, shouldn't AV programs be able to deal with these sorts of
malware? I was very lucky that the steps I took actually
worked. A little more sophistication in the malware and my
computer would still be infected.
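One way to look at a suspect USB volume without launching anything from it, as an added example that is not from the original post: it parses autorun.inf for the keys Windows would act on (open, shellexecute, icon, shell\*\command) and flags a "Recycle"-style folder holding executables, reproducing the layout the post describes with a constructed sample directory.

```python
import re
import tempfile
from pathlib import Path

# [autorun] keys whose values name a file Windows would run or load
LAUNCH_KEYS = ("open", "shellexecute", "icon")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".pif")

def parse_autorun(text):
    """Return {key: value} from the [autorun] section; section and key names are case-insensitive."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def triage_volume(root):
    """Inspect a mounted volume read-only and return a list of human-readable findings."""
    root, findings = Path(root), []
    inf = root / "autorun.inf"
    if inf.exists():
        for key, value in parse_autorun(inf.read_text(errors="replace")).items():
            if not (key in LAUNCH_KEYS or SHELL_CMD.match(key)):
                continue
            parts = value.split(",")[0].split()          # drop icon index / arguments
            target = parts[0].strip('"').replace("\\", "/") if parts else ""
            state = "present" if target and (root / target).exists() else "missing"
            findings.append(f"autorun.inf {key}={value} (target {state})")
    for d in root.iterdir():
        # A folder named like the recycle bin, but not the real RECYCLER/$Recycle.Bin, containing executables
        if d.is_dir() and d.name.lower().startswith("recycle") and d.name.lower() not in ("recycler", "$recycle.bin"):
            exes = sorted(p.name for p in d.iterdir() if p.suffix.lower() in EXE_SUFFIXES)
            if exes:
                findings.append(f"suspicious folder {d.name}/ with executables: {', '.join(exes)}")
    return findings

def demo():
    """Constructed sample volume mimicking the post (placeholder bytes, not real malware)."""
    root = Path(tempfile.mkdtemp())
    (root / "Recycle").mkdir()
    (root / "Recycle" / "RisinG.exe").write_bytes(b"MZ placeholder")
    (root / "autorun.inf").write_text(
        "[AutoRun]\nopen=Recycle\\RisinG.exe\nshell\\open\\command=Recycle\\RisinG.exe\nicon=Recycle\\RisinG.exe,0\n")
    return triage_volume(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real drive call triage_volume with the mount point (for example E:\ on Windows); with autorun disabled, nothing on the volume is executed by reading it this way.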