Here is what I see is the basics of removing Windows XP Recovery:
* Start Windows in Safe Mode.
* Run RKill (iExplore, RKill.com, etc, etc)
* Run tdsskiller
* Install (mbam-setup) and run Malwarebytes to remove infections.
* Reboot and start Windows in Normal Mode.
* Run Unhide.exe
* Add back menu items in Windows Start Menu.
After obtaining the files, using another PC and putting them on a USB stick, I tried to follow the above process.
I ran iExplore.exe.
Running tdsskiller found "Rootkit.Boot.wistler.a" (which required a reboot to remove).
I installed and then tried to run Malwarebytes. I believe I got a "cannot run in Safe Mode" message.
So, I then rebooted into Normal Mode.
Then I ran Malwarebytes. Then ran Unhide.exe, then rebooted.
I've also run AVG. (In fact I had both Malwarebytes and AVG running - not good.) Okay, I don't know how far I've got in removing viruses, but I do see the following in AVG vault:
I would have said the Windows XP Recovery virus was removed, because the menu associated with that malware no longer appears.
However, there is some kind of redirection problem. When in Google, clicking a search result produces no change in page. I think the address in the address bar just stays the same. Not in every instance, but many.
Question: Did I run through the process sufficiently correctly? I did a reboot after running RKill, and I ran Malwarebytes in Normal Mode without having run RKill beforehand. But tdsskiller ought to have removed the rootkit on reboot.
I think possibly my main problem now is the redirect problem. Is there a slight error in the process as given? Because I could not start Malwarebytes in Safe Mode? Thanks.
Edited by richard7116, 30 April 2012 - 09:46 AM.