HELP!!! What do I do? TOSCDSPD.exe is infected by Win32:Beagle-AHE [Trj]

Yesterday my Avast! Home Edition crashed and shut down after I tried running a setup file I downloaded. Windows Defender and Windows Firewall seemed to be inoperable, too.

When I tried launching the Avast console I kept getting a message saying that Avast was not a valid win32 application. Windows Defender also displayed “an initialization error message”.

After doing some research, I found a virus removal tool called Elibagle that identified and removed 7 infections while running it in Safe Mode, although there were various files and folders it claimed not to have access to.

I ran Elibagle, Malwarebytes' Anti-Malware, Combofix, AVG virus removal, and Avast virus removal. Only the second one found some additional viruses. I don't know if they were associated with the main infection, but it removed the viruses. However, Avast kept throwing the "not a valid win32 application" error and Windows Defender kept throwing the "initialization error". Windows would tell me that it had blocked some applications; when I clicked on "Show blocked application" the Windows Defender error came up, and when I tried to "Run blocked application" it told me that "TOSCDSPD.exe from an unidentified publisher" was trying to gain access to my computer, so I decided not to grant access.

I tried uninstalling my Home version and installing it again. It asked me if I wanted to run the boot scan that Avast always offers the first time after installation and although I said yes, the computer just restarted and got into windows without running the boot scan and kept failing to initiate Avast.

Finally after running all the previous programs over and over, I decided to uninstall Avast! Home and install the trial version of Avast! Pro. Once again it asked me if I wanted to run the boot scan. SUCCESS! Finally it ran the boot scan before loading Windows Vista.

Now I have this message displayed and I’m not sure what’s the best option:

Report file: C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.text

Scan of all local drives

File C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe is infected by Win32:Beagle-AHE [trj]
Press 1 to Delete
2 Delete all
3 Move
4 Move all
5 Move to Chest
6 Move all to Chest
7 Repair
8 Repair all
9 Ignore
0 Ignore all
Esc Exit :

Since this is exactly the file that Windows seemed to be blocking, I'm not sure what to do!! I want to eliminate the problem as soon as possible, but I'm afraid of deleting or removing an important backup file or something. Can anyone give me a hand?

Thanks!!!

Option 5 "Move to Chest" - this is the option to quarantine suspected malware.

Hey Frank!

Thanks for your reply… what's the difference between "Move to Chest" and "Move all to Chest"? The only thing I'm afraid of is moving that file to the chest and not being able to re-establish my Windows Defender, because it seems to be a related .exe, or actually leaving the virus latent if I just move it instead of deleting it.

Can you throw some light on this? Again!! Thanks a bunch!

Diana

Beagle is dangerous malware for avast installations. Take care.

Moving one file only, or moving all detected files. I think it's not safe to send all to the Chest, especially if you move a file necessary to boot the computer: it will be unbootable :cry:

Thanks Tech!

Does this mean that the “Repair” options are not a good idea?

The Repair option only works in certain circumstances: infection of a file by a 'true' virus, and that infected file must be one that has been included in a VRDB generation. So that would limit greatly what could possibly be repaired, and if that repair failed I don't believe you would get prompted for another action.

So the safest option is to move it to the chest; there you have other options that you can try later.

Thanks David!

The scan is now 95% of the way and it seems the Avast Pro Boot Scan has found some other infections, according to the log so far:

File C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe is infected by Win32:Beagle-AHE [trj]
File c:\Qoobox\Quarantine\C\Windows\System32\drivers\winfilse.exe.vir is infected by Win32:Beagle-AHE [trj]
File C:\Users\Fidelis\Desktop\vray\vray 1.5 rc5 max 2008\Crack\Keymaker.exe is infected by Win32:Crypt-CYC [trj]

So far I’ve moved all of them to the Chest since it seems to be the safest option and I imagine I will be able to access the Chest later to ask Avast to clean or delete the files if necessary, is that right?

If the boot scan is still running could I hook up my ipod to the USB port for it to be scanned too, or is it too late?

Thanks guys!!

The first detection TOSCDSPD.exe needs further investigation as it seems a legit file (the reason why sending to the chest is important), see below.

The second detection is an interesting one; it looks like this quarantine folder isn't encrypted.

The third detection looks good, as using cracks is a high-risk business, not to mention any legal/moral issues; who can you complain to when, using a crack, your system got infected???

When done, and windows has booted, right click the avast ‘a’ icon, select avast! Antivirus Chest, the only part that interests you is the Infected Files section.

I don't even know if avast's boot-time scan would scan attached devices on a boot-time scan; some might not even be recognised before windows boots (depending on your BIOS settings).

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here: the URL in the address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect.
Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect*
That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
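As an added illustration of the export-then-inspect step above (example code written for this page, not avast's tooling and not anything David posted): once the file sits in C:\Suspect it is just bytes until something executes it, so you can hash it and measure its byte entropy without ever running it. The hashes let you confirm that the file VirusTotal reports on is the very one you exported; the entropy figure is the same kind of value VT prints per PE section, and the 7 bits/byte threshold for "probably packed" is this example's own rule of thumb. The sample bytes in the `__main__` block are constructed, not the real TOSCDSPD.exe, and `same_sample` is a helper invented here.

```python
"""Hash and entropy-triage an exported sample without ever running it.

Added example, not part of the forum thread or of avast. A file copied out of
the Chest into C:\\Suspect is inert until executed, so hashing it (to confirm
VirusTotal scanned the same file) and measuring entropy (a rough packed or
encrypted indicator) is safe.
"""
import hashlib
import math
from collections import Counter

CHUNK = 1 << 20          # 1 MiB reads keep memory flat for large samples
PACKED_THRESHOLD = 7.0   # assumption: >= 7 bits/byte in a code section usually means packed


def _hash_chunks(chunks):
    """Feed an iterable of byte blocks to MD5, SHA-1 and SHA-256 in one pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for block in chunks:
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data):
    return _hash_chunks([data])


def hash_file(path):
    with open(path, "rb") as fh:
        return _hash_chunks(iter(lambda: fh.read(CHUNK), b""))


def shannon_entropy(data):
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform byte spread."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def same_sample(local, reported):
    """True if every hash the VT report lists matches the local file.

    `reported` uses VT's labels (MD5, SHA1, SHA256...); labels the local dict
    lacks (SHA512, PEiD) are ignored, and at least one hash must be compared.
    """
    checked = 0
    for label, value in reported.items():
        key = label.lower().replace("-", "")
        if key in local:
            checked += 1
            if local[key].lower() != value.strip().lower():
                return False
    return checked > 0


def triage_bytes(data):
    """Everything the bytes alone tell you, with no execution involved."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        **hash_bytes(data),
        "entropy": round(ent, 2),
        "looks_packed": ent >= PACKED_THRESHOLD,
    }


if __name__ == "__main__":
    import os
    import tempfile
    # Constructed stand-in for an exported sample, not the real TOSCDSPD.exe.
    sample = bytes(range(256)) * 64 + b"\x00" * 4096
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
    try:
        info = triage_bytes(sample)
        assert hash_file(tmp.name) == hash_bytes(sample)
        print(info)
        # Compare with the hashes VT prints under "Additional information".
        print("same file as the report:", same_sample(hash_bytes(sample), {"MD5": info["md5"]}))
    finally:
        os.unlink(tmp.name)
```

Nothing here opens the file for execution; the copy in C:\Suspect is only read. If `same_sample` returns False against the hashes on the VT results page, you uploaded a different file (or a different copy) from the one you think you did, and the verdict on the page does not apply to your sample.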

You’ve been very helpful David!!

Point taken on the “cracks” comments!! :-\ … will do my best to resist the temptation in the future!

Anyhow, I have good news… after the Avast boot scan, the initial problem generated by the infection seems to have been corrected: the Avast console is now operating. I still haven’t hooked up to the web on the infected laptop but that’s the next thing I’ll try so I can test how the Avast updates and web protection are holding up…

However, the Windows Defender problem persists. I get this message:

Windows Defender
Application failed to initialize: 0x800106ba. A problem caused this program's services to stop.
To start the services, restart your computer or search Help and Support for how to start a
service manually.

After researching the problem in Microsoft’s page, I found that the error can be corrected by uninstalling and reinstalling Windows Defender.

In the internet I found out that one of the infected files (TOSCDSPD.exe) is related to a Toshiba CD/DVD Drive Acoustic Silencer installed on various models of Toshiba laptops such as mine. I checked the folder where the Toshiba TOSCDSPD.exe should be for the Acoustic Silencer to work and it's not there. So I imagine that confirms that it is not a clone file but the actual file that has been infected. Interestingly, TOSCDSPD.exe was actually the "application" that tried to access my system when I attempted to click on "Run Blocked Application" when I got the notification from Windows that an app had been blocked. The other option in that popup was "View Blocked Applications" and when I clicked on that option I immediately got the Windows Defender error quoted above.

At this point, I’m not sure if the apparent connection between this infected TOSCDSPD.exe and the error with Windows Defender is real.

Would you recommend going ahead with the uninstall/reinstall of Windows Defender? How would I go about “cleaning” the TOSCDSPD.exe file if it is indeed a component that has to be in the laptop for the Acoustic Silencer to work?

(Sorry for all the questions!!)

I have never used Windows Defender, never rated it that much, but things like this are often corrected by an uninstall, boot, install.

The Beagle infections are pretty bad, as part of their action is to try and disable your security software, and that could well be what hit Windows Defender.

My comment about the detection on TOSCDSPD.exe you need to follow that up and confirm if the detection was good or otherwise. So read my instructions on how to do this under the ####

So you aren't cleaning but confirming if TOSCDSPD.exe is indeed infected or not; once that is done, then we can consider what action is needed.

Ok, David… I’ll follow your instructions and send the file to VirusTotal… just have a couple more doubts that you might be able to clarify for me.

I just uninstalled the Acoustic Silencer from my Toshiba (the application connected with the supposedly infected TOSCDSPD.exe file) after downloading a clean installer for the application from the Toshiba website.

My questions are, if I follow your instructions to send the report to VirusTotal, won’t I run the risk of reactivating the beagle virus that supposedly infected the TOSCDSPD.exe file when I’m trying to export it to the c:\Suspect folder?

If that is a real risk, and if indeed I already found the installer to recover that application, could I just Delete the file from the Chest and be rid of it finally? Is that what happens when you Delete the files from the Avast Chest? Are they deleted totally, without leaving any other trace in the recycle bin or any other place in the laptop?

Thanks again for all your help!

Exporting is just copying not running, the fact that it isn’t in the original location also gives some limited protection (even if it were infected) because any run command would be referencing the original location.

So with the file in the suspect folder it would effectively be inert unless you actually execute/run the file, which you aren’t going to do.

As I have said deletion is a last action and then only if confirmed as infected and that is what we are trying to do.

Me again.

I did as you suggested and uploaded the exported TOSCDSPD.exe file to VirusTotal.

I don’t know how to interpret the results so I’m posting them here to see if you can tell me what’s the next necessary step:

File TOSCDSPD.exe received on 11.20.2008 02:38:25 (CET)

Antivirus           Version           Last Update  Result
AhnLab-V3           2008.11.18.2      2008.11.19   Win-Trojan/Bagle.872456
AntiVir             7.9.0.34          2008.11.19   TR/Dldr.Bagle.agb
Authentium          5.1.0.4           2008.11.19   -
Avast               4.8.1281.0        2008.11.19   Win32:Beagle-AHE
AVG                 8.0.0.199         2008.11.19   Win32/Themida
BitDefender         7.2               2008.11.20   -
CAT-QuickHeal       10.00             2008.11.19   TrojanDownloader.Bagle.agb
ClamAV              0.94.1            2008.11.20   -
DrWeb               4.44.0.09170      2008.11.19   Trojan.Packed.650
eSafe               7.0.17.0          2008.11.19   Win32.Bagle.agb
eTrust-Vet          31.6.6217         2008.11.19   -
Ewido               4.0               2008.11.19   -
F-Prot              4.4.4.56          2008.11.20   -
F-Secure            8.0.14332.0       2008.11.20   Trojan-Downloader.Win32.Bagle.agb
Fortinet            3.117.0.0         2008.11.20   W32/Bagle.AGB!tr.dldr
GData               19                2008.11.20   Win32:Beagle-AHE
Ikarus              T3.1.1.45.0       2008.11.20   Trojan-Downloader.Win32.Bagle
K7AntiVirus         7.10.528          2008.11.19   -
Kaspersky           7.0.0.125         2008.11.20   Trojan-Downloader.Win32.Bagle.agb
McAfee              5439              2008.11.19   Generic Downloader.x
Microsoft           1.4104            2008.11.20   TrojanDownloader:Win32/Bagle.WB
NOD32               3626              2008.11.19   Win32/Bagle.QH
Norman              5.80.02           2008.11.19   W32/Mitglied.BEI
Panda               9.0.0.4           2008.11.20   -
PCTools             4.4.2.0           2008.11.19   -
Prevx1              V2                2008.11.20   Malicious Software
Rising              21.04.22.00       2008.11.19   -
SecureWeb-Gateway   6.7.6             2008.11.20   Trojan.Dldr.Bagle.agb
Sophos              4.35.0            2008.11.20   Mal/Bagle-B
Sunbelt             3.1.1801.2        2008.11.14   Trojan-Downloader.Win32.Agent.V (vf)
Symantec            10                2008.11.20   -
TheHacker           6.3.1.1.159       2008.11.19   W32/Behav-Heuristic-064
TrendMicro          8.700.0.1004      2008.11.19   -
VBA32               3.12.8.9          2008.11.19   Trojan-Downloader.Win32.Bagle.agb
ViRobot             2008.11.18.1474   2008.11.18   -
VirusBuster         4.5.11.0          2008.11.19   -

Additional information
File size: 872456 bytes
MD5…: 1fb8c915bad498904ea46e1bec9fc0c0
SHA1…: 529e1e968db9a6b82a0f9d48277a0a7379e39f85
SHA256: a21f6074c28fc03afd9af429f06d9616931f7d3870c249f48e66ce98489e46be
SHA512: 626a8daa5d6cd2653601bbf6172b574881e3c22ea023473f3b59458d67fce31bdfde7ff8959d78f04b6fcebbffb575eba478170dd492c4b64c7eee36d5ab62f0
PEiD…: -
TrID…: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x488014
timedatestamp…: 0x4912b351 (Thu Nov 06 09:05:21 2008)
machinetype…: 0x14c (I386)

( 4 sections )
name      viradd    virsiz    rawdsiz   ntrpy  md5
          0x1000    0x7f000   0x3a000   7.98   042f03724e2a90c658f9c412cd6fa2ac
.rsrc     0x80000   0x6a08    0x3000    5.90   df1e50853b5cb1b9edc4fc61a936228c
.idata    0x87000   0x1000    0x1000    0.24   1774b4558eb29db1bb488bcb9523da64
Themida   0x88000   0x156000  0x96000   7.88   db89fa947c97866ccb1ce2a4d8c94bc5

( 2 imports )
> KERNEL32.dll: CreateFileA, ExitProcess
> COMCTL32.dll: InitCommonControls

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=99AE801B0813BC94508F0D6755CD55007A046904
packers (F-Prot): Themida

Does this mean it was or wasn't a false positive? Should I report it to http://forum.avast.com/index.php?topic=34950.msg293451#msg293451? If it is a false positive, can I safely reinstall the Acoustic Silencer that I downloaded from Toshiba, which surely contains another file named TOSCDSPD.exe? Won't this cause Avast to report it as a virus or malicious software? … Does the fact that Avast is running normally again mean that I'm free of this obnoxious beagle pest? …asks the newbie yet again!! :slight_smile:

Fortunately I know how to interpret that particular set of results: it is a good detection, it isn't a false positive; you should delete the copy in the suspect folder.

Now you re-downloaded the Acoustic Silencer installation file, and avast should have scanned that file when you downloaded it (if not, or you aren't sure, find where you saved it to and right click on the file, select Scan selected area for viruses); that should find if anything is infected on it. If no detection you should be OK to reinstall, just watch for any avast alert, but that may not be the case.

There is no need to report it as it isn’t a false positive.
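As an added example (written for this page; not code from the thread, from avast or from VirusTotal), here is the reading David gives above turned into a script: it parses the vendor/result lines posted earlier, counts how many engines agree on one family name against how many only report a packer or a heuristic, and applies a rule of thumb. `VT_LISTING` is the results block from the post; the alias table, the weak-marker list and the agreement threshold in `triage()` are this example's own assumptions.

```python
"""Score a pasted VirusTotal vendor listing the way the reply above does by eye.
Added example, not code from the thread, avast or VirusTotal. VT_LISTING is the
results block posted above; FAMILY_ALIASES, WEAK_MARKERS and the threshold in
triage() are this example's own assumptions."""

VT_LISTING = """\
AhnLab-V3 2008.11.18.2 2008.11.19 Win-Trojan/Bagle.872456
AntiVir 7.9.0.34 2008.11.19 TR/Dldr.Bagle.agb
Authentium 5.1.0.4 2008.11.19 -
Avast 4.8.1281.0 2008.11.19 Win32:Beagle-AHE
AVG 8.0.0.199 2008.11.19 Win32/Themida
BitDefender 7.2 2008.11.20 -
CAT-QuickHeal 10.00 2008.11.19 TrojanDownloader.Bagle.agb
ClamAV 0.94.1 2008.11.20 -
DrWeb 4.44.0.09170 2008.11.19 Trojan.Packed.650
eSafe 7.0.17.0 2008.11.19 Win32.Bagle.agb
eTrust-Vet 31.6.6217 2008.11.19 -
Ewido 4.0 2008.11.19 -
F-Prot 4.4.4.56 2008.11.20 -
F-Secure 8.0.14332.0 2008.11.20 Trojan-Downloader.Win32.Bagle.agb
Fortinet 3.117.0.0 2008.11.20 W32/Bagle.AGB!tr.dldr
GData 19 2008.11.20 Win32:Beagle-AHE
Ikarus T3.1.1.45.0 2008.11.20 Trojan-Downloader.Win32.Bagle
K7AntiVirus 7.10.528 2008.11.19 -
Kaspersky 7.0.0.125 2008.11.20 Trojan-Downloader.Win32.Bagle.agb
McAfee 5439 2008.11.19 Generic Downloader.x
Microsoft 1.4104 2008.11.20 TrojanDownloader:Win32/Bagle.WB
NOD32 3626 2008.11.19 Win32/Bagle.QH
Norman 5.80.02 2008.11.19 W32/Mitglied.BEI
Panda 9.0.0.4 2008.11.20 -
PCTools 4.4.2.0 2008.11.19 -
Prevx1 V2 2008.11.20 Malicious Software
Rising 21.04.22.00 2008.11.19 -
SecureWeb-Gateway 6.7.6 2008.11.20 Trojan.Dldr.Bagle.agb
Sophos 4.35.0 2008.11.20 Mal/Bagle-B
Sunbelt 3.1.1801.2 2008.11.14 Trojan-Downloader.Win32.Agent.V (vf)
Symantec 10 2008.11.20 -
TheHacker 6.3.1.1.159 2008.11.19 W32/Behav-Heuristic-064
TrendMicro 8.700.0.1004 2008.11.19 -
VBA32 3.12.8.9 2008.11.19 Trojan-Downloader.Win32.Bagle.agb
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.19 -
"""

# Assumed alias table: Norman's "Mitglied" is its name for the Bagle family.
FAMILY_ALIASES = {"bagle": ("bagle", "beagle", "mitglied")}
# Packer/heuristic/generic-only names are weak on their own: legitimate
# Themida-packed software trips them too.
WEAK_MARKERS = ("heuristic", "generic", "packed", "themida", "malicious software", "suspicious")


def parse_listing(text):
    """Lines are: vendor, engine version, signature date, result ('-' = clean)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)  # the result field may contain spaces
        if len(parts) == 4:
            result = parts[3].strip()
            rows.append({"vendor": parts[0], "result": None if result == "-" else result})
    return rows


def family_of(result):
    low = result.lower()
    return next((f for f, names in FAMILY_ALIASES.items() if any(n in low for n in names)), None)


def is_weak(result):
    return any(m in result.lower() for m in WEAK_MARKERS)


def summarize(rows):
    hits = [r for r in rows if r["result"]]
    families = {}
    for r in hits:
        fam = family_of(r["result"])
        if fam:
            families.setdefault(fam, []).append(r["vendor"])
    weak_only = [r["vendor"] for r in hits if is_weak(r["result"]) and not family_of(r["result"])]
    return {"engines": len(rows), "detections": len(hits), "families": families, "weak_only": weak_only}


def triage(rows, agree=5):
    """Rule of thumb (assumption): many engines naming one family is a true
    positive; one or two packer/heuristic-only hits and nothing else is the
    false-positive pattern worth reporting. agree stays well above 2 because
    vendors license each other's engines (GData's string above is identical to
    avast's), so agreement is partly correlated."""
    s = summarize(rows)
    if s["detections"] == 0:
        return "clean"
    best = max(s["families"].values(), key=len, default=[])
    if len(best) >= agree:
        return "true positive"
    if s["detections"] <= 2 and s["detections"] == len(s["weak_only"]):
        return "likely false positive"
    return "inconclusive"
```

Run on the listing above, `summarize` reports 22 of 36 engines detecting, 16 of them naming Bagle/Beagle (Norman's Mitglied included) and the rest giving only packer, generic or behavioural names, so `triage` returns "true positive". The pattern that would have pointed to a false positive, and been worth reporting through the link David gave, is the opposite one: a single "Win32/Themida" or "Packed" style hit with every other engine clean.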

Sounds good!

I guess this would probably mean that the beagle infection has been eradicated, yes?

And now for the final question that just poped into my mind…

As soon as the initial problem started I backed up the most important files I had on my ipod. Is there a way I can scan my ipod (maybe with Avast!Pro) while making sure that nothing in the ipod will be able to reinfect my laptop? Maybe I need to run on Safe Mode and only then connect my ipod to run an avast scan?

Thanks again for all your help in this matter!! :slight_smile:

It means that the infected file has been dealt with, how it came to be infected is the 64,000 dollar question. So it may be worth running some other tools to see if there is any undetected or hidden elements of this infection on your system, see below.

I take it you scanned the Acoustic Silencer installation file, found it to be clean and installed it without any avast alerts ?

You can plug in and scan your ipod’s storage using the Simple User Interface regular on-demand scan. Or having plugged it in, using windows explorer, right click on the ipod drive and select, Scan selected areas for viruses, etc.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.
  2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

Yep!! I scanned the file I downloaded from the Toshiba site. Bug free according to Avast. Installed it. Acoustic Silencer is now working smoothly. Needless to say, I owe you big time! The guys at Symantec support tried for about 40 minutes to convince me to invest in a $150/30-day long solution, saying that every minute wasted trying to get information in public forums could potentially mean the total loss of my data as well as my laptop… I'm now sipping a glass of wine in your honor, so Cheers!!

As for the origin of the infection, the rar file I thought I was downloading was a trial version of Muvee (a video editor). And as soon as I ran the setup file in the rar (which, of course, I forgot to scan first Insert much deserved face-slapping here, please) I got the mysterious “Blackbox Decoder Install Console” screen which upon closing triggered the whole crash of my antivirus. My initial panicked reaction was backing up all the important info and deleting both the rar and the extracted file folder. I don’t know if that was such a good idea as it probably would’ve been helpful to scan those files too to answer the 64,000 dollar question.

I'm now only left with the pain-in-the-butt Windows Defender issue, which mainly is not generating any trouble except for the nagging feeling of knowing that it is there, not doing a damn thing for my system, and I can't even find a way to uninstall it to see if it can be "reinstalled" successfully (it doesn't appear in the list of programs for uninstall in the control panel). Any ideas on this one?

Regarding the other suggestions, I have run MalwareBytes Anti-Malware several times, both in Safe Mode and Normal Mode, and it hasn't located any other infections. I guess that's good? I'm now downloading SUPERantispyware to see what it finds.

I’ll keep you posted!

You’re welcome, I guess they don’t know much about the avast forums ;D

MBAM is a good application, doesn't take up many resources unless you run its on-demand scan, and is worth keeping as part of a multi-application approach to your security, as is SAS. A multi-application approach is great with the right applications, ones that complement (not clash with) each other, and these work fine with avast.

I generally pause the Standard Shield whilst running scans with these scanners, if running in normal mode (not required in safe mode as avast isn’t running), overall this speeds up the scan duration.

Haha! My guess is they don’t know much about forums at all

Ok. Done. Finally got to run SUPERAntiSpyware and it found nothing on the laptop. The ipod seems to be clean according to Malwarebytes’s and AvastPro so I guess I’m in the clear?

Now I’m just wondering how to get rid of the Windows Defender useless component which is just… there. Like having a corpse on my Control Panel. Any ideas on how to get it off if it doesn’t appear on the Uninstall list?

Well useless is perhaps a little strong, even though I don’t rate it very much, it doesn’t seem to catch anything (from comments in these forums) but I believe it is meant to have resident protection (though it doesn’t seem to have done much for you in this case).

I have never used it so I have never tried to remove windows defender, but my friend google probably does ;D
http://www.google.co.uk/search?q=remove+windows+defender
This is just one of the hits, http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=479680&SiteID=17 another http://wiki.answers.com/Q/How_to_remove_windows_defender_from_vista.