That's a definite possibility; did you sanitize your known infections? Here's a quick-n-dirty way using the locate DB (which may not be current, but should be within 24 hours):
rm -if $(locate defauit.php) && rm -if $(locate nbpafebaef.jpg)
But another possibility is erroneous permissions on the user account in question. Can you run the User Accounts -> Fix Permissions routine?