This mostly fixed the problem, but it still happens occasionally. I then brought out some of the bigger guns (which helped me last time), like UnhackMe and ComboFix.
UnhackMe discovered HPEVENTOFFICE.DLL and I let it remove that. It also discovered two false positives, which I left alone.
ComboFix found the sfamcc00001.dll and sfareca00001.dll files in C:\Documents and Settings\<user id>\Local Settings\Temp, and removed them. However, they keep coming back. I turned off Windows Restore, and used safe mode to delete them manually, but they still keep coming back when I reboot into normal mode.
Like my previous experience earlier in the year (different PC), I figure it's a combination of things. At that time, I was able to figure it out, but this time I'm stumped. So, I've decided to ask for help. As per the preparation guide, the DDS.txt output is below, and Attach.txt and Ark.txt are attached. Your help would be much appreciated.
I'm also curious how one gets these infections. Both of us are computer savvy. We don't click on links in e-mail. We don't use Outlook. We're behind a hardware firewall. We don't download and install stuff we don't trust.
DDS (Ver_10-12-12.02) - NTFSx86
Run by lalbrough at 10:54:07.14 on 12/18/10
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1453 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\GlidePoint\glidesvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\iTunesHelper.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\lalbrough\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\quicktime\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\lalbro~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\lalbro~1\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\lalbro~1\applic~1\mozilla\firefox\profiles\x4nd8c2l.default\
FF - prefs.js: browser.startup.homepage - c:\\proj\\internet\\bluebirdlane\\index.html
FF - prefs.js: network.proxy.http - 192.168.1.229
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\quicktime\mozilla plugins\npitunes.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
============= SERVICES / DRIVERS ===============
R2 GlidePoint;GlidePoint Touchpad Client;c:\program files\glidepoint\glidesvc.exe [2005-9-30 131072]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 glidehid;GlidePoint HID Touchpad Minidriver;c:\windows\system32\drivers\glidehid.sys [2005-9-30 33920]
R3 glideps2;GlidePoint PS/2 Touchpad Filter;c:\windows\system32\drivers\glideps2.sys [2005-9-30 12672]
S3 atinysxx;ATI USB 2.0 TV Audio Crossbar;c:\windows\system32\drivers\atinysxx.sys [2005-12-13 93696]
S3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;c:\windows\system32\drivers\atinyvxx.sys [2005-12-13 185344]
S3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;c:\windows\system32\drivers\atinyuxx.sys [2005-12-13 75776]
S3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;c:\windows\system32\drivers\ATIUTD.sys [2005-12-13 38912]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-12-18 35816]
S3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;c:\windows\system32\drivers\atinyttx.sys [2005-12-13 13824]
=============== Created Last 30 ================
2010-12-18 15:23:15 -------- d-----w- c:\program files\FileASSASSIN
2010-12-18 14:31:09 -------- d-sha-r- C:\cmdcons
2010-12-18 14:27:29 98816 ----a-w- c:\windows\sed.exe
2010-12-18 14:27:29 89088 ----a-w- c:\windows\MBR.exe
2010-12-18 14:27:29 256512 ----a-w- c:\windows\PEV.exe
2010-12-18 14:27:29 161792 ----a-w- c:\windows\SWREG.exe
2010-12-18 14:24:35 388096 ----a-r- c:\docume~1\lalbro~1\applic~1\microsoft\installer\{0761c9a8-8f3a-4216-b4a7-b7afbf24a24a}\HiJackThis.exe
2010-12-18 14:02:22 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-12-18 14:02:22 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-12-18 14:01:45 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-12-18 14:01:42 -------- d-----w- c:\program files\UnHackMe
2010-12-18 13:29:16 -------- d-----w- c:\windows\setup.pss
2010-12-18 13:28:03 -------- d-----w- c:\windows\setupupd
2010-12-18 03:27:44 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{20017bc8-c904-4fd4-aa09-3a6a851413d5}\mpengine.dll
2010-12-16 03:21:44 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 03:18:15 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-14 22:46:46 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\backup\mpengine.dll
2010-12-14 22:46:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-14 13:33:35 -------- d-----w- c:\docume~1\lalbro~1\applic~1\Malwarebytes
2010-12-14 13:33:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-14 13:33:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-14 13:33:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 13:33:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-08 17:58:31 -------- d-----w- c:\docume~1\lalbro~1\locals~1\applic~1\WdcfgPath
2010-11-30 22:03:11 -------- d-----w- c:\program files\iPod
2010-11-30 21:59:34 -------- d-----w- c:\program files\Bonjour
2010-11-21 21:34:34 2790864 ----a-w- c:\temp\install_flash_player.exe
2010-11-18 18:12:44 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
==================== Find3M ====================
2010-12-18 14:01:50 26 ----a-w- c:\windows\WINSTART.BAT
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-07 17:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2004-03-11 18:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
============= FINISH: 10:54:59.51 ===============
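The log above is a DDS report, and the parts a helper actually reads first are the autostart entries in the "Pseudo HJT Report" block, the "SERVICES / DRIVERS" block and the "Created Last 30" block. As an added example (not part of the original post and not code from the DDS tool's authors), here is a small Python parser that splits a DDS log into its "=== Section ===" blocks and pulls out those records. SAMPLE_LOG is a constructed excerpt assembled from lines in the log above, not the full output; the three triage heuristics (autostart commands that carry no directory and so resolve through the search path, process lines DDS printed without a path, and driver files created in the last 30 days that back a registered service) are this example's own, and a hit only means "look at this on the machine", not "this is malicious".

```python
"""Parse a DDS log into sections and list the records worth checking first.

Added example, not code from the original post or from the DDS tool.
SAMPLE_LOG is a constructed excerpt of the log in the post.
"""
import re

SAMPLE_LOG = r"""
DDS (Ver_10-12-12.02) - NTFSx86
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
============== Pseudo HJT Report ===============
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
dRunOnce: [RunNarrator] Narrator.exe
============= SERVICES / DRIVERS ===============
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-12-18 35816]
=============== Created Last 30 ================
2010-12-18 15:23:15 -------- d-----w- c:\program files\FileASSASSIN
2010-12-18 14:02:22 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-12-18 14:01:45 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-12-14 13:33:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
============= FINISH: 10:54:59.51 ===============
"""

# "=== Name ===" section headers, "xRun: [Name] command" autostarts,
# "R2 svc;Display;path [date size]" services, "date time size attrs path" files.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[([^\]]+)\] (.*)$")
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(\S+) (\d+)\]$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")


def parse_sections(text):
    """Map each section name to the non-empty lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def autostart_entries(sections):
    out = []
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            out.append({"hive": hive, "name": name, "command": command})
    return out


def services(sections):
    out = []
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SVC_RE.match(line)
        if m:
            state, name, display, path, date, size = m.groups()
            out.append({"state": state, "name": name, "display": display,
                        "path": path, "date": date, "size": int(size)})
    return out


def created_files(sections):
    out = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m:
            stamp, size, attrs, path = m.groups()
            out.append({"time": stamp, "attrs": attrs, "path": path,
                        "is_dir": attrs.startswith("d"),
                        "size": None if size.startswith("-") else int(size)})
    return out


def executable_of(command):
    """First token of a Run value, honouring a quoted path with spaces."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage(text):
    """Heuristics of this example: items to verify on the box, not verdicts."""
    sections = parse_sections(text)
    created = {f["path"].lower() for f in created_files(sections)}
    return {
        # A bare name like Narrator.exe is resolved via the search path at logon.
        "unpathed_autostarts": [e for e in autostart_entries(sections)
                                if "\\" not in executable_of(e["command"])],
        # DDS printed no image path; resolve these with tasklist /svc on the host.
        "unpathed_processes": [p for p in sections.get("Running Processes", [])
                               if "\\" not in p],
        "recent_drivers": [f for f in created_files(sections)
                           if not f["is_dir"] and f["path"].lower().endswith(".sys")],
        # A registered service whose binary appeared within the last 30 days.
        "new_service_binaries": [s for s in services(sections)
                                 if s["path"].lower() in created],
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```

Run it against a full DDS.txt by replacing SAMPLE_LOG with the file contents; the section names are the ones DDS prints in the log above, so a log from a different DDS version may need the names adjusted.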