Hooked functions (SSDT)



#1 x86 (New Member, 1 posts)
Hello everybody,

this is my first post here :-) I recently had an issue with some virus or malware-infected program writing a "b.exe", "msa.exe" and "msxml.dll" to my Windows directory. But gladly, my antivirus software detected it and seemingly could delete those files.

None of these files are present anymore; furthermore, two registry keys ("NordBull" and "PopRock") have been deleted, and b.exe has been taken out of the HKLM "Run" key. Nothing strange is loaded in the background. Rootkit Revealer finds neither hidden files nor processes. The system behaves absolutely normally, and there is also no strange network activity or the like.

Of course, if the previous admin had created an image of that box (which he did not...), I would have restored it just to be sure - but for a completely new setup I just don't have the time at this point. And with some years of eXPerience, I actually would consider that system clean again.

But today, I stumbled across "RootRepeal", and I thought it would be a good idea to give it a try just to be sure...
And what did I see: no hidden files or processes, but... the SSDT tab showed 11 hooked processes (red entries)!

This looks somewhat suspicious to me, as these functions seem to be responsible for writing to and reading from the Windows registry. Thus, my question to you experts: is it normal that these processes are hooked? If not, are there (or can you imagine that there would be any use for) tools that might hook into those processes? Which ones could those be (then I can check if any of them is installed on that box...)?

Thank you VERY much in advance for having a look at that log (see below) and answering my questions.

With the best regards,
x86

-----

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time:		2009/10/30 11:24
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

SSDT
-------------------
#: 041	Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb0ee01ee

#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb0ee01e4

#: 063	Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xb0ee01f3

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xb0ee01fd

#: 098	Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xb0ee0202

#: 122	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb0ee01d0

#: 128	Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xb0ee01d5

#: 193	Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xb0ee020c

#: 204	Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xb0ee0207

#: 247	Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xb0ee01f8

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xb0ee01df

==EOF==

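Editor's added example (not part of x86's post, and not RootRepeal's own code): a small parser for the SSDT section of a RootRepeal log that pulls out the facts an analyst actually checks before deciding whether hooks like the ones above are benign. The sample text is a constructed re-typing of the eleven entries from the post, laid out one entry per two lines as the flattened log reads; the hook regex and the category buckets are this example's own assumptions, not a documented RootRepeal format.

```python
"""Parse the SSDT section of a RootRepeal log and summarise the hooks."""
import re
from collections import Counter

# Constructed sample: the SSDT entries from the post above, re-typed for this
# example. Not an original log file.
SAMPLE_LOG = """\
==================================================
SSDT
-------------------
#: 041	Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb0ee01ee
#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb0ee01e4
#: 063	Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xb0ee01f3
#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xb0ee01fd
#: 098	Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xb0ee0202
#: 122	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb0ee01d0
#: 128	Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xb0ee01d5
#: 193	Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xb0ee020c
#: 204	Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xb0ee0207
#: 247	Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xb0ee01f8
#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xb0ee01df
==EOF==
"""

# Assumed layout: an index/name line followed by a "Status:" line.
ENTRY_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<name>\w+)\s*\n'
    r'Status:\s*Hooked by "(?P<module>[^"]*)" at address 0x(?P<addr>[0-9a-fA-F]+)'
)


def parse_ssdt(text):
    """Return one dict per hooked SSDT entry: index, name, module, address."""
    return [
        {
            "index": int(m.group("index")),
            "name": m.group("name"),
            "module": m.group("module"),
            "address": int(m.group("addr"), 16),
        }
        for m in ENTRY_RE.finditer(text)
    ]


def classify(name):
    """Coarse bucket by what the syscall touches (example's own heuristic)."""
    if "Key" in name:
        return "registry"
    if "Process" in name or "Thread" in name:
        return "process/thread"
    return "other"


def summarize(hooks):
    """The questions to answer: how many, owned by whom, how clustered, what kind."""
    addrs = [h["address"] for h in hooks]
    return {
        "count": len(hooks),
        "modules": sorted({h["module"] for h in hooks}),
        "unattributed": sum(h["module"] == "<unknown>" for h in hooks),
        "lowest": min(addrs),
        "highest": max(addrs),
        "span_bytes": max(addrs) - min(addrs),
        "categories": dict(Counter(classify(h["name"]) for h in hooks)),
    }


if __name__ == "__main__":
    s = summarize(parse_ssdt(SAMPLE_LOG))
    print(f"{s['count']} hooks, {s['unattributed']} with no owning module")
    print(f"targets lie within {s['span_bytes']} bytes: "
          f"0x{s['lowest']:08x}-0x{s['highest']:08x}")
    print("by category:", s["categories"])
```

On this input the summary says what a reader of the raw log has to work out by hand: all eleven targets sit inside a 60-byte window, every one is attributed to "<unknown>", and the set is exactly the registry-modifying plus process/thread-access calls. A single tight address range is what one driver's hook table looks like, and this particular set of functions is the kind that XP-era antivirus and HIPS products hook to protect their own registry keys and processes, so the pattern by itself is not proof of a rootkit. What needs explaining is the "<unknown>" owner: the next check is whether that address range belongs to a loaded driver (a legitimate product would normally be attributable to its own .sys file), and if nothing claims it, to treat the box as still compromised rather than clean.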