Infected with recurring sfamcc00001.dll

A few days ago, my wife's computer started redirecting her to unwanted sites (up-to-date version of Firefox). I'd experienced a similar problem earlier this year, and was able to fix it by studying much of the traffic here, so the first thing I did was run MBAM, which found an infection and removed it (...Local Settings\Temp\vwcnb.tmp (Trojan.Daonol)).

This mostly fixed the problem, but it still happens occasionally. I then brought out some of the bigger guns (which helped me last time), like UnhackMe and ComboFix.

UnhackMe discovered HPEVENTOFFICE.DLL and I let it remove that. It also discovered two false positives, which I left alone.

ComboFix found the sfamcc00001.dll and sfareca00001.dll files in C:\Documents and Settings\<user id>\Local Settings\Temp, and removed them. However, they keep coming back. I turned off Windows Restore, and used safe mode to delete them manually, but they still keep coming back when I reboot into normal mode.

Like my previous experience earlier in the year (different PC), I figure it's a combination of things. At that time, I was able to figure it out, but this time I'm stumped. So, I've decided to ask for help. As per the preparation guide, the DDS.txt output is below, and Attach.txt and Ark.txt are attached. Your help would be much appreciated.

I'm also curious how one gets these infections. Both of us are computer savvy. We don't click on links in e-mail. We don't use Outlook. We're behind a hardware firewall. We don't download and install stuff we don't trust.


DDS (Ver_10-12-12.02) - NTFSx86
Run by lalbrough at 10:54:07.14 on 12/18/10
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1453 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\GlidePoint\glidesvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\iTunesHelper.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\lalbrough\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\quicktime\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\lalbro~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\lalbro~1\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lalbro~1\applic~1\mozilla\firefox\profiles\x4nd8c2l.default\
FF - prefs.js: browser.startup.homepage - c:\\proj\\internet\\bluebirdlane\\index.html
FF - prefs.js: network.proxy.http - 192.168.1.229
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\quicktime\mozilla plugins\npitunes.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R2 GlidePoint;GlidePoint Touchpad Client;c:\program files\glidepoint\glidesvc.exe [2005-9-30 131072]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 glidehid;GlidePoint HID Touchpad Minidriver;c:\windows\system32\drivers\glidehid.sys [2005-9-30 33920]
R3 glideps2;GlidePoint PS/2 Touchpad Filter;c:\windows\system32\drivers\glideps2.sys [2005-9-30 12672]
S3 atinysxx;ATI USB 2.0 TV Audio Crossbar;c:\windows\system32\drivers\atinysxx.sys [2005-12-13 93696]
S3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;c:\windows\system32\drivers\atinyvxx.sys [2005-12-13 185344]
S3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;c:\windows\system32\drivers\atinyuxx.sys [2005-12-13 75776]
S3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;c:\windows\system32\drivers\ATIUTD.sys [2005-12-13 38912]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-12-18 35816]
S3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;c:\windows\system32\drivers\atinyttx.sys [2005-12-13 13824]

=============== Created Last 30 ================

2010-12-18 15:23:15 -------- d-----w- c:\program files\FileASSASSIN
2010-12-18 14:31:09 -------- d-sha-r- C:\cmdcons
2010-12-18 14:27:29 98816 ----a-w- c:\windows\sed.exe
2010-12-18 14:27:29 89088 ----a-w- c:\windows\MBR.exe
2010-12-18 14:27:29 256512 ----a-w- c:\windows\PEV.exe
2010-12-18 14:27:29 161792 ----a-w- c:\windows\SWREG.exe
2010-12-18 14:24:35 388096 ----a-r- c:\docume~1\lalbro~1\applic~1\microsoft\installer\{0761c9a8-8f3a-4216-b4a7-b7afbf24a24a}\HiJackThis.exe
2010-12-18 14:02:22 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-12-18 14:02:22 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-12-18 14:01:45 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-12-18 14:01:42 -------- d-----w- c:\program files\UnHackMe
2010-12-18 13:29:16 -------- d-----w- c:\windows\setup.pss
2010-12-18 13:28:03 -------- d-----w- c:\windows\setupupd
2010-12-18 03:27:44 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{20017bc8-c904-4fd4-aa09-3a6a851413d5}\mpengine.dll
2010-12-16 03:21:44 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 03:18:15 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-14 22:46:46 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\backup\mpengine.dll
2010-12-14 22:46:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-14 13:33:35 -------- d-----w- c:\docume~1\lalbro~1\applic~1\Malwarebytes
2010-12-14 13:33:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-14 13:33:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-14 13:33:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 13:33:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-08 17:58:31 -------- d-----w- c:\docume~1\lalbro~1\locals~1\applic~1\WdcfgPath
2010-11-30 22:03:11 -------- d-----w- c:\program files\iPod
2010-11-30 21:59:34 -------- d-----w- c:\program files\Bonjour
2010-11-21 21:34:34 2790864 ----a-w- c:\temp\install_flash_player.exe
2010-11-18 18:12:44 81920 -c----w- c:\windows\system32\dllcache\isign32.dll

==================== Find3M ====================

2010-12-18 14:01:50 26 ----a-w- c:\windows\WINSTART.BAT
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-07 17:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2004-03-11 18:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 10:54:59.51 ===============

Problems resolved. Just in case it helps anyone:

- The original run of MBAM resolved one problem, as I already mentioned.

After that, we still had the occasional redirect.

- UnHackMe took care of a second problem (HPEVENTOFFICE.DLL).

- ComboFix took care of another problem (a rogue DLL that was being loaded), and reported and removed the two DLLs mentioned above (sfamcc00001.dll and sfareca00001.dll).

That just left the two mysterious reappearing DLLs. I decided the machine was unsafe, and left it turned off while waiting for help here. In other words, we didn't check to see if the redirect problem had gone away. It didn't help that several sites mention those DLLs as being malware.

I finally decided to investigate further (you guys and gals must be swamped right now), and ran all of the other usual tools (all downloaded from links recommended on this site), and none found anything. I finally determined that the DLLs actually are created by, and belong to, SpeedFan. Exiting SpeedFan makes one of them go away, and allows the other to be deleted. I'm pretty sure SpeedFan is okay, but I removed it anyway.

For someone with a good understanding of the workings of OSes, the information on this site is quite useful in diagnosing one's own problems. Thanks!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

I'm glad that you have since resolved your topic and thanks for letting us know.

Casey

Glad all is well.

Edited by thcbytes, 28 December 2010 - 06:18 PM.