UnHackMe Version 4.0

UnHackMe has updated to Version 4. If I understand it correctly it includes their new Partizan rootkit detection/removal technology, and Fixed bugs and improved stability.

It looks good, and I have upgraded mine without incident. I do not have a clue as to the Partizan tecknology.
Anyone know anything about it at this early date?

Thanks,
Jerry

 

they have a page explaining Partizan, i myself dont know much though.

 

Boot time analysis, if they did it well then my applause. But boot time drivers loads before bootexecute option, lol

 

Thanks for the info JerryM

People can always download Regrun Reanimator for free and check things out.

I was wondering if you have tried some of the features of Regrun Platinum yet EP_X0FF? I would be interested to see what you have to say about it.

controler

 

Interesting! Didn't consider the last UnHackMe to be one of the main detectors but this is Ver4.0 so I'm gonna test it out.

 

I think it new features will help only against user mode rootkits, because kernel mode drivers will loads before Partizan. I'm sorry, but I do not want to test Unhackme, because I see no potential here.

 

Hi controler,

No, I have not tried Regrun. Sorry I can't help there.

I have been using UnHackMe for at least a year, and like it. However, like a lot of applications my judgment is colored by others, and the facts that it has not caused problems, and I have not been infected. I have no way to measure the effectiveness of much that I use.
I just use them and my computers stay clean.

I also use Snoopfree, and don't know what any application has done, as I seem to get no attacks. They do warn when changes are made however, and that is some indications that they work.

Best,
Jerry

 

EP_X0FF

Thank You

I was thinking more of you looking at RegRun Platinum.
Here is a screen shot of a scan with reanimator using the advanced scan. I used the free standalone version of Reanimator and not the one included in Regrun Platinum. I do however like his use of colors.
I have not used this program much but the kernel auto boot function was seeing the kernel loading drivers at boot up. I could be wrong though.

controler

 

Hi again, controler,
Looking at your last post, I have no idea what all that means. I am not computer savvy enough to get very deep in these type of things.

Best,
Jerry

 

JerryM

yes I have a lic for Unhackme too. I got it for finding some bugs a few years ago. I try just about anything once. I think EP_XOFF explained how Unhackme works in another thread or forum but regrun has almost too many features and can be hard to get around in the program. I have not actualy tried regrun on any rootkits lately. I was leaving that up to Spanner LOL
the only purchaced lic I have were for process guard, regdefend, and BoClean
I only have Boclean installed at present but am using EP_XOFF's program now and then too. I tried Gmer but not since he worked some serious bugs out.
I am only running a hardware firewall at present also.
I am still waiting for LinkLogger's post on the meanest nastiest attacks he is testing on his system. The only thing he mentioned so far was thet is is not affraid of anything he has seen yet. We sent him to some pretty nasty site to find maleware. he did mention he has been too busy this time of year to do much testing and posting a write-up.

controler

 

JerryM

What EP_XOFF is trying to say is that you need a program that can detect
drivers which load up during the early stage of windows starting up. The main goal is to start your driver before any othere software drivers reach the kernel. I could be wrong but I have always though that the first driver to reach the kernel before any other drivers do, gains the most control.
I think the first program I saw doing this was anti-keylogger. Usualy programmers try to show you a splash icon on the early windows bootup of what program is being loaded.

I hope this helps a little bit

controler

 

Thanks, and I do truly appreciate the help.
For now, however, I have all the programs I want. I know that one can keep going with sandboxes, and various other security programs until the system fails due to the load.

But all the short time, 7 years or so, that I have had a computer I have only had about three attempts to infect, and the AV caught them. I am not convinced that in the real world of average, safe users we need anywhere near all the applications available.
If that were not true, then most folks that I know would be infected all the time, but they aren't.

I think I have probably more that I need, and if I compare with others I know I do have more.

Most that I know have an AV, generally either the big 2 or AVG free; Windows firewall; AdAware and Spybot; and maybe a stand alone AS like Spysweeper, although not many have SS.

So as much as I appreciate the advice, I am going to "hold what I got" for now.

Best,
Jerry

 

JerryM

yes you do have a pretty good setup already. Everybody has their ideal setups which all very. A good firewall and AV are good enough for most normal surfing and you are right about a sandbox program as well.
The only thing I noticed is what was adiquite a few years ago for protection doesn't hold true anymore, then you have companies like Sony & Symantec which tried rootkits in their programs without informing customers. drive by threats are more wide spread now and everybody wants their peice of the kernel. You also need to remember a lot of the posts here are not aimed at average users. The mom, pop, granparents that still click on e-mail attachments LOL.
Good luck to ya

controler

 

I agree. Like the rest of the world those who want to do damage to others keep increasing and getting better at it.

