This is a bit of a Loch Ness monster bug, so bear with me. I’ve been working in IT for a while now (over a decade), with a fair knowledge of Windows systems – in this instance Windows XP Pro SP3 x86, fully patched, running Comodo CIS (Free) 5.10.228257.2253.
I keep regular offline back-ups and builds of my systems. In recent months, I’ve noticed some strange occurrences. The computer(s) connected to the internet, firewalled with Comodo, would crash, then upon reboot the below Kernel sections were modified. Restarting the system doesn’t do anything to clear them and the only way to get rid of them is to rebuild the computer. There are sometimes days or weeks in between these crashes, but it’s always the same scenario, and it’s only the machines with Comodo.
I’ve implemented very strict security measures, disabling every port and every service I can think of and I’m running a fairly tight firewall policy. I run a very tight ship when it comes to these computers, so this modification is a glaring red flag to me. I’m fairly certain these machines are being directly targeted and compromised, despite only this seemingly benign remnant of evidence. I have other reasons to believe this as well, outside of these computer related artifacts. I’d rather not go into too much detail regarding the rationale behind this on a public forum.
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2CF8 805045F0 4 Bytes CALL EAECFD78
.text ntkrnlpa.exe!ZwCallbackReturn + 2D00 805045F8 4 Bytes [86, EA, 83, B7]
From what I could find on Google, ZwCallbackReturn, if I understood it correctly, is used to let user-land processes know when a driver has finished its operations. Other than that, I have no knowledge as to why it would be modified. However, it’s a fairly common thing among other GMER logs running Comodo, although the byte offsets are usually different.
Anybody with in-depth knowledge know what might be happening?
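Added example, not part of the original post or of GMER: a small Python parser for GMER "Kernel code sections" lines like the two quoted above. It decodes each entry and flags branch detours (CALL/JMP) whose destination lies outside the patched module's address range, which is the first triage question for an inline kernel hook. The ntkrnlpa.exe address range passed in is an assumed placeholder, not a value from the post; take it from the scanner's module list on the affected machine.

```python
"""Parse GMER 'Kernel code sections' entries and triage inline detours."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two entries quoted in the forum post.
SAMPLE_LOG = """\
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2CF8 805045F0 4 Bytes CALL EAECFD78
.text ntkrnlpa.exe!ZwCallbackReturn + 2D00 805045F8 4 Bytes [86, EA, 83, B7]
"""

# <section> <module>!<symbol> + <offset> <address> <n> Bytes <detail>
LINE_RE = re.compile(
    r"^(?P<section>\.\w+)\s+(?P<module>[\w.]+)!(?P<symbol>\w+)\s*\+\s*"
    r"(?P<offset>[0-9A-Fa-f]+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<count>\d+)"
    r"\s+Bytes?\s+(?P<detail>.+)$"
)

@dataclass
class Entry:
    section: str
    module: str
    symbol: str
    offset: int
    address: int
    count: int
    mnemonic: Optional[str]   # 'CALL' / 'JMP' when GMER decoded a branch
    target: Optional[int]     # branch destination, if any
    raw: Optional[bytes]      # raw modified bytes when no branch is decoded

def parse_entry(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None   # header lines and anything else are skipped
    detail = m["detail"].strip()
    mnemonic = target = raw = None
    branch = re.match(r"^(CALL|JMP)\s+([0-9A-Fa-f]{8})$", detail)
    if branch:
        mnemonic, target = branch[1], int(branch[2], 16)
    elif detail.startswith("["):
        raw = bytes(int(b, 16) for b in detail.strip("[]").split(","))
    return Entry(m["section"], m["module"], m["symbol"], int(m["offset"], 16),
                 int(m["addr"], 16), int(m["count"]), mnemonic, target, raw)

def parse_log(text: str) -> list:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]

def detours_outside_module(entries, module_start, module_end):
    """Branch entries whose destination is not inside [module_start, module_end)."""
    return [e for e in entries
            if e.target is not None and not (module_start <= e.target < module_end)]
```

A detour whose destination is outside the kernel image (and ideally outside every listed driver) is the entry worth chasing with a memory dump; raw-byte entries with no decoded branch need the original bytes from a clean copy of the same file version to judge.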