I repaired "trojan-backdoor-stinkbreath" on a friend's PC (running Vista O.S.) by using the following procedure:
Webroot AntiVirus with Spysweeper finds "trojan-backdoor-stinkbreath" and quarantines it, but after rebooting, it's always back again, even though Webroot Spysweeper displays the following message:
Files Infected:
C:\Windows\System32\drivers\tfdsucp.sys (Rootkit.Agent) -> Quarantined and deleted successfully. (But it was still there after re-booting.)[/I]
I found that the file that was causing it to replicate was: C:\Windows\System32\Drivers\tfdsucp.sys", which is impossible to rename or delete in Windows and apparently Webroot AV (and several other Malware programs) are unable to remove it during re-boot.
The method that I used to remove it was to download a Vista "Recovery Console" ISO image and burn it to CD. I then booted from that CD to a "DOS" prompt and did a directory display: "Dir C:\Windows\System32\drivers" to verify that it was actually there and not re-locating during the boot priocess. I then renamed it: "Ren C:\Windows\System32\drivers\tfdsucp.sys(space)C:\Windows\System32\drivers\XXtfdsucp.syX"(enter) - no quote marks in actual DOS command -
and rebooted Vista. I could have Deleted it, but was reluctant to "burn any bridges" until I verified that the PC was able to boot with that file changed.
After rebooting, I again ran Webroot full Scan and quarantined "Stinkbreath" Shortly afterward the Spysweeper function displayed a message that it had found a Trojan "C:\Windows\System32\drivers\XXtfdsucp.syX" with the option to remove it. After doing so and rebooting, the Webroot Full Scan ran clean without finding any malware.
It would have been better to use the following DOS command:
"Del C:\Windows\System32\drivers\tfdsucp.sys"(enter) and delete it, but I wanted to verify that the PC was able to boot with that file changed, before deleting it.
XP and Vista "Recovery Console" ISO's can be found by Googling (You may have to download a "Torrent" utility to access some of them.)
Webroot AntiVirus with Spysweeper finds "trojan-backdoor-stinkbreath" and quarantines it, but after rebooting, it's always back again, even though Webroot Spysweeper displays the following message:
Files Infected:
C:\Windows\System32\drivers\tfdsucp.sys (Rootkit.Agent) -> Quarantined and deleted successfully. (But it was still there after re-booting.)[/I]
I found that the file that was causing it to replicate was: C:\Windows\System32\Drivers\tfdsucp.sys", which is impossible to rename or delete in Windows and apparently Webroot AV (and several other Malware programs) are unable to remove it during re-boot.
The method that I used to remove it was to download a Vista "Recovery Console" ISO image and burn it to CD. I then booted from that CD to a "DOS" prompt and did a directory display: "Dir C:\Windows\System32\drivers" to verify that it was actually there and not re-locating during the boot priocess. I then renamed it: "Ren C:\Windows\System32\drivers\tfdsucp.sys(space)C:\Windows\System32\drivers\XXtfdsucp.syX"(enter) - no quote marks in actual DOS command -
and rebooted Vista. I could have Deleted it, but was reluctant to "burn any bridges" until I verified that the PC was able to boot with that file changed.
After rebooting, I again ran Webroot full Scan and quarantined "Stinkbreath" Shortly afterward the Spysweeper function displayed a message that it had found a Trojan "C:\Windows\System32\drivers\XXtfdsucp.syX" with the option to remove it. After doing so and rebooting, the Webroot Full Scan ran clean without finding any malware.
It would have been better to use the following DOS command:
"Del C:\Windows\System32\drivers\tfdsucp.sys"(enter) and delete it, but I wanted to verify that the PC was able to boot with that file changed, before deleting it.
XP and Vista "Recovery Console" ISO's can be found by Googling (You may have to download a "Torrent" utility to access some of them.)
