


Posted on 2006-07-21
Medium Priority
Last Modified: 2007-12-19
My Bit Defender virus protection program showed six cases of spyware.Pws.A that it could not remove. Does anyone know how to remove this spyware?

Question by:djh27525

Expert Comment

ID: 17153835
Here is what I've found about PWS's in general, as yours is not listed...

Spyware Information: PWS
This application is a password guesser. It is designed to try to break through a password system by guessing millions of passwords until it gets the correct one. Hackers will often use such tools to break into computers on a network; they can set up the password guesser to try to log in to the network, and let it run until it does.

Although you may have never heard of PWS and don't know how it got onto your computer, your computer may have been compromised and a hacker may have installed the password guesser on it. This allows the hacker to run the guesser without being caught -- if a network administrator sees that someone is trying to guess a password and traces the communication, the trace will end at your computer.

I'm looking for a removal tool or where this is dropped.

Expert Comment

ID: 17153930
I cannot find any instance of this name. Is this software Microsoft Windows Defender?
If not, download their free software,

LVL 47

Expert Comment

ID: 17155031
Can we look at your HijackThis log?
Please download HijackThis 1.99.1
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.



Author Comment

ID: 17159516
I tried all the things listed and still my morning report says this:

C:\Documents and Settings\David.DJH27523\My Documents\FrontPage Webs\SBCS2006\rockxp.exe=>(RAR Sfx o)=>RAS.exe      Detected: Spyware.Pws.A
C:\Documents and Settings\David.DJH27523\My Documents\FrontPage Webs\SBCS2006\rockxp.exe=>(RAR Sfx o)=>RAS.exe      Disinfection failed
C:\Documents and Settings\David.DJH27523\My Documents\FrontPage Webs\SBCS2006\rockxp.exe=>(RAR Sfx o)=>RAS.exe      Move failed
C:\Documents and Settings\David.DJH27523\My Documents\FrontPage Webs\SBCS2006\rockxp.exe=>(RAR Sfx o)=>RockXp_.exe      Detected: Spyware.Pws.A
C:\Documents and Settings\David.DJH27523\My Documents\FrontPage Webs\SBCS2006\rockxp.exe=>(RAR Sfx o)=>RockXp_.exe      Disinfection failed
C:\Documents and Settings\David.DJH27523\My Documents\FrontPage Webs\SBCS2006\rockxp.exe=>(RAR Sfx o)=>RockXp_.exe      Move failed

This is the report issued by bitdefender at bitdefender.com. This just popped up last week. Any ideas?



Author Comment

ID: 17159698
I ran an online scan and found trojan.downloader.Zlob.sy now.
LVL 32

Expert Comment

ID: 17160521
Download and install HijackThis from http://www.hijackthis.de/ (I am assuming you did this already per advice by rpggamergirl above)

Download fixwareout from:


and save it on your desktop.

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and post the scan results to: http://www.hijackthis.de/. Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.
LVL 23

Expert Comment

ID: 17162823
Your log shows 2 instances of PWS.a password stealer. Bitdefender's log is saying that it found an instance, it tried to disinfect it and failed, and then it tried to move it and failed. You might try running the scan in safe mode (f8 at startup) or navigating to the infected files in safe mode and attempting to delete/rename them. Either way, you should follow rpggamergirl's advice: download Hijack This, run a scan and post a link here to the saved scan log page.
LVL 47

Accepted Solution

rpggamergirl earned 1000 total points
ID: 17162997
If you downloaded that crack tool called RockXP yourself then you have nothing to worry about; that's just a false positive. Avast, McAfee, and Bit Defender will flag that tool as a possible threat. McAfee even flags HijackThis.exe as a worm.

RockXP tool allows you to:
* retrieve and change your XP Key
* retrieve all Microsoft Products keys
* save your XP activation file
* retrieve your lost XP system passwords
* retrieve your lost RAS (Remote Access Settings) passwords
* generate new passwords

Rockxp.exe is a RAR self extracting archive with 4 files:
Xpkey.exe – rockxp_.exe – ras.exe – keyms.exe
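
A short triage of the scan report quoted in the author's comment, added here as an example and not part of the original thread: it groups the six report lines under the one file that exists on disk and lists which packed members were flagged and which actions failed. The line layout is inferred only from those six lines, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Report lines rebuilt from the six lines in the author's comment above.
PREFIX = (r"C:\Documents and Settings\David.DJH27523\My Documents"
          r"\FrontPage Webs\SBCS2006\rockxp.exe=>(RAR Sfx o)=>")
REPORT = [PREFIX + member + "      " + status
          for member in ("RAS.exe", "RockXp_.exe")
          for status in ("Detected: Spyware.Pws.A",
                         "Disinfection failed", "Move failed")]

# Assumed layout, inferred only from those lines:
#   outer file=>(container type)=>inner file<2+ spaces>status
LINE = re.compile(r"^(?P<chain>.+?)\s{2,}(?P<status>.+)$")

def parse_line(line):
    """Split one report line into (outer file, inner file or None, status)."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised report line: %r" % line)
    parts = m.group("chain").split("=>")
    inner = parts[-1] if len(parts) > 1 else None
    return parts[0], inner, m.group("status")

def triage(lines):
    """Group detections and failed actions under the file that exists on disk."""
    result = defaultdict(
        lambda: defaultdict(lambda: {"detections": [], "failed": []}))
    for line in lines:
        outer, inner, status = parse_line(line)
        entry = result[outer][inner]
        if status.startswith("Detected:"):
            entry["detections"].append(status.split(":", 1)[1].strip())
        elif status.endswith("failed"):
            entry["failed"].append(status[:-len("failed")].strip())
    return {outer: dict(members) for outer, members in result.items()}

def summarize(lines):
    """One line per on-disk file: which packed members were flagged."""
    out = []
    for outer, members in triage(lines).items():
        flagged = sorted(m for m, e in members.items() if m and e["detections"])
        out.append("%s: %d flagged member(s) inside archive: %s"
                   % (outer.rsplit("\\", 1)[-1], len(flagged), ", ".join(flagged)))
    return out

if __name__ == "__main__":
    print("\n".join(summarize(REPORT)))
```
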

LVL 47

Expert Comment

ID: 17164415
Thanks! :)

Question has a verified solution.