Created a boot disk - Ultimate Boot CD 4 Windows (running XP Prof)
Turned off system restore, rebooted and verified system restore info was deleted.
Booted from boot disk.
Ran SuperAntiSpyware which found a number of things including a rogue.antivirus. I removed all the infections and deleted them from the quarantine.
Each time I reboot, the malware.trace comes back. This happens whether I reboot from the boot disk or reboot normally. I have removed it and rebooted from the boot disk multiple times and each time it comes back. Each time it finds it in the same registry: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL.
If I rerun the SuperAntiSpyware without rebooting it says it's clean. Running MalwareBytes from the operating system results in it not finding anything. The only thing that sees it is SuperAntiSpyware.
I don't see how the thing can load itself when I'm doing everything from a boot disk! Could it be a false positive?
More info. Probably not a false positive as I got redirected to a bogus web site while trying to get back on the forum.
I read tutorial 83 and ran Getservices. I've attached the txt file of services. I don't see anything obvious but based on the Ssearch.biz hijacker example in the tutorial, it could be "upnphost" or maybe "PlugPlay." The plugplay is auto-start and the other is demand start, so I guess I would lean towards the auto-start one being the culprit.
EDIT: Posts merged ~BP
Edited by Budapest, 30 September 2010 - 04:03 PM.