Malware... driving me to the brink...

Status
Not open for further replies.

Draygoes

Fully Optimized
Messages
1,663
Location
United States
I tried to run Combofix after several other programs. It cannot even finish its Find3M report. But this is what I was able to type down.

c:\users\Admin\AppData\Local\Temp\_MEI41962\_ctypes.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\_elementtree.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\_hashlib.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\_multiprocessing.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\_socket.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\_ssl.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\hashobjs_ext.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\pyexpat.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\pysqlite2._sqlite.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\python27.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\pythoncom27.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\PyWinTypes27.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\select.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\unicodedata.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32api.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32com.shell.shell.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32crypt.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32event.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32file.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32gui.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32inet.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32pdh.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32pipe.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32process.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32profile.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32security.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32ts.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\windows._lib_cacheinvalidation.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._animate.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._controls_.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._core_.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._gdi_.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._html2.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._misc_.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._windows_.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._wizard.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxbase294u_net_vc90.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxbase294u_vc90.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxmsw294u_adv_vc90.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxmsw294u_core_vc90.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxmsw294u_html_vc90.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxmsw294u_webview_vc90.dll
I keep seeing changes through HJT, and MBAM keeps seeing the same 9 infections.

I am working on personally removing them, but if that does not work I will reinstall.

Any other ideas?

EDIT
And no, I do not have python installed...
 
Sorry, I forgot the end of the file...
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2015-01-16 23308256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell V310-V510 Series"="c:\program files (x86)\Dell V310-V510 Series\fm3032.exe" [2009-12-31 311296]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-02-01 5233840]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-12-18 508800]
"vmware-tray.exe"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe" [2015-01-17 112856]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mozilla Thunderbird.lnk - c:\program files (x86)\Mozilla Thunderbird\thunderbird.exe [2014-11-8 93808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UnsignedThemes]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 LiveUpdateSvc;LiveUpdate;c:\program files (x86)\IObit\LiveUpdate\LiveUpdate.exe;c:\program files (x86)\IObit\LiveUpdate\LiveUpdate.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys;c:\windows\SYSNATIVE\DRIVERS\vmci.sys [x]
S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys;c:\windows\SYSNATIVE\drivers\vsock.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 aswBcc;Avast Business Console Client;c:\program files\AVAST Software\Avast\bcc.exe;c:\program files\AVAST Software\Avast\bcc.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S2 Avast Business Console Client Antivirus Service;Avast Business Console Client Antivirus Service;c:\program files\AVAST Software\Avast\bccavsvc.exe;c:\program files\AVAST Software\Avast\bccavsvc.exe [x]
S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [x]
S2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe;c:\windows\SYSNATIVE\dleacoms.exe [x]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\dleaserv.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
S2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe;c:\windows\UnsignedThemesSvc.exe [x]
S2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys;c:\windows\SYSNATIVE\drivers\uxpatch.sys [x]
S2 VBoxAswDrv;VBoxAsw Support Driver;c:\program files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys;c:\program files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [x]
S2 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [x]
S2 vstor2-mntapi20-shared;Vstor2 MntApi 2.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi20-shared.sys;SysWOW64\drivers\vstor2-mntapi20-shared.sys [x]
S3 AvastVBoxSvc;AvastVBox COM Service;c:\program files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe;c:\program files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [x]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-02-06 02:19 1086280 ----a-w- c:\program files (x86)\Google\Chrome\Application\40.0.2214.111\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-02-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-03 07:29]
.
2015-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-11-15 20:08]
.
2015-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-11-15 20:08]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}]
2015-01-28 09:44 2471744 ----a-w- c:\program files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-02-01 16:03 628192 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2015-01-16 00:59 776520 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2015-01-16 00:59 776520 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2015-01-16 00:59 776520 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2015-01-16 00:59 776520 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2015-01-16 00:59 776520 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
"dleamon.exe"="c:\program files (x86)\Dell V310-V510 Series\dleamon.exe" [2010-04-01 765952]
"EzPrint"="c:\program files (x86)\Dell V310-V510 Series\ezprint.exe" [2009-06-22 135168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
LSP: %windir%\system32\vsocklib.dll
Trusted Zone: dell.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0bx2t0j.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3997187460-616208669-1420885517-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85945CEA-6F7F-DD98-572C-6BA6B0CD5FD4}*]
"jalfplkpolpfplnbgjab"=hex:64,62,6c,65,6b,66,65,61,61,61,6c,6b,68,64,62,68,69,
68,68,61,62,66,6f,69,62,6a,6f,70,6e,6b,6a,64,61,66,6e,6c,67,69,6d,68,00,82
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\TeamViewer\TeamViewer_Service.exe
c:\windows\SysWOW64\vmnat.exe
c:\program files (x86)\VMware\VMware Workstation\vmware-authd.exe
c:\windows\SysWOW64\vmnetdhcp.exe
c:\program files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
c:\program files (x86)\Pale Moon\palemoon.exe
c:\program files (x86)\Pale Moon\plugin-container.exe
c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
.
**************************************************************************
.
Completion time: 2015-02-14 06:11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2015-02-14 14:11
ComboFix2.txt 2015-02-06 21:56
ComboFix3.txt 2015-02-06 20:26
ComboFix4.txt 2015-02-06 19:25
.
Pre-Run: 139,818,553,344 bytes free
Post-Run: 139,467,251,712 bytes free
.
- - End Of File - - E8973C79D04ADDCDDEDB148FDC3244B4
A36C5E4F47E84449FF07ED3517B43A31
I linked Thunderbird to startup, so that is no worry. But... the heck is this?

[HKEY_USERS\S-1-5-21-3997187460-616208669-1420885517-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85945CEA-6F7F-DD98-572C-6BA6B0CD5FD4}*]
"jalfplkpolpfplnbgjab"=hex:64,62,6c,65,6b,66,65,61,61,61,6c,6b,68,64,62,68,69,
68,68,61,62,66,6f,69,62,6a,6f,70,6e,6b,6a,64,61,66,6e,6c,67,69,6d,68,00,82
 
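The post above asks what the hex value under the locked Shell Extensions key is. As an added example, not part of this thread, the Python below parses a REGEDIT4-style `hex:` entry the way ComboFix prints it (wrapped over two lines) and decodes it for triage; the sample input is the value quoted above, and the "narrow alphabet" heuristic is an assumption of mine, not a rule from any tool.

```python
import re
import string

# Constructed sample: the two-line hex value exactly as it appears in the
# ComboFix log above (REGEDIT4 syntax, continuation line after a trailing comma).
SAMPLE = '''"jalfplkpolpfplnbgjab"=hex:64,62,6c,65,6b,66,65,61,61,61,6c,6b,68,64,62,68,69,
68,68,61,62,66,6f,69,62,6a,6f,70,6e,6b,6a,64,61,66,6e,6c,67,69,6d,68,00,82'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<body>.*)$', re.S)


def parse_reg_hex(text):
    """Parse a REGEDIT4 '"name"=hex:..' entry that may be wrapped over several
    lines and return (name, bytes). All whitespace inside the hex list is
    dropped, which also tolerates the stray spaces a forum inserts when wrapping."""
    m = _VALUE_RE.match(text.strip())
    if not m:
        raise ValueError("not a REGEDIT4 hex: value")
    cleaned = re.sub(r"\s+", "", m.group("body"))
    data = bytes(int(h, 16) for h in cleaned.split(",") if h)
    return m.group("name"), data


def printable_prefix(data):
    """Return the leading run of printable ASCII as text; the decode stops at the
    first control byte (here the trailing 0x00 0x82), which is reported separately."""
    out = []
    for b in data:
        if b >= 0x20 and chr(b) in string.printable:
            out.append(chr(b))
        else:
            break
    return "".join(out)


def triage(text):
    """Summarise one value for manual review: decoded text, trailing non-text
    bytes, and whether both name and text use only the letters a-p. That narrow
    alphabet is my own heuristic for generated identifiers; it is a flag to look
    closer, not a verdict."""
    name, data = parse_reg_hex(text)
    decoded = printable_prefix(data)
    trailing = data[len(decoded):]
    narrow = lambda s: bool(s) and all("a" <= c <= "p" for c in s)
    return {
        "name": name,
        "decoded": decoded,
        "trailing_hex": trailing.hex(),
        "narrow_alphabet": narrow(name) and narrow(decoded),
    }
```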
I find that if I am even slightly thinking about going down the road of using sticky mud type programs like Hijack This, Combofix et al. I will reinstall. If Malwarebytes doesn't find it then anything else is just wasting my life. I have spent days in the past trying to analyse all that goop to no avail. It takes a couple of hours to reinstall. Even on commercial networks, and I was responsible for one with four servers and a couple of hundred desktops and peripherals, with multiple RAID arrays, these days it's far quicker to just install the backups rather than try to decipher the goop. You have already said you will reinstall if you can't sort it by trying to decipher that load of gobbledygook. Well, just do it; you know it makes sense and you won't be wasting your life.
 