Malware Removal - logs

Discussion in 'Malware Help (A Specialist Will Reply)' started by Kileybrokeit, Oct 14, 2013.

  1. Kileybrokeit

    Kileybrokeit Private E-2

    I have malware ads on my computer. I've attached the logs.
    What do I do now?

    Thanks a lot for the help!
    KBI
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman and have it delete all of the Potential Unwanted Programs.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Delete this:
    C:\ProgramData\BitGuard



    Re run RogueKiller, just a scan and attach the log.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows 7 or Win 8.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  3. Kileybrokeit

    Kileybrokeit Private E-2

    Thanks Kestrel13!

    I reran Hitman but I can't delete the PUPs unless I pay for the program.
    I've already downloaded it within 60 days or whatever the free limit was.

    I've attached the other logs though.

    I believe I deleted c:\ProgramData\BitGuard

    I don't see the stupid ads on google.com anymore in firefox.
    Cnn.com has a creditcard ad for Blackcard Visa.

    PC seems to be starting to get rid of its malware.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member


    Download and run OTM.



    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :reg
    [-HKLM\SOFTWARE\Classes\AppID\escort.DLL]
    [-HKLM\SOFTWARE\Classes\AppID\escortApp.DLL]
    [-HKLM\SOFTWARE\Classes\AppID\escortEng.DLL]
    [-HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL]
    [-HKLM\SOFTWARE\Classes\AppID\esrv.EXE]
    [-HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}]
    [-HKLM\SOFTWARE\Classes\AppID\{39CB8175-E224-4446-8746-00566302DF8D}]
    [-HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}]
    [-HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
    [-HKLM\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}]
    [-HKLM\SOFTWARE\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}]
    [-HKLM\SOFTWARE\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}]
    [-HKLM\SOFTWARE\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}]
    [-HKLM\SOFTWARE\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}]
    [-HKLM\SOFTWARE\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}]
    [-HKLM\SOFTWARE\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}]
    [-HKLM\SOFTWARE\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}]
    [-HKLM\SOFTWARE\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}]
    [-HKLM\SOFTWARE\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}]
    [-HKLM\SOFTWARE\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}]
    [-HKLM\SOFTWARE\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}]
    [-HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escort.DLL]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escortApp.DLL]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escortEng.DLL]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escorTlbr.DLL]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\esrv.EXE]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{39CB8175-E224-4446-8746-00566302DF8D}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{57C91446-8D81-4156-A70E-624551442DE9}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}]
    [-HKLM\SOFTWARE\Wow6432Node\Delta]
    [-HKLM\SOFTWARE\Wow6432Node\Delta\delta]
    [-HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\BabSolution]
    [-HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Delta]
    [-HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    
    :files
    C:\Program Files (x86)\Delta
    C:\Program Files (x86)\Delta\delta
    C:\ProgramData\BitGuard
    C:\Users\Dogcat\AppData\LocalLow\Delta
    C:\Users\Dogcat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitGuard
    C:\Users\Dogcat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitGuard\Uninstall BitGuard.lnk 
    C:\Users\Dogcat\AppData\Roaming\Mozilla\Firefox\Profiles\tb51dfrx.default-1373746026430\bprotector_extensions.sqlite 
    C:\Users\Dogcat\AppData\Roaming\Mozilla\Firefox\Profiles\tb51dfrx.default-1373746026430\bprotector_prefs.js 
    C:\ProgramData\BitGuard
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.





    Now re run Hitman again and attach the log for me to see.
     
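A way to check which of the :reg and :files entries from the OTM script above are still present, as an added PowerShell example that is not OTM's own code and not from the thread: it parses the script format (the `:reg` section with `[-KEY]` lines and the `:files` section), maps the `HKLM\` and `HKU\` prefixes to PowerShell registry drives and reports what remains. Assumptions: 64-bit Windows (the Wow6432Node entries imply it) and an elevated 64-bit PowerShell, because a 32-bit host sees HKLM\SOFTWARE redirected to Wow6432Node; the script excerpt embedded below is constructed from the post-4 list.

```powershell
# Added example, not part of OTM or of the thread: report which entries of an
# OTM-style :reg / :files list still exist. Assumes an elevated 64-bit
# PowerShell on 64-bit Windows (a 32-bit host sees HKLM\SOFTWARE redirected).

# PowerShell has HKLM: and HKCU: drives by default, but not HKU:.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-OtmTargets {
    # Parse OTM script text into registry paths (:reg section, "[-KEY]" lines)
    # and file/folder paths (:files section). :Processes and :Commands are skipped.
    param([Parameter(Mandatory)][string]$ScriptText)
    $section = ''
    foreach ($raw in ($ScriptText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^:(\w+)$') { $section = $Matches[1].ToLower(); continue }
        switch ($section) {
            'reg' {
                if ($line -match '^\[-(.+)\]$') {
                    # HKLM\... -> HKLM:\..., HKU\... -> HKU:\... (provider drive syntax)
                    $path = $Matches[1] -replace '^(HKLM|HKCU|HKU)\\', '${1}:\'
                    [pscustomobject]@{ Kind = 'reg'; Path = $path }
                }
            }
            'files' { [pscustomobject]@{ Kind = 'file'; Path = $line } }
        }
    }
}

function Test-OtmTargets {
    # For each target, say whether it is still present. -LiteralPath matters:
    # key names contain { } and paths contain ( ), and Test-Path would treat
    # [ ] as wildcards if any slipped through.
    param([Parameter(Mandatory)][string]$ScriptText)
    foreach ($t in Get-OtmTargets -ScriptText $ScriptText) {
        [pscustomobject]@{
            Kind    = $t.Kind
            Present = Test-Path -LiteralPath $t.Path
            Path    = $t.Path
        }
    }
}

# Constructed excerpt of the post-4 OTM script; the full list parses the same way.
$otmScript = @'
:reg
[-HKLM\SOFTWARE\Classes\AppID\escort.DLL]
[-HKLM\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}]
[-HKLM\SOFTWARE\Wow6432Node\Delta]
[-HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]

:files
C:\Program Files (x86)\Delta
C:\ProgramData\BitGuard

:Commands
[emptytemp]
[Reboot]
'@

# Only the leftovers are interesting; an empty table means everything listed is gone.
Test-OtmTargets -ScriptText $otmScript | Where-Object Present | Format-Table Kind, Path -AutoSize
```

Run it after the OTM pass and again after each later tool; whatever is still listed is what the next Hitman scan will flag, so it replaces the "rerun Hitman and attach the log" round trip for these specific keys. The HKU path is only resolvable while that user's hive is loaded (the user is logged on, or the hive was loaded with reg load).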
  5. Kileybrokeit

    Kileybrokeit Private E-2

    Here are the logs from Old Timer
    and Hitman.

    After this I have a question about my Windows updates.
    I haven't been able to run them for 6 months or longer.
    It hangs.
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    This may be out of the realm of the malware forum, however, let me ask: what error message do you get when you try to update? What happens exactly?


    Run OTM.



    Code:
    :Processes
    explorer.exe
    
    :reg
    [-HKLM\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}]
    [-HKLM\SOFTWARE\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}]
    [-HKLM\SOFTWARE\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}]
    [-HKLM\SOFTWARE\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}]
    [-HKLM\SOFTWARE\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}]
    [-HKLM\SOFTWARE\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}]
    [-HKLM\SOFTWARE\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}]
    [-HKLM\SOFTWARE\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}]
    [-HKLM\SOFTWARE\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}]
    [-HKLM\SOFTWARE\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}]
    [-HKLM\SOFTWARE\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}]
    [-HKLM\SOFTWARE\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}]
    [-HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}]
    [-HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.




    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.



    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Re run Hitman again please and attach log.
     
  7. Kileybrokeit

    Kileybrokeit Private E-2

    OTM Logs are attached.


    Registry error message:

    Registry Editor

    Adding information can unintentionally change or delete values and cause components to stop working correctly. If you do not trust the source of this
    information in C:\Users\Dogcat\Desktop\fixME.reg, do not add it to the
    registry.

    Are you sure you want to continue?



    I also attached hitman logs
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, we wish to continue. Especially since OTM is failing to deal with them. :(
     
  9. Kileybrokeit

    Kileybrokeit Private E-2

    Registry Editor

    The keys and values contained in C:\Users\Dogcat\Desktop\fixME.reg have been successfully added to the registry.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And again with a rescan with Hitman, so we can see what's left. Attach the log for me to see.
     
  11. Kileybrokeit

    Kileybrokeit Private E-2

    Here are the hitman logs.
     


  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    These reg entries are being rather stubborn. How comfortable are you in the registry? If I asked you to delete those manually, would you be okay with that?
     
  13. Kileybrokeit

    Kileybrokeit Private E-2

    Yes I'm fine with that.
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Open up the registry and navigate to the following keys to delete.

    • HKLM\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}
    • HKLM\SOFTWARE\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}
    • HKLM\SOFTWARE\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}
    • HKLM\SOFTWARE\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}
    • HKLM\SOFTWARE\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}
    • HKLM\SOFTWARE\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}
    • HKLM\SOFTWARE\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}
    • HKLM\SOFTWARE\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}
    • HKLM\SOFTWARE\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}
    • HKLM\SOFTWARE\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}
    • HKLM\SOFTWARE\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}
    • HKLM\SOFTWARE\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}
    • HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}
    • HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}

    Once done, reboot the machine and run yet another scan with Hitman. We'll see what remains this time.
     
  15. Kileybrokeit

    Kileybrokeit Private E-2

    When I deleted this one
    HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}
    I got this message.

    deleting certain registry values could cause system instability. Are you sure you want to permanently delete this value?

    I clicked yes

    I got this message
    Unable to delete all specified values.

    Also,
    I've attached the hitman logs
     


  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's great. Just the one to deal with then. :)

    Please download Combofix to your desktop. Please refer to these instructions prior to running. And do not actually run it by double clicking its file, I want you to run a script with it instead.


    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Registry::
    [-HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}] 
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Re run Hitman again, let's see if it's finally gone.
     
  17. Kileybrokeit

    Kileybrokeit Private E-2

    I hope Hitman log is the only log you need
     


  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you try deleting the last remaining claro registry key manually, yourself, in safe mode? Let me know how you get on. It's nothing major, but before I give you final steps, I'd prefer it to be gone.
     
  19. Kileybrokeit

    Kileybrokeit Private E-2

    I got this message
    Error deleting values
    unable to delete all specified values.
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have a locked registry key that we need to deal with, and the utmost care and attention needs to be applied whilst we do this. You need to follow instructions exactly as they are written and make sure that you have completed each step precisely.

    Now download and install Registrar Lite


    Open up the program and navigate to the following key. Actually click on the key so that it is highlighted in pale blue. Click on the "Edit" menu and from there choose "Properties". Click on "Take Ownership" and then click on "Permissions" and ensure that "Full control" is check-marked if it is not already. Click Apply and click OK.

    So remember the two parts to complete for each key, the ownership and the permissions. Just take your time.

    The key we need to work on:


    Reboot the machine once done and navigate back to this key. On the permissions, is full control still check-marked?

    Try and delete the key again now and let me know how you get on.
     
  21. Kileybrokeit

    Kileybrokeit Private E-2

    The key is pale blue. I clicked on edit and properties
    I got
    Error taking ownership.
    A device attached to the system is not functioning.
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Damn. Hang in there, and I'll see what else can be done.
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Click start > and type regedit, click on regedit.exe to open up the windows registry editor.
    Navigate to the key we want to kill:

    • HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}

    ...and have it selected.
    Then right click on this key and select Permissions > Then on the Permissions for it, click the Add button.
    In the Enter the object names to select box type Everyone and click the Check Names button which should cause the Everyone text to be approved and underlined.
    Then click the OK button which returns you to the Permissions for the key in question. Make sure you select Everyone from the upper list, and then in the Permissions form Everyone box, select Full Control and see if it allows you to click the Apply button.
    If so then try and delete the key again and let me know how you get on.
     
  24. Kileybrokeit

    Kileybrokeit Private E-2

    The choices to select from are

    modify
    modify binary data
    delete
    rename

    I don't see the Permissions
     
  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When you actually right click the key itself (looks like a folder icon) in the left hand pane, you don't see a Permissions option on the drop down menu?
     
  26. Kileybrokeit

    Kileybrokeit Private E-2

    There is microsoft folder
    then Internet Explorer folder
    then Approved Extensions folder

    these are all on the left hand pane
    and I can right click
    approved extensions and select Permissions

    HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}
    is on the right hand pane
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Alter the permissions for the approved extensions key. Actually click on approved extensions, have it highlighted and either right click and select permissions or use the "edit" menu at the top > then permissions.
     
  28. Kileybrokeit

    Kileybrokeit Private E-2

    I was able to get to full control
    but I wasn't able to click the apply button.
     
  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, still on approved extensions > click on permissions >
    Click the Advanced button
    On this Advanced... form, select the Owner tab.
    On the Owner tab, do the next steps to add Everyone to owners and make Everyone the current owner:
    Click the Other users or groups... button
    On the next form, in the Enter the object name to select box, type in Everyone and then click Check Names, which will then verify that Everyone exists and will underline the text to show it was found
    Then click OK
    Then back on the Advanced Security Settings form select Everyone and then click the Apply button. And then OK out of this form.
    Now you should be back at the Permissions for Root form.
    Select Everyone and see if you can now give Full Control by checking the box and clicking Apply.
     
  30. Kileybrokeit

    Kileybrokeit Private E-2

    I still wasn't able to select allow for full control
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, try again but this time use Registrar Lite.
     
  32. Kileybrokeit

    Kileybrokeit Private E-2

    I located the key in registrar lite.
    Do I try to delete the key?
    :-o
     
  33. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, try that, and if it fails, follow the previous instructions I gave you: (But using RegLite) :)

     
  34. Kileybrokeit

    Kileybrokeit Private E-2

    Still unable to select the allow or delete it.
     
  35. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am seeking advice. Hang in there. But do not fear surfing around or anything like that, just run as normal. As said before this leftover is not a major issue but I do prefer to clear everything out that I can see before giving final steps. :)
     
  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, let's start again. Forget RegLite for now, we'll go back to the registry via windows.

    Open up regedit.exe and navigate to our key:

    HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}

    -----------------------
    • Right click on the registry key named {4D2D3B0F-69BE-477A-90F5-FDDB05357975} and select Permissions from the menu.
    • Click on Advanced.
    • Select the Owner tab.
    • In the "Change owner to" window, highlight the one that is your personal user account.
    • Checkmark "Replace owner on subcontainers and objects".
    • Click on Apply. Your personal user account should now be in the Current Owner box.
    • Click on OK. You should now be back to the Security tab.
    • Click on OK.
    • Again, right click on the registry key named {4D2D3B0F-69BE-477A-90F5-FDDB05357975} and select Permissions from the menu.
    • In the "Group or user names:" window, highlight the one that is your personal user account.
    • In the Permissions for (your user name), the Full Control and Read boxes should be checked under Allow. IF NOT, skip to the section marked with an asterisk *
    • Click on OK to close the Permissions window.
    • Right click on the registry key named {4D2D3B0F-69BE-477A-90F5-FDDB05357975} and select Delete. Confirm the Delete. The registry key named {4D2D3B0F-69BE-477A-90F5-FDDB05357975} should disappear.
    • The registry key should now disappear and you are done with the deletion. Close Regedit.
    • Reboot your computer.
    • Let me know if the key has gone from the registry.


    *If your user account does not have Full Control, click on Advanced.
    In the Permissions entries window, highlight the entry with your user account name.
    Checkmark the box "Include inheritable permissions from this object's parent."
    Click on Edit
    In the Permissions window, check mark all the boxes under Allow.
    Check mark the box "Apply these permissions to objects and/or containers within this container only."
    In the Apply to: window, it should be "This key and subkeys".
    Click on OK.
    Click on Apply and OK.
    Click on Apply and OK.
    Right click on the registry key named {4D2D3B0F-69BE-477A-90F5-FDDB05357975} and select Delete. Confirm the Delete. the registry key named {4D2D3B0F-69BE-477A-90F5-FDDB05357975} should disappear.
    The registry key should now disappear and you are done with the deletion. Close Regedit.
    Reboot your computer.
    Let me know if the key has gone from the registry.

    FYI: If the registry key that you are attempting to remove has one or more subkeys under it, then you may have to change its permissions, obtain full control, and delete each of the subkeys before deleting the main registry key.
     
  37. Kileybrokeit

    Kileybrokeit Private E-2

    Hi oops I didn't see this until today.

    In the permissions box allow was checked for
    full control and for read.
    There is also a special permission which has deny checked.

    Sorry to say that I tried to delete and it wouldn't delete.
     
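The procedure in the two posts above (take ownership, then fix permissions, then delete), done from an elevated PowerShell instead of regedit, as an added example that is not from the thread or from any of the tools it uses. Two things differ from the GUI steps: it enables SeTakeOwnershipPrivilege first, so the ownership write succeeds even when the DACL denies everything (the situation in which regedit's Permissions dialog greys out the Allow boxes), and it grants Full Control to the local Administrators group rather than to Everyone, so the key is not left world-writable if the deletion still fails. It also removes Deny ACEs, including an inherited one such as the "special permission" with Deny checked reported in the post above. Assumptions: the SID and key name are the ones from the thread; for the logged-on user HKU\<SID> is the same hive as HKCU, so either root refers to the same key. If regedit lists the key but it cannot be opened by name, one known cause that this script cannot fix is a key name containing characters the Win32 registry API cannot pass (an embedded null, for instance); the thread does not establish that this was the case here.

```powershell
# Added example, not from the thread or any tool it uses: take ownership of a
# locked registry key, strip Deny ACEs, grant Full Control to Administrators
# and delete the key. Run from an elevated PowerShell. The SID and key name
# are the ones discussed in the thread; on another machine they are assumptions.

# SeTakeOwnershipPrivilege lets an administrator open any object with
# WRITE_OWNER regardless of its DACL. Minimal P/Invoke around AdjustTokenPrivileges.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll,
        ref TokPriv1Luid newState, int len, IntPtr prev, IntPtr retLen);
    public static bool Enable(string privilege) {
        IntPtr tok = IntPtr.Zero;
        IntPtr proc = System.Diagnostics.Process.GetCurrentProcess().Handle;
        if (!OpenProcessToken(proc, 0x28, ref tok)) return false; // TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
        TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 2;  // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
        return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    }
}
'@

function Remove-LockedRegistryKey {
    param(
        [Parameter(Mandatory)][string]$ParentPath,  # relative to HKEY_USERS
        [Parameter(Mandatory)][string]$KeyName
    )
    $hku  = [Microsoft.Win32.Registry]::Users
    $full = "$ParentPath\$KeyName"
    foreach ($p in 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege') {
        if (-not [TokenPriv]::Enable($p)) { Write-Warning "could not enable $p" }
    }
    $admins = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # 1. Ownership: open with WRITE_OWNER only and write just the owner field.
    $k = $hku.OpenSubKey($full, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                         [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $k) { throw "HKU\$full not found (is that user's hive loaded?)" }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($admins)
    $k.SetAccessControl($sec)
    $k.Close()

    # 2. DACL: the owner always gets READ_CONTROL and WRITE_DAC, so this open works now.
    $rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
              [System.Security.AccessControl.RegistryRights]::ChangePermissions
    $k = $hku.OpenSubKey($full, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    $acl = $k.GetAccessControl()
    $acl.SetAccessRuleProtection($true, $true)   # stop inheriting, keep copies of inherited ACEs
    $k.SetAccessControl($acl)
    $acl = $k.GetAccessControl()                 # re-read: former inherited ACEs are explicit now
    foreach ($rule in @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]))) {
        if ($rule.AccessControlType -eq 'Deny') { [void]$acl.RemoveAccessRuleAll($rule) }
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $k.SetAccessControl($acl)
    $k.Close()

    # 3. Delete the key and any subkeys (subkeys inherit the new ACE unless they
    #    are protected themselves, in which case repeat steps 1-2 on each of them).
    $parent = $hku.OpenSubKey($ParentPath, $true)
    $parent.DeleteSubKeyTree($KeyName)
    $parent.Close()

    # 4. Verify: $true only if the key can no longer be opened.
    $left = $hku.OpenSubKey($full)
    if ($null -ne $left) { $left.Close(); return $false }
    return $true
}

$sid = 'S-1-5-21-3518730105-3027632610-2268540525-1001'
Remove-LockedRegistryKey -ParentPath "$sid\Software\Microsoft\Internet Explorer\Approved Extensions" `
                         -KeyName '{4D2D3B0F-69BE-477A-90F5-FDDB05357975}'
```

The function prints True when the key is gone and False when it still opens afterwards; a thrown "not found" at step 1 while regedit still shows the key is the signal that the name, not the ACL, is the problem. Ownership is deliberately written in a separate open from the DACL change, because the first handle only has WRITE_OWNER and the DACL change needs rights that only become available once the caller is the owner.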
  38. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Complete the below, and where it is bolded text, I want you to take screenshots of those parts, just wanting to check you've added the everyone user and set permissions correctly. :)

     
  39. Kileybrokeit

    Kileybrokeit Private E-2

    I hope I didn't miss any screenshots
    :-o
     


  40. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Is it possible for you to do this but for the key in question?

    OK, on the key HKU\S-1-5-21-3518730105-3027632610-2268540525-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975} > click on permissions >
    Click the Advanced button
    On this Advanced... form, select the Owner tab.
    On the Owner tab, do the next steps to add Everyone to owners and make Everyone the current owner:
    Click the Other users or groups... button
    On the next form, in the Enter the object name to select box, type in Everyone and then click Check Names, which will then verify that Everyone exists and will underline the text to show it was found
    Then click OK
    Then back on the Advanced Security Settings form select Everyone and then click the Apply button. And then OK out of this form.
    Now you should be back at the Permissions for Root form.
    Select Everyone and see if you can now give Full Control by checking the box and clicking Apply.
    Does the key now delete?
     
  41. Kileybrokeit

    Kileybrokeit Private E-2

    When I get to the
    Permissions for Approved Extensions form
    allow is already checked and not able to be highlighted or changed.
    See attached.

    If I try to delete the key it won't delete.
     


  42. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Forget about the approved extensions, what about doing the same but for this key that we've discussed? Let me know.

    • {4D2D3B0F-69BE-477A-90F5-FDDB05357975}

    I've something else in line to try next anyway. :)
     
  43. Kileybrokeit

    Kileybrokeit Private E-2

    I should have been on
    hkey_users not hkey_current_user
    right?
    OOOPs

    also, I got the same thing again
    unable to delete
     


  44. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download RegAssassin to your desktop. Double click its icon to open it up.

    Copy and paste the below into the text box in RegAssassin. Now press the Delete button.
    Reboot the machine, re run Hitman.... has it gone?
     
  45. Kileybrokeit

    Kileybrokeit Private E-2

    I got ERROR: hive returned NULL
     
  46. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have run out of options here. Sigh. The key is not a major worry, but I did not wish to wrap up the thread and leave it hanging. I have done all I can to try and get it gone; if you would like to pursue the matter in the software forum please feel free to do so. :)

    Try going through the RegAssassin steps in safe mode.
     
    Last edited: Nov 8, 2013
  47. Kileybrokeit

    Kileybrokeit Private E-2

    Well, Kestrel13 you certainly did give it a good try.
    I had forgotten what we had started doing this for. :-D

    I really appreciate all of your efforts
    Thank you so much for the help!
     
  48. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome. I apologise that I cannot take it further. If you do post in the software forum here, I will follow the thread with interest. You can explain that we tried all sorts including taking permissions the correct way.

    Of course if you purchased Hitman no doubt it would fix it. Not encouraging you to purchase, it's just a pity we couldn't crack it.

    Is the computer running nicely at the moment?
    Did RegAssassin now work in safe mode?
     
  49. Kileybrokeit

    Kileybrokeit Private E-2

    I ran RegAssassin in safe mode and still got the same message.
    Computer is running fine.
     
  50. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to Add/Remove Programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points, some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
