AVG Anti-Rootkit found some files - can I delete them?

Here's a screenshot of the files AVG Anti-Rootkit found. Which should I delete?

AVG won't be able to delete them, that hidden driver is quite stubborn.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Now, start The Avenger program by clicking on its icon on your desktop.

• Leave the script box empty.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

3. Please copy/paste the content of c:\avenger.txt into your reply.

I did all the things you asked. After the reboot AVG opened and shown that some files (I think that same files as in the photo attached to my first post) are infected with Win32 Cryptor. I don't really know what this means cause Avanger was supposed to delete those files, right?

Here's the log:



EDIT:
AVG Antirootkit still finds one hidden driver a1ubgyk9.sys

Just because it's a hidden driver doesn't mean it's malicious.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACqxbejxvk.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

Am I healed?

No, we've only stopped the main driver, now we have to kill off any traces of it.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

There's one problem - the log is in my language (polish) But I think the only part that actualy matters is this one:

Infected files:
C:\WINDOWS\system32\UACspttymfk.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACxeirwwsv.log (Trojan.Agent) -> Quarantined and deleted successfully.

Doesn't matter what language, the file locations stay the same and I can use a translator to figure out the rest.

One more scan to make sure it's gone.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run
  
• When complete, DDS.txt will open.
  
• Save the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

Yeah, I know that I need to uinstall one of the antiviruses


DDS (Ver_09-03-16.01) - NTFSx86
Run by Pawel at 23:02:58,75 on 2009-04-18
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.2046.1401 [GMT 2]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated)
FW: Zapora osobista *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\inne\gva\avgwdsvc.exe
C:\Programy\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\inne\gva\avgrsx.exe
D:\inne\gva\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programy\ESET Smart Security\egui.exe
C:\Programy\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programy\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe
C:\Programy\AutoConnect\AutoConnect.exe
C:\Programy\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programy\Open Office\OpenOffice.org 3\program\soffice.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programy\Open Office\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programy\Winamp\winamp.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Programy\Opera\opera.exe
C:\Documents and Settings\Pawel\Pulpit\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://onet.pl/
uWindow Title = neostrada tp
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [AutoConnect] c:\programy\autoconnect\AutoConnect.exe
uRun: [DAEMON Tools Lite] "c:\programy\daemon tools lite\daemon.exe" -autorun
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [egui] "c:\programy\eset smart security\egui.exe" /hide /waitservice
mRun: [WOOWATCH] c:\progra~1\neostr~1\Watch.exe
mRun: [WOOTASKBARICON] c:\progra~1\neostr~1\GestMaj.exe TaskBarIcon.exe
mRun: [WinampAgent] c:\programy\winamp\winampa.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [WheelMouse] c:\programy\a4tech\mouse\Amoumain.exe
mRun: [Adobe Reader Speed Launcher] "c:\programy\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\programy\quicktime\QTTask.exe" -atboottime
mRun: [AVG8_TRAY] d:\inne\gva\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\pawel\menust~1\programy\autost~1\openof~1.lnk - c:\programy\open office\openoffice.org 3\program\quickstart.exe
IE: E&ksportuj do programu Microsoft Excel - c:\programy\micros~1\office12\EXCEL.EXE/3000
IE: { - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\programy\micros~1\office12\REFIEBAR.DLL
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {18B3AD0D-B37A-44A3-AB8D-3744D5188047} = 194.204.159.1 217.98.63.164
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\inne\gva\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2009-4-17 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-16 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-16 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-16 108552]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R2 avg8wd;AVG Free8 WatchDog;d:\inne\gva\avgwdsvc.exe [2009-4-16 298264]
R2 ekrn;ESET Service;c:\programy\eset smart security\ekrn.exe [2009-2-6 727720]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-4-4 80392]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [2009-4-4 60255]
R3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [2009-4-4 684265]
S2 .EsetTrialReset;Eset Trial Reset;c:\windows\system32\regedt32.exe [2008-4-15 3584]

