Does ESET hook System Calls?

Discussion in 'ESET Smart Security' started by FreakySmiley, Aug 13, 2008.

Thread Status:
Not open for further replies.
  1. FreakySmiley (Registered Member; Joined: Aug 13, 2008; Posts: 5)

    Hi,

    Yesterday I used Helios (anti-rootkit scanner) to scan my system for rootkits. Helios found seven hooked system calls. I used Helios to fix them, but after the next reboot they were back. Today I got an idea: it must be ESET Smart Security that hooks system calls for its real-time antivirus scan!
    If not, I've got a rootkit - and that's bad ...

    Here is what is hooked:
    [14:41:39] Function: [247] 'NtSetValueKey (sppw.sys)' hooked
    [14:41:39] Function: [177] 'NtQueryValueKey (sppw.sys)' hooked
    [14:41:39] Function: [160] 'NtQueryKey (sppw.sys)' hooked ^
    [14:41:39] Function: [119] 'NtOpenKey (sppw.sys)' hooked |
    [14:41:39] Function: [73] 'NtEnumerateValueKey (sppw.sys)' hooked |
    [14:41:39] Function: [71] 'NtEnumerateKey (sppw.sys)' hooked |
    [14:41:39] Function: [41] 'NtCreateKey (sppw.sys)' hooked
    [14:41:39] Processing system call information....

    The sppw.sys cannot be found by MS SearchEngine. I tried to find it with a hex editor, but it needs 153,82198125h (best case) to complete -.- . Therefore I do not believe this file exists anymore.
    The name of that file changes after every boot, but it seems to start with 's' every time (spax.sys, e.g.).

    Today it's: spnc.sys
    ... spkk.sys

    Kind regards
     
    Last edited: Aug 16, 2008