apiqq.dll registers a hidden process that cannot be killed using standard methods. taskkill fails to see the task PID. It has no file path, size or date and has a 32 K memory footprint.
The program injects modules apiqq0.dll, apiqq1.dll or apiqq2.dll into each process a short time after logon. The rootkit is poorly written and, to ensure the dll is intact, the process with the freshest, "active" dll forces a handle on the dll and rewrites it every few hundred milliseconds. It also tries to access previously removed registry entries.
The file has been submitted to virustotal. The report is available here: http://www.virustotal.com/file-scan/report...b09e-1284565024
It's surprising to see that packing the exe using a simple tool like ASPack reduces the detectability to 14%.
The dll is created in the active user's temp directory. Since the targeted machine is an EEE PC, it's running XP with the default user on admin privileges.
Sysinternals tools don't list the process (obviously) and looking through Autoruns' results I don't see anything out of the ordinary nor anything that wasn't masked well enough. I did run Autoruns a few days ago and removed a few suspicious entries, to no avail.
RkUnhooker and rootkitanalytics' spydllremover were the only software that managed to detect the program. It's currently disabled; however, it will likely return on next boot. I could use procmon to try and catch the point where the rootkit becomes active, but I'm not quite sure how to set up the filtering for that.
My gmail account has also been compromised, a single access from a Chinese IP - I nmap'ed it shortly after, but it appears to have gone offline or is protected by a properly configured firewall - not a typical result for botnet machines.
The password used could not be brute-forced in any reasonable amount of time, and it's not used or stored elsewhere online or on paper.
What kind of logs do you guys need and what steps should I take to remove this rootkit?
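The following is an added example, not code from the poster or from any of the tools mentioned. It is a defender-side check for the behaviour described above: it walks every process the OS will let you open, lists any loaded module whose name matches the apiqq*.dll pattern, and hashes whatever apiqq*.dll files sit in the current user's temp directory so they can be compared against the VirusTotal report. It assumes Windows PowerShell 2.0 or later is installed on the XP machine and that it is run from an administrator prompt; the module-name pattern and the temp-directory location come from the post, everything else is an assumption.

```powershell
# Added example (not from the original post): look for apiqq*.dll loaded in any
# process and hash copies found in %TEMP%. Assumes PowerShell 2.0+ on the host.
$pattern = '^apiqq[0-2]?\.dll$'   # apiqq.dll, apiqq0.dll, apiqq1.dll, apiqq2.dll (names from the post)
$hits = @()

foreach ($proc in Get-Process) {
    try {
        foreach ($mod in $proc.Modules) {
            if ($mod.ModuleName -match $pattern) {
                $hits += New-Object PSObject -Property @{
                    PID     = $proc.Id
                    Process = $proc.ProcessName
                    Module  = $mod.ModuleName
                    Path    = $mod.FileName
                }
            }
        }
    } catch {
        # Protected or system processes deny module enumeration. Record them instead
        # of aborting: a process that refuses inspection is worth a second look.
        Write-Warning ("Cannot enumerate modules of PID {0} ({1}): {2}" -f `
            $proc.Id, $proc.ProcessName, $_.Exception.Message)
    }
}

# The post says the dll lives in the active user's temp directory and that the
# "active" copy is rewritten every few hundred milliseconds while a handle is held,
# so a sharing violation on open is itself a useful signal. SHA1 is computed through
# .NET so this works without Get-FileHash (PowerShell 4+).
$sha1 = [System.Security.Cryptography.SHA1]::Create()
foreach ($file in Get-ChildItem -Path $env:TEMP -Filter 'apiqq*.dll' -Force -ErrorAction SilentlyContinue) {
    try {
        $stream = [System.IO.File]::OpenRead($file.FullName)
        try {
            $hash = ($sha1.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $stream.Close()
        }
        "{0}  {1}  {2} bytes  {3}" -f $hash, $file.FullName, $file.Length, $file.LastWriteTime
    } catch {
        Write-Warning ("Cannot read {0}: {1}" -f $file.FullName, $_.Exception.Message)
    }
}

if ($hits.Count -eq 0) {
    "No apiqq*.dll module visible to user-mode enumeration (a rootkit can hide these; cross-check with RkUnhooker)."
} else {
    $hits | Sort-Object PID | Format-Table -AutoSize PID, Process, Module, Path
}
```

A negative result from this script proves little on its own, since the post already notes that the hidden process is invisible to Sysinternals tools and user-mode module lists can be filtered the same way; treat it as a quick cross-check against the RkUnhooker output rather than a replacement for it. For the procmon question, a filter of "Path contains apiqq" combined with "Operation is Load Image", with boot logging enabled under the Options menu, will show which process first maps the dll after the next reboot and when.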