Fri, 20 Nov 2009 19:32:20 -0600 1800 This is the RSS feed of the last ten file submissions accepted into our database. This RSS feed is always up to date as it is dynamically updated.
Supported NT versions :
XP/Vista


Kernel Detective gives you the ability to :
1- Detect Hidden Processes.
3- Detect Hidden Threads.
2- Detect Hidden DLLs.
3- Detect Hidden Handles.
4- Detect Hidden Driver.
5- Detect Hooked SSDT.
6- Detect Hooked Shadow SSDT.
7- Detect Hooked IDT.
8- Detect Kernel-mode code modifications and hooks.
9- Disassemble (Read/Write) Kernel-mode/User-mode memory.
10- Monitor debug output on your system.

And other interesting features !


Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in system and allow user to forcely terminate them .

Enumerate a specific running process Dynamic-Link Libraries and show every Dll ImageBase, EntryPoint, Size and Path. You can also inject or free specific module.

Enumerate a specific running process opened handles, show every handle's object name and address and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.You can restore single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines.

Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective.

A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing your nice disasm engine .With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter.]]> Thu, 16 Jul 2009 12:37:18 -0500 201
*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Note: Geeks to Go no longer hosts a mirror of Combofix, but you can download it from one of the mirrors below, or click the Download File button to be connected to one of the mirrors automatically.

mirror 1
mirror 2

Please visit this webpage for instructions on running the tool.]]> Sun, 12 Jul 2009 14:08:20 -0500 197

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.]]> Thu, 28 May 2009 12:25:27 -0500 187
Usage: Download SysRestorePoit.exe and save this file to your hard drive. Double click to run, it will leave a dialog telling you whether or not the Restore Point was successfully created.

NOTE: If you get an error because you don't have .NET Framework, you can get it free from Microsoft here: http://www.microsoft.com/downloads/details...;displaylang=en]]> Fri, 10 Apr 2009 17:15:03 -0500 170
Application Info URL
http://personalfirewall.comodo.com/index.html

Download URL
http://download.comodo.com/cis/download/se...P_Vista_x32.exe]]> Mon, 23 Mar 2009 13:50:06 -0500 165
This program is good for successfully removing unwanted video card drivers / files if you recently updated your video card drivers or you are switching from ATI to NVIDIA or vice versa. It will clean up the unwanted files that might give you errors from the information listed above.

------------------------------------------------------------------------------------------------------------

Guru3D's Description - Driver Sweeper is a fast tool to remove driver leftovers from your system. It's very important to remove your drivers on a proper way, because driver leftovers can cause problems like stability and startup problems. You can use it if you want to update/remove drivers from your system.]]> Fri, 02 Jan 2009 13:16:22 -0600 151
WinAudit was made by Parmavex Services. Uploaded with permission of Parmavex Services.]]> Thu, 04 Dec 2008 05:03:19 -0600 144
Backing up the registry with ERUNT
----------------------------------

Note: To ensure proper operation of ERUNT, you should be logged in as a system administrator.

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry files should be saved, or click "..." to browse your computer's drives and select a folder. You can also simply leave the default, which is afolder named ERDNT inside your Windows folder, the advantage being that you have access to this folder from the Windows Recovery Console in case Windows does not boot anymore.

Note that in the folder edit field, ERUNT by default appends a folder named the current date to the restore folder, which allows you to keep as many registry backups as you wish in the same restore folder, separated into the different creation dates. This feature, as well as the appearance of the date string, can be configured via the ERUNT.INI file, described later in this document. If you want the registry backup to be created directly in the folder you select, you can also simply remove the date from the folder edit field before clicking "OK".

Next, select the backup options:

- System registry: The current system registry, usually consisting of the files DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM.

- Current user registy: The registry files for the currently logged-on user, usually NTUSER.DAT and USRCLASS.DAT.

- Other open user registries: Sometimes Windows has a few other user registries in memory. Examples for this are "generic" registries, e.g. for user "EVERYONE", or registries of other users if you use Fast Task Switching in Windows XP. Check this option to backup all these additional user registries (if found) as well.

Click "OK" and wait until the backup process is complete. (Note that depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the program is still running.) The ERDNT program for later restoration of the registry is automatically copied to the restore folder.]]> Tue, 19 Aug 2008 22:48:39 -0500 113
Normal Usage for Removal:

"Download VundoFix" to your desktop.

* Double-click VundoFix.exe to run it.
* When VundoFix opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

*****Note: It is possible that VundoFix encountered a file it could not remove.*****
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot.

If you encounter a variant of Vundo that VundoFix does not detect or cannot remove please let us know on our forum located at http://www.atribune.org/forums/ in the HijackThis and Malware Removal section. The forum staff is always happy to help with removal of Vundo and other malware as well.]]> Thu, 29 May 2008 11:26:16 -0500 100
Warning: This is an Unicode compiled script and will not run on Win9x/ME.]]> Thu, 29 May 2008 11:03:51 -0500 98