Some time ago I believe I was infected via some sort of Flash-based malware. It put the Total Security fake anti-virus on my system, which I managed to stop running by being quick on the Ctrl-Alt-Del as soon as Windows started and killing its process. At the time I used Malwarebytes to get rid of it. However, over the last month or so, odd things keep happening that may or may not be connected.
I noticed that my password forms would be reset, meaning I would have to re-enter them, which made me suspicious. Around the same time, Microsoft Security Essentials found and removed PWS:Win32/Zbot, though this keeps coming back. I found a website online that directed me to look in C:\Documents and Settings\<username>\Application Data (I am running XP) and sure enough found a randomly named folder in there. This is one folder that has regenerated itself, always with a random 4-character name, and containing an exe with a 5-character name. When that folder came back, my firewall (ZoneAlarm) also detected a file with a random name, but of the format 0.xxxxxxxxxxxxxxxx.exe where the x's are numbers. The 5-character program also adds itself to my startup files, which I checked using Start > Run > msconfig.
I also started getting problems with my ATI graphics monitoring program, CCC, where it would crash on startup (I reinstalled it and it seems OK now), as well as odd graphical glitches and instability within ZoneAlarm (also reinstalled whilst in safe mode). The settings window for Java in 'Control Panel' was also corrupted, looking like graphical gobbledigook, so I re-installed Java. I have run a number of the free antimalware programs: Malwarebytes, IOBit360 and Microsoft Security Essentials. The latter two are running all the time; Malwarebytes I use as a passive scan. According to them my system is currently clean, but infections keep returning.
MSE also recently detected the following: Exploit:Win32/Pdfjsc.PE, Exploit:JS/Mult.DL and TrojanSpy:Win32/Delf.CL, and removed them.
However, I have also been getting redirects in Firefox via google.ad.sgdoubleclick, where Google searches are hijacked and I am taken to an advert site rather than what I clicked on. I found some advice on Bleeping Computer HERE, some of which I followed:
- Cleared Java cache
- Ran TDSSKiller (no infection found)
- Ran TFC temp file cleaner
- Ran RKUnhookerLE but had no clue what I was looking at
- Ran DDS, but it doesn't want to work: the DOS window doesn't open, and I just get a Notepad document of more gobbledigook. My machine has given it the icon of an AutoCAD script, so maybe my Autodesk Inventor installation has claimed it for its own?
Basically, because this stuff keeps coming back, I am concerned something has dug its claws in deep and that even the three programs I have on the system just aren't finding the root of it.
Can anyone help me find out what's going on? Thanks in advance!
EDIT: System specs:
AMD Athlon X2 4800+
Windows XP 32 BIT (All updates installed)
Edited by RossNashwan, 22 May 2011 - 09:29 AM.
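The post describes three name-based indicators that a helper would normally check by hand: a random 4-character folder under Application Data holding a 5-character .exe, a dropped file named 0.<16 digits>.exe, and a per-user startup entry pointing into the profile. The script below is an added triage example, not code from the poster, from Bleeping Computer or from any of the tools named above. It builds a throw-away profile tree with constructed file names, then flags entries that fit those patterns. Assumptions: the random names are alphanumeric (the post only says "random"), the 0.<digits>.exe file sits in the Temp folder (the post does not say where it was found), and startup entries are supplied as command lines in the form msconfig or the Run keys display them. A name match is only a hint for further investigation (hash the file, check it against the vendor's detection write-up), never grounds on its own to delete something.

```python
import os
import re
import tempfile

# Naming patterns taken from the symptoms in the post.  The character
# classes are an assumption; the post only says the names are "random".
RANDOM_DIR_RE = re.compile(r"^[A-Za-z0-9]{4}$")
SHORT_EXE_RE = re.compile(r"^[A-Za-z0-9]{5}\.exe$", re.IGNORECASE)
ZERO_DOT_EXE_RE = re.compile(r"^0\.\d{16}\.exe$", re.IGNORECASE)


def find_suspicious_files(profile_dir):
    """Walk a user profile and return sorted (reason, relative_path) pairs
    for files whose names fit the patterns above.  A match is a triage hint,
    not proof of infection."""
    hits = []
    for root, _dirs, files in os.walk(profile_dir):
        parent = os.path.basename(root)
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), profile_dir)
            if ZERO_DOT_EXE_RE.match(name):
                hits.append(("zero-dot-exe", rel))
            elif SHORT_EXE_RE.match(name) and RANDOM_DIR_RE.match(parent):
                hits.append(("short-exe-in-random-dir", rel))
    return sorted(hits)


def flag_startup_entries(entries, profile_dir):
    """Given startup command lines (as msconfig or the Run keys show them),
    return those whose executable lives inside the user profile.  Installed
    software normally starts from Program Files; a per-user startup entry
    that points into Application Data deserves a second look."""
    prefix = os.path.normcase(os.path.normpath(profile_dir))
    flagged = []
    for cmd in entries:
        # First token is the executable, quoted if the path has spaces.
        m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
        if not m:
            continue
        exe = os.path.normcase(os.path.normpath(m.group(1) or m.group(2)))
        if exe.startswith(prefix):
            flagged.append(cmd)
    return flagged


def build_sample_profile():
    """Create a temporary profile tree with constructed file names (sample
    data for the demo, not a copy of anyone's machine) and return its path."""
    base = tempfile.mkdtemp(prefix="xp-profile-")
    layout = {
        # constructed: fits the random-folder / 5-character-exe pattern
        os.path.join("Application Data", "Xk3q"): ["bqmwe.exe"],
        # constructed: ordinary application data that must not be flagged
        os.path.join("Application Data", "Mozilla", "Firefox"): ["profiles.ini"],
        # constructed: location of the 0.<digits>.exe file is an assumption
        os.path.join("Local Settings", "Temp"): ["0.1234567890123456.exe", "~DF1A2B.tmp"],
    }
    for sub, names in layout.items():
        d = os.path.join(base, sub)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"placeholder")  # contents do not matter for name-based triage
    return base


def run_demo():
    """Build the sample profile, scan it and check two constructed startup
    entries; returns (file_hits, startup_hits)."""
    profile = build_sample_profile()
    file_hits = find_suspicious_files(profile)
    startup = [
        '"' + os.path.join(profile, "Application Data", "Xk3q", "bqmwe.exe") + '"',
        '"C:\\Program Files\\ATI Technologies\\CLI.exe" start',  # constructed, legitimate-looking
    ]
    return file_hits, flag_startup_entries(startup, profile)


if __name__ == "__main__":
    files, starts = run_demo()
    for reason, path in files:
        print(reason, path)
    for cmd in starts:
        print("startup entry inside profile:", cmd)
```

On a real XP profile you would call find_suspicious_files on C:\Documents and Settings\<username> and pass the entries from the msconfig Startup tab to flag_startup_entries; the output is a short list to hand to whoever is helping with the cleanup, alongside the file hashes.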