Go to HKCU ⁄ Software ⁄
You’ll notice it doesn’t hide here:
You can delete this two crypto entries
Once those are deleted scroll down to Microsoft
Continue to scroll down to Windows ⁄ Current Version
Scroll down to where it says run – you can see the virus listed here. You can delete it.
It will also be listed under run once – delete that as well
Uncheck protected operating system files
In the directory shown below delete these two files
So we will delete it later.
Also check your temp directory as shown below for any other suspicious files
You can now go back and delete that file we couldn’t delete before
You can no go back and protect our system files