All,

I'd appreciate help with this nasty Trojan. Spybot reports it as W32.beagle, aka Trojan.Tooso.R.

I got infected a few days ago - the trojan killed my Norton Internet security, blocked installation of several rootkit-detection packages, BSOD's in safe mode, etc. Luckily I bumped into the the following writeup (http://www.kreslavsky.com/2008/02/wintermsexe-hldrrrexe.html)and followed the recommendation. At first it looked like I managed to get rid of the beast. Norton is up and running again as well as a bunch of anti-spyware stuff, spybot leading the bunch.

To my utmost disappointment, I've discovered yesterday that there are probably pieces of the Trojan still in the system. After each reboot spybot reports the following

- FirstRRRun registry entry exists
- c:\Windows\Sytem32\drivers\down exists

Spybot is able to clean the above but they re-appear again after the next reboot.

Norton, gmer, spyware doctor do not report any traces of
wintems, hldrrr or srosa. Still something re-creates those registry entries, and I can not figure out what it might be.

Any help will be appreciated.

Hi

Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe)
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only

* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here.

Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.