Last week (I do not remember the day exactly, but I believe it was 2/2/2016) I downloaded and installed a free screen recording application called CamStudio. It seemed legit, but it asked to install a bunch of other stuff, which I declined; then it went ahead and installed a bunch of other stuff anyway. This affected all the browsers on my computer (Chrome, IE, and Firefox), changing the search to "Bing" or something that looked like Bing, and installed some other programs that I noticed.
I tried removing all of it and everything seemed fine until I was notified today by a user of a website that I maintain (hosted at GoDaddy) that the site looked strange. Sure enough, it is completely messed up. I have not uploaded any new files to the site in the last week, but when I look at the source code for the index page I see strange links to JavaScript files that are not supposed to be present, and redirects appended to links on the page.
The two scripts I notice immediately are "us.clickscart.in" and "us.browserupdatecheck.in". I have attached a screenshot.
To conclude, my issue appears to be similar to this user's: My Help Thread: Get Rid Of Javascript Injection
Before I came across this forum I read some other sites and ran an AdwCleaner scan and clean, but did not keep the log file it may have created. From this point on I will follow only the instructions given to me in this thread.
Yes, I do have access to the original Windows 7 install disk. I also have a disk image of my C drive (operating system) from one month ago that I can restore if that would be the better approach. I take an image once a month but the most recent one was two nights ago and that would have included whatever malware I still have. All my data is on a separate drive and is backed up nightly.
Here is my dds.text:
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18124 BrowserJavaVersion: 11.73.2
Run by Luke at 19:44:43 on 2016-02-08
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2851 [GMT -8:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\wnavga.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Google\Update\1.3.29.2\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.29.2\GoogleCrashHandler64.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Classic Shell\ClassicStartMenu.exe
C:\Users\Luke\AppData\Local\Mixesoft\AppNHost\appnhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\splwow64.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\sysWow64\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-ca195f9e
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll
BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll
TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
uRun: [appnhost] C:\Users\Luke\AppData\Local\Mixesoft\AppNHost\appnhost.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
uRun: [Xmarks] C:\Program Files (x86)\Xmarks\IE Extension\xmarkssync.exe -q
uRun: [Icecream_Screen_Recorder_Prefetcher] C:\Program Files (x86)\Icecream Screen Recorder\recorder.exe -prefetch
mRun: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun
mRun: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{20E23A14-3458-4496-AC9E-51A584A1F672} : DHCPNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.103\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-ca195f9e
x64-BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll
x64-TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-Run: [Classic Start Menu] "C:\Program Files\Classic Shell\ClassicStartMenu.exe" -autorun
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\sud8bwqz.default\
FF - prefs.js: browser.search.selectedEngine - Search Provided by Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.29.2\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_286.dll
.
============= SERVICES / DRIVERS ===============
.
R0 phylock;phylock;C:\Windows\System32\drivers\phylock.sys [2015-6-30 34864]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-4-29 238080]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-4-29 361984]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 WinGraph;Windows Graphics Accelerator;C:\Windows\wnavga.exe [2016-2-5 7680]
R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2015-12-6 46136]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-13 96896]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
R3 VSBC7;Virtual Serial Bus Enumerator 7 (Eltima Software);C:\Windows\System32\drivers\evsbc7.sys [2015-6-27 36656]
R3 WsAudioDevice_383S(1);WsAudioDevice_383S(1);C:\Windows\System32\drivers\WsAudioDevice_383S(1).sys [2016-1-29 29288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2015-6-3 327296]
S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2015-6-30 266240]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 evserial7;Virtual Serial Ports Driver 7 (Eltima Software);C:\Windows\System32\drivers\evserial7.sys [2015-6-27 71472]
S3 evserial8;Virtual Serial Ports Driver 8 (Eltima Software);C:\Windows\System32\drivers\evserial8.sys [2015-9-26 21152]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-12-8 114688]
S3 libusb0;libusb-win32 - Kernel Driver 07/29/2010 1.2.1.0;C:\Windows\System32\drivers\libusb0.sys [2015-7-14 42944]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TBIMount;TBIMount;C:\Windows\System32\drivers\TBIMount.sys [2015-6-30 374296]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 VSBC8;Virtual Serial Bus Enumerator 8 (Eltima Software);C:\Windows\System32\drivers\evsbc8.sys [2015-9-26 104608]
S3 VsEtwService120;Visual Studio ETW Event Collection Service;C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [2014-7-22 89232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2015-6-28 1255736]
.
=============== Created Last 30 ================
.
