A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #8343  by EP_X0FF
 Tue Aug 30, 2011 7:46 am
Depends on what you want to delete, where and when.
 #8382  by StriderH2
 Fri Sep 02, 2011 3:38 am
What to delete: trojan dlls hooked to winlogon.exe. (The ones that prohibit registry changes for the Pending File Rename Operations value).
Where:
Before the Logon screen - Pre-installation environment.
Automatic <--services start at logon
Demand <-- Manual registration and activation of service
Boot <-- Hard disk
System

How:
1. Create a list of files to delete
2. have the driver read from the file at boot
3. Delete all the files listed in the text
It deletes the file I want when I start the service on Demand and when logged in.
The problem is that when I run OSR loader to have this service scheduled for Boot or System, it says that the file(list to read from) cannot be found when I attempt to test the service.
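Added example, not code from the thread or from StriderH2's driver: one common reason a Boot- or System-start driver reports "file not found" for a path that works when the service is started on demand is that the path goes through a drive letter (\DosDevices\C:), and those links do not exist yet when boot-start drivers run, while the \SystemRoot link already does. The portable C helper below (constructed sample list, assumed Windows directory of C:\Windows) rewrites each entry of the list into the NT object-manager path a driver would hand to ZwCreateFile/ZwDeleteFile and flags the entries that still depend on drive letters.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample "list of files to delete": Win32 paths, one per line (CRLF). */
static const char kListFile[] =
    "C:\\Windows\\System32\\badhook.dll\r\n"
    "c:\\windows\\system32\\drivers\\badfilt.sys\r\n"
    "D:\\Data\\dropper.dll\r\n";
#define WIN32_SYSROOT "C:\\Windows\\"  /* assumed here; a real driver queries it */

static int has_prefix_nocase(const char *s, const char *p) {
    for (; *p; s++, p++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*p)) return 0;
    return 1;
}

/* Rewrite a Win32 path as an NT object-manager path.  Files under the Windows
 * directory become \SystemRoot\..., a link the kernel creates once the boot
 * volume is mounted, so a Boot/System-start driver can open them; other files
 * become \??\X:\... and need drive letters.  Returns 1 / 0 / -1 (bad input). */
int to_nt_path(const char *win32, char *out, size_t outlen) {
    int n, sysroot;
    if (strlen(win32) < 3 || !isalpha((unsigned char)win32[0]) || win32[1] != ':' || win32[2] != '\\')
        return -1;
    sysroot = has_prefix_nocase(win32, WIN32_SYSROOT);
    n = sysroot ? snprintf(out, outlen, "\\SystemRoot\\%s", win32 + strlen(WIN32_SYSROOT))
                : snprintf(out, outlen, "\\??\\%s", win32);
    return (n < 0 || (size_t)n >= outlen) ? -1 : sysroot;
}

/* Walk the list line by line, convert and print each entry, and return how many
 * could be opened before drive letters exist; *total gets the well-formed count. */
int count_boot_usable(const char *list, int *total) {
    char line[260], nt[300];
    int usable = 0, r;
    *total = 0;
    while (*list) {
        size_t n = strcspn(list, "\r\n");
        if (n > 0 && n < sizeof line) {
            memcpy(line, list, n); line[n] = '\0';
            if ((r = to_nt_path(line, nt, sizeof nt)) >= 0) {
                (*total)++; usable += r;
                printf("%s -> %s [%s]\n", line, nt, r ? "boot-start ok" : "needs drive letters");
            }
        }
        list += n;
        while (*list == '\r' || *list == '\n') list++;
    }
    return usable;
}
```

Entries that come back as "needs drive letters" are the ones a Boot/System-start driver cannot open until later in startup, which matches the Demand-start-works, Boot-start-fails symptom.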
 #8383  by EP_X0FF
 Fri Sep 02, 2011 3:43 am
StriderH2 wrote: What to delete: trojan dlls hooked to winlogon.exe. (The ones that prohibit registry changes for the Pending File Rename Operations value).
You can try a native application. It will be loaded after most of system initialization but before Win32 init.
E.g. have a look at PageDefrag or Autochk.
 #8384  by StriderH2
 Fri Sep 02, 2011 4:41 am
EP_X0FF wrote:
StriderH2 wrote: What to delete: trojan dlls hooked to winlogon.exe. (The ones that prohibit registry changes for the Pending File Rename Operations value).
You can try a native application. It will be loaded after most of system initialization but before Win32 init.
E.g. have a look at PageDefrag or Autochk.
Good idea, I should have seen that earlier hahah.
Thanks!