Unknown SSDT Entries

Discussion in 'malware problems & news' started by Adric, Jul 22, 2011.

Thread Status:
Not open for further replies.
  1. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    I just ran a rootkit scan and noticed that I have 18 <unknown> entries when I scan the SSDT table, which doesn't seem right to me. When I scan the shadow SSDT table no unknowns show up. Is there any way to find out what is doing the hook and if it's ok or not?


      ROOTREPEAL (c) AD, 2007-2009
      ==================================================
      Scan Start Time: 2011/07/22 16:04
      Program Version: Version 1.3.5.0
      Windows Version: Windows XP SP3
      ==================================================

      SSDT
      -------------------
      #: 041 Function Name: NtCreateKey
      Status: Hooked by "<unknown>" at address 0xba800008

      #: 063 Function Name: NtDeleteKey
      Status: Hooked by "<unknown>" at address 0xba800058

      #: 065 Function Name: NtDeleteValueKey
      Status: Hooked by "<unknown>" at address 0xba8000a8

      #: 068 Function Name: NtDuplicateObject
      Status: Hooked by "<unknown>" at address 0xba8002b0

      #: 071 Function Name: NtEnumerateKey
      Status: Hooked by "<unknown>" at address 0xba800120

      #: 073 Function Name: NtEnumerateValueKey
      Status: Hooked by "<unknown>" at address 0xba800148

      #: 098 Function Name: NtLoadKey
      Status: Hooked by "<unknown>" at address 0xba8001e8

      #: 119 Function Name: NtOpenKey
      Status: Hooked by "<unknown>" at address 0xba800030

      #: 122 Function Name: NtOpenProcess
      Status: Hooked by "<unknown>" at address 0xba800288

      #: 160 Function Name: NtQueryKey
      Status: Hooked by "<unknown>" at address 0xba800170

      #: 161 Function Name: NtQueryMultipleValueKey
      Status: Hooked by "<unknown>" at address 0xba8001c0

      #: 177 Function Name: NtQueryValueKey
      Status: Hooked by "<unknown>" at address 0xba800198

      #: 192 Function Name: NtRenameKey
      Status: Hooked by "<unknown>" at address 0xba8000f8

      #: 204 Function Name: NtRestoreKey
      Status: Hooked by "<unknown>" at address 0xba800260

      #: 207 Function Name: NtSaveKey
      Status: Hooked by "<unknown>" at address 0xba800238

      #: 226 Function Name: NtSetInformationKey
      Status: Hooked by "<unknown>" at address 0xba8000d0

      #: 247 Function Name: NtSetValueKey
      Status: Hooked by "<unknown>" at address 0xba800080

      #: 255 Function Name: NtSystemDebugControl
      Status: Hooked by "<unknown>" at address 0xba8002d8

    Thanks, Al
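    One way to triage a log like the one above, as an added example that is not part of the original post and not a RootRepeal feature: parse the "#:" / "Status:" pairs, cluster the hook target addresses by proximity (hooks installed by one driver land inside that driver's image, so they sit close together), and look each cluster up against a list of loaded drivers to name the owner. The log excerpt is taken from the post; the driver list (names, bases and sizes) is constructed and hypothetical, standing in for whatever a driver listing on the affected machine would return.

```python
"""Triage of RootRepeal SSDT output: parse hook lines, cluster hook targets by
address proximity and check each cluster against a list of loaded drivers."""
import re
from dataclasses import dataclass

# Excerpt of the RootRepeal log quoted in the first post (six of the 18 entries).
SAMPLE_LOG = """\
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba800008

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba800058

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0xba8002b0

#: 119 Function Name: NtOpenKey
Status: Hooked by "<unknown>" at address 0xba800030

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba800288

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "<unknown>" at address 0xba8002d8
"""

# Constructed, hypothetical loaded-driver list (name, image base, image size),
# as you would collect from a driver listing on the same machine.
LOADED_DRIVERS = [
    ("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    ("HYPOTHETICAL_FILTER.sys", 0xBA800000, 0x8000),
]

HOOK_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s*\n'
    r'\s*Status:\s*Hooked by "([^"]*)" at address 0x([0-9a-fA-F]+)')


@dataclass(frozen=True)
class Hook:
    index: int
    name: str
    module: str
    address: int


def parse_hooks(text):
    """Return one Hook per (#:, Status:) pair in RootRepeal SSDT output."""
    return [Hook(int(i), n, m, int(a, 16)) for i, n, m, a in HOOK_RE.findall(text)]


def cluster_by_address(hooks, max_gap=0x10000):
    """Group hooks whose target addresses lie within max_gap of their neighbour.
    Hooks from one driver land inside that driver's image, so they cluster."""
    clusters = []
    for h in sorted(hooks, key=lambda h: h.address):
        if clusters and h.address - clusters[-1][-1].address <= max_gap:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters


def owning_driver(address, drivers=LOADED_DRIVERS):
    """Name the driver whose [base, base+size) range contains address, if any."""
    for name, base, size in drivers:
        if base <= address < base + size:
            return name
    return None


def categorize(name):
    """Coarse label for what a hooked system service touches."""
    if "Key" in name:
        return "registry"
    if name in ("NtOpenProcess", "NtDuplicateObject"):
        return "process/handle"
    if name == "NtSystemDebugControl":
        return "debug"
    return "other"


def triage(text, drivers=LOADED_DRIVERS):
    """Summarise each cluster: address span, likely owner and API categories."""
    report = []
    for cluster in cluster_by_address(parse_hooks(text)):
        lo, hi = cluster[0].address, cluster[-1].address
        cats = sorted({categorize(h.name) for h in cluster})
        report.append({"hooks": len(cluster), "span": (lo, hi),
                       "driver": owning_driver(lo, drivers), "categories": cats})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        lo, hi = entry["span"]
        print(f"{entry['hooks']} hooks in 0x{lo:x}-0x{hi:x} -> "
              f"{entry['driver'] or 'no loaded driver matched'}; "
              f"{', '.join(entry['categories'])}")
```

    The useful signal here is that every hook target falls inside one small range, so a single kernel module installed them; pairing that range with the system's loaded-driver bases is what turns "<unknown>" into a file name you can then check for a vendor signature. The category summary (registry, process/handle, debug) describes what the hooking module is interposing on, which is what you compare against the claimed purpose of whatever security or sandboxing software is installed.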
     
  2. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Possibly an A/V or other security software?
     
  3. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Up to now, I've been able to identify the security programs by the module names that do the hooking, such as Prevx, etc. I have one other application that I recently installed (Returnil), but I disabled all of its startup services, so it is not running. Maybe disabling the app and rebooting is not enough to get rid of the hooks. I need to uninstall Returnil and then do the check. I will post back.

    Al
     
  4. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Okay, these entries are caused by Returnil. What I don't understand is why the application is not easily identifiable as doing the hooks.

    Al
     
  5. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    It might be a matter of self protection? I know Avira shows up the same way.
     