[OkayOkayOkay]

Yes it is normal regarding steam. I moved it there. 

[Advertisements]

It's frozen a couple of times, this one has taken hours and not even at 50% yet!! Should I pursue with it?

 

 

If possible yes. Many people set it to run overnight since it takes awhile. With the type of infection you had I don't want to take any chances. Also if you get a second and are able to answer my question in Post#44 that would be great. Thank you!

[BrianDrab]

It's frozen a couple of times, this one has taken hours and not even at 50% yet!! Should I pursue with it?

 

 

If possible yes. Many people set it to run overnight since it takes awhile. With the type of infection you had I don't want to take any chances. Also if you get a second and are able to answer my question in Post#44 that would be great. Thank you!

[BrianDrab]

And you answered the question. Thank you. You can ignore that last part then.

[OkayOkayOkay]

Okay, I'm sticking at it! Luckily I'm using the laptop and it isn't freezing. 

[OkayOkayOkay]

I still have I - Cinema as an extension on Google Chrome. As well as two other suspicious ones. Will this remove them, do you think?

[BrianDrab]

I have a fix prepared that will remove those but was going to do it after the scan is finished. Because Chrome was compromised we're going to rip out most of the extensions and have you install only the ones that you use.

[OkayOkayOkay]

Okay, thank you! I see what you mean, now. Shall I prevent myself from using Chrome at this time?

[BrianDrab]

I would try to stay away from it until our next fix.

[OkayOkayOkay]

My computer restarted as I slept!!! I restarted it when I awoke and it's now on 44%. This program is a nightmare!! Hopefully it pays off.

[BrianDrab]

Arghhhh.....bummer.

[OkayOkayOkay]

It failed...screen went blank!!

[BrianDrab]

OK, we'll attack this a little differently. Please do the following.

 

Step#1 - CCleaner Warning
I see that you have CCleaner installed. This is indeed a good product but I wanted to caution you on running the registry cleaning functionality of the tool. Please avoid this as it can do more harm than good.
http://www.bleepingc...s/#entry2853053
http://miekiemoes.bl...weaking_13.html

 

Step#2 - Questions

1. It appears you moved all of your encrypted documents somewhere. Can you validate this? Just want to make sure.

2. I see you have another user account - simone_2. Do you use this account or is it a test account that can be removed?

 

 

Step#3 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
1. Download attached file and save it to the Desktop.  fixlist.zip   185.48KB   216 downloads. The file was too large to attach to the forum so I had to zip it. Once saving to your desktop, right-click on the file and extract the fixlist.txt. Please ensure that you move the fixlist.txt to your desktop.
Note. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
2. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.

 

Step#4 - FRST Registry Search
 1. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
2. Copy and paste globalUpdate,esgiguard,Shredder  into the Search box and click the Search Registry button.
   
 
3. When the scan is complete a notepad window will open with the results. Please copy and paste the contents in your next reply. If for some reason notepad doesn't open the file should be
    saved on your desktop named Search.txt.

 

 

Items for your next post

1. Answer to questions

2. FRST Fixlog.txt

3. FRST Search.txt log

 

 

 

 

[OkayOkayOkay]

Sorry for the delayed response. It worked...it found tens of thousands infected files...so much so it won't even let me paste it here!

[OkayOkayOkay]

I have private messaged you the SendSpace link

[BrianDrab]

Thank you for the information. I've updated my Post#57 to include these files. Can you go ahead and follow these steps in the post?