Remove Smitfraud.c Trojan (0028.C0011E36 VXD)?


Infopackets Reader 'Faskia' writes:

" Dear Dennis,

One of my PCs is now failing to connect to the Internet, and is showing a Security Warning screen on a Blue Screen of Death (BSOD). The blue background reads, 'A fatal error in IE has occured at 0028.C0011E36 in VXD VMM(01)+00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c.' Would you please give me some simple steps to remove Smitfraud from my PC? "

My response:

The problem is that your computer has been infected with Spyware. According to the F-Secure web site, Trojan-Spy.HTML.Smitfraud.c is a phishing scam where "a fake screen is presented to user [may even be a fake Blue Screen of Death], in an attempt to collect user account information" (Source: F-Secure.com).

I did some in-depth research and from what I understand, this Trojan is difficult to remove. It may be because it's a new Spyware variant and from what I read, the majority of Spyware / anti-virus programs cannot remove it.

I was, however, able to find two manual removal solutions posted on BullGuard.com and Experts-Exchange. I've looked over both postings and they are very similar in instruction (but vary slightly). The posting on BullGuard.com was easiest to follow, so I've included the instructions in this posting.

From BullGuard.com:

" Follow these steps to remove Smitfraud and restore your desktop.

Print out these instructions and then close all windows including Internet Explorer.

Step 1: Go to Start -> Control Panel -> Add or Remove Programs and remove the following programs, if they are found: Security IGuard, Virtual Maid, and Search Maid. Once complete, exit the Add/Remove Programs window.

Step 2: View All Hidden Files on your computer; to do this: Open Windows Explorer, go to Tools -> Folder Options -> View and look under 'Hidden files and folders'. Once you're there, checkmark 'Show hidden files and folders' and uncheck 'Hide protected operating system files'.

Step 3: Run HijackThis and place a checkmark in front of the following entries:

O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [TaskMonitor] C:\Windows\taskmon.exe

O4 - HKLM\..\Run: [oxpFt] C:\Windows\VAUVPMOV.EXE

O4 - HKLM\..\Run: [Yqjya] C:\PROGRAM FILES\TMXD\TFUFB.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com ...

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com ...

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) http://a840.g.akamai.net ...

Step 4: Reboot your computer into Safe Mode.

Step 5: Once in Safe Mode, delete these files or directories. If the files / directories do not exist, do not be concerned.

C:\wp.exe

C:\wp.bmp

C:\bsw.exe

C:\bsw.bmp

C:\Windows\sites.ini

C:\Windows\popuper.exe

C:\Windows\System32\wldr.dll

C:\Windows\System32\helper.exe

C:\Windows\System32\intmonp.exe

C:\Windows\System32\msmsgs.exe

C:\Windows\System32\ole32vbs.exe

C:\Windows\system32\msole32.exe

C:\Windows\System32\Log Files

C:\Program Files\Search Maid

C:\Program Files\Virtual Maid

C:\Program Files\Security IGuard

C:\Windows\Temp\icsupp95.exe

C:\Windows\taskmon.exe

Step 6: Reboot your computer. Your desktop should be restored, and the background may appear as black.

Step 7: In order to restore your desktop settings download smitfraud.reg (link below). Save this file to your desktop; once it's there, double click it and when Windows asks you to merge the data, click Yes.

http://www.bleepingcomputer.com/files/reg/smitfraud.reg

Step 8: Reboot your computer. You should now be able to change your desktop settings back to how you would like it. If your desktop still looks strange, go into your display properties and click on the Themes tab. Change the theme to Windows XP and you will now be using the default Windows XP settings. Then change them as you see fit. " (Source: bullGuard.com)

Good luck!
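
As an added example (not part of the original article or the BullGuard instructions), this Python script reads a saved HijackThis log and returns the lines that match the entries listed in Step 3, so they can be found without comparing CLSIDs by eye. The function names are hypothetical and the sample log is constructed; Run entries are matched on the file path rather than the value name, ignoring case.

```python
import re

# Values copied from Step 3 of the quoted instructions.
LISTED_CLSIDS = {
    "{B56A7D7D-6927-48C8-A975-17DF180C71AC}",
    "{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}",
    "{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}",
    "{74D05D43-3236-11D4-BDCD-00C04F9A3B61}",
}
LISTED_RUN_PATHS = (r"c:\windows\taskmon.exe", r"c:\windows\vauvpmov.exe",
                    r"c:\program files\tmxd\tfufb.exe")
LISTED_O8_HOST = "bar.mywebsearch.com"

ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run[^:]*:\s+\[[^\]]*\]\s+(.+)$")

def is_listed(section, body):
    """True if one log entry matches a value listed in Step 3."""
    if section in ("O2", "O16"):
        m = CLSID.search(body)
        return bool(m) and m.group(0).upper() in LISTED_CLSIDS
    if section == "O4":
        m = RUN.match(body)
        # Compare the path, not the bracketed value name; ignore case and quotes.
        cmd = m.group(1).strip().replace('"', "").lower() if m else ""
        return any(cmd == p or cmd.startswith(p + " ") for p in LISTED_RUN_PATHS)
    if section == "O8":
        return LISTED_O8_HOST in body.lower()
    return False

def listed_entries(log_text):
    """Return the log lines that Step 3 says to check-mark."""
    matches = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [m.group(0) for m in matches if m and is_listed(*m.groups())]

# Constructed sample log (not taken from a real machine).
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: Example - {00000000-1111-2222-3333-444444444444} - C:\Example\ex.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [oxpFt] C:\WINDOWS\VAUVPMOV.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/constructed
"""

if __name__ == "__main__":
    for line in listed_entries(SAMPLE_LOG):
        print("check:", line)
```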
