UnHackMe Version 4.0

Discussion in 'other anti-malware software' started by JerryM, Dec 20, 2006.

Thread Status:
Not open for further replies.
  1. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    UnHackMe has updated to Version 4. If I understand it correctly it includes their new Partizan rootkit detection/removal technology, and Fixed bugs and improved stability.

It looks good, and I have upgraded mine without incident. I do not have a clue as to the Partizan technology.
    Anyone know anything about it at this early date?

    Thanks,
    Jerry
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
  3. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
Boot time analysis, if they did it well then my applause. But boot time drivers load before the bootexecute option, lol
     
    Last edited: Dec 21, 2006
  4. controler

    controler Guest

    Thanks for the info JerryM

    People can always download Regrun Reanimator for free and check things out.

    I was wondering if you have tried some of the features of Regrun Platinum yet EP_X0FF? I would be interested to see what you have to say about it.

    controler
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Interesting! Didn't consider the last UnHackMe to be one of the main detectors but this is Ver4.0 so I'm gonna test it out.
     
  6. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
I think its new features will help only against user mode rootkits, because kernel mode drivers will load before Partizan. I'm sorry, but I do not want to test Unhackme, because I see no potential here.
     
  7. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Hi controler,

    No, I have not tried Regrun. Sorry I can't help there.

    I have been using UnHackMe for at least a year, and like it. However, like a lot of applications my judgment is colored by others, and the facts that it has not caused problems, and I have not been infected. I have no way to measure the effectiveness of much that I use.
    I just use them and my computers stay clean.

I also use Snoopfree, and don't know what any application has done, as I seem to get no attacks. They do warn when changes are made however, and that is some indication that they work.

    Best,
    Jerry
     
  8. controler

    controler Guest

    EP_X0FF

    Thank You

    I was thinking more of you looking at RegRun Platinum.
    Here is a screen shot of a scan with reanimator using the advanced scan. I used the free standalone version of Reanimator and not the one included in Regrun Platinum. I do however like his use of colors.
    I have not used this program much but the kernel auto boot function was seeing the kernel loading drivers at boot up. I could be wrong though.

    controler
     

  9. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Hi again, controler,
    Looking at your last post, I have no idea what all that means. I am not computer savvy enough to get very deep in these type of things.

    Best,
    Jerry
     
  10. controler

    controler Guest

    JerryM

yes I have a lic for Unhackme too. I got it for finding some bugs a few years ago. I try just about anything once. I think EP_XOFF explained how Unhackme works in another thread or forum but regrun has almost too many features and can be hard to get around in the program. I have not actually tried regrun on any rootkits lately. I was leaving that up to Spanner LOL
    the only purchased licenses I have were for process guard, regdefend, and BoClean
    I only have Boclean installed at present but am using EP_XOFF's program now and then too. I tried Gmer but not since he worked some serious bugs out.
    I am only running a hardware firewall at present also.
    I am still waiting for LinkLogger's post on the meanest nastiest attacks he is testing on his system. The only thing he mentioned so far was that he is not afraid of anything he has seen yet. We sent him to some pretty nasty sites to find malware. He did mention he has been too busy this time of year to do much testing and posting a write-up.

    controler
     
  11. controler

    controler Guest

    JerryM

What EP_XOFF is trying to say is that you need a program that can detect
    drivers which load up during the early stage of Windows starting up. The main goal is to start your driver before any other software drivers reach the kernel. I could be wrong but I have always thought that the first driver to reach the kernel before any other drivers do gains the most control.
    I think the first program I saw doing this was anti-keylogger. Usually programmers try to show you a splash icon on the early Windows bootup of what program is being loaded.

    I hope this helps a little bit

    controler
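The load-order point made in the posts above (boot-start drivers are resident before anything else, including the BootExecute programs that EP_X0FF mentions) can be checked on your own machine. The following read-only PowerShell listing is an added example for this thread, not code from any poster or from the UnHackMe or RegRun vendors. It reads only the standard HKLM\SYSTEM\CurrentControlSet keys; the sentinel rank 999 for groups missing from ServiceGroupOrder, and sorting by Tag alone within a group (GroupOrderList gives the exact intra-group order), are simplifications chosen for the example.

```powershell
# Added example, not part of the thread: list Windows boot-start and system-start drivers
# in approximate load order, then the BootExecute entries that Session Manager runs afterwards.
# Read-only; run from an elevated PowerShell prompt on the machine being examined.

$cs = 'HKLM:\SYSTEM\CurrentControlSet'

# The loader walks the groups in ServiceGroupOrder\List from top to bottom, so a group's
# position in that list is its rank. Groups not in the list are put last (999 is an
# arbitrary sentinel chosen for this example).
$groupList = @((Get-ItemProperty "$cs\Control\ServiceGroupOrder").List)
$groupRank = @{}
for ($i = 0; $i -lt $groupList.Count; $i++) { $groupRank[$groupList[$i]] = $i }

$drivers = foreach ($key in Get-ChildItem "$cs\Services") {
    $p = Get-ItemProperty -Path $key.PSPath
    # Start: 0 = Boot (loaded by the OS loader), 1 = System (loaded by the I/O manager
    # during kernel initialisation). Both are resident before any Start = 2 (Automatic)
    # service, which is where most user-mode security products start.
    if ($null -eq $p.Start -or $p.Start -gt 1) { continue }

    $group = [string]$p.Group
    $rank  = if ($group -and $groupRank.ContainsKey($group)) { $groupRank[$group] } else { 999 }
    # Tag orders drivers inside a group; GroupOrderList holds the exact order, so sorting
    # by Tag alone is an approximation that is good enough for eyeballing the list.
    $tag   = if ($null -ne $p.Tag) { [int]$p.Tag } else { 0 }

    [pscustomobject]@{
        Name      = $key.PSChildName
        Start     = [int]$p.Start
        StartType = @('Boot', 'System')[$p.Start]
        Group     = $group
        GroupRank = $rank
        Tag       = $tag
        ImagePath = [string]$p.ImagePath
    }
}

# Earliest first: boot drivers before system drivers, then by group rank and tag.
$drivers | Sort-Object Start, GroupRank, Tag, Name |
    Format-Table Name, StartType, Group, Tag, ImagePath -AutoSize

# BootExecute holds native programs (autochk-style) that Session Manager starts before
# the Win32 subsystem exists. Every driver listed above is already loaded by the time
# these run, which is the ordering point discussed in this thread.
$sm = Get-ItemProperty "$cs\Control\Session Manager"
Write-Output 'BootExecute entries:'
@($sm.BootExecute) | ForEach-Object { Write-Output "  $_" }
```

A security product that registers as a Start = 0 driver in an early group appears near the top of this table; one that relies on BootExecute or an Automatic service appears after every boot-start driver, whatever its marketing says. Comparing the table against a known-good baseline of the same machine is also a cheap way to spot an unexpected boot-start driver.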
     
  12. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Thanks, and I do truly appreciate the help.
    For now, however, I have all the programs I want. I know that one can keep going with sandboxes, and various other security programs until the system fails due to the load.

But in all the short time, 7 years or so, that I have had a computer I have only had about three attempts to infect, and the AV caught them. I am not convinced that in the real world of average, safe users we need anywhere near all the applications available.
    If that were not true, then most folks that I know would be infected all the time, but they aren't.

I think I have probably more than I need, and if I compare with others I know I do have more.

    Most that I know have an AV, generally either the big 2 or AVG free; Windows firewall; AdAware and Spybot; and maybe a stand alone AS like Spysweeper, although not many have SS.

    So as much as I appreciate the advice, I am going to "hold what I got" for now.

    Best,
    Jerry
     
  13. controler

    controler Guest

    JerryM

yes you do have a pretty good setup already. Everybody has their ideal setups which all vary. A good firewall and AV are good enough for most normal surfing and you are right about a sandbox program as well.
    The only thing I noticed is what was adequate a few years ago for protection doesn't hold true anymore, then you have companies like Sony & Symantec which tried rootkits in their programs without informing customers. Drive-by threats are more widespread now and everybody wants their piece of the kernel. You also need to remember a lot of the posts here are not aimed at average users. The mom, pop, grandparents that still click on e-mail attachments LOL.
    Good luck to ya

    controler
     
  14. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I agree. Like the rest of the world those who want to do damage to others keep increasing and getting better at it.

    Thanks, again for the help and advice. I need all I can get.

    Merry Christmas.
    Jerry
     
  15. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041


    I'm not sure how or what they have done but partizan seems to load before ssm - that loads early under boot as a kernel driver?
     
  16. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
I was wondering if you might be able to help me. I am interested in UnHackMe 4 but I don't know if it is worth it. I have Dr Web and see no current infections. I also have and use HJT, Sophos Anti-Rootkit, GMER, Blacklight, and Rootkit Revealer. All say that I have no infection. The problem is sometimes GMER detects something. No other software does, including UnHackMe. Is this a false positive? UnHackMe can constantly scan in the background, which is nice. No other can do that. But how effective is it?
     
  17. MP_ART

    MP_ART Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    25
    Location:
    Krsk
    @n8chavez

Can you show your GMER log here? BTW this detector can generate a GIANT log that is full of false positives on a clean system
     
  18. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Controler
    That is an interesting screenie:
    "everybody wants their piece of the kernel"
    There appears to be a HUGE list of loaders in that "kernel auto boot" window if the scroll bar is any indicator :eek:
    What else have you got going on there. ??
    Is that list a load order?
    (BOC right in there if it is)

    @n8chavez:
    BOClean is a great "scanner" and VERY effective.
I don't know of any comparisons but would suspect that BOC is at least 'the equal' of UHMe.?

    uumm: EP_XOFF and MP_ART may have some comments re effectiveness of BOC v UHMe.
    See the screenie as above for where BOC loads.

    Come to think of it has anyone given BOC a run against EP_XOFF's menagerie?

    Thanks for all the info coming from right at the "kernel's edge".
     
    Last edited: Dec 22, 2006
  19. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    I vote for BOClean. Unhackme - :gack:
Just read their site and their adv of Partisan "technology". Probably they don't know that their application will start after rootkit drivers :D
     
  20. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
Because of the nature of anti-rootkit tools (as with HIPS) they are hard pressed to tell the difference between *legitimate* objects and *bad*. They solely identify various events/occurrences and report back the data they recover.
    It is up to the end user to discover whether something reported is *bad* or *legitimate* and to take the appropriate actions if required.

I note you use 4 RK tools; combined they are still behind EP_XOFF's tool for overall effectiveness versus RKs in my experience with them.
    Please bear in mind I deal with many malware infections on a daily basis to test many softwares/tools against to get a better grasp on the state of play.

RootKit Unhooker for example detects the legitimate calls/drivers/hidden processes on my machine of rootkit based software (and memory walkers) made by some common well known tools and some obscure personal tools that I utilize during the course of business. That's not a bad thing because it demonstrates that it is looking in all the right places to *see* the bad things when they go native ;)

I like the fact that RKU suspects rootkit activity because it sees ProcessGuard's hooks on my system. Why is that? Because ProcessGuard is of course *legitimate* software, but plain and simple PG is rootkit software :D

So my verdict would be hold onto your $'s; there is more effective free stuff around at the moment.
     
  21. controler

    controler Guest

From what I see Unhackme 4.0 does not detect EP_Xoff's demo rootkit.
    It doesn't appear Reanimator is seeing it either but I have not tried the latest Regrun. I did notice the rootkit demo does time out and the clicking in the speaker stops after a while. Because this demo does not load on boot, a lot of detectors might not see it at all.


    controler
     
  22. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
Well even before testing its capabilities I'm not happy. Had a look on a test machine which froze on the partizan.rri screen. Second boot the same and the third finally got to the desktop but it all takes a little longer than normal.
    Greatis forum is a bit of a joke, needs moderating.
     
  23. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I've just tested it versus 2 true current "state of art" malware rootkits and not some *test* rootkit.

    Unhackme vs Rustock A = p4wned:'(
    Unhackme vs Rustock B = p4wned:'(

Thankfully they offer a free trial of this tool so hopefully not too many users will get mugged ;)

BTW it doesn't clean up very well after you uninstall it. You will have to manually delete the folder and some files in the Program folder and some files in system32. Although at least the uninstall sequence lets you know in advance....
     
    Last edited: Dec 22, 2006
  24. controler

    controler Guest

    fcukdat


I am still curious to see if the latest Regrun can detect anything of those two Rustocks. By that I don't mean the scanner or Partizan, I mean any of the other tools included. I can also tell you BoClean does not detect the "TEST" rootkit demo but it might detect those two Rustocks. I don't have those samples.

    controler
     
  25. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
Not wishing to go too OT with regards to *other* software too often; start another topic and I will contribute what I can grep there, but all *test* rootkits are just that, *tests*. They carry no malware payload, just new concealment techniques, and until they do they should not be detected by the antimalwares using signature based detectors.

Also we need to differentiate between code that is installing vs code that has installed and is running. A lot of signature based software can detect *malware rootkits* as they attempt to install (if they know the devil then he is own3d), same with HIPS software: they catch the events triggered (so again the devil can be own3d, the end user decides his fate), but the big difference is past the installing stage, dealing with the malware rootkit once it's native, hiding itself, payload and activity.

This is where antirootkit tools are in their arena: not prevention of installation but detection and/or removal once the malware rootkit/payload is native.

    HTH:)

If you want samples then PM me an email addy I can send the "droppers" to :)
     