Computer Security & Viruses/softenza.com
Expert: Brian Benosky - 3/6/2011
QUESTION: Hi Brian,
Seems like I'm constantly bugging you these days, sorry for that. Tonight while on Facebook (I'm beginning to think I'd be better off just to close my freaking account there) something popped up and completely took over the computer. It kept saying my computer was infected and wouldn't let me into Malwarebytes or MSE, kept saying something like the app or files were damaged, and kept trying to direct me to this address: http//softenza.com
I couldn't do anything. Ended up putting the computer in safe mode and doing a System Restore, and for a while, I didn't even think it would let me do that.
I think things are running OK now. I was wondering if you would take a look at my latest HJT log and see if you see anything, or if you have any other suggestions.
Thanks again, Brian.
Jax
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:42 PM, on 2/28/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19019)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
R3 - URLSearchHook: (no name) - {9565115d-c7d6-46d3-bd63-b67b481a4368} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PlaySushi - {21608B66-026F-4DCB-9244-0DACA328DCED} - C:\Program Files\PlaySushi\PSText.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\npwinext.dll
O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\npwinext.dll
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Bing Bar] "C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKCU\..\Run: [Singlesnet] C:\Program Files\Singlesnet\Singlesnet\Singlesnet.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: ZooskMessenger.lnk = C:\Program Files\ZooskMessenger\ZooskMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
O16 - DPF: {64CD313F-F079-4D93-959F-4D28B5519449} (Jeopardy Control) - http://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} (MysteryPI Control) - http://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Advanced Networking Service (hnmsvc) - Dell Inc. - c:\Program Files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
--
End of file - 9040 bytes
ANSWER: Hi Jax
It seems that MSE is not doing you much good if malware keeps getting past it. I think we should take the time to lock things down. System Restore cannot be relied upon to keep undoing things. First though, I'd like to run a scan using a program called SuperAntiSpyware. It's similar to MBAM, but it never hurts to get a second opinion. Download and install from here:
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Run a Complete Scan after installing and updating, then let me know the results.
Brian
---------- FOLLOW-UP ----------
QUESTION: Hi Brian,
First of all, I'm not quite sure what you mean by taking the time to "lock things down", but I trust you. Anyway I downloaded and ran a complete SAS scan. The results:
Adware.Tracking Cookie [289 items]
Browser Hijacker.Deskbar [26 items]
Rogue.MSE-Fraud [2 items]
Rogue.MySecurityShield [1 item]
Rogue.SecurityMasterAV [1 item]
I checked all the boxes and clicked on next, then went through Quarantining and Removing, then Reboot. After that the only thing I noticed was having to try a couple of times before my homepage would display, but really no big problems.
So here I am again, reporting back to you.
So what does all this mean? Can I run both MSE and SAS on my computer? Do I need to uninstall anything?
Thanks, Brian.
Jax
ANSWER: Hi Jax
By locking things down, I was referring to making your computer less prone to attacks by changing your security software. We just have to make sure that you are totally clean first. We will leave SAS and MBAM, but uninstall MSE. After uninstalling, download Avira Antivir from this link:
http://www.avira.com/en/free-download-avira-antivir-personal
After installing, the program should update to the latest definitions then run a short diagnostic scan. After it completes, open the program window and perform a complete system scan. After it's completed, let me know if it comes up with anything.
If the scan comes up negative, then we can start to clean things up and secure your browser.
Brian
---------- FOLLOW-UP ----------
QUESTION: Hi Brian,
OK, I uninstalled MSE. At first Avira wouldn't download. It said it was because Windows Defender was currently enabled on my system and that it could lead to compatibility problems. Then it told me how to disable WD, but I seriously didn't think it worked. So I tried the download again, and this time it worked.
It updated and ran the short diagnostic. It was a little hard to figure out, but I ran a complete scan. The log is below:
Avira AntiVir Personal
Report file date: Saturday, March 05, 2011 22:00
Scanning for 2460711 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : linda
Computer name : LINDA-PC
Version information:
BUILD.DAT : 10.0.0.611 Bytes 1/14/2011 13:42:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 1/10/2011 20:23:31
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 1/10/2011 20:23:40
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 20:23:50
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 03:54:38
VBASE003.VDF : 7.11.3.1 2048 Bytes 2/9/2011 03:54:38
VBASE004.VDF : 7.11.3.2 2048 Bytes 2/9/2011 03:54:38
VBASE005.VDF : 7.11.3.3 2048 Bytes 2/9/2011 03:54:38
VBASE006.VDF : 7.11.3.4 2048 Bytes 2/9/2011 03:54:39
VBASE007.VDF : 7.11.3.5 2048 Bytes 2/9/2011 03:54:39
VBASE008.VDF : 7.11.3.6 2048 Bytes 2/9/2011 03:54:39
VBASE009.VDF : 7.11.3.7 2048 Bytes 2/9/2011 03:54:39
VBASE010.VDF : 7.11.3.8 2048 Bytes 2/9/2011 03:54:39
VBASE011.VDF : 7.11.3.9 2048 Bytes 2/9/2011 03:54:39
VBASE012.VDF : 7.11.3.10 2048 Bytes 2/9/2011 03:54:39
VBASE013.VDF : 7.11.3.59 157184 Bytes 2/14/2011 03:54:40
VBASE014.VDF : 7.11.3.97 120320 Bytes 2/16/2011 03:54:41
VBASE015.VDF : 7.11.3.148 128000 Bytes 2/19/2011 03:54:41
VBASE016.VDF : 7.11.3.183 140288 Bytes 2/22/2011 03:54:42
VBASE017.VDF : 7.11.3.216 124416 Bytes 2/24/2011 03:54:42
VBASE018.VDF : 7.11.3.251 159232 Bytes 2/28/2011 03:54:42
VBASE019.VDF : 7.11.4.33 148992 Bytes 3/2/2011 03:54:43
VBASE020.VDF : 7.11.4.34 2048 Bytes 3/2/2011 03:54:43
VBASE021.VDF : 7.11.4.35 2048 Bytes 3/2/2011 03:54:43
VBASE022.VDF : 7.11.4.36 2048 Bytes 3/2/2011 03:54:43
VBASE023.VDF : 7.11.4.37 2048 Bytes 3/2/2011 03:54:43
VBASE024.VDF : 7.11.4.38 2048 Bytes 3/2/2011 03:54:43
VBASE025.VDF : 7.11.4.39 2048 Bytes 3/2/2011 03:54:44
VBASE026.VDF : 7.11.4.40 2048 Bytes 3/2/2011 03:54:44
VBASE027.VDF : 7.11.4.41 2048 Bytes 3/2/2011 03:54:44
VBASE028.VDF : 7.11.4.42 2048 Bytes 3/2/2011 03:54:44
VBASE029.VDF : 7.11.4.43 2048 Bytes 3/2/2011 03:54:44
VBASE030.VDF : 7.11.4.44 2048 Bytes 3/2/2011 03:54:44
VBASE031.VDF : 7.11.4.71 118784 Bytes 3/4/2011 03:54:45
Engineversion : 8.2.4.178
AEVDF.DLL : 8.1.2.1 106868 Bytes 1/10/2011 20:23:26
AESCRIPT.DLL : 8.1.3.55 1282426 Bytes 3/6/2011 03:54:50
AESCN.DLL : 8.1.7.2 127349 Bytes 1/10/2011 20:23:26
AESBX.DLL : 8.1.3.2 254324 Bytes 1/10/2011 20:23:26
AERDL.DLL : 8.1.9.2 635252 Bytes 1/10/2011 20:23:25
AEPACK.DLL : 8.2.4.11 520566 Bytes 3/6/2011 03:54:49
AEOFFICE.DLL : 8.1.1.16 205179 Bytes 3/6/2011 03:54:49
AEHEUR.DLL : 8.1.2.81 3314038 Bytes 3/6/2011 03:54:48
AEHELP.DLL : 8.1.16.1 246134 Bytes 3/6/2011 03:54:46
AEGEN.DLL : 8.1.5.2 397683 Bytes 3/6/2011 03:54:46
AEEMU.DLL : 8.1.3.0 393589 Bytes 1/10/2011 20:23:18
AECORE.DLL : 8.1.19.2 196983 Bytes 3/6/2011 03:54:45
AEBB.DLL : 8.1.1.0 53618 Bytes 1/10/2011 20:23:18
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/10/2011 20:23:32
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/10/2011 20:23:30
AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 20:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 1/10/2011 20:23:31
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 1/10/2011 20:23:31
AVARKT.DLL : 10.0.22.6 231784 Bytes 1/10/2011 20:23:27
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/10/2011 20:23:28
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 20:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 1/10/2011 20:23:31
NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 20:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 1/10/2011 20:23:52
Configuration settings for the scan:
Jobname.............................: Local Drives
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\alldrives.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Saturday, March 05, 2011 22:00
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SearchProtocolHost.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'Apntex.exe' - '1' Module(s) have been scanned
Scan process 'HidFind.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'sttray.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'Dwm.exe' - '1' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights
Boot sector 'E:\'
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights
Starting to scan executable files (registry).
The registry was scanned ( '1631' files ).
Starting the file scan:
Begin scan in 'C:\' <OS>
C:\Program Files\PlaySushi\psuninst.exe
[DETECTION] Is the TR/Buzy.1463 Trojan
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IWVGXFJA\facebook_com[2].txt
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IWVGXFJA\home[4].php
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MGLMEBL6\facebook_com[4].txt
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MGLMEBL6\home[6].php
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YPDC13LV\facebook_com[1].txt
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\5416a4d0-117c63ca
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Dldr.OpenS.NBG Java virus
--> glass/boing.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.OpenS.NBG Java virus
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\bc0fce7-7661f803
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Rast.A Java virus
--> folder/Ump_45.class
[DETECTION] Contains recognition pattern of the JAVA/Rast.A Java virus
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\1721fbc4-33e61b9e
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the EXP/Java.dgw exploit
--> glass/flying.class
[DETECTION] Contains recognition pattern of the EXP/Java.dgw exploit
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\5b94a9f1-19aa5f2c
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.JH Java virus
--> plugin/adobe.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.JH Java virus
--> plugin/sportGame.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.JG Java virus
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\6af140be-6d09401b
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Dldr.OpenS.NBG Java virus
--> folder/boing.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.OpenS.NBG Java virus
Begin scan in 'E:\' <RECOVERY>
Begin scan in 'F:\'
Search path F:\ could not be opened!
System error [21]: The device is not ready.
Beginning disinfection:
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\6af140be-6d09401b
[DETECTION] Contains recognition pattern of the JAVA/Dldr.OpenS.NBG Java virus
[NOTE] The file was moved to the quarantine directory under the name '4954b962.qua'.
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\5b94a9f1-19aa5f2c
[DETECTION] Contains recognition pattern of the JAVA/Agent.JG Java virus
[NOTE] The file was moved to the quarantine directory under the name '51b696c6.qua'.
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\1721fbc4-33e61b9e
[DETECTION] Contains recognition pattern of the EXP/Java.dgw exploit
[NOTE] The file was moved to the quarantine directory under the name '03e0cc7b.qua'.
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\bc0fce7-7661f803
[DETECTION] Contains recognition pattern of the JAVA/Rast.A Java virus
[NOTE] The file was moved to the quarantine directory under the name '65d183ed.qua'.
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\5416a4d0-117c63ca
[DETECTION] Contains recognition pattern of the JAVA/Dldr.OpenS.NBG Java virus
[NOTE] The file was moved to the quarantine directory under the name '2052ae84.qua'.
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YPDC13LV\facebook_com[1].txt
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
[NOTE] The file was moved to the quarantine directory under the name '5f3b9cb0.qua'.
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MGLMEBL6\home[6].php
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
[NOTE] The file was moved to the quarantine directory under the name '13b5b0e4.qua'.
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MGLMEBL6\facebook_com[4].txt
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
[NOTE] The file was moved to the quarantine directory under the name '6f9bf0aa.qua'.
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IWVGXFJA\home[4].php
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
[NOTE] The file was moved to the quarantine directory under the name '42f7dff9.qua'.
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IWVGXFJA\facebook_com[2].txt
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
[NOTE] The file was moved to the quarantine directory under the name '5ba9e47d.qua'.
C:\Program Files\PlaySushi\psuninst.exe
[DETECTION] Is the TR/Buzy.1463 Trojan
[NOTE] The file was moved to the quarantine directory under the name '37cbc85f.qua'.
End of the scan: Saturday, March 05, 2011 23:36
Used time: 1:22:36 Hour(s)
The scan has been done completely.
36593 Scanned directories
480306 Files were scanned
12 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
11 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
480294 Files not concerned
1421 Archives were scanned
0 Warnings
11 Notes
Please just let me know what I need to do next. Thanks, Brian.
Jax
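The report above says 12 found but only 11 moved to quarantine. The following parser, added here as an illustration and not part of Avira or of this thread, reproduces both numbers from the '[DETECTION]' and '[NOTE]' lines and groups the hits by where they sit on disk; the excerpt it runs on is constructed from lines of the report above.

```python
"""Triage helper for the Avira AntiVir report format posted above (added
example for this thread, not Avira's tooling). Avira counts one hit per
file and signature but quarantines per file, which is why the report says
12 found and 11 quarantined; this script reproduces those numbers and
groups hits by location (Java cache, browser cache, installed program)."""
import re
from collections import defaultdict

# Constructed excerpt that mirrors the report format in the thread.
SAMPLE_REPORT = r"""
Begin scan in 'C:\' <OS>
C:\Program Files\PlaySushi\psuninst.exe
[DETECTION] Is the TR/Buzy.1463 Trojan
C:\Users\linda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YPDC13LV\facebook_com[1].txt
[DETECTION] Contains recognition pattern of the PHISH/Facebook.9966 phishing file/email
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\5b94a9f1-19aa5f2c
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.JH Java virus
--> plugin/adobe.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.JH Java virus
--> plugin/sportGame.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.JG Java virus
Beginning disinfection:
C:\Users\linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\5b94a9f1-19aa5f2c
[DETECTION] Contains recognition pattern of the JAVA/Agent.JG Java virus
[NOTE] The file was moved to the quarantine directory under the name '51b696c6.qua'.
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
SIG_RE = re.compile(r"^\[DETECTION\] .*?(?:Is the|pattern of the) (\S+)")
QUA_RE = re.compile(r"^\[NOTE\] .*quarantine.*'([0-9a-f]+\.qua)'")


def classify(path):
    """Bucket a hit by where it lives; cache hits were fetched while browsing."""
    p = path.lower()
    if r"\java\deployment\cache" in p:
        return "java_cache"
    if r"\temporary internet files" in p:
        return "browser_cache"
    if p.startswith(r"c:\program files"):
        return "installed_program"
    return "other"


def parse_report(text):
    """Return (hits, quarantined): hits = {(path, signature)} from the scan
    phase, quarantined = {path: qua_name} from the disinfection phase."""
    hits, quarantined = set(), {}
    current, disinfecting = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Beginning disinfection"):
            disinfecting = True  # [DETECTION] lines after this are repeats
        elif PATH_RE.match(line):
            current = line  # '--> member.class' lines belong to this file
        elif SIG_RE.match(line) and current and not disinfecting:
            # archive-level and member-level lines carry the same signature;
            # the set collapses them, matching Avira's "found" count
            hits.add((current, SIG_RE.match(line).group(1)))
        elif QUA_RE.match(line) and current:
            quarantined[current] = QUA_RE.match(line).group(1)
    return hits, quarantined


def summarize(text):
    """Reproduce the report's summary numbers and add a location breakdown."""
    hits, quarantined = parse_report(text)
    by_location = defaultdict(set)
    for path, sig in hits:
        by_location[classify(path)].add(sig)
    files = {path for path, _ in hits}
    return {
        "found": len(hits),              # "Viruses and/or unwanted programs were found"
        "files": len(files),
        "quarantined": len(quarantined), # "Files were moved to quarantine"
        "not_quarantined": sorted(files - set(quarantined)),
        "by_location": {k: sorted(v) for k, v in by_location.items()},
    }
```

Run against the full report, `not_quarantined` should come back empty; anything left there is a file the scanner saw but could not move, which is what to check by hand next.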
ANSWER: Hi Jax
I know that Avira's user interface is not very intuitive, but the protection it offers is top-notch. The viruses it found were most likely received on Facebook using Java exploits. We need to make sure Java is updated to the latest security patches. First, we will do a bit of clean up. Download CCleaner from here:
http://www.piriform.com/ccleaner/download/slim
Install and open the program. Click on the Analyze button and you'll get a summary of what can be cleaned. Then click the Run Cleaner button to remove the items. The program is very safe and deletes mostly temporary files and other clutter. After running the Cleaner, click the Registry tab on the left and check for registry issues, then click Fix to remove those items. The program will prompt you to make a backup of the registry as a safety precaution. After fixing, close the program. Download the FileHippo.com Update Checker from here:
http://www.filehippo.com/updatechecker/
Install the program. It will launch automatically and alert you to programs you have installed that have a newer version available. When you view the results on the web page, I recommend updating all your programs (especially things like Java and Flash). You don't have to update to any of the Beta versions the site lists.
Let me know when it's all done and if you have questions on anything I have mentioned.
Brian