2016-02-09 02:53:21 -------- d-----w- C:\FRST
2016-02-09 02:30:44 -------- d-----w- C:\AdwCleaner
2016-02-06 13:24:21 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{843F593F-F183-40FA-8A3C-955F6E2418FF}\offreg.2160.dll
2016-02-06 01:32:09 -------- d-----w- C:\Windows\pss
2016-02-06 01:21:25 -------- d-----w- C:\Windows\System32\appmgmt
2016-02-06 01:13:27 -------- d-----w- C:\Users\Luke\AppData\Roaming\Shark007
2016-02-06 01:13:27 -------- d-----w- C:\ProgramData\Shark007
2016-02-06 01:13:23 324608 ----a-w- C:\Windows\System32\BugTrap-x64.dll
2016-02-06 01:13:20 580096 ----a-w- C:\Windows\System32\ac3filter.acm.old
2016-02-06 01:13:20 3571200 ----a-w- C:\Windows\System32\x264vfw.dll
2016-02-06 01:13:20 260184 ----a-w- C:\Windows\System32\unrar64.dll
2016-02-06 01:13:20 2231296 ----a-w- C:\Windows\System32\ac3filter.acm.new
2016-02-06 01:13:20 2231296 ----a-w- C:\Windows\System32\ac3filter.acm
2016-02-06 01:13:20 2034176 ----a-w- C:\Windows\System32\VSFilter.dll
2016-02-06 01:13:20 124909 ----a-w- C:\Windows\System32\pthreadGC2.dll
2016-02-06 01:13:20 -------- d-----w- C:\Program Files\Shark007
2016-02-06 01:13:04 1679360 ----a-w- C:\Windows\SysWow64\ac3filter.acm.new
2016-02-06 01:12:43 -------- d-----w- C:\Users\Luke\AppData\Roaming\Advanced
2016-02-06 01:12:39 -------- d-----w- C:\Program Files (x86)\Shark007
2016-02-06 00:31:10 -------- d-----w- C:\Users\Luke\AppData\Local\assembly
2016-02-06 00:31:09 -------- d-----w- C:\Users\Luke\AppData\Roaming\OBS
2016-02-06 00:30:30 -------- d-----w- C:\Program Files\OBS
2016-02-06 00:30:21 -------- d-----w- C:\Program Files (x86)\OBS
2016-02-06 00:28:59 238936 ----a-w- C:\Windows\SysWow64\xactengine3_5.dll
2016-02-06 00:26:15 -------- d-----w- C:\Windows\SysWow64\directx
2016-02-04 05:57:19 -------- d-----w- C:\Program Files (x86)\Common Files\SWF Studio
2016-02-04 01:08:39 -------- d-----w- C:\Users\Luke\AppData\Local\Apple Computer
2016-02-03 20:29:03 -------- d-----w- C:\Users\Luke\AppData\Roaming\Serif
2016-02-03 20:29:03 -------- d-----w- C:\Users\Luke\AppData\Local\Serif
2016-02-03 19:40:50 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin7.dll
2016-02-03 19:40:50 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin6.dll
2016-02-03 19:40:50 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2016-02-03 19:40:50 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2016-02-03 19:40:50 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2016-02-03 19:40:50 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2016-02-03 19:40:50 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
2016-02-03 19:39:24 -------- d-----w- C:\Users\Luke\AppData\Local\Apple
2016-02-03 19:37:58 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2016-02-03 19:37:57 -------- d-----w- C:\Program Files (x86)\Common Files\MSSoap
2016-02-03 19:30:51 -------- d-----w- C:\Program Files (x86)\Serif
2016-01-30 03:23:47 -------- d-----w- C:\Users\Luke\AppData\Local\Wondershare
2016-01-30 03:23:47 -------- d-----w- C:\Program Files (x86)\Common Files\Wondershare
2016-01-30 03:23:44 -------- d-----w- C:\Users\Luke\AppData\Roaming\Wondershare
2016-01-30 03:22:46 29288 ----a-w- C:\Windows\System32\drivers\WsAudioDevice_383S(1).sys
2016-01-30 03:22:44 -------- d-----w- C:\Program Files (x86)\Wondershare
2016-01-30 02:19:09 -------- d-----w- C:\Users\Luke\AppData\Local\Icecream
2016-01-30 02:19:09 -------- d-----w- C:\Users\Luke\AppData\Local\CrashRpt
2016-01-30 02:19:09 -------- d-----w- C:\Users\Luke\.Icecream Screen Recorder
2016-01-30 02:18:42 -------- d-----w- C:\Program Files (x86)\Common Files\WebM Project
2016-01-30 02:18:20 -------- d-----w- C:\Program Files (x86)\Xiph.Org
2016-01-30 02:18:07 -------- d-----w- C:\Program Files (x86)\Icecream Screen Recorder
2016-01-30 02:12:08 -------- d-----w- C:\Fraps
2016-01-28 13:00:21 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{843F593F-F183-40FA-8A3C-955F6E2418FF}\offreg.1992.dll
2016-01-26 12:18:43 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{843F593F-F183-40FA-8A3C-955F6E2418FF}\offreg.2108.dll
.
==================== Find3M ====================
.
2016-02-06 03:27:38 97888 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2016-01-27 03:57:58 796864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2016-01-27 03:57:58 142528 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-12-02 21:18:58 301728 ------w- C:\Windows\System32\MpSigStub.exe
2015-11-20 18:54:59 98816 ----a-w- C:\Windows\System32\wudriver.dll
2015-11-20 18:54:59 3170304 ----a-w- C:\Windows\System32\wucltux.dll
2015-11-20 18:54:59 192512 ----a-w- C:\Windows\System32\wuwebv.dll
2015-11-20 18:54:28 91136 ----a-w- C:\Windows\System32\WinSetupUI.dll
2015-11-20 18:54:18 12288 ----a-w- C:\Windows\System32\wu.upgrade.ps.dll
2015-11-20 18:54:15 37888 ----a-w- C:\Windows\System32\wuapp.exe
2015-11-20 18:34:36 93696 ----a-w- C:\Windows\SysWow64\wudriver.dll
2015-11-20 18:34:36 174080 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2015-11-20 18:33:56 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2015-11-11 18:53:48 1735680 ----a-w- C:\Windows\System32\comsvcs.dll
2015-11-11 18:53:47 525312 ----a-w- C:\Windows\System32\catsrvut.dll
2015-11-11 18:39:34 1242624 ----a-w- C:\Windows\SysWow64\comsvcs.dll
2015-11-11 18:39:33 487936 ----a-w- C:\Windows\SysWow64\catsrvut.dll
.
============= FINISH: 19:44:54.46 ===============