Author Topic: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]  (Read 6284 times)

Offline diana_loves

  • Newbie
  • *
  • Posts: 11
Yesterday my Avast! Home Edition crashed and shut down after I tried running a setup file I downloaded. Windows Defender and Windows Firewall seemed to be inoperable, too.

When I tried launching the Avast console I kept getting a message saying that Avast was not a valid win32 application. Windows Defender also displayed "an initialization error message".

After doing some research, I found a virus removal tool called Elibagle that identified and removed 7 infections while running it in Safe Mode, although there were various files and folders it claimed not to have access to.

I ran Elibagle, Malwarebyte's Anti-Malware, Combofix, AVG virus removal, and Avast virus removal. Only the second one found some additional viruses. I don't know if they were associated with the main infection. But it removed the viruses. However, Avast kept throwing the "not a valid win32 application" and Windows Defender kept throwing the "initialization error". Windows would tell me that it had blocked some applications; when I clicked on "Show blocked application" the Windows Defender error came up, and when I tried to "Run blocked application" it told me that "TOSCDSPD.exe from an unidentified publisher" was trying to gain access to my computer, so I decided not to grant access.

I tried uninstalling my Home version and installing it again. It asked me if I wanted to run the boot scan that Avast always offers the first time after installation and although I said yes, the computer just restarted and got into windows without running the boot scan and kept failing to initiate Avast.

Finally after running all the previous programs over and over, I decided to uninstall Avast! Home and install the trial version of Avast! Pro. Once again it asked me if I wanted to run the boot scan. SUCCESS! Finally it ran the boot scan before loading Windows Vista.

Now I have this message displayed and I'm not sure what the best option is:

Report file: C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.text

Scan of all local drives

File C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe is infected by Win32:Beagle-AHE [trj]
Press  1  to  Delete
         2       Delete all
         3       Move
         4       Move all
         5       Move to Chest
         6       Move all to Chest
         7       Repair
         8       Repair all
         9       Ignore
         0       Ignore all
         Esc    Exit :


Since this is exactly the file that Windows seemed to be blocking I'm not sure what to do!!  I want to eliminate the problem as soon as possible but I'm afraid of deleting or removing an important backup file or something.   Can anyone give me a hand?

Thanks!!!

Offline FreewheelinFrank

  • avast! Evangelist
  • Ultra Poster
  • ***
  • Posts: 4854
  • Gender: Male
  • I'm a GNU
Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #1 on: November 19, 2008, 04:18:29 AM »
Option 5, "Move to Chest" - this is the option to quarantine suspected malware.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline diana_loves

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #2 on: November 19, 2008, 10:38:07 AM »
Hey Frank!

Thanks for your reply...  what's the difference between "Move to Chest" and "Move all to Chest"? The only thing I'm afraid of is moving that file to the chest and not being able to re-establish my Windows Defender because it seems to be a related .exe, or actually leaving the virus latent if I just move it instead of deleting it.

Can you throw some light on this?  Again!! Thanks a bunch!

Diana

Online Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64867
  • Gender: Male
Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #3 on: November 19, 2008, 10:41:27 AM »
Beagle is a dangerous malware to avast installations. Take care.

what's the difference between "Move to Chest" and "Move all to Chest"?
Moving one file only, or moving all detected files. I think it's not safe to send all to the Chest, especially if you move a file necessary to boot the computer; it will be unbootable :'(
The best things in life are free.

Offline diana_loves

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #4 on: November 19, 2008, 02:59:01 PM »
Thanks Tech!

Does this mean that the "Repair" options are not a good idea?

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69205
  • Gender: Male
  • No support PMs thanks
Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #5 on: November 19, 2008, 05:06:09 PM »
The Repair option only works in certain circumstances: infection of a file by a 'true' virus, and that infected file must be one that has been included in a VRDB generation. So that would limit greatly what could possibly be repaired, and if that repair failed I don't believe you would get prompted for another action.

So the safest option is to move it to the chest; here you have other options that you can try later.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline diana_loves

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #6 on: November 19, 2008, 05:14:01 PM »
Thanks David!

The scan is now 95% of the way and it seems the Avast Pro Boot Scan has found some other infections, according to the log so far:

File C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe is infected by Win32:Beagle-AHE [trj]
File c:\Qoobox\Quarantine\C\Windows\System32\drivers\winfilse.exe.vir is infected by Win32:Beagle-AHE [trj]
File C:\Users\Fidelis\Desktop\vray\vray 1.5 rc5 max 2008\Crack\Keymaker.exe is infected by Win32:Crypt-CYC [trj]

So far I've moved all of them to the Chest since it seems to be the safest option and I imagine I will be able to access the Chest later to ask Avast to clean or delete the files if necessary, is that right?

If the boot scan is still running could I hook up my ipod to the USB port for it to be scanned too, or is it too late?

Thanks guys!!

Offline DavidR

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #7 on: November 19, 2008, 05:29:41 PM »
The first detection, TOSCDSPD.exe, needs further investigation as it seems a legit file (the reason why sending to the chest is important), see below.

The second detection is an interesting one, it looks like this quarantine folder isn't encrypted.

The third detection looks good, as using cracks is a high risk business, not to mention any legal/moral issues; who can you complain to when using a crack that your system got infected ???

When done, and windows has booted, right click the avast 'a' icon, select avast! Antivirus Chest, the only part that interests you is the Infected Files section.

I don't even know if avast's boot-time scan would scan attached devices on a boot-time scan, some might not even be recognised before windows boots (depending on your BIOS settings).

####
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect.
Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*
That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.


Offline diana_loves

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #8 on: November 19, 2008, 06:41:03 PM »
You've been very helpful David!!

Point taken on the "cracks" comments!!  :-\ ... will do my best to resist the temptation in the future!

Anyhow, I have good news... after the Avast boot scan, the initial problem generated by the infection seems to have been corrected: the Avast console is now operating. I still haven't hooked up to the web on the infected laptop but that's the next thing I'll try so I can test how the Avast updates and web protection are holding up...

However, the Windows Defender problem persists. I get this message:
     
     Windows Defender
     Application failed to initialize:0x800106ba. A problem caused this program's services to stop.
     To start the services, restart your computer or search Help and Support for how to start a
     service manually.


After researching the problem in Microsoft's page, I found that the error can be corrected by uninstalling and reinstalling Windows Defender.

In the internet I found out that one of the infected files (TOSCDSPD.exe) is related to a Toshiba CD/DVD Drive Acoustic Silencer installed on various models of Toshiba Laptops such as mine. I checked the folder where the Toshiba TOSCDSPD.exe should be for the Acoustic Silencer to work and it's not there. So I imagine that confirms that it is not a clone file but the actual file that has been infected. Interestingly, TOSCDSPD.exe was actually the "application" that tried to access my system when I attempted to click on "Run Blocked Application" when I got the notification from Windows that an app had been blocked. The other option in that popup was "View Blocked Applications" and when I clicked on that option I immediately got the Windows Defender error quoted above.

At this point, I'm not sure if the apparent connection between this infected TOSCDSPD.exe and the error with Windows Defender is real.

Would you recommend going ahead with the uninstall/reinstall of Windows Defender? How would I go about "cleaning" the TOSCDSPD.exe file if it is indeed a component that has to be in the laptop for the Acoustic Silencer to work?

(Sorry for all the questions!!)


Offline DavidR

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #9 on: November 19, 2008, 07:01:23 PM »
I have never used windows defender, never rated it that much, but things like this are often corrected by an uninstall, boot, install.

The Beagle infections are pretty bad, as part of their action is to try and disable your security software, and that could well be what hit windows defender.

My comment about the detection on TOSCDSPD.exe: you need to follow that up and confirm if the detection was good or otherwise. So read my instructions on how to do this under the ####

So you aren't cleaning but confirming if TOSCDSPD.exe is indeed infected or not; once that is done then we can consider what action is needed.

Offline diana_loves

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #10 on: November 19, 2008, 10:38:57 PM »
Ok, David... I'll follow your instructions and send the file to VirusTotal.. just have a couple more doubts that you might be able to clarify for me.

I just uninstalled the Acoustic Silencer from my Toshiba (the application connected with the supposedly infected TOSCDSPD.exe file) after downloading a clean installer for the application from the Toshiba website.

My questions are, if I follow your instructions to send the report to VirusTotal, won't I run the risk of reactivating the beagle virus that supposedly infected the TOSCDSPD.exe file when I'm trying to export it to the c:\Suspect  folder?

If that is a real risk and if indeed I already found the installer to recover that application, could I just Delete the file from the Chest and be rid of it finally? Is that what happens when you Delete the files from the Avast Chest? Are they deleted totally without leaving any other trace in the recycle bin or any other place in the laptop?

Thanks again for all your help!

Offline DavidR

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #11 on: November 19, 2008, 11:29:32 PM »
Exporting is just copying not running, the fact that it isn't in the original location also gives some limited protection (even if it were infected) because any run command would be referencing the original location.

So with the file in the suspect folder it would effectively be inert unless you actually execute/run the file, which you aren't going to do.

As I have said deletion is a last action and then only if confirmed as infected and that is what we are trying to do.

Offline diana_loves

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #12 on: November 20, 2008, 12:55:55 AM »
Me again.

I did as you suggested and uploaded the exported TOSCDSPD.exe file to VirusTotal.

I don't know how to interpret the results so I'm posting them here to see if you can tell me what's the next necessary step:

File TOSCDSPD.exe received on 11.20.2008 02:38:25 (CET)
Antivirus Version Last Update Result

AhnLab-V3 2008.11.18.2 2008.11.19 Win-Trojan/Bagle.872456
AntiVir 7.9.0.34 2008.11.19 TR/Dldr.Bagle.agb
Authentium 5.1.0.4 2008.11.19 -
Avast 4.8.1281.0 2008.11.19 Win32:Beagle-AHE
AVG 8.0.0.199 2008.11.19 Win32/Themida
BitDefender 7.2 2008.11.20 -
CAT-QuickHeal 10.00 2008.11.19 TrojanDownloader.Bagle.agb
ClamAV 0.94.1 2008.11.20 -
DrWeb 4.44.0.09170 2008.11.19 Trojan.Packed.650
eSafe 7.0.17.0 2008.11.19 Win32.Bagle.agb
eTrust-Vet 31.6.6217 2008.11.19 -
Ewido 4.0 2008.11.19 -
F-Prot 4.4.4.56 2008.11.20 -
F-Secure 8.0.14332.0 2008.11.20 Trojan-Downloader.Win32.Bagle.agb
Fortinet 3.117.0.0 2008.11.20 W32/Bagle.AGB!tr.dldr
GData 19 2008.11.20 Win32:Beagle-AHE 
Ikarus T3.1.1.45.0 2008.11.20 Trojan-Downloader.Win32.Bagle
K7AntiVirus 7.10.528 2008.11.19 -
Kaspersky 7.0.0.125 2008.11.20 Trojan-Downloader.Win32.Bagle.agb
McAfee 5439 2008.11.19 Generic Downloader.x
Microsoft 1.4104 2008.11.20 TrojanDownloader:Win32/Bagle.WB
NOD32 3626 2008.11.19 Win32/Bagle.QH
Norman 5.80.02 2008.11.19 W32/Mitglied.BEI
Panda 9.0.0.4 2008.11.20 -
PCTools 4.4.2.0 2008.11.19 -
Prevx1 V2 2008.11.20 Malicious Software
Rising 21.04.22.00 2008.11.19 -
SecureWeb-Gateway 6.7.6 2008.11.20 Trojan.Dldr.Bagle.agb
Sophos 4.35.0 2008.11.20 Mal/Bagle-B
Sunbelt 3.1.1801.2 2008.11.14 Trojan-Downloader.Win32.Agent.V (vf)
Symantec 10 2008.11.20 -
TheHacker 6.3.1.1.159 2008.11.19 W32/Behav-Heuristic-064
TrendMicro 8.700.0.1004 2008.11.19 -
VBA32 3.12.8.9 2008.11.19 Trojan-Downloader.Win32.Bagle.agb
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.19 -
 
Additional information
File size: 872456 bytes
MD5...: 1fb8c915bad498904ea46e1bec9fc0c0
SHA1..: 529e1e968db9a6b82a0f9d48277a0a7379e39f85
SHA256: a21f6074c28fc03afd9af429f06d9616931f7d3870c249f48e66ce98489e46be
SHA512: 626a8daa5d6cd2653601bbf6172b574881e3c22ea023473f3b59458d67fce31bdfde7ff8959d78f04b6fcebbffb575eba478170dd492c4b64c7eee36d5ab62f0
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x488014
timedatestamp.....: 0x4912b351 (Thu Nov 06 09:05:21 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x7f000 0x3a000 7.98 042f03724e2a90c658f9c412cd6fa2ac
.rsrc 0x80000 0x6a08 0x3000 5.90 df1e50853b5cb1b9edc4fc61a936228c
.idata 0x87000 0x1000 0x1000 0.24 1774b4558eb29db1bb488bcb9523da64
Themida 0x88000 0x156000 0x96000 7.88 db89fa947c97866ccb1ce2a4d8c94bc5
( 2 imports )
> KERNEL32.dll: CreateFileA, ExitProcess
> COMCTL32.dll: InitCommonControls
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=99AE801B0813BC94508F0D6755CD55007A046904
packers (F-Prot): Themida



Does this mean it was or wasn't a false positive? Should I report it to  http://forum.avast.com/index.php?topic=34950.msg293451#msg293451. If it is a false positive can I safely reinstall the Acoustic Silencer that I downloaded from Toshiba which surely contains another file named TOSCDSPD.exe? Won't this cause Avast to report it as a virus or malicious software?..... Does the fact that Avast is running normally again mean that I'm free of this obnoxious beagle pest?  ......asks the newbie yet again!!   ::)

Offline DavidR

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #13 on: November 20, 2008, 01:16:23 AM »
Fortunately I know how to interpret that particular set of results: it is a good detection, it isn't a false positive, you should delete the copy in the suspect folder.

Now you re-downloaded the Acoustic Silencer installation file and avast should have scanned that file when you downloaded it (if not, or you aren't sure, find where you saved it to and right click on the file, select Scan selected area for viruses); that should find if anything is infected on it. If no detection you should be OK to reinstall, just watch for any avast alert, but that may not be the case.

There is no need to report it as it isn't a false positive.
« Last Edit: November 20, 2008, 01:19:17 AM by DavidR »
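Reading a multi-engine report like the one pasted above comes down to one question: how many engines independently name the same family, as opposed to only saying "packed" or "generic"? The following is an added example, not code from the thread, from avast or from VirusTotal: a small Python parser for the 2008-style text report, run over an excerpt of the rows posted in Reply #12. The family alias table and the list of "weak" labels are assumptions.

```python
import re
from collections import Counter

# Excerpt of the VirusTotal text report pasted earlier in this thread.
# One row per engine: engine, version, signature date, result ("-" = no detection).
VT_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.11.18.2 2008.11.19 Win-Trojan/Bagle.872456
AntiVir 7.9.0.34 2008.11.19 TR/Dldr.Bagle.agb
Authentium 5.1.0.4 2008.11.19 -
Avast 4.8.1281.0 2008.11.19 Win32:Beagle-AHE
AVG 8.0.0.199 2008.11.19 Win32/Themida
Kaspersky 7.0.0.125 2008.11.20 Trojan-Downloader.Win32.Bagle.agb
McAfee 5439 2008.11.19 Generic Downloader.x
Microsoft 1.4104 2008.11.20 TrojanDownloader:Win32/Bagle.WB
Norman 5.80.02 2008.11.19 W32/Mitglied.BEI
Symantec 10 2008.11.20 -
TheHacker 6.3.1.1.159 2008.11.19 W32/Behav-Heuristic-064
"""

# Assumed alias table: vendors use different names for the same family
# (Norman's "Mitglied" is its name for Bagle).
FAMILY_ALIASES = {"bagle": "Bagle", "beagle": "Bagle", "mitglied": "Bagle"}
# Assumed list of labels that only say "packed" or "suspicious" and name no family.
WEAK_LABELS = ("generic", "heuristic", "themida", "packed", "malicious software")
DATE_RE = re.compile(r"\d{4}\.\d{2}\.\d{2}")

def parse_vt_report(text):
    # Header and truncated lines are skipped: the third field must be a date.
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or not DATE_RE.fullmatch(parts[2]):
            continue
        engine, version, updated, result = parts
        result = result.strip()
        rows.append({"engine": engine, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows

def family_of(result):
    # Map a vendor label to a normalised family name, or None if it names none.
    low = result.lower()
    for alias, family in FAMILY_ALIASES.items():
        if alias in low:
            return family
    return None

def summarize(rows, min_family_votes=3):
    # Count detections and check whether independent engines agree on a family.
    detected = [r for r in rows if r["result"]]
    families = Counter(f for f in (family_of(r["result"]) for r in detected) if f)
    weak_only = [r["engine"] for r in detected
                 if family_of(r["result"]) is None
                 and any(w in r["result"].lower() for w in WEAK_LABELS)]
    family, votes = families.most_common(1)[0] if families else (None, 0)
    if votes >= min_family_votes:
        verdict = "likely true positive"   # several vendors name the same family
    elif detected:
        verdict = "inconclusive"           # only generic/packer/heuristic hits
    else:
        verdict = "no detection"
    return {"engines": len(rows), "detected": len(detected), "family": family,
            "family_votes": votes, "weak_only": weak_only, "verdict": verdict}
```

A packer name such as Themida on its own is not a verdict; the signal here is six vendors naming Bagle, which is what makes the detection a good one rather than a false positive.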

Offline diana_loves

Re: HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]
« Reply #14 on: November 20, 2008, 02:01:08 AM »
Sounds good!

I guess this would probably mean that the beagle infection has been eradicated, yes?

And now for the final question that just popped into my mind....

As soon as the initial problem started I backed up the most important files I had on my ipod. Is there a way I can scan my ipod (maybe with Avast!Pro) while making sure that nothing in the ipod will be able to reinfect my laptop? Maybe I need to run on Safe Mode and only then connect my ipod to run an avast scan?

Thanks again for all your help in this matter!!  :)
