My PC running XP and Avast has been bitten by a trojan horse.
I noticed some strange CPU usage, saw ASPIMGR.EXE in task manager, thought it odd, did a manual virus scan and AVAST locked up when it hit that file in memory.
I then rebooted into safe mode and scanned again, AVAST detected the “WIN32:Agent_GPS” trojan disguised as that file (in windows dir path, i forget where exactly), then advised that it was in memory and that I should reboot and it would do full scan again in a safer pre-bootup mode…which is what it is doing now (I am typing this now from another PC).
I am trying to find out exactly what this trojan is, what it does, what actions I may need to take (like changing passwords etc if this is some kind of key logger) but I cannot figure out how to lookup this virus name ANYWHERE on the AVAST website.
Also trying to search for it on other antivirus website databases is fruitless since vendors don’t call viruses by the same name (sigh). I have been able to find some info from searching on ASPIMGR.EXE but it appears to me that this file could be one of several DIFFERENT trojans, all with different payloads, and I REALLY need to find out exactly which one this is as per the avast virus name of “WIN32:Agent_GPS”.
Can anyone give me exact details on this trojan, or tell me HOW to look it up / WHERE to look it up on the AVAST website???
Help is greatly appreciated.
Note that my PC with AVAST that has this trojan on it is currently doing its special scan right now and will be tied up for hours (I will leave it go overnight) so I can’t do something like “run the avast program and select lookup database” or something like that now. I am asking instead if I can access this information VIA THE AVAST WEBSITE, which I am trying to do now from this other PC but getting nowhere (thankfully I was able to find this forum and am hoping someone here can help me).
Ran AVAST again. Memory scan clean. Can see the trojan in the “chest” along with it existing in one restore point plus 2 IE temp files.
Can access the AVAST database from the program itself and look up the trojan by name “Agent-GPS” (my post above was wrong, the “_” character is actually a “-”.
Unfortunately there are NO DETAILS about this trojan in the database. It is blank.
Where can I findout a proper description of this trojan??? PLEASE???
I had been investigating the filename and I’ve found that there is more than one trojan horse that hides under this name. I’m trying to find out which one bit me.
The name that AVG gave it was more specific than just “agent” though. It was Agent-GPS. Does anyone know exactly what that is according to AVAST?
I am starting on a new path of investigation now. I saved the trojan and scanned it on my other PC, which is running AVG. AVG calls it “proxy.ACFS”. I am now trying to figure out if they (or any other virus company) has info on it by that name. Thanks again!
P.S. This is very strange. Evidently AVG has no info on it either! Searched their on-line database for either proxy.ACFS or just ACFS and turned up nothing. Nada.
But isn’t “GPS” or “ACFS” the part of the name which would make it SPECIFIC???
I will try that virus total thing (just found it on google),maybe they can help. THANKS a ton. I really would like to know what this trojan does so I can take any appropriate action.
Unfortunately it gives no real world info about payloads/actions to take though. I will try seeing if I can find any more about it on each and every vendor that is listed there and by the name they use…thanks again for your help.
Variants are give a letter tag: A (1), B (2), C (3),… ACFS (~25,000?). Not very specific: there are thousands of similar variants of some Trojans. Like you said, several Trojans use the ASPIMGR.EXE, but the Sophos write-up above seems to fit.
I did read the Sophos description. Helpful only to a “forensics” degree, doesn’t get into specifics about payload, just alludes to what in general any backdoor thing like this COULD do with access that this thing creates.
I did find the 3 files mentioned there, plus one of the registry keys that it mentioned. That is good confirmation that I have that same bug.
Everything else I’ve read so far also only gets into forensic type stuff (names of dropped files, registry keys, etc). For example, Macafee calls it “Proxy-Agent.af.gen” and has similar info to Sophos. The vendors seem to know what it does as far as dropping files/making registry keys etc but not much info on the types of things the trojan/bad guys do after that.
Macafee goes into more details about sites that it sends “information” to but doesn’t go into what the information might be.
I think (hope?) that I caught this b4 it got to do anything, or at least I hadn’t accessed anything that exposed any critical website passwords? The date/time of the _check32.bat file it dropped is 11pm last night & it was about 2 AM that I first noticed the wierdness and I did not do much during that time. I was doing all kinds of stuff on the web and am struggling trying to remember where this thing might have come from.
I’m still researching this…thx again for your comments.
aspimgr.exe
Aspimgr.exe is Trojan.Asprox.
Trojan.Asprox is a Trojan horse that uses the compromised computer as a proxy server.
Related files:
%System%\aspimgr.exe
%Windir%\s32.txt
%Windir%\db32.txt
%Windir%\g32.txt
%Windir%\gs32.txt
%Windir%\ws386.ini
%Temp%_check32.bat
As recommended I will disable system restore to get rid of all my old restore points in case any of them are hiding this but I have a question. Just thinking out loud - if anyone has any comments feel free to post them.
The AVAST scan that caught this last night did detect it in one restore point, or at least what I THINK is a restore point, which I had it move to the virus chest. It shows the name of this as “A0035795.exe” and original location of C:\System Volume Information_restore{xxxxx}\RP304 (where “xxxxx” is a big long string looking similar to a registry key). Is this a restore point?
And is there any way that I can open that to read the restore point description if any, and the date it was created?? I ask this because the chest shows this file last modified as “6/11/08 7:08pm” but I don’t recall making any restore points then - also note that the aspimgr.exe trojan is dated almost exactly the same time.
I am wondering if I can get any more clues from this at least as far as when it was created as to when I first might have gotten bitten by this bug. I was hoping the date/time of the restore point might jog my memory. But I am also thinking that maybe the restore point was created by the trojan and not by me???
More clues I found as far as trying to figure out the timeline of this is that the date/time of the _check32.bat that I recovered from my TEMP dir is 11:09 last night, and the g32.txt file is 1:31am this morning. So I am thinking this thing first attacked me last night, maybe not even starting to do it’s thing until 11pm, but might have arrived as early as 7pm??
Yes, contents of System Volume Information are restore points.
You can get access rights to the restore folder, but I don’t think it’s a good idea due to opening an access to malware to do the same.
Windows create automatic restore points according to some actions (install software or drive, etc.). Maybe everything is normal. I don’t think a malware create restore points, but who knows ???