Re: Removal of RisinG / sds2d21.exe / sdsxd.exe


| Sorry if this is the wrong group, I'm having trouble finding any
| group to post to!

| At a local (Mexico) Internet Cafe, a program advertised
| itself as malware by repeatedly failing.  Every time,
| Microsoft offered to log the failure: sds2d21.exe

| So I knew that something was amiss before I used my USB
| memory stick, but there were some web pages that I needed
| to view later, offline.

| When I put the USB stick in my computer, I noted that the
| malware had created an autorun.inf and a phony folder
| called "Recycle" (sic) containing the malware.  I deleted
| both, but ...

| The next time I woke the computer from suspend, there was
| the dying sds2d21.exe.  I was infected!

| And a Recycle folder on my c: drive, which I was quickly
| able to eliminate. AVG Free would report sdsxd.exe as
| malware and shut it down (heal or put in vault didn't make
| any difference), but immediately it would reappear.  AVG
| alone was not able to deal with this malware, which it
| described as a Trojan horse Dialer.UVP

| There was an associated prefetch (.pf) file, which would
| reappear some moments after being deleted.

| I discovered that RisiNG.exe
| or RisinG.exe in folder Recycle (sic) was associated with this
| Trojan. In Process Explorer, I found (Ctrl-F) then deleted
| the handles (Rising) and that allowed me to delete RisinG.exe
| and the Recycle folder.

| For good measure, I deleted all references to RisinG.exe in
| the Registry (using regedit).  This left any USB drive self-
| infecting, but a reboot cleared that up.

| YMMV !

| I am OK with the idea that putting my USB flash drive in an
| infected machine would result in the USB drive becoming
| infected. But isn't there a way of putting an infected USB
| drive in a friendly computer, in quarantine so that the
| infection doesn't spread?  In the old days, we'd call it
| "DOS".  I have autorun turned off.  Am I missing some other
| trick?

| Also, shouldn't AV programs be able to deal with these sorts of
| malware?   I was very lucky that the steps I took actually
| worked.  A little more sophistication in the malware and my
| computer would still be infected.

| --
| Jonathan Berry

Turn off AutoPlay/AutoRun on the PC and if you insert infected media it will NOT
infect the PC.  Then you would scan the media with your anti-virus application.
Also you can enable viewing of Hidden System files and view the possibly infected
read/write media for EXE files and AutoRun.INF and if present, they can be
manually deleted.

Multi-AV -
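The procedure in the reply above (AutoRun off, hidden/system files visible, look for EXE files and AutoRun.INF on the stick, delete by hand), written out as a PowerShell script. This is an added example, not code from either poster: the drive letter E: is an assumption, the NoDriveTypeAutoRun policy value 0xFF is the documented Explorer setting that disables AutoRun on every drive type, and the "Recycle" folder check comes from the original post's description.

```powershell
# Added example (not from the thread): audit a removable drive the way the reply
# describes, and confirm AutoRun is disabled by policy before the drive goes in.
# Assumptions: the caller supplies the drive letter; reading/setting the HKLM
# policy value needs an elevated (Administrator) PowerShell session.

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolicyName = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF   # bit mask: every drive type, so autorun.inf is never honoured

function Test-AutoRunDisabled {
    # $true when the policy already disables AutoRun for all drive types.
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    return ($null -ne $value) -and (($value -band $AllDrives) -eq $AllDrives)
}

function Disable-AutoRun {
    # Write the policy value; takes effect for Explorer after log-off/reboot.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value $AllDrives -Type DWord
}

function Get-SuspiciousItems {
    param([Parameter(Mandatory)][string]$DriveLetter)
    $root = "${DriveLetter}:\"
    # -Force makes Get-ChildItem return Hidden and System items, which is the
    # "view hidden system files" step without changing any Explorer setting.
    $items = Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -ieq 'autorun.inf' -or
            $_.Extension -ieq '.exe' -or
            ($_.PSIsContainer -and $_.Name -ieq 'Recycle')   # fake folder from the original post
        }
    foreach ($item in $items) {
        $launch = $null
        if ($item.Name -ieq 'autorun.inf') {
            # Show what the file would have launched: its open= / shellexecute= lines.
            $launch = (Get-Content -Path $item.FullName -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
        }
        [pscustomobject]@{
            Path       = $item.FullName
            Attributes = $item.Attributes
            Launches   = $launch
        }
    }
}

function Remove-SuspiciousItems {
    # Deletes what Get-SuspiciousItems found; -WhatIf previews without deleting.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$DriveLetter)
    foreach ($hit in Get-SuspiciousItems -DriveLetter $DriveLetter) {
        if ($PSCmdlet.ShouldProcess($hit.Path, 'Remove')) {
            Remove-Item -LiteralPath $hit.Path -Recurse -Force
        }
    }
}

# Usage (elevated session, before plugging the stick in):
if (-not (Test-AutoRunDisabled)) { Disable-AutoRun }
Get-SuspiciousItems -DriveLetter 'E' | Format-Table -AutoSize
# Review the list, then delete for real by dropping -WhatIf:
Remove-SuspiciousItems -DriveLetter 'E' -WhatIf
```

Listing first and deleting second matters: a legitimate installer on the stick is also an EXE, so the Launches column (what the autorun.inf points at) is what tells a planted file from a wanted one. Run the anti-virus scan on the drive afterwards as the reply says; this script only covers the manual inspection step.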