I have a client who was infected with the Win32/Filecoder.BTCWare payload virus. They have NOD antivirus working on the PC and it did find it when the screen came up with the message of infection. I did a virus scan and it removed the virus. I also ran Malwarebytes and HitmanPro. Then I used Shadowexplorer to restore the infected files. Everything seemed to be working fine until today when my client went for lunch and when he came back his chrome browser was up on his desktop and it looked like it was displaying someone's bank profile. Nobody knows this person and by the looks of the email that is displayed, it looks fake. Also, my client says that he doesn't use chrome. So, right now we have disconnected him from the internet and network. He did another virus scan but it didn't find anything. Any help would really be appreciated. He is running Windows 10. I would post a picture of the screenshot but I can't figure out how to upload a picture.