Approx Date Of Appearance: Oct-Nov 2005
Samples of infected PC:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\j3t53zit6tthd.exe(harder version to remove)
O20 - AppInit_DLLs: v5pbrv56gdx8n4ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
So far, there is no 'canned fix' as of yet. However, a couple involve using Killbox, to kill the offending files, of which there can be several. Variants with [Control Hnadler] in O4 entry of HJT log, must be killed first.
Also, it seems users who are using AVG are easier to clean up, as it defines the trojan, and does not let whole infection load.
This fix is a work in progress.
This fix has come around and is pretty much routine. Experts from around the poular security forums banded together to figure it out. Several items to be aware of when fixing.There also are not too many of these infections popping up currently.