This topic is locked
viruses... many
I have performed a clean install and freshly installed everything. When I perform a Spybot 2 scan it scans things like Ramnit and Virtumonde and fraudload.edt; these are viruses and they are still here after a clean install...

When I did a first Spybot scan after the clean install, there were lots of registry changes. Is that normal?
How can I clean my system?
Clean installs worked in the past... I believe that I am being targeted and someone has my exact location.

Showing 1-15 of 19 comments
Don't connect your computer to the network until you have everything installed and running. That means anti-malware, drivers, everything.
Every time I perform a Spybot scan I get 25 registry changes.
HKUS is everywhere: in Internet Explorer, MS Media Player, MS Direct3D, MS DirectDraw, Windows Media SDK.

Can someone instruct me on how to cleanse my machine?
You may not have done a clean install.

During the Windows install, pick the option to repartition the main drive.

HKCU (HKEY_CURRENT_USER) is one of the root trees in the system registry.
Last edited by _I_; 4 Dec 2014 at 12:00
But I gotta connect to get the anti-malware and drivers.

Should I attempt another clean install? I thought it was sorted.

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3529113940-1506998598-1981180112-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

MS Media Player: [SBI $5C51E349] Client ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3529113940-1506998598-1981180112-1000\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3529113940-1506998598-1981180112-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-3529113940-1506998598-1981180112-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry Change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3529113940-1506998598-1981180112-1000\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3529113940-1506998598-1981180112-1000\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry Value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry Value, nothing done)
HKEY_USERS\S-1-5-21-3529113940-1506998598-1981180112-1000\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: [SBI $49804B54] Browser: Cookie (2) (Browser: Cookie, nothing done)

Cache: [SBI $49804B54] Browser: Cache (2233) (Browser: Cache, nothing done)

History: [SBI $49804B54] Browser: History (6) (Browser: History, nothing done)

Cookie: [SBI $49804B54] Browser: Cookie (78) (Browser: Cookie, nothing done)

History: [SBI $49804B54] Browser: History (104) (Browser: History, nothing done)

I click Fix but they come back...

Last edited by rotNdude; 4 Dec 2014 at 12:40
Copy the drivers and the MBAM/Spybot setup to a USB stick or burn them to a CD/DVD.

Then reinstall and format the drive.
I am currently in safe mode with networking, only got the OS and wireless adapter installed.
Could I not get software and drivers by using safe mode?

Please instruct me further so I can continue later, I gotta go, I'm done!!
Oh CottonMouth - understand Spybot will report all privacy/security issues, even if they aren't actually an infection. It's very advanced and checks everything so professionals can security check and the privacy-concerned can clean. So even temporary internet history or an internet cookie will be detected and suggested to be removed. Those will come back next time you run the web browser, etc. It doesn't mean they are malicious, rather just a small record of your browsing history or something which might be considered a privacy issue to clean up.

That list appears to be fine...

Recent Documents (default of Windows, keeping a history of documents you have opened).

Windows Media holds a Unique ID of your computer.

Browser History / Cookies / Cache is also cleaned.

(etc)

Things like Ramnit and Virtumonde and fraudload.edt, on the other hand, need to be cleaned out as malicious.

You could try TDSSKiller from Kaspersky if it's not cleaning out the RootKits:
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

It should just take like 15 seconds to scan for some rootkit malware and remove it if there.
Last edited by Azza ☠; 4 Dec 2014 at 13:40
OK Azza, so if I think I've done a clean install and run a Spybot scan, the fact that I am clean (supposed to be) and Spybot indicates that it is scanning Fraudload, Virtumonde, Chinky.gen etc. basically means I still have these nasty little things present on my system?
I'm gonna try the TDSS link.
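To make the distinction above concrete, here is an added example (not from the thread or from Spybot) that parses a report in the two-line format shown earlier and separates usage traces from anything labelled differently, attributing each registry entry to the account hive it sits in. It assumes the header/path layout visible in the posted report, the standard well-known SID mapping, and a heuristic list of "trace" kinds that is mine, not Spybot's taxonomy.

```python
import re
from collections import Counter

# Constructed excerpt in the two-line format Spybot 2 prints (compare the report above):
# "<Product>: [SBI $<id>] <description> (<kind>, <action>)" then the registry path (absent for browser items).
SAMPLE_REPORT = r"""Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-3529113940-1506998598-1981180112-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

Cache: [SBI $49804B54] Browser: Cache (2233) (Browser: Cache, nothing done)
"""
HEADER = re.compile(r"^(?P<product>[^:]+): \[SBI \$(?P<sbi>[0-9A-F]{8})\] (?P<desc>.+) \((?P<kind>[^,]+), (?P<action>[^)]+)\)$")

# Well-known SIDs that appear under HKEY_USERS (standard Windows mapping).
WELL_KNOWN = {".DEFAULT": "default profile", "S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}
# Finding kinds that are usage traces rather than malware (my heuristic, not Spybot's own taxonomy).
TRACE_KINDS = {"Registry Change", "Registry Key", "Registry Value", "Browser: Cookie", "Browser: Cache", "Browser: History"}

def account_of(path):
    # Map a registry path to the account hive it lives in (None for pathless browser items).
    if not path:
        return None
    parts = path.split("\\")
    if parts[0] == "HKEY_USERS" and len(parts) > 1:
        return WELL_KNOWN.get(parts[1], "user " + parts[1])
    return "machine" if parts[0] == "HKEY_LOCAL_MACHINE" else parts[0]

def parse_report(text):
    # One dict per finding; a header line is paired with the HKEY_ line that directly follows it.
    lines = [ln.rstrip() for ln in text.splitlines()] + [""]  # sentinel so lines[i + 1] always exists
    findings = []
    for i, m in enumerate(map(HEADER.match, lines)):
        if not m:
            continue
        f = m.groupdict()
        f["path"] = lines[i + 1] if lines[i + 1].startswith("HKEY_") else None
        f["account"] = account_of(f["path"])
        f["is_trace"] = f["kind"] in TRACE_KINDS
        findings.append(f)
    return findings

def summarize(findings):
    # Usage traces versus anything labelled differently, plus which hives were touched.
    suspicious = [f["desc"] for f in findings if not f["is_trace"]]
    return {"total": len(findings), "suspicious": suspicious,
            "by_account": Counter(f["account"] for f in findings if f["account"])}
```

Entries under S-1-5-18/19/20 and .DEFAULT belong to built-in service accounts, so the same "User agent" key showing up five times is one setting mirrored per hive, not five separate problems.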

I ran it (in safe mode), nothing there. When I'm back up & running again, I'll check again.
Last edited by cottonmouth; 5 Dec 2014 at 2:57
I've just run another TDSSKiller scan, nothing, but when I run a Spybot scan I see multiple virus names, a big one is Virtumonde.dll, among others. So if I'm scanning them, I still have them on my system?? Even if the Spybot report only shows low-threat things like the ones above, I believe I am infected bad...
Last edited by cottonmouth; 5 Dec 2014 at 4:02
Spybot will detect a few reg entries that many viruses/malware will change.
You can fix or ignore them.
Originally posted by _I_:
Spybot will detect a few reg entries that many viruses/malware will change.
You can fix or ignore them.

Am I right in thinking that if I run a Spybot 2 scan after a clean install and it scans things like Virtumonde.dll, Chinky.gen and lots more, that I have in fact still got these in my system (infected)... Spybot wouldn't be scanning them if I didn't have them, right?

Originally posted by Azza ☠:

Things like Ramnit and Virtumonde and fraudload.edt, on the other hand, need to be cleaned out as malicious.

You could try TDSSKiller from Kaspersky if it's not cleaning out the RootKits:
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

It should just take like 15 seconds to scan for some rootkit malware and remove it if there.

Are you saying that if this TDSSKiller can't find anything, I don't have anything?

Originally posted by Azza ☠:

That list appears to be fine...

But if I'm scanning with Spybot and I can see the names of the viruses it is scanning, surely something about them would show up in the report...?!

When I installed the first Windows updates I got an error box about Bitdefender; I couldn't read it all but there was definitely a problem. I can't remember using Bitdefender though, what is this???
Can't remember seeing it before...
Last edited by rotNdude; 5 Dec 2014 at 7:07
Are you using a legit Windows OS?
Boot from the Windows DVD installer and reformat the primary partition before re-installing the Windows OS.

If you are using a USB Windows installer, there's a possibility that the flash drive is already infected, so create another bootable USB drive from a confirmed 'clean computer'.
Originally posted by chiefputsa:
Are you using a legit Windows OS?
Boot from the Windows DVD installer and reformat the primary partition before re-installing the Windows OS.

If you are using a USB Windows installer, there's a possibility that the flash drive is already infected, so create another bootable USB drive from a confirmed 'clean computer'.

I clicked format on the SSD partition and Windows installed; I still think I'm infected.

I just did a bunch of rootkit scans and they found nothing...
Last edited by rotNdude; 5 Dec 2014 at 8:27
One more thing to note with Spybot - When it's updating and scanning it will label what it's scanning for. It's just telling you which things it's looking for or what that latest definition is. If you're infected with it, it will show in the reports. You're not just being paranoid with seeing those names before, are you?

--

If not and you are actually badly infected...

Virtumonde.dll - is a high risk adware infection which exploits backdoor flaws in the Windows Operating System. It's normally hidden inside the Operating System, application software, or actual games, etc. For example, if you download an already infected copy of something, it's therefore hard to remove from that and reinfects each time the software is run.

Spybot probably therefore can only half clean it - you will never get rid of the problem, unless you get rid of the infected software (root cause). It will just keep spreading out and infecting the rest otherwise.

It usually blocks access to the Windows Update, disables some Virus scanners from working correctly, changes the structure of Windows Explorer and modifies registry files, causing harm to your computer system and its ability to function efficiently.

It might display adware and popup advertising, etc.

Trojan.Vundo Removal Tool:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99

chinky.gen - copies several malicious files to the system directory of the operating system and creates an autorun entry in order to get launched on every startup. When the computer is infected, Win32.Chinky.gen tries to download other malware in order to harm the computer.

You might also wish to disable your Windows AutoRun / AutoPlay, if it's jumping from your USB or external HDD devices (before you can clean them):
http://www.redmondpie.com/how-to-disable-autorun-autoplay-in-windows-7-and-windows-8/

or just hold down the "left shift" button (to suppress autorun) when connecting any external devices and be careful not to share it with other PCs till clean.

Spybot can remove that one easily, but if it keeps coming back, it's either from another trojan or a local network infection. You need to disconnect each PC / device and scan the lot individually. It could be jumping from one to another and becoming a cycle of reinfection.
Last edited by Azza ☠; 5 Dec 2014 at 8:46
Originally posted by Azza ☠:
One more thing to note with Spybot - When it's updating and scanning it will label what it's scanning for. It's just telling you which things it's looking for or what that latest definition is. If you're infected with it, it will show in the reports. You're not just being paranoid with seeing those names before, are you?

--

If not and you are actually badly infected...

OK, I was actually thinking that when it was scanning, it was only showing me the names of viruses it is scanning FOR, not scanning viruses I had...

So just to confirm, are you saying that when I do a Spybot scan and I see these virus names being scanned, I don't actually have them, Spybot is looking for them???

And if I DID have them IT WOULD show me I had them in the report??

For instance when it scans Virtumonde, it scans it for a couple of minutes, as though I have it and it's taking a close look at it. That's why I think I'm infected; it seems as though it's scanning them, not FOR them.

When I scan I see maybe 50 or more virus names.
Scratch that, easily 100.
Last edited by cottonmouth; 5 Dec 2014 at 9:38
Date posted: 4 Dec 2014 at 11:51
Posts: 19