=============== Created Last 30 ================


==================== Find3M ====================

2009-04-04 21:36 361,344 a------- c:\windows\system32\drivers\tcpip.sys
2009-04-04 21:06 448,348 a------- c:\windows\system32\perfh015.dat
2009-04-04 21:06 74,450 a------- c:\windows\system32\perfc015.dat
2009-04-04 20:03 315,392 a------- c:\windows\HideWin.exe
2009-04-03 22:53 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-03 21:57 21,856 a------- c:\windows\system32\emptyregdb.dat
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-02-26 00:58 3,565,568 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-02-25 23:42 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-02-25 23:41 325,120 a------- c:\windows\system32\ati2dvag.dll
2009-02-25 23:30 11,841,536 a------- c:\windows\system32\atioglxx.dll
2009-02-25 23:30 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-02-25 23:29 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-02-25 23:29 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-02-25 23:29 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-02-25 23:29 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-02-25 23:27 602,112 a------- c:\windows\system32\ati2evxx.exe
2009-02-25 23:26 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-02-25 23:16 3,817,984 a------- c:\windows\system32\ati3duag.dll
2009-02-25 23:09 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-02-25 22:59 2,670,080 a------- c:\windows\system32\ativvaxx.dll
2009-02-25 22:58 3,107,788 a------- c:\windows\system32\ativva5x.dat
2009-02-25 22:58 887,724 a------- c:\windows\system32\ativva6x.dat
2009-02-25 22:44 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-02-25 22:40 475,136 a------- c:\windows\system32\atikvmag.dll
2009-02-25 22:38 126,976 a------- c:\windows\system32\atiadlxx.dll
2009-02-25 22:38 17,408 a------- c:\windows\system32\atitvo32.dll
2009-02-25 22:37 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-02-25 22:35 290,816 a------- c:\windows\system32\atiok3x2.dll
2009-02-25 22:32 45,056 a------- c:\windows\system32\aticalrt.dll
2009-02-25 22:32 45,056 a------- c:\windows\system32\aticalcl.dll
2009-02-25 22:32 626,688 a------- c:\windows\system32\ati2cqag.dll
2009-02-25 22:30 3,227,648 a------- c:\windows\system32\aticaldd.dll
2009-01-26 19:55 182,995 a------- c:\windows\system32\atiicdxx.dat
2009-01-21 17:11 473,600 a------- c:\windows\system32\SkanerOnline.dll

============= FINISH: 23:03:12,92 ===============

Looks good, one last thing to do.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• When Hijack This opens, click "Open the Misc Tools section"
  
• Then select "Open Uninstall Manager"
  
• Click on "Save List..." (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0 - Polish
ADSL Modem
AGEIA PhysX v7.07.09
Apple Software Update
Archiwizator WinRAR
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AutoConnect v0.1.2.5
AVG 8.5
AVG Anti-Rootkit Free
BearShare
Browser Configuration Utility
Catalyst Control Center - Branding
DAEMON Tools Toolbar
Energy Saver Advance B8.0729.1
ffdshow [rev 2832] [2009-03-28]
Gadu-Gadu 7.7
HijackThis 2.0.2
iOfficeWorks 7.80
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.0_03
Java(TM) 6 Update 13
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Access MUI (Polish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Polish) 2007
Microsoft Office Groove MUI (Polish) 2007
Microsoft Office InfoPath MUI (Polish) 2007
Microsoft Office OneNote MUI (Polish) 2007
Microsoft Office Outlook MUI (Polish) 2007
Microsoft Office PowerPoint MUI (Polish) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Polish) 2007
Microsoft Office Proofing (Polish) 2007
Microsoft Office Publisher MUI (Polish) 2007
Microsoft Office Shared MUI (Polish) 2007
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Microsoft Office Word MUI (Polish) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
MSVC80_x86
My Global Search Bar
NAPIPROJEKT 1.0.6.2
neostrada tp
Nokia Connectivity Cable Driver
OpenAL
OpenOffice.org 3.0
Opera 9.63
Pakiet sterowników systemu Windows - Nokia pccsmcfd (08/22/2008 7.0.0.0)
PC Connectivity Solution
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Skaner on-line mks_vir
SopCast 3.0.1
The Godfather™ II
VideoLAN VLC media player 0.8.6f
Winamp
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
xp-AntiSpy 3.97-2

I see that you are running BearShare.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If BearShare is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

• BearShare
  
• Java 2 Runtime Environment, SE v1.4.0_03
  
• My Global Search Bar
  
• xp-AntiSpy 3.97-2
  

I see you have VLC player installed. You are running an old versions and needs updating.

Download and install VLC Player 0.9.9
When installing, it will ask if you want to uninstall the old version first before it can install the new version, so please select yes and allow it to install.

How is the machine now?