A customer called, saying her daughter's laptop is almost unusable, due to some infection.
When I got there, the daughter told me that she noticed the laptop was running slow, and was generating many popup messages about a virus infection… So she bought and installed Norton Internet Security.
Norton says everything is fine, and it couldn't see a problem. I installed AVG Anti-Spyware and Windows Defender, and they also said nothing was wrong with the system (I did a scan in safe mode, and everything was fully updated).
After some digging around, I eventually disabled some suspicious-looking startup programs, but after a reboot, the popups still popped up (particularly browser hijacks to www.safewebnavigate.com)!
It was getting close to 2 hours, so I asked if I could complete the removal back at the office… By that stage, I had figured out that the problem seemed to revolve around a file called mxduo.dll.
Further analysis showed that this was yet another SmitFraud variant. I also found excellent advice on how to deal with it on:
And it seems this variant was first seen on 25 Aug 2007 (I saw it on 8 Sep 2007… just 2 weeks later!). The chances of Norton detecting it are virtually nil.
It seems that the area I had overlooked in doing a manual cleanup was the O21 section of HijackThis.
O21 is otherwise known as SSODL (ShellServiceObjectDelayLoad), an undocumented autorun method, found in the Windows registry at: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
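Each value under that key is a CLSID, and Explorer loads the COM server registered for it at logon, so the DLL never appears in the usual Run keys. The script below is an added example (not from the original post or from HijackThis): it lists every SSODL entry, resolves the CLSID to the DLL path under HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32 (falling back to Wow6432Node on 64-bit systems), and reports whether the file exists, whether it is Authenticode-signed, and whether it lives under the system directory. Value names and DLL paths on any given machine are whatever the registry contains; nothing here is hard-coded to mxduo.dll.

```powershell
# Added example: audit ShellServiceObjectDelayLoad (HijackThis O21) entries.
# Run in an elevated PowerShell session; read-only, it changes nothing.
$ssodlPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$ssodl = Get-Item -Path $ssodlPath -ErrorAction SilentlyContinue
if (-not $ssodl) {
    Write-Output "No SSODL key present on this system."
    return
}

foreach ($name in $ssodl.GetValueNames()) {
    $clsid = [string]$ssodl.GetValue($name)

    # The CLSID maps to a COM in-process server; check the native hive first,
    # then the 32-bit view used by WOW64 processes.
    $serverKeys = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
        "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32"
    )
    $dll = $null
    foreach ($serverKey in $serverKeys) {
        $props = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
        if ($props -and $props.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables($props.'(default)')
            break
        }
    }

    # Classify the resolved file so an unfamiliar entry stands out.
    $status = 'CLSID NOT REGISTERED'
    $inSystemDir = $false
    if ($dll) {
        if (Test-Path -LiteralPath $dll) {
            $status = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            $inSystemDir = $dll -like "$env:SystemRoot\System32\*"
        } else {
            $status = 'FILE MISSING'
        }
    }

    [pscustomobject]@{
        Name        = $name
        CLSID       = $clsid
        Dll         = $dll
        Signature   = $status
        InSystemDir = $inSystemDir
    }
}
```

Entries that resolve to an unsigned DLL outside System32, or to a CLSID whose InprocServer32 points at a user-writable location, are the ones to compare against a known-good build of the same Windows version before removing them (in safe mode, as the post describes). The same CLSID-to-DLL resolution applies to the other shell-extension load points HijackThis reports, so the loop can be pointed at those keys too.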
After removing the relevant startup methods, and removing the infected files (in safe mode), the PC became a lot more responsive.