A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16901  by thisisu
 Thu Nov 29, 2012 7:58 pm
Tigzy wrote: Ok, there's a service too
eType Manager
And IB...something

Once the 2 services are removed, no more IAT hooks nor processes
I must be doing something wrong :(
I tried rinn's instructions and they were successful except the last step (delete .DLL)! The .DLL is still being loaded as a "module". See the OTL log examples:

OTL Scan log:
MOD - [2012/08/14 20:26:51 | 001,697,312 | ---- | M] () -- C:\ProgramData\Browser Manager\2.2.565.25\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe
MOD - [2012/08/14 20:26:50 | 002,049,056 | ---- | M] () -- C:\ProgramData\Browser Manager\2.2.565.25\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll
OTL Fix log:
Releasing module c:\Documents and Settings\All Users\Application Data\Browser Manager\2.2.565.25\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll
c:\Documents and Settings\All Users\Application Data\Browser Manager\2.2.565.25\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll moved successfully.
How do I "release a module"?

Regarding cacls I got: "Successfully processed %path of dll%", rebooted. Nulled APPINIT_DLLs - OK, reset perms using cacls again - OK. But then the .DLL still failed to delete. And this is all after both eType Manager and IBUpdaterService services were stopped and deleted. Processes killed.
 #16913  by EP_X0FF
 Fri Nov 30, 2012 1:36 am
Tigzy wrote: LoadAppInitDll is hidden, but AppInit_DLLs is nullified fine.
So how does it restart?

EDIT.
Ok, there's a service too
eType Manager
And IB...something

Once the 2 services are removed, no more IAT hooks nor processes
No rootkit here, it only protects LoadAppInitDll
LoadAppInit_Dlls has no effect on Windows XP. It has meaning only from Vista and above.

http://blogs.msdn.com/b/nickkramer/arch ... 77962.aspx
http://msdn.microsoft.com/ru-ru/library ... s.85).aspx
 #16915  by EP_X0FF
 Fri Nov 30, 2012 6:34 am
thisisu wrote: How do I "release a module"?
I found this: http://msdn.microsoft.com/en-us/library ... 85%29.aspx
Am I on the right track? Can someone provide a simple example of how to use versus etypemngr.dll?
No. This dll uses hooking. At any time there can be code executing inside hook handlers. Additionally, it can execute threads. Unloading this dll will crash the target process in 100% of cases.
 #16918  by thisisu
 Fri Nov 30, 2012 6:46 am
EP_X0FF wrote:
thisisu wrote: How do I stop the hooking :lol:
http://www.kernelmode.info/forum/viewto ... 741#p16741
Thanks, I did try these steps, all successfully except the very last one (delete .DLL).

Regarding cacls I got: "Successfully processed %path of dll%", rebooted. Nulled APPINIT_DLLs - OK, reset perms using cacls again - OK. But then the .DLL still failed to delete. And this is all after both eType Manager and IBUpdaterService services were stopped and deleted. Processes killed.
 #16919  by Tigzy
 Fri Nov 30, 2012 6:51 am
Hello

Don't try to unload modules, this is a system-wide hook, so it is in every process. As EP said, it will crash for sure.

Target only the AppInit key + RUN key + Services keys
Kill processes + Stop services and reboot.

Look at the last RK log to see what has to be deleted.
The key you asked isn't malware ;)
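As an added example (not from the thread or any poster), a read-only PowerShell audit of the AppInit_DLLs mechanism discussed above: it reads both registry views, applies EP_X0FF's caveat that LoadAppInit_Dlls only counts from Vista on, and lists which running processes currently hold each listed DLL, which is exactly why the file cannot be deleted until the value is cleared, the processes are gone and the machine has rebooted. The registry paths are the standard Windows ones; it changes nothing.

```powershell
# Added example, not from the thread: audit AppInit_DLLs and show who holds the DLLs.
# Read-only; run in an elevated PowerShell so module lists of most processes are readable.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64
)
$osVersion = [Environment]::OSVersion.Version

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $dlls  = $props.AppInit_DLLs
    $load  = $props.LoadAppInit_Dlls

    Write-Host "`n[$key]"
    Write-Host "  AppInit_DLLs     : '$dlls'"
    if ($osVersion.Major -ge 6) {
        # Vista and later honour LoadAppInit_Dlls (1 = enabled); XP ignores the value entirely
        Write-Host "  LoadAppInit_Dlls : $load"
    } else {
        Write-Host "  LoadAppInit_Dlls : (ignored on this OS; AppInit_DLLs alone decides)"
    }
    if (-not $dlls -or -not $dlls.Trim()) { continue }

    # Entries are separated by spaces or commas; expand any environment variables in them
    foreach ($entry in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        # A process whose module list contains this path keeps the file locked on disk
        $holders = Get-Process -ErrorAction SilentlyContinue | Where-Object {
            try { $_.Modules | Where-Object { $_.FileName -ieq $path } } catch { $false }
        }
        Write-Host "  -> $path"
        Write-Host "     on disk  : $(Test-Path -LiteralPath $path)"
        if ($holders) {
            $list = ($holders | ForEach-Object { '{0}({1})' -f $_.ProcessName, $_.Id }) -join ', '
            Write-Host "     loaded in: $list   (do not unload; clear the value, reboot, then delete)"
        } else {
            Write-Host "     loaded in: (no running process holds it)"
        }
    }
}
```

Processes whose module list cannot be read (protected or cross-bitness) are silently skipped, so an empty "loaded in" line is not proof that nothing holds the file.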