i think i've got a lead on the firefox backdoor, though - they seem to be installing an extension somehow and then deleting it. that extension seems to be what's triggering all of the things.
the group policy doesn't have a firefox setting for obvious reasons, so maybe there's some user prefs to look at there.
it still doesn't really answer anything...