CastleCops, Internet Crime Fighters
unhooking files
Forum: Rootkit Revelations

glenmar11
Cadet
Joined: Sep 07, 2006
Posts: 8
Location: USA

Posted: Thu Sep 07, 2006 7:39 pm    Post subject: unhooking files

I would like a question answered if anyone can: Is there anything on your system that needs to be hooked, or is the presence needed for some other uses? I have some detectors and a remover, but I don't know if I should unhook them all or not. The ones that are hooked are unknown. If someone can tell me that I will be very happy. Thanks, Glenn

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005
Posts: 11723
Groups: 1st Responder Mentors, 1st Responders, Forums Admin, MIRT, Moderators, Premium, Rootkit Experts, Security Experts, SRT Team, CC Committee

Posted: Thu Sep 07, 2006 8:27 pm

Well, you should post the logs from whatever detectors you use. But, to answer your question, yes, a number of things do legitimately use hooks. Almost all firewalls have to hook to work properly, so too with other anti-malware software, particularly MIPS software like ProcessGuard and Prevx1. In addition, so do virtual machines, and some anti-virus software. System files are hooked to each other, and depending on the discovery software you are using, they may or may not report those hooks. Some report almost everything, others have a "white list" and ignore legitimate known hooks.

Whatever you do, do not start removing hooks yourself. It takes a lot of training and experience to know what you should remove, and what you shouldn't. Do it wrong and you can really mess up your system to the point where it might be unfixable other than with a system reinstall. Best to post here and let someone look it over for you.

However if you do decide to do it yourself, make a full system backup using something like Acronis TrueImage or Ghost, etc. before doing anything. At least that way, you can always restore from the backup if you wind up killing your OS.


_________________
Don't read? Can't learn!
glenmar11
Cadet
Joined: Sep 07, 2006
Posts: 8
Location: USA

Posted: Thu Sep 07, 2006 9:04 pm

OK, I had something called mssync20 that kept coming up and was told it was a rootkit. I deleted the .exe and .sys part in the registry and have not been bothered so far with it coming up anymore; I just don't know what all is left from it. I will run a log and post it and work from there. Thanks again for your time with this matter. Glenn

negster22
Security Expert, Premium Member
Joined: Mar 10, 2004
Posts: 5394
Groups: Moderators, MVP, Premium, RootKit Detection Hosts, Rootkit Experts, Security Experts, SRT

Posted: Fri Sep 08, 2006 3:23 am

It was wise to rid yourself of mssync20 because it is a password stealing trojan called Troj/LdPinc-LZ that also installs a backdoor and a keylogger to harvest your personal info.

I don't know if you conduct any personal banking or financial transactions on your computer, but if you do you should follow the directions provided in "How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?". Even if you do not conduct any transactions online, you should still change all your passwords, to be safe.

If you successfully removed the EXE and SYS files, you may just have a lingering autostart for the service, or that may have been removed by the automatic scanners which I am sure you already run:
HKLM\SYSTEM\CurrentControlSet\Services\mssync2020\
It would be helpful if you would describe how you removed the SYS and EXE files (i.e. with a rootkit tool or manually in safe mode) and what scanners you have used.

Many security programs hook the SSDT and some legit ones will be listed as unknown, especially if you use Symantec products.


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
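The post above describes the usual leftover after a manual cleanup: the driver and executable are gone, but the service key under HKLM\SYSTEM\CurrentControlSet\Services still points at them. The following PowerShell script is an added example, not code from the thread or from CastleCops, that enumerates every service and driver entry, resolves its ImagePath, and reports the ones whose binary no longer exists on disk; it also checks for the specific key name the post gives (mssync2020). It assumes a modern Windows PowerShell (Get-ItemProperty over the HKLM: drive) and read access to the Services hive; it only reads and reports, and does not delete anything.

```powershell
# Added example (not from the CastleCops thread): report service/driver
# registry entries whose ImagePath points at a file that is missing on disk.
# A hit is the "lingering autostart" situation described in the post above:
# the binary was removed but its Services key was left behind.
# This script is read-only; review any hit before touching the registry.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePathFile {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    # Drop the NT object prefix some driver entries carry (\??\C:\...)
    $p = $p -replace '^\\\?\?\\', ''
    # \SystemRoot\system32\drivers\x.sys -> C:\Windows\system32\drivers\x.sys
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    # Quoted path: the file name is what sits inside the quotes
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    # Unquoted path: arguments follow the first space (svchost.exe -k netsvcs)
    $first = $p.Split(' ')[0]
    # Drivers are often stored relative to the Windows directory
    if ($first -notmatch '^[A-Za-z]:\\') {
        $first = Join-Path $env:SystemRoot $first
    }
    return $first
}

$orphans = foreach ($key in Get-ChildItem -Path $servicesRoot) {
    $props = Get-ItemProperty -Path $key.PSPath
    if (-not $props.ImagePath) { continue }
    $file = Resolve-ImagePathFile $props.ImagePath
    if ($file -and -not (Test-Path -LiteralPath $file)) {
        [pscustomobject]@{
            Service   = $key.PSChildName
            Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $props.ImagePath
            Resolved  = $file
        }
    }
}

Write-Output "Service entries whose binary is missing on disk:"
$orphans | Format-Table -AutoSize

# Targeted check for the key named in the post (name taken from the thread)
$suspect = Join-Path $servicesRoot 'mssync2020'
if (Test-Path -Path $suspect) {
    Write-Output "Service key still present: $suspect"
    Get-ItemProperty -Path $suspect | Select-Object ImagePath, Start, Type
} else {
    Write-Output "No service key named mssync2020 under $servicesRoot"
}
```

Two caveats when reading the output. Some legitimate entries (for example a driver for hardware that is no longer installed) also show up as orphans, so a hit is a lead to investigate, not proof of malware. And the script queries the registry through the normal Windows API, so a rootkit that is still active and hiding its key will not appear at all; that is why the post asks for the output of a rootkit detection tool rather than a plain registry listing.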
glenmar11
Cadet
Joined: Sep 07, 2006
Posts: 8
Location: USA

Posted: Fri Sep 08, 2006 6:59 pm    Post subject: mssync20

OK, I used RootkitRevealer and then I went into safe mode and deleted those and all others that had mssync20 in them; so far so good. I have Webroot Spy Sweeper, Norton Internet 2005 and Spybot. I really have too much, but I guess you just have to have them to keep a watch out for all the bad stuff.
The mssync started to come up back in June, and at first no one had heard of it in searches online. Then I saw something about Rootkit Unhooker, and boy, I never knew. So I did some reading and was told to delete those and all with mssync20 in them, so that is what I did, in safe mode. I'm new, but I am interested in learning more to be able to spot them faster. I have no idea how it got on my computer. I will get back to you with more info. Glenn

I did change all of my passwords.

negster22
Security Expert, Premium Member
Joined: Mar 10, 2004
Posts: 5394

Posted: Fri Sep 08, 2006 7:57 pm

OK, thanks for the background info. We'll be here when you're ready.


glenmar11
Cadet
Joined: Sep 07, 2006
Posts: 8
Location: USA

Posted: Fri Sep 08, 2006 8:13 pm

Can I post a log file here, negster22?

negster22
Security Expert, Premium Member
Joined: Mar 10, 2004
Posts: 5394

Posted: Sat Sep 09, 2006 4:03 am

Sure!


All times are GMT