feet of clay found in v4 the toolkit (Wsyscheck ) here uses ifeo hajaking to disable/block target program. Operations: 1 start Wsyscheck , right click on ekrn.exe choose the highlighted menu item on the popupmenu as below. http://www.nod32club.com/attachments/month_0811/20081121_13f82e658ce5e35dc642XdifAH3Ciu9S.jpg the image file execution option entry left in registry after reboot. http://www.nod32club.com/attachments/month_0811/20081121_94d126937998f149d9e5HX3iyAyACdqN.jpg 2 reboot your computer. source :http://www.nod32club.com/viewthread.php?tid=58077 (your chinese official forum =) *the OP suggested that v4 should have some driver to implement kernel level protection that can take effect at early boot stage to protect critical registries and files -- oops i missed the second shot.