A customer called, saying her daughters laptop is almost unusable, due to some infection.

When I get there, the daughter tells me that she noticed the laptop was running slow, and was generating many popup messages about a virus infection… So she bought and installed norton internet security.

Norton says everything is fine, and it couldn’t see a problem. I installed avg antispyware and windows defender, and they also said nothing was wrong with the system (I did a scan in safe mode, and everything was fully updated)

After some digging around, I eventually disabled some suspicious-looking startup programs, but after a reboot, the popups still poped-up (particularly browser hijacks to www.safewebnavigate.com)!

It was getting close to 2 hours, so I asked if I could complete the removal back at the office… By that stage, I had figured out that the problem seemed to revolve around a file called mxduo.dll

Further analysis showed that this was yet another smitfraud variant. I also found excellent advice on how to deal with it on:

http://forums.techguy.org/malware-removal-hijackthis-logs/616547-winavxx-exe-tried-delete-safemode.html

And it seems this variant was first seen on 25 aug 2007 (I saw it on 8 sep 2007… just 2 weeks later!). The chances of norton detecting it are virtually nil.

It seems that the area I had overlooked in doing a manual cleanup, was the O21 section of hijackthis.

O21 is otherwise known as SSODL (ShellServiceObjectDelayLoad), an undocumented autorun method,  found in the windows registry at: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad

After removing the relevant startup methods, and removing the infected files (in safe mode), the PC became a lot more responsive.