It may be helpful for troubleshooting.
Download and install AutoRuns by Mark Russinovich (not a necessary step) -
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx - this is a useful utility to verify
system "startups" and "hooks", including loading drivers.
This particular virus (in my case) runs as the drivers "srosa.sys" & "srosa2.sys".
Even if the virus is active, srosa2.sys is shown by AutoRuns (in the "drivers" tab) as "sK9Ou0s" with
the description "AVZ Driver" at the path (in my case) c:\documents and settings\%login_name%\application data\drivers\srosa2.sys
Since the virus itself is a "rootkit", srosa.sys is not shown if the virus is active (but if the virus is
deactivated, AutoRuns shows a "srosa" autorun entry for srosa.sys).
In my case another executable - winupgro.exe - in the same directory was registered for startup
(in the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run as "drvsyskit"),
so the cure was as simple as renaming the directory (beware, it is marked as "hidden") where those viruses
reside, and then rebooting.
I should admit that if the virus is active, it hides srosa.sys and the rest of the "slave stuff" (like the "downld"
subdirectory), so if on your system it resides in the standard ~/system32/drivers directory, you have
to boot from the installation CD to a console (i.e. CMD.EXE) or use something like BartPE to boot, then find and delete those files.
-+-
Curiously enough: avast recognizes srosa.sys as "infected by Win32:Beagle-AAW [trj]", but keeps
silent about the other two beasts: srosa2.sys & winupgro.exe
Another curiosity - even with the virus active, the entry point for srosa2.sys is shown by AutoRuns and
can be "unchecked" ("deactivated"/"disabled"), but this does not affect virus activity (at least
regarding "countermeasures" against avast).
Yet Another Coupled Curiosity - this virus did try to break the firewall (in my case it is Kerio Personal
Firewall) and succeeded (removing the kpf driver), but then did not perform any counteraction to
prevent repairing the KPF installation... hmmm... I was lucky not to lose my fw configuration files
:-))
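
The two things the post found by hand with AutoRuns (a driver registered from outside the Windows directory, and an HKCU Run value pointing into a hidden directory) can be listed with a short script. This is an added PowerShell example, not part of the original post; the function names are hypothetical, and because the post notes that the active rootkit hides some entries, the results are only complete when run from a clean boot or with the malware inactive.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Normalise the path forms used in a service's ImagePath value.
function Resolve-ImagePath([string]$Raw) {
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                      # strip NT prefix \??\
    if ($p -match '^\\SystemRoot\\') {
        $p = Join-Path $env:SystemRoot $p.Substring(12)   # \SystemRoot\ alias
    } elseif ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p                 # relative, e.g. System32\drivers\x.sys
    }
    return $p
}

# Kernel (Type 1) and file-system (Type 2) drivers whose image is outside %SystemRoot%.
# Entries listed here are candidates for review, not a verdict.
function Get-DriverOutsideSystemRoot {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (($svc.Type -in 1, 2) -and $svc.ImagePath) {
            $path = Resolve-ImagePath $svc.ImagePath
            if (-not $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ Service = $_.PSChildName; Description = $svc.Description; ImagePath = $path }
            }
        }
    }
}

# HKCU Run values whose executable sits in a directory carrying the Hidden attribute.
function Get-RunEntryInHiddenDir {
    $item = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if (-not $item) { return }
    foreach ($name in $item.GetValueNames()) {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
        # Quoted executable if present, otherwise everything up to the first ".exe"
        if ($cmd -match '^"([^"]+)"' -or $cmd -match '^(.+?\.exe)') {
            $dir  = Split-Path -Parent $Matches[1]
            $info = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
            if ($info -and ($info.Attributes -band [IO.FileAttributes]::Hidden)) {
                [pscustomobject]@{ Value = $name; Command = $cmd; HiddenDir = $dir }
            }
        }
    }
}

Get-DriverOutsideSystemRoot | Format-Table -AutoSize
Get-RunEntryInHiddenDir     | Format-Table -AutoSize
```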