wscript.exe infected?

[REDACTED]

No... do you think it is gone? do you know what was the culprit?

[essexboy]

It appears to have been downloaded from your chrome synch and I missed it the second time it did that

[REDACTED]

Ok thank you. I will be more vigilant about installing chrome extensions going forward.

[essexboy]

Run delfix again to remove the tools

[REDACTED]

Unfortunately,after a few hours the alert has returned.

[essexboy]

Do you have an external drive or a USB that you are plugging in ?

[REDACTED]

There are external drives permanently connected to the computer, but none were added between the time I ran the last scan and/or fix and the time the alert re-appeared.

[REDACTED]

I think the problem might have been that I didn't completely remove chrome from each user profile.  I uninstalled chrome again, then manually deleted each C:\Users\[USERNAME]\AppData\Local\Google\Chrome\User Data folder.

Then I re-installed chrome from scratch.  Took me a while to manually add back each of the family member's bookmarks, but so far no more alerts.

Let me know if there is any other scan you would like to see to confirm my pc is now clean.

Thanks.

[essexboy]

You can run a fresh FRST if you wish

[REDACTED]

Latest FRST logs attached.

Thanks again!

[essexboy]

User cory is the one that is being reinfected

I will remove the mountpoints (they will be recreated when needed) just in case

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKU\S-1-5-21-2661723367-4171544803-1169632980-1000\...\MountPoints2: {6dd5e860-2b15-11e4-bc42-534e57000000} - I:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1000\...\MountPoints2: {e7b0e1ba-5734-11e4-b3f4-534e57000000} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL L:\start.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1000\...\MountPoints2: {eb350a3b-7d4e-11e4-b234-534e57000000} - L:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1003\...\MountPoints2: {6dd5e860-2b15-11e4-bc42-534e57000000} - I:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1003\...\MountPoints2: {e7b0e1ba-5734-11e4-b3f4-534e57000000} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL L:\start.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1003\...\MountPoints2: {eb350a3b-7d4e-11e4-b234-534e57000000} - L:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1004\...\MountPoints2: {6dd5e860-2b15-11e4-bc42-534e57000000} - I:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1004\...\MountPoints2: {e7b0e1ba-5734-11e4-b3f4-534e57000000} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL L:\start.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1004\...\MountPoints2: {eb350a3b-7d4e-11e4-b234-534e57000000} - L:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1005\...\MountPoints2: {6dd5e860-2b15-11e4-bc42-534e57000000} - I:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1005\...\MountPoints2: {e7b0e1ba-5734-11e4-b3f4-534e57000000} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL L:\start.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1005\...\MountPoints2: {eb350a3b-7d4e-11e4-b234-534e57000000} - L:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1006\...\MountPoints2: {6dd5e860-2b15-11e4-bc42-534e57000000} - I:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1006\...\MountPoints2: {e7b0e1ba-5734-11e4-b3f4-534e57000000} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL L:\start.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1006\...\MountPoints2: {eb350a3b-7d4e-11e4-b234-534e57000000} - L:\Splash.exe
Startup: C:\Users\Cory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowsshell.vbs ()
2015-01-19 16:08 - 2015-01-19 16:08 - 00000000 __SHD () C:\Users\Maya\AppData\Local\EmieUserList
2015-01-19 16:08 - 2015-01-19 16:08 - 00000000 __SHD () C:\Users\Maya\AppData\Local\EmieSiteList
2015-01-19 14:17 - 2015-01-20 09:43 - 00000000 __SHD () C:\Users\Deborah\AppData\Local\EmieUserList
2015-01-19 14:17 - 2015-01-20 09:43 - 00000000 __SHD () C:\Users\Deborah\AppData\Local\EmieSiteList
2015-01-15 19:42 - 2015-01-15 19:42 - 00003891 _____ () C:\ads_err.adt
2015-01-15 19:42 - 2015-01-15 19:42 - 00003072 _____ () C:\ads_err.adi
2015-01-15 19:42 - 2015-01-15 19:42 - 00002048 _____ () C:\ads_err.adm
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

[REDACTED]

Ran FRST again.  Log is attached.

[essexboy]

How is it now ?

[REDACTED]

No more alerts, but they stopped for almost a day earlier.  I can't say for sure that the problem is gone, but there is no indication of any problem at the moment!

[essexboy]

OK lets wait for a day then