DreamingFox (Major, Premium Member; Joined: Aug 29, 2004; Posts: 1067)
Posted: Sun Feb 27, 2005 6:06 pm    Post subject: brother in law
I spent HOURS on my brother-in-law's computer yesterday. We cleaned up partially uninstalled programs, straggling files, and found 21 instances of malware that NAV hadn't caught. We ran ewido in safe mode, and then I convinced him to give AntiVir a whirl.
I've got results that I don't know how to resolve. Can you walk me through cleaning this up? I've just included what I feel are the pertinent results, but it's still kind of long, sorry.
~~~~~~~~~~~~
There are multiple-instance locked and password protected zipped archives. Some of them I recognize and some I don't. They are: Advertising, AvenueAInc, BackWebLite, CDilla, Clop, CommonName (52 of these), Cydoor, DoubleClick, eAcceleration, eXactSearchBar, eZulaHotText, FileFreedom, FlashTrack, Gator, Hotbar, HuntBar, IGetNet, InternetWasher, IPInsight, MiniBug, nCase, NewNet, Unknown, VX, WildTangent, and WindowsMediaPlayer!
There are also single-instance locked archives called BargainBuddy, FreeHistoryCleaner, SaveNow, and TargetNet.
Here is the malware AntiVir detected, and its location:
C:\Program Files\HP Instant Support\plugin\bin
motdeusr.zip
ArchiveType: ZIP
--> resources\deusr\lib\js.zip
ArchiveType: ZIP
--> com\motive\JSInterp\JSClassLoader.class
[DETECTION] This file contains suspicious code Heuristic/Java.Downloader
Error! Could not change directory: System Volume Information
C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore
package_8.cab
ArchiveType: CAB (Microsoft)
--> \plugin\bin\motdeusr.zip
ArchiveType: ZIP
--> resources\deusr\lib\js.zip
ArchiveType: ZIP
--> com\motive\JSInterp\JSClassLoader.class
[DETECTION] This file contains suspicious code Heuristic/Java.Downloader
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin
motdeusr.zip
ArchiveType: ZIP
--> resources\deusr\lib\js.zip
ArchiveType: ZIP
--> com\motive\JSInterp\JSClassLoader.class
[DETECTION] This file contains suspicious code Heuristic/Java.Downloader
C:\WINDOWS\system32
L70000008.exe
[DETECTION] Contains the signature of a cost-incurring dialer DIAL/300743 (Dialer)
WAS DELETED!
And there were lots of files (as opposed to zipped archives) that were locked and password protected.
~~~~~~~~~~~
In addition to getting this mess cleaned up, I'd like to know: 1) Why was the dialer deleted, but the loaders weren't? 2) What can be done to eliminate the password protected archives and files? and 3) What are the chances that some of these programs will reinstall themselves?
Thank you!
mrrockford (News Admin, AVPE Host; Joined: Apr 24, 2004; Posts: 3010)
Posted: Sun Feb 27, 2005 7:06 pm
Howdy,
Don't worry too much about the detections in zipped archives as they are not active and can't be activated until unzipped.
Quote:
> [DETECTION] This file contains suspicious code Heuristic/........

comes from the heuristic setup level. You could set this lower, scan again, and see if they are still there. To be on the safe side it's still best to get one of the experts to look at an HJT log to make sure nothing is still active or if there are traces still hanging around.
_________________
"Anyone who considers protocol unimportant has never dealt with a cat."
L. Long
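The point made above (a detection inside a zip or cab is reported but not acted on, while a loose file on disk is deleted) is easy to lose in a long report. As an added example, not code from this thread or from H+BEDV, here is a small parser for the report layout shown in the opening post: a directory line, a file name, optional "ArchiveType:" / "-->" nesting, a "[DETECTION]" line and an optional "WAS DELETED!" line. The line grammar is inferred from that pasted log, and the class and field names are my own. It separates detections that are inert inside an archive from the ones that sit on disk and tells you which of the latter the scanner did not remove, which is the list worth chasing with an HJT log.

```python
"""Parse an AntiVir-style scan report into structured findings.

Added example, not code from this thread or from H+BEDV. The line format is
inferred from the report pasted in the opening post; names are my own.
"""
import re
from dataclasses import dataclass, field

DIR_RE = re.compile(r"^[A-Za-z]:\\")        # e.g. C:\WINDOWS\system32
SIG_RE = re.compile(r"\S+/\S+")              # e.g. Heuristic/Java.Downloader, DIAL/300743


@dataclass
class Finding:
    path: str                                   # file on disk that was scanned
    chain: list = field(default_factory=list)   # nested archive members, outermost first
    detection: str = ""                         # full [DETECTION] message
    signature: str = ""                         # the Name/ID token inside that message
    deleted: bool = False                       # whether the scanner reported "WAS DELETED!"

    @property
    def in_archive(self) -> bool:
        # A member of a zip/cab is inert until something extracts it, which is
        # why the scanner lists it but takes no action on it.
        return bool(self.chain)


def parse_antivir_report(text: str):
    """Return (findings, errors) parsed from the report text."""
    findings, errors = [], []
    current_dir, current_file, chain = "", "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DIR_RE.match(line):                    # new directory: reset file context
            current_dir, current_file, chain = line, "", []
        elif line.startswith("Error!"):
            errors.append(line)
        elif line.startswith("ArchiveType:"):    # describes the entry just named
            continue
        elif line.startswith("-->"):             # one level deeper inside the archive
            chain.append(line[3:].strip())
        elif line.startswith("[DETECTION]"):
            msg = line[len("[DETECTION]"):].strip()
            m = SIG_RE.search(msg)
            findings.append(Finding(
                path=current_dir.rstrip("\\") + "\\" + current_file,
                chain=list(chain),
                detection=msg,
                signature=m.group(0) if m else "",
            ))
        elif line.startswith("WAS DELETED"):     # action applies to the last finding
            if findings:
                findings[-1].deleted = True
        else:                                    # plain file name in current_dir
            current_file, chain = line, []
    return findings, errors


def summarize(findings):
    """Count inert-in-archive vs on-disk detections and what was acted on."""
    return {
        "inside_archive": sum(1 for f in findings if f.in_archive),
        "on_disk": sum(1 for f in findings if not f.in_archive),
        "deleted": sum(1 for f in findings if f.deleted),
        "on_disk_not_deleted": sum(1 for f in findings if not f.in_archive and not f.deleted),
    }


# Constructed sample: three of the entries from the report in the opening post.
SAMPLE_REPORT = r"""
C:\Program Files\HP Instant Support\plugin\bin
motdeusr.zip
ArchiveType: ZIP
--> resources\deusr\lib\js.zip
ArchiveType: ZIP
--> com\motive\JSInterp\JSClassLoader.class
[DETECTION] This file contains suspicious code Heuristic/Java.Downloader
Error! Could not change directory: System Volume Information
C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore
package_8.cab
ArchiveType: CAB (Microsoft)
--> \plugin\bin\motdeusr.zip
ArchiveType: ZIP
--> resources\deusr\lib\js.zip
ArchiveType: ZIP
--> com\motive\JSInterp\JSClassLoader.class
[DETECTION] This file contains suspicious code Heuristic/Java.Downloader
C:\WINDOWS\system32
L70000008.exe
[DETECTION] Contains the signature of a cost-incurring dialer DIAL/300743 (Dialer)
WAS DELETED!
"""

if __name__ == "__main__":
    found, errs = parse_antivir_report(SAMPLE_REPORT)
    for f in found:
        where = f.path + (" -> " + " -> ".join(f.chain) if f.chain else "")
        state = "deleted" if f.deleted else ("inert (in archive)" if f.in_archive else "ON DISK, NOT REMOVED")
        print(f"{f.signature:28} {state:22} {where}")
    print(summarize(found))
    for e in errs:
        print("skipped:", e)
```

Run it on the pasted report and the two Heuristic/Java.Downloader hits come out as inert archive members while DIAL/300743 is the one loose file, already deleted; anything that lands in "on_disk_not_deleted" is what the HJT log should be checked against. The "Error!" line about System Volume Information is kept separately, since a directory the scanner could not enter is a gap in coverage, not a clean result.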
DreamingFox (Major, Premium Member; Joined: Aug 29, 2004; Posts: 1067)
Posted: Sun Feb 27, 2005 7:38 pm
Thanks, Mr. R.
DreamingFox (Major, Premium Member; Joined: Aug 29, 2004; Posts: 1067)
Posted: Sun Feb 27, 2005 9:07 pm
One other thing, he can't get the umbrella to open. I've gone over all the settings with him and can't figure what the problem is. Activate and Configure are both dimmed.
DreamingFox (Major, Premium Member; Joined: Aug 29, 2004; Posts: 1067)
Posted: Sun Feb 27, 2005 9:21 pm
Hi again,
More input (sorry - I'm getting this piecemeal myself): when I reviewed all the configuration settings with him over the phone, he said that most of the boxes were not checked. Perhaps something nasty is preventing his access?
mrrockford wrote:
> Quote: [DETECTION] This file contains suspicious code Heuristic/........
> comes from the heuristic setup level. You could set this lower, scan again, and see if they are still there.

The heuristic level was set at low rather than high, so those detection results were at a low setting.

mrrockford wrote:
> To be on the safe side it's still best to get one of the experts to look at an HJT log to make sure nothing is still active or if there are traces still hanging around.

He's downloading HiJackThis as we speak, and will be posting his results in that forum.
mrrockford (News Admin, AVPE Host; Joined: Apr 24, 2004; Posts: 3010)
Posted: Sun Feb 27, 2005 10:26 pm
Howdy,
That is the best as he probably does have something active. Please post a link back here so I can follow along with the fix as some of this has been popping up in Europe and we might need to send some info to H&BEDV to get vdf sigs changed/updated.
If the archives that are "infected" aren't too big he should mail them in a password protected, zipped file, to heuristik@antivir.de and don't forget to put the password in the mail. He also needs to send the log and any symptoms he has noted to help them find out if it is something new or not.
Sorry I couldn't help further.
_________________
"Anyone who considers protocol unimportant has never dealt with a cat."
L. Long
Tosal (Cadet; Joined: Feb 03, 2005; Posts: 9; Location: Germany)
Posted: Mon Feb 28, 2005 12:01 pm
I would also recommend installing a tool like Spybot Search & Destroy. This tool offers good detection against spyware. AntiVir is not able to detect this type of malware (yet).
You can download SS&D from http://www.safer-networking.org/en/index.html. Don't forget to run an update before scanning the system.
_________________
Thomas Salomon
H+BEDV Datentechnik GmbH
DreamingFox (Major, Premium Member; Joined: Aug 29, 2004; Posts: 1067)
Posted: Mon Feb 28, 2005 5:41 pm
He does have Spybot. In fact, he has all the tools I've suggested to him over time. The problem is he isn't discriminating enough over what he downloads, and he doesn't actively monitor the health of his computer - he simply relies on his safeguards, and thinks that that is enough. Unfortunately, for some people, it isn't enough to caution them; they have to experience a devastating experience before they learn to be careful.