Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
1 reply to this topic

#1 archont


  • Members
  • 2 posts
  • Local time:12:09 AM

Posted 17 September 2010 - 01:53 PM

Good day,

apiqq.dll registers a hidden process that can not be killed using standard methods. taskkill fails to see the task PID. It has no file path, size or date and has a 32 K memory footprint.

The program injects modules apiqq0.dll, apiqq1.dll or apiqq2.dll into each process after a small time after logon. The rootkit is poorly written and to insure the dll is intact, the process with the freshest, "active" dll forces a handle on the dll and rewrites it every few hundred milliseconds. It also tries to access previously removed registry entries.

The file has been submitted to virustotal. The report is available here: http://www.virustotal.com/file-scan/report...b09e-1284565024
It's surprising to see that packing the exe using a simple tool like ASPack reduces the detectability to 14%.

The dll is created in the active user's temp directory. Since the targetted machine is an EEE PC, it's running XP with the default user on admin privilidges.

Sysinternals tools don't list the process (obviously) and looking through autorun's results I don't see anything out of the ordinary nor anything that wasn't masked well enough. I did run autoruns a few days ago and removed a few suspicious entries, to no avail.

RkUnhooker and rootkitanalytics' spydllremover were the only software that managed to detect the program. It's currently disabled however will likely return on next boot. I could use procmon to try and catch the point where the rootkit comes active, but I'm not quite sure how to set-up the filtering for that.

My gmail account has also been compromised, a single access from a chinese IP - I nmap'ed it shortly after, but it appears to have gone offline or protected by a properly configured firewall - not a typical result for botnet machines.

The password used was not possible to brute-force in any reasonable amount of time and it's not used or stored elsewhere online or on paper.

What kind of logs do you guys need and what steps should I take to remove this rootkit?

BC AdBot (Login to Remove)


#2 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,735 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:09 PM

Posted 17 September 2010 - 06:02 PM

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users