Thanks, again for the help and advice. I need all I can get.

Merry Christmas.
Jerry

 

I'm not sure how or what they have done but partizan seems to load before ssm - that loads early under boot as a kernel driver?

 

I was wondering if you might be able to help me. I am interested in UnHackMe 4 but I don't know if it is worth it. I have Dr Web and see no curent infections. I also have and use HJT, Sophos Anti-rookit, GMER, Blacklight, and Rootkit revealer. All say that I have no infection. The problem is sometimes GMER detects somethings. No other software does, including UnHackMe. Is this a false positive? UnHackMe can constantly scan in the background, which is nice. No other can do that. But how effective is it?

 

@n8chavez

Can you show here your GMER log? BTW This detector can generate GIANT log, that full of false positives on clean system

 

@Controler
That is an interesting screenie:
"everybody wants their piece of the kernel"
There appears to be a HUGE list of loaders in that "kernel auto boot" window if the scroll bar is any indicator
What else have you got going on there. ??
Is that list a load order?
(BOC right in there if it is)

@n8chavez:

BOClean is a great "scanner" and VERY effective.
I dont know of any comparisons but would suspect that BOC is at least 'the equal' of UHMe.?

uumm: EP_XOFF and MP_ART may have some comments re effectiveness of BOC v UHMe.
See the screenie as above for where BOC loads.

Come to think of it has anyone given BOC a run against EP_XOFF's menagerie?

Thanks for all the info coming from right at the "kernel's edge".

 

I vote for BOClean. Unhackme -
Just read their site and their adv of Partisan "technology". Probably they don't knows that their application will start after rootkits drivers

 

Because of the nature of anti-rootkit tools(as with HIBS) they are hard pressed to tell the difference between *legitimate* object and *bad*.They soley identify various events/occurances and report back the data they recover.
It is up to the enduser to discover whether something reported is *bad* or *legitimate* and to take the appropiate actions if required.

I note you use 4 RK tools,combined they are still behind EP_XOFF's tool for overall effectiveness versus RK's in my experience with them
Please bear in mind i deal with many malware infections on a daily basis to test many softwares/tools against to get a better grasp on the state of play.

RootKit Unhooker for example detects the legitmate calls/drivers/hidden process's on my machine of rootkit based software(and memory walker's)made by some common well known tools and some obscure personal tools that i utilize during the course of business.Thats not a bad thing because it demonstrates that it is looking in all the right places to *see* the bad things when they go native

I like the fact that RKU suspects rootkit activity because it see's ProcessGuards hooks on my system.Why is that because ProcessGuard is of course a *legitimate* software but because plain and simple PG is a rootkit software

So my verdict would be hold onto your $'s there is more effective freestuff around at the moment.

 

From what I see Unhackme 4.0 does not detect EP_Xoff's Demo rootkit.
It doesn't appear reanimator is seeing it either bu I have not tried the latest Regrun. I did otice the rootkit demo does time out and the clicking in the speaker stops after a while. because this demo does not load on boot, alot of detectors might not see it at all.


controler

 

Well even before testing its capabilities I'm not happy. Had a look on test machine which froze on partizan.rri screen. Second boot the same and third finally got to desktop but it all takes alittle longer than normal.
Greatis forum abit of joke needs moderating.

 

I've just tested it versus 2 true current "state of art" malware rootkits and not some *test* rootkit.

Unhackme vs Rustock A = p4wned
Unhackme vs Rustock B = p4wned

Thankfully they offer a free trial of this tool so hopefully not to many users will get mugged

BTW it dose'nt clean up very well after you uninstall it.You will have manually delete folder and some files in Program folder and some files in system32.Although at least the uninstall sequence lets you know in advance....

 

fcukdat


I am strill curious to see if the latest Regrun can detect anything of those two rustock's . By that I don't mean the scanner ot partizen, I mean any of the other tools included. I can also tell you BoClean does not detect the "TEST" rootkit demo but it might detect those two rustocks. I don't have those samles.

controler

 

Not wishing to go too OT with reguards *other* software too often,start another topic and i will contribute what i can grep there but all *test* rootkits are just that *tests*,they carry no malware payload just new concealment techniques and until they do they should not be detected by the antimalwares using signature based detectors.

Also we need to differentiate between code that is installing vs code that has installed and running.A lot of signature based software can detect *malware rootkits* as they attempt to install(if they know the devil then he is own3d),same with HIPS software they catch the events triggered(so again the devil can be own3d,the end user decides his fate)but this is the big difference is past the installing stage and dealing with the malware rootkit once its native,hiding itself,payload and activity.

This is where antirootkit tools are in their arena,not prevention of installation but detection and/or removal once the malware rootkit/payload is native.

HTH

If you want samples the PM me an email addy i can send the "droppers" to