Dave B

Yeah I think it was to remove the last residual traces after removing the extension folders. To be fair to then, I've had many cases like this with Sophos, Norton and Avira where Malwarebytes saved the day. I think their adaware scanner is slightly deeper for these types of threat - although AV companies should be catching up.

Ok just spoke to ESET support and they advised to do the following; 1. Disable all extensions in Chrome. Settings > More Tools > Extensions. 2. Select 'Developer mode' from the extensions menu and make note of the ID of the extensions you want to keep (along with the official Google ones such as sheets etc) - e.g. ID: bhghoamapcdpbohphigoooaddinpkbai 3. Close Chrome and navigate to %username%\AppData\Local\Google\Chrome\User Data\Default\Extensions From here you delete all the extension ID's that you don't want (leave the ones you recorded in step 2). I believe the malware in question started with the letter 'o' (but it might not be universal). 4. Download and run 'ADWCleaner' from Malwarebytes. When you first run it go into the options menu and select all options. Run a scan and then clean all. Please note you'll lose RDP connectivity during the clean so advise the user to restart after it's completed. So far so good. ESET were actually very helpful.

Actually I spoke too soon. 24 hours later, the alerts have returned. Full details; JS/Mindspark.E Event occurred during an attempt to access the file. Threat Handled - No Location - %username%AppData/Local/Temp/scoped_dir7224_24928/CRX_INSTALL/js/scriptInjector.js I navigated to that path and cannot find the file in question. ESET What do you advise?

Thanks Cp3p0 Worked for me also I didn't get the notifications on the client but disabling extensions, clearing cache/cookies and then running a scan from the ERA worked.