How to Repair "trojan-backdoor-stinkbreath"

By MrBobber
Apr 14, 2010
  1. I repaired "trojan-backdoor-stinkbreath" on a friend's PC (running Vista O.S.) by using the following procedure:
    Webroot AntiVirus with Spysweeper finds "trojan-backdoor-stinkbreath" and quarantines it, but after rebooting, it's always back again, even though Webroot Spysweeper displays the following message:
    Files Infected:
    C:\Windows\System32\drivers\tfdsucp.sys (Rootkit.Agent) -> Quarantined and deleted successfully. (But it was still there after re-booting.)[/I]

    I found that the file that was causing it to replicate was: C:\Windows\System32\Drivers\tfdsucp.sys", which is impossible to rename or delete in Windows and apparently Webroot AV (and several other Malware programs) are unable to remove it during re-boot.
    The method that I used to remove it was to download a Vista "Recovery Console" ISO image and burn it to CD. I then booted from that CD to a "DOS" prompt and did a directory display: "Dir C:\Windows\System32\drivers" to verify that it was actually there and not re-locating during the boot priocess. I then renamed it: "Ren C:\Windows\System32\drivers\tfdsucp.sys(space)C:\Windows\System32\drivers\XXtfdsucp.syX"(enter) - no quote marks in actual DOS command -
    and rebooted Vista. I could have Deleted it, but was reluctant to "burn any bridges" until I verified that the PC was able to boot with that file changed.
    After rebooting, I again ran Webroot full Scan and quarantined "Stinkbreath" Shortly afterward the Spysweeper function displayed a message that it had found a Trojan "C:\Windows\System32\drivers\XXtfdsucp.syX" with the option to remove it. After doing so and rebooting, the Webroot Full Scan ran clean without finding any malware.
    It would have been better to use the following DOS command:
    "Del C:\Windows\System32\drivers\tfdsucp.sys"(enter) and delete it, but I wanted to verify that the PC was able to boot with that file changed, before deleting it.
    XP and Vista "Recovery Console" ISO's can be found by Googling (You may have to download a "Torrent" utility to access some of them.)
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Mr. Bobber, perhaps you are trying to help. But we don't 'share' malware fixes. Each system is unique and so it what we do to find and fix malware.

    You might be interested to know that there is no entry on the internet for C:\Windows\System32\Drivers\tfdsucp.sys"- except yours- no description of tfdsuscp.sys as a Rootkit Again. This means that you likely made a spelling error.

    There is another thread on Tchspot about this 'Trojan', but it wasn't solved. The most interesting thing is that it was also found by Webroot. One has to wonder if this could be a False Positive report.

    Your inappropriate "help" is obvious by your suggestion that someone might need a file sharing program to fix malware. If you had any knowledge or experience with computers, you would know that file sharing itself is often the source of malware.

    Webroot has this description: Called Trojan-Backdoor-Stinkbreath, it spreads via bogus emails bearing the names of shipping companies including FedEx, DHL, UPS and USPS – brands many shoppers expect to see this time of year.November 18, 200
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...