Smithfraud?? Who's That…
Ever heard that Smithfraud can suddenly turn your desktop blue? Pretty impressive that it can lock the desktop too... tsk, tsk. It turns out Smithfraud is not a person at all: it is a type of virus that is now circulating widely and has already claimed quite a few victims in Indonesia.
What are the telltale signs of this virus?
The easiest sign to recognize is that your desktop suddenly turns blue and displays the following text:
Security Warning
A fatal error in IE has occurred at 0028:C0011E36 in VXD VMM(01) +
00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
* System can not function in normal mode.
Please check your security settings.
* Scan your PC with any availabel antivirus / spyware remover
program fix the problem.
It is quite a shock when the desktop background suddenly turns blue with the text shown above. It means the computer has been infected by the trojan Trojan-Spy.HTML.Smitfraud.c. You cannot change your desktop because the virus has disabled your desktop properties, hijacked the IE start page, let pop-ups through, and hijacked our search queries to a "popular search" page, which opens the way for other viruses and spyware to get onto the computer.
How do you get rid of it?
To remove this kind of virus, we need a few tools:
1. HijackThis (a tool proven effective at kicking out viruses that are currently running), which can be downloaded from http://www.soft32.com/download_19015.html
2. KillBox (the same as HijackThis, except that this tool removes the running application/virus after a reboot), which can be downloaded from www.bleepingcomputer.com/files/killbox.php
3. smitfraud.reg, a registry file that repairs the changes made by Smitfraud, which can be downloaded from http://www.bleepingcomputer.com/files/reg/smitfraud.reg
4. Hoster
5. Deldomains.inf
Once you have the tools above, follow the removal steps below (sorry, they are left in the original English; I was still too lazy to translate them).
In order to remove this infection we will need to use HijackThis to manually remove the infection:
1. Print out these instructions as we will need to shutdown every window that is open later in the fix.
2. Download HijackThis and save it to your C:\ folder. Extract the hijackthis.zip file to c:\hijackthis. We will use this program later.
3. Enter the Windows Control Panel and double-click on Add/Remove Programs.
4. When the installed programs list appears, double-click on the following entries if they exist and allow them to uninstall.
Security IGuard
Virtual Maid
Search Maid
PSGuard
Then exit the Add/Remove Programs screen and the Control Panel.
5. Right-click the smitfraud.reg download link (http://www.bleepingcomputer.com/files/reg/smitfraud.reg) and select Save As (in Internet Explorer it’s labeled Save Target As) in order to download the smitfraud.reg file. Save this file to your desktop.
Locate the smitfraud.reg file on your desktop and double-click it. When asked if you want to merge with the registry, click the YES button. Wait for the “merged successfully” prompt then follow the rest of the instructions below.
6. Configure your computer so you can see all hidden files.
How to see hidden files in Windows
7. Download the Killbox by Option^Explicit and save it to your desktop. Extract killbox.zip to your desktop. Then double-click on the killbox.exe program.
8. When the program is open, select the option labeled Delete on reboot.
9. Do not close Killbox, and open Notepad by clicking on Start, then Run, typing notepad.exe and pressing the OK button.
10. When Notepad is open, copy and paste the following bolded text into the Notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open Notepad window and press Control-V to paste the contents into Notepad.
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\zloader3.exe
C:\Windows\system32\wp.bmp
C:\Windows\System32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\system32\perfcii.ini
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\system32\oleadm.dll
C:\WINDOWS\system32\oleadm32.dll
11. Return to Killbox, go to the File menu and select Paste from Clipboard.
12. Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
13. While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then press the enter button on your keyboard.
14. Using Windows Explorer, delete the following files, if found, (please do NOT try to find them by “search” because they will not show up that way)
FOLDERS to delete (in bold) if found:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
C:\Program Files\PSGuard
15. While still in Safe Mode, do the following:
Make sure all programs and windows are closed. Double-click on C:\hijackthis\hijackthis.exe that you had downloaded and extracted earlier. When the program starts place a check next to each of the following bolded entries, if found, then click FIX CHECKED button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =http:://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\ZLOADER3.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra ‘Tools’ menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra ‘Tools’ menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
16. When it is done fixing the entries, exit the HijackThis program and restart your computer so it's back in normal mode.
17. Download The Hoster and run hoster.exe. Press the Restore Original Hosts button and then press the OK button. When it is done, exit the program.
18. Right-click the DelDomains.inf download link and select Save As to download DelDomains.inf to your desktop.
19. Now RIGHT-CLICK on the DelDomains.inf file on your desktop and select the Install option.
Note: This will remove all entries in the “Trusted Zone” and “Ranges” also.
20. Use your anti-spyware program to scan the computer for spyware. You can use Microsoft AntiSpyware or Lavasoft.
21. Scan your computer with an antivirus that has the latest updates.
Good luck
Quoted from: http://www.bleepingcomputer.com
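A triage helper for step 15, added here as an example (it is not part of the original post or of the BleepingComputer instructions): it scans a saved HijackThis log for the search-hijack domains and the file paths listed on this page. The function name, the constructed sample log and the rule of matching full paths (so a Messenger msmsgs.exe outside System32 is not flagged) are assumptions of this example.

```python
import re

# Indicators copied from the removal steps on this page (lower-cased).
HIJACK_DOMAINS = ("quicknavigate.com", "startsearches.net")
BAD_DIRS = ("c:\\program files\\psguard\\", "c:\\program files\\security iguard\\")
SYS32 = ("hhk.dll wldr.dll helper.exe intmon.exe shnlog.exe intmonp.exe msmsgs.exe "
         "msole32.exe ole32vbs.exe oleadm.dll oleadm32.dll wp.bmp perfcii.ini")
BAD_PATHS = {"c:\\wp.exe", "c:\\wp.bmp", "c:\\bsw.exe", "c:\\windows\\sites.ini",
             "c:\\windows\\popuper.exe", "c:\\windows\\zloader3.exe"}
BAD_PATHS |= {"c:\\windows\\system32\\" + name for name in SYS32.split()}

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")  # e.g. "O4 - HKLM\..\Run: ..."
PATH_RE = re.compile(r"[a-z]:\\[^\"\r\n]*?\.(?:exe|dll|ini|bmp|tmp)(?!\w)")

def triage(log_text):
    """Return (section, reason, line) for each log entry matching the page's list."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header or blank line, not a log entry
        code, rest = m.group(1), m.group(2).lower()
        if code.startswith("R") and any(d in rest for d in HIJACK_DOMAINS):
            findings.append((code, "IE search/start page hijack", line))
            continue
        for path in PATH_RE.findall(rest):
            # Compare the full path, not the file name: msmsgs.exe is only
            # listed on this page when it sits in System32.
            if path in BAD_PATHS or path.startswith(BAD_DIRS):
                findings.append((code, "listed file: " + path, line))
                break
    return findings

# Constructed sample log: four entries from the page plus two benign ones.
SAMPLE_LOG = r"""Logfile of HijackThis
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.quicknavigate.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
"""

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Entries it reports are the ones to compare against the step 15 list before ticking them in HijackThis; entries it skips still need a manual look, since the list on this page is not exhaustive.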
