A couple of days ago while just browsing (some computer tech topics, of all things) the Internet with Firefox (Windows Vista), my Avira popped one or more warnings about a virus detection. Files such as conhost.exe, dwm.exe, and csrss.exe were quarantined and deleted (all originating in either Temp or AppData directories, including the latter two, which have legitimate counterparts in the Windows directory). Browser proxy settings were changed in Firefox and IE. A Registry entry was made to start one of the malicious files (deleted now). After killing processes, quarantining files, and running a complete scan with Avira, it showed no infection after all this. The Avira detection was listed as TR/Crypt.XPACK.Gen.
But after rebooting, Avira kept giving an error "The profile could not be found". I tried to repair the Avira install (Programs and Features > Change > Modify > etc) which didn't help. Uninstalling and reinstalling did.
Now today I had a Comodo alert for a file, ms0cfg32.exe (which may also have been the previous time, I don't recall). Since I was a little paranoid from the last mess, I switched Defense+ to Paranoid Mode before doing more Internet browsing/searching... I blocked the file via Comodo, but when I checked its location, it was gone.
Now I tried a "Scan for Rootkits..." with Avira which showed no detection...
Also, here is a Registry entry I came across referring to a malware file, but I'm not sure what the entry should be, though I'm guessing just "explorer.exe":
Shell = explorer.exe,C:\Users\Ken\AppData\Roaming\dwm.exe
Not sure where I'm going with all this, but my questions are:
1. How do I know if I still have some sort of infection?
2. Should I just go through the hassle of restoring my C drive from a pre-infection image and restoring backed-up data?
3. How on earth is some crappy website able to save malicious executables to my hard drive AND execute them while I have Avira and Comodo running? Comodo normally pops up alerts for all kinds of stuff that is harmless, yet malware was downloaded, browser settings changed, registry entries added/changed, and malware processes run.
Any help with what to do next would be appreciated. After two issues in a few days, I have become fearful of even using the Internet for Web browsing. I used to think my security setup was pretty good and had little or no problems in years, until lately...
I do have HijackThis on my system, and have just downloaded DDS and GMER, in case that's helpful.
Edited by Zellers, 10 December 2010 - 10:28 AM.
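As an added example (not part of the original post or anyone's reply), the following read-only PowerShell audit checks the two indicators the post describes: a Winlogon Shell value with extra comma-separated entries, and Windows binary names (conhost.exe, dwm.exe, csrss.exe) running or autostarting from Temp/AppData instead of the Windows directory. It assumes an elevated prompt on a Vista-era PowerShell 2.0 install; the key paths and binary names are standard Windows locations, and nothing is deleted or changed.

```powershell
# Added example, not from the original post: read-only audit of the
# indicators described above. Run from an elevated PowerShell prompt.

$expectedShell = 'explorer.exe'
$winlogonKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Windows binaries named in the post; the real copies live under %SystemRoot%.
$systemNames  = @('conhost.exe', 'dwm.exe', 'csrss.exe', 'explorer.exe')
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)

# 1. Winlogon Shell: a clean value is exactly "explorer.exe". Any extra
#    comma-separated entry (as in the post) is launched at every logon.
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { continue }
    $extra = ($shell -split ',') | ForEach-Object { $_.Trim() } |
             Where-Object { $_ -and ($_ -ine $expectedShell) }
    if ($extra) { Write-Warning "Shell in $key also launches: $($extra -join '; ')" }
    else        { Write-Host    "Shell in $key is clean ($shell)" }
}

# 2. Run keys: flag any autostart whose command points into Temp or AppData.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PowerShell metadata, not a value
        $cmd = ([string]$p.Value).TrimStart('"')        # strip a leading quote if present
        foreach ($root in $suspectRoots) {
            if ($root -and $cmd.StartsWith($root, 'OrdinalIgnoreCase')) {
                Write-Warning "Run entry '$($p.Name)' = $($p.Value)"
            }
        }
    }
}

# 3. Running processes: a system binary name whose image is not under
#    %SystemRoot% is the masquerading pattern the AV flagged. ExecutablePath
#    is empty for protected processes when not elevated, so those are skipped.
Get-WmiObject Win32_Process | Where-Object {
    ($systemNames -contains $_.Name) -and $_.ExecutablePath -and
    -not $_.ExecutablePath.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
} | ForEach-Object {
    Write-Warning "Process $($_.Name) (PID $($_.ProcessId)) runs from $($_.ExecutablePath)"
}
```

A clean system prints only the "is clean" lines for the Shell values; any warning names the exact key, value or process path to investigate, which is the information a helper on a forum thread like this one will ask for.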