Does ESET hook System Calls?

Discussion in 'ESET Smart Security' started by __Nikopol, Aug 13, 2008.

Thread Status:
Not open for further replies.
  1. __Nikopol, Registered Member (Joined: Aug 13, 2008; Posts: 193; Location: Germany)

    Hi,

    Yesterday I used Helios (antirootkit scanner) to scan my system for rootkits. Helios found seven hooked system calls. I used Helios to fix them, but after the next reboot they're back. Today I got an idea: it must be ESET Smart Security that hooks system calls for the real-time antivirus scan!
    If not, I've got a rootkit - and that's bad ...

    Here is what is hooked:
    [14:41:39] Function: [247] 'NtSetValueKey (sppw.sys)' hooked
    [14:41:39] Function: [177] 'NtQueryValueKey (sppw.sys)' hooked
    [14:41:39] Function: [160] 'NtQueryKey (sppw.sys)' hooked ^
    [14:41:39] Function: [119] 'NtOpenKey (sppw.sys)' hooked |
    [14:41:39] Function: [73] 'NtEnumerateValueKey (sppw.sys)' hooked |
    [14:41:39] Function: [71] 'NtEnumerateKey (sppw.sys)' hooked |
    [14:41:39] Function: [41] 'NtCreateKey (sppw.sys)' hooked
    [14:41:39] Processing system call information....

    The sppw.sys cannot be found by MS SearchEngine. I tried to find it with a hex editor, but it needs 153,82198125h (best case) to complete -.- . Therefore I do not believe this file exists anymore.
    The name of that file changes after every boot. But it seems to start every time with 's' (spax.sys, for example).

    Today it's: spnc.sys
    ... spkk.sys

    Kind regards
     
    Last edited: Aug 16, 2008