  1. #1
    Newbie
    AVAST ANTIVIRUS Flagging all APPS as Infected on STARTING these APPS

    Hello

    I had been using AVAST for the last 4 years and never had such headaches as I have faced since I started using AVAST 5 Edition (FREE) about three months ago.

    Since yesterday, as soon as I start any APP, there is a pop-up from AVAST saying it is infected (although these APPS have been in use for years without any problem).

    Typical POP UP Message reads

    Malicious URL Blocked
    Avast Network Shield has blocked a threat.No further action is required
    Object: REMOVED
    Infector URL:Mal
    Action Blocked
    Process (the path of the blocked app is mentioned)

    The Threat was detected and blocked just before connecting to the URL


    And this has been going on for all the apps started since yesterday.
    I have since done scans with AVAST (quick and boot time), Hitman Pro, Spybot S&D,
    Super Antispyware, MalwareBytes, TDSS Killer etc. - the usual security utilities I have
    at my disposal, but all scans are coming clean and the problem continues.

    Otherwise the PC is working fine - there are no slowdowns, no excessive CPU/memory consumption noticed, no suspicious process in the Task Manager list and all the APPS after start are working as usual - THE ONLY IRRITATING ISSUE IS THAT ALL APPS ARE BEING FLAGGED INFECTED BY AVAST POP-UPS (I have even uploaded the virus chest to AVAST, thinking maybe false positive issues, but even after the latest update, AVAST still flags all apps as infected).

    I am pasting here some portions of the AVAST LOGS

    avast! Antirootkit, version 1.0
    Scan started: Thursday, August 19, 2010 10:48:08 PM

    Scan finished: Thursday, August 19, 2010 10:48:11 PM
    Hidden files found: 0
    Hidden registry items found: 0
    Hidden processes found: 0
    Hidden services found: 0
    Hidden boot sectors found: 0

    --------------
    nshield log
    --------------

    15.08.2010 13:58:18 Network Shield: blocked access to malicious site REMOVED/f.exe [ E:\APP LAUNCHER FOLDER NEW\PASSIVE USEFUL APPS\TEXT MAGICIAN-UTILITY FOR TEXT FILES-PORTABLE\Text Magician\uninstall.exe ( 2032 ) ]
    18.08.2010 01:41:02 Network Shield: blocked access to malicious siteREMOVED/f.exe [ E:\META FOLDER-DOWNLOADS\DJVU Viewer\DjVuLibre\djview.exe ( 3344 ) ]
    18.08.2010 06:00:42 Network Shield: blocked access to malicious site REMOVED/e.exe [ E:\PORTABLE APPS\SWEEP RAM-ram optimizer-STANDALONE\SweepRAM.exe ( 936 ) ]
    18.08.2010 06:25:50 Network Shield: blocked access to malicious site tREMOVEDe.exe [ \??\C:\WINDOWS\system32\winlogon.exe ( 460 ) ]
    18.08.2010 06:30:54 Network Shield: blocked access to malicious siteREMOVED/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\uTORRENT\utorrent.exe ( 1552 ) ]
    18.08.2010 06:32:22 Network Shield: blocked access to malicious site REMOVED/e.exe [ \??\C:\WINDOWS\system32\winlogon.exe ( 468 ) ]
    18.08.2010 06:38:26 Network Shield: blocked access to malicious site tREMOVED/e.exe [ \??\C:\WINDOWS\system32\winlogon.exe ( 468 ) ]
    18.08.2010 06:40:50 Network Shield: blocked access to malicious site REMOVED/e.exe [ \??\C:\WINDOWS\system32\winlogon.exe ( 468 ) ]
    18.08.2010 07:11:39 Network Shield: blocked access to malicious site REMOVED/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\uTORRENT\utorrent.exe ( 720 ) ]
    18.08.2010 07:29:36 Network Shield: blocked access to malicious site REMOVED/e.exe [ E:\PORTABLE APPS\FIREFOX-OLD STABLE\FirefoxPortable\App\firefox\firefox.exe ( 2036 ) ]
    18.08.2010 07:31:24 Network Shield: blocked access to malicious site REMOVEDe.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\WORD DOC PROCESSOR-JARTE-PORTABLE\Jarte.exe ( 1412 ) ]
    18.08.2010 08:11:54 Network Shield: blocked access to malicious site REMOVEDe.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\MP3 FILES MERGER-MERGEMP3-PORTABLE\MergeMP3.exe ( 2240 ) ]
    18.08.2010 08:16:54 Network Shield: blocked access to malicious site REMOVED/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\MP3 FILES MERGER-MERGEMP3-PORTABLE\MergeMP3.exe ( 3460 ) ]
    18.08.2010 08:30:04 Network Shield: blocked access to malicious site REMOVED/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\WORD DOC PROCESSOR-JARTE-PORTABLE\Jarte.exe ( 4040 ) ]

    19.08.2010 15:37:42 Network Shield: blocked access to malicious site REMOVED/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\7 zip-Portable\7-ZipPortable\App\7-Zip\7zFM.exe ( 2064 ) ]
    REMOVED MALICIOUS WEBSITES
    avast! Real-time Shield Scan Report
    * This file is generated automatically
    *
    * Started on: Thursday, August 19, 2010 1:26:23 AM
    *

    8/19/2010 9:41:59 PM C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\2HOZGBE1\e[1].exe [L] Win32:Malware-gen (0)
    While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
    During the file delete, error occurred: The process cannot access the file because it is being used by another process
    8/19/2010 9:42:00 PM C:\DOCUME~1\Daksh\LOCALS~1\Temp\xxxxx [L] Win32:Malware-gen (0)
    File was successfully moved to chest...
    8/19/2010 9:42:49 PM C:\DOCUME~1\Daksh\LOCALS~1\Temp\lllll [L] Win32:Malware-gen (0)
    File was successfully moved to chest...
    8/19/2010 9:43:07 PM C:\DOCUME~1\Daksh\LOCALS~1\Temp\rrrrr [L] Win32:Malware-gen (0)
    File was successfully moved to chest...
    *
    * avast! Real-time Shield Scan Report
    * This file is generated automatically
    *


    I have done the usual protocol of downloading Combofix, TDSS Killer and OTS.exe and that, too, is not resolving the issue.

    So here it is, a request for one and all to suggest ways to tackle this irritant, failing which, I guess there is no option but to re-install Windows (sadly so).

    Hoping for an early reply

    Q2NA


    P.S. About 3 months back, I had the same kind of problem, which I had posted here

    http://forum.raymond.cc/spyware-viruses/18528-avast-5-free-showing-infection-of-win-32-malware-gen.html

    At that time the Hitman Pro suggestion worked quite well, but now even the Hitman Pro scan is coming clean, so I am at a loss as to what to do. Repeated scans done with almost 6 spyware scanners have not yielded any results, SO ANY NEW IDEAS FROM ONE AND ALL ARE MOST WELCOME (SAVING OF COURSE REINSTALL, WHICH I AM CONTEMPLATING NOW)

    Thanks in anticipation

    Q2NA

    P.S.2

    If somebody can/wants to have a look at these logs, I can post these. Also, should I post HijackThis logs here?

    Q2NA
    Last edited by leofelix; 08-21-2010 at 02:12 AM.

  2. #2
    The Specialist *
    Download HijackThis, scan & put the result here.
    I don't need to know everything, I just need to know where to find it, when I need it.

  3. #3
    Newbie
    Thanks Indranil for your quick reply

    Here is the log done about 30 seconds ago



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:35:31 PM, on 8/20/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe
    E:\USEFUL~1\ANTIVI~2\avastUI.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    E:\USEFUL CRUCIAL UTILITIES FOLDER\EVERYTHING STABLE VERSION\Everything-1.2.1.371.exe
    E:\PORTABLE APPS\FIREFOX-OLD STABLE\FirefoxPortable\FirefoxPortable.exe
    E:\PORTABLE APPS\FIREFOX-OLD STABLE\FirefoxPortable\App\firefox\firefox.exe
    E:\USEFUL CRUCIAL UTILITIES FOLDER\uTORRENT\utorrent.exe
    C:\Program Files\NCH Swift Sound\Switch\switch.exe
    C:\Program Files\NCH Software\Components\mp3el\mp3enc.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    E:\ACTIVE DOWNLOADS\HIJACK THIS-trend micro\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeware365.com/desktop/folderguide.htm
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [avast5] E:\USEFUL~1\ANTIVI~2\avastUI.exe /nogui
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {A9B34036-3ED6-460a-9C59-696DC24C516F} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O9 - Extra 'Tools' menuitem: SAIG Surfula&ter - {A9B34036-3ED6-460a-9C59-696DC24C516F} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O23 - Service: avast! Antivirus - AVAST Software - E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe

    --
    End of file - 2920 bytes

  4. #4
    Moderator
    Hi
    you visited a malicious website

    http://www.mywot.com/en/scorecardREMOVED

    http://www.malwareurl.com/listing.php?domain=REMOVED

    MBAM PRO IP blocker prevented me from reaching that malicious website

    Avast prevented e.exe, f.exe etc. from infecting your system and from getting connected.

    Unfortunately it seems you downloaded some malware anyhow; I hope those executables couldn't be run

    Please clean your browser cache immediately using CCleaner or ATF Cleaner

    Now download HijackThis v 2.0.4, run it and click on "Do a system scan and save a log file"
    Copy and paste your log here.

    Then download Superantispyware portable, doubleclick it and run a full scan.

    Post the results in your reply.
    Thank you
    Last edited by leofelix; 08-23-2010 at 12:55 AM.
    Roger and out

  5. #5
    Newbie
    Thanks Indranil for your quick reply

    Here is the log done about 30 seconds ago



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:35:31 PM, on 8/20/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe
    E:\USEFUL~1\ANTIVI~2\avastUI.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    E:\USEFUL CRUCIAL UTILITIES FOLDER\EVERYTHING STABLE VERSION\Everything-1.2.1.371.exe
    E:\PORTABLE APPS\FIREFOX-OLD STABLE\FirefoxPortable\FirefoxPortable.exe
    E:\PORTABLE APPS\FIREFOX-OLD STABLE\FirefoxPortable\App\firefox\firefox.exe
    E:\USEFUL CRUCIAL UTILITIES FOLDER\uTORRENT\utorrent.exe
    C:\Program Files\NCH Swift Sound\Switch\switch.exe
    C:\Program Files\NCH Software\Components\mp3el\mp3enc.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    E:\ACTIVE DOWNLOADS\HIJACK THIS-trend micro\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://h t tp://w w w.freeware365.co...olderguide.htm
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [avast5] E:\USEFUL~1\ANTIVI~2\avastUI.exe /nogui
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {A9B34036-3ED6-460a-9C59-696DC24C516F} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O9 - Extra 'Tools' menuitem: SAIG Surfula&ter - {A9B34036-3ED6-460a-9C59-696DC24C516F} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O23 - Service: avast! Antivirus - AVAST Software - E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe

    --
    End of file - 2920 bytes
    Last edited by leofelix; 08-21-2010 at 01:14 AM. Reason: possible malicious link removed

  6. #6
    The Specialist *
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    E:\USEFUL CRUCIAL UTILITIES FOLDER\EVERYTHING STABLE VERSION\Everything-1.2.1.371.exe
    These two, tscupgrd.exe & Everything-1.2.1.371.exe, seem to be malicious. Wait for leo's reply.
    Last edited by INDRANIL; 08-21-2010 at 01:17 AM.

  7. #7
    Moderator
    @ grius3noall

    please pay attention: I had to delete all the malicious links you posted which were in your Avast log.

    Read my previous post, please

    [edit to add]

    Please clean your browser cache immediately using CCleaner or ATF Cleaner
    Then download Superantispyware portable, doubleclick it and run a full scan.
    Last edited by leofelix; 08-21-2010 at 03:11 AM.

  8. #8
    Guest
    Looks like your system is pretty devastated, either by malware* (due to alteration) or by persistent FPs?
    *Network anomalies / malware detection: signs of possible malware infiltration are indeed present.

    If only I had the chance to get the same malware sample and recreate the same issue, I could knock it down. Harvesting mode!

    Update: Got the real payload! VirusTotal = possibly a new variant.

    So, what you're encountering now is that a certain piece of malware that is already inside your system is contacting tigiporon.xx to download the real payload tigiporon.xx/f.exe. Or... worse, it is already sending data to that site?

    Solutions:
    - Back up any important files and rescan them on another computer.
    - Go and fire a secondary scanner (Rescue Disk: see Raymond.cc Archives) * recommended for extreme infestation!
    - Optional scanner: Kaspersky VRT / Dr.Web CureIt
    - Use antirootkit tools * Advanced users only!
    Last edited by Ceyfer √; 08-21-2010 at 02:57 AM. Reason: Update.
    "Stars and the Sun"

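The nshield log in the first post shows one blocked destination requested by many unrelated programs, winlogon.exe among them, which is the pattern the reply above attributes to something already resident on the machine. As an added example (not part of the original thread), the following Python triages that log layout; the sample lines, the placeholder host `blocked.example`, the `CORE_OS_IMAGES` list and the `min_images` threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the nshield log layout quoted in the first post.
# "blocked.example" is a placeholder host; the thread's real URLs were redacted.
SAMPLE_LOG = r"""
15.08.2010 13:58:18 Network Shield: blocked access to malicious site blocked.example/f.exe [ E:\APPS\Text Magician\uninstall.exe ( 2032 ) ]
18.08.2010 06:00:42 Network Shield: blocked access to malicious site blocked.example/e.exe [ E:\PORTABLE APPS\SweepRAM.exe ( 936 ) ]
18.08.2010 06:25:50 Network Shield: blocked access to malicious site blocked.example/e.exe [ \??\C:\WINDOWS\system32\winlogon.exe ( 460 ) ]
18.08.2010 06:30:54 Network Shield: blocked access to malicious siteblocked.example/e.exe [ E:\UTILS\uTORRENT\utorrent.exe ( 1552 ) ]
18.08.2010 06:32:22 Network Shield: blocked access to malicious site blocked.example/e.exe [ \??\C:\WINDOWS\system32\winlogon.exe ( 468 ) ]
18.08.2010 07:29:36 Network Shield: blocked access to malicious site blocked.example/e.exe [ E:\PORTABLE APPS\firefox\firefox.exe ( 2036 ) ]
avast! Real-time Shield Scan Report
"""

# \s* after "site" tolerates lines where a redaction swallowed the space.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) Network Shield: "
    r"blocked access to malicious site\s*(?P<url>\S+) "
    r"\[ (?P<image>.+?) \( (?P<pid>\d+) \) \]$"
)

# Assumption: core Windows processes that have no reason to fetch an
# executable over HTTP, so a block attributed to one of them deserves attention.
CORE_OS_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def parse_events(text):
    """Return one dict per Network Shield block line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        image = m["image"]
        if image.startswith("\\??\\"):  # NT object-namespace prefix seen in the log
            image = image[4:]
        events.append({
            "time": datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"),
            "host": m["url"].split("://")[-1].split("/")[0].lower(),
            "image": image.lower(),
            "pid": int(m["pid"]),
        })
    return events


def triage(text, min_images=3):
    """Group blocks by destination host and flag hosts hit system-wide."""
    by_host = defaultdict(list)
    for ev in parse_events(text):
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in sorted(by_host.items()):
        images = sorted({e["image"] for e in evs})
        core = [i for i in images if i.rsplit("\\", 1)[-1] in CORE_OS_IMAGES]
        findings.append({
            "host": host,
            "events": len(evs),
            "first_seen": min(e["time"] for e in evs),
            "last_seen": max(e["time"] for e in evs),
            "images": images,
            "core_os_images": core,
            # Many unrelated programs, or any core OS process, reaching the
            # same blocked host points away from "every app is infected".
            "system_wide": len(images) >= min_images or bool(core),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["host"], f["events"], "events,", len(f["images"]), "images,",
              "core OS:", f["core_os_images"], "system-wide:", f["system_wide"])
```

A `system_wide` result is a reason to scan from outside the running OS, as the rescue-disk suggestion in the thread does; it does not identify which component is making the requests.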

  9. #9
    Newbie
    Quote: Originally posted by leofelix
    @ grius3noall

    please pay attention: I had to delete all the malicious links you posted which were in your Avast log.

    Read my previous post, please

    [edit to add]
    Thanks a lot, guys, for your guidance

    Here is the fresh HijackThis log
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:36:27 AM, on 8/21/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe
    E:\USEFUL~1\ANTIVI~2\avastUI.exe
    E:\USEFUL CRUCIAL UTILITIES FOLDER\uTORRENT\utorrent.exe
    E:\PORTABLE APPS\FIREFOX-OLD STABLE\FirefoxPortable\FirefoxPortable.exe
    E:\PORTABLE APPS\FIREFOX-OLD STABLE\FirefoxPortable\App\firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    E:\USEFUL CRUCIAL UTILITIES FOLDER\EVERYTHING STABLE VERSION\Everything-1.2.1.371.exe
    E:\USEFUL CRUCIAL UTILITIES FOLDER\FOOBAR MEDIA PLAYER-PORTABLE VERSION\foobar2000\foobar2000.exe
    C:\Documents and Settings\Daksh\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeware365.com/desktop/folderguide.htm
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [avast5] E:\USEFUL~1\ANTIVI~2\avastUI.exe /nogui
    O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {A9B34036-3ED6-460a-9C59-696DC24C516F} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O9 - Extra 'Tools' menuitem: SAIG Surfula&ter - {A9B34036-3ED6-460a-9C59-696DC24C516F} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - AVAST Software - E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - E:\USEFUL CRUCIAL UTILITIES FOLDER\ANTIVIRUS-AVAST NEW VER 5\AvastSvc.exe

    --
    End of file - 3225 bytes
    I am running a second scan with SuperAntimalware portable scanner (the first I did about three hours ago was clean), so as soon as the scan finishes I will post the log.

    As regards the browser cache cleaning: I use Firefox portable and very rarely IE, and as a matter of routine do daily cleaning with CCLEANER. As this problem has been occurring for the last two days, I have been cleaning browser cache and temp files periodically, and SYSTEM RESTORE is right now off

    Q2NA

  10. #10
    Moderator
    Hi
    you are welcome
    it seems a new variant of malware, have a look at ceyfer's post, please.

    Sorry, I hadn't noticed you already scanned with Superantispyware.

    Please download the latest Kaspersky Virus Removal Tool
    direct download here
    http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
    Install it and run a scan.

    -----------

    Now download Sophos antirootkit free
    http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
    run a scan

    -----------------------
    When Kaspersky Removal Tool and Sophos antirootkit have finished scanning, download Avira Rescue System from here
    http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html

    ( read how to use it here http://www.raymond.cc/blog/archives/2009/09/02/advanced-usage-of-avira-antivir-rescue-system-bootcd/)

    ----------
    Please let me know the results
    Last edited by leofelix; 08-21-2010 at 06:42 AM.

All times are GMT +8.