Does ESET hook System Calls?


FreakySmiley
August 13th, 2008, 09:09 AM
Hi,

yesterday I used Helios (anti-rootkit scanner) to scan my system for rootkits. Helios found seven hooked system calls. I used Helios to fix them, but after the next reboot they're back. Today I got an idea: it must be ESET Smart Security that hooks system calls for real-time antivirus scanning!
If not, I've got a rootkit, and that's bad ...

Here is what is hooked:
[14:41:39] Function: [247] 'NtSetValueKey (sppw.sys)' hooked
[14:41:39] Function: [177] 'NtQueryValueKey (sppw.sys)' hooked
[14:41:39] Function: [160] 'NtQueryKey (sppw.sys)' hooked ^
[14:41:39] Function: [119] 'NtOpenKey (sppw.sys)' hooked |
[14:41:39] Function: [73] 'NtEnumerateValueKey (sppw.sys)' hooked |
[14:41:39] Function: [71] 'NtEnumerateKey (sppw.sys)' hooked |
[14:41:39] Function: [41] 'NtCreateKey (sppw.sys)' hooked
[14:41:39] Processing system call information....

sppw.sys cannot be found by the Windows search. I tried to find it with a hex editor, but that would need 153.82198125 h (best case) to complete -.- . Therefore I do not believe this file exists anymore.
The name of that file changes after every boot, but it seems to start with 's' every time (spax.sys, for example).

Today it's: spnc.sys
... spkk.sys

Regards
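The practical way to settle the question in the post above is not to search the disk by hand but to ask the service control manager which driver is loaded under the randomised name and who signed its image. The following PowerShell is an added example written for this thread; it is not code from the original poster, from Helios, or from ESET. It assumes the name pattern `^s[a-z]{3}\.sys$` derived from the names the poster listed (sppw, spax, spnc, spkk), that the driver is registered as a Win32_SystemDriver whose image path ends in that file name, and PowerShell 3 or later for Get-CimInstance (older systems would use Get-WmiObject with the same class).

```powershell
# Added example, not from the thread: find the running driver with a randomised
# s???.sys name and report whether its image is on disk and who signed it.
# Assumption: the pattern below is taken from the names the poster observed.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    # Service image paths are stored in NT form; map the common prefixes
    # to Win32 paths so Test-Path and Get-AuthenticodeSignature can use them.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^\\?system32\\') {
        $p = Join-Path $env:SystemRoot ($p.TrimStart('\'))
    }
    return $p
}

function Get-SuspectDriver {
    param([string]$NamePattern = '^s[a-z]{3}\.sys$')  # assumed from the post

    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $file = Resolve-DriverPath $_.PathName
            $leaf = Split-Path -Leaf $file
            if ($leaf -notmatch $NamePattern) { return }   # skip non-matching drivers

            # A driver that deletes or hides its image after loading will fail here;
            # report that explicitly instead of throwing.
            $exists = Test-Path -LiteralPath $file
            $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $file } else { $null }

            [pscustomobject]@{
                Service   = $_.Name
                Image     = $file
                OnDisk    = $exists
                SigStatus = if ($sig) { $sig.Status } else { 'file missing' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

Get-SuspectDriver | Format-List
```

Read the result as follows: a `Valid` signature whose subject names your antivirus vendor is consistent with the hooks being the product's own self-protection of its registry keys; `NotSigned`, `HashMismatch` or `file missing` does not prove a rootkit, but it means the question is still open, because a kernel-mode rootkit can hide its image from both this query and the hex-editor search the poster tried. `driverquery /v /si` from an elevated prompt gives a quick cross-check of the same signed-or-not information, and if the driver still cannot be located, a scan from outside the running system (boot media) is the next step.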