How to get rid of ICQ.PWS.Trojan

On that special day, philip, (pcywong@stanford.edu) said...

> NAV detected ICQ.PWS.Trojan but can't clean or
> quarantine. it.

The name is quite generic, it just says the heuristics found a trojan
that is specialized on using IRC (to announce a trojanized site) and log
passwords to send them to a place where someone will read and copy them.

> Access denied. And my system is getting very slow.

Which indicates that this trojan is running in the background, but with
high priority. Programs that are currently active, cannot be deleted (a
self protective scheme of XP). You will have to prevent the automatic
startup of the trojan in order to remove it, which means boot the PC in
Safe Mode.

And you will have to remove the trojan from the system backup aka system
restore, too, because files that are deleted, will be stored in that
backup, and reactivated later on, with the next start. The problem is,
you cannot exclude a single file from system restore; you have to
deactivate the system restore, reboot, so that the restore files are
wiped, and activate the system restore again.

I am only using Windows ME, and disabled this "feature" after a few
weeks, because I don't see much sense in keeping old configurations. If
I mess up the machine royally, I'll have to fix it from a boot disk, but
heck; I did that in former times, too, with older Win versions.

> How can i
> get rid of that trojan and the associated Worm.Win32.Bizex?

The Norton and other AV sites should by now give details on how to deal
with this worm.

And to prevent it from happening again: please switch to another
browser, like Mozilla Thunderbird. This worm was installed by a
trojanized site you went to.

Maybe you were lured there by a message sent by the trojan via IRC. But
there are drive-by infections, too, via ad banners; and even official
sites have already been infectious, as it has happened with a German
public service site last year, which had been hacked by intruders.


Gabriele Neukam

Gabriele.Spamfighter.Neukam.RemoveThis@t-online.de


--
Ah, Information. A good, too valuable these days, to give it away, just
so, at no cost.
 >> Stay informed about: How to get rid of ICQ.PWS.Trojan 

PWS is definately a password stealer. The reason your AV can't remove it is
that its probably still running. Find out what filename it is and path,
then run taskmanager and kill the process. Then delete the file or submit
it to your favourite AV companies.

If you're having problems killing the process, download TDS-3 (Trojan
Defence Suite) or Port Explorer (allows you to see where the trojan is
sending the passwords) from www.diamondcs.com.au.. Both allow the
termination of processes.

Before running a system scan, disable your AV (resident) and scan/remove
using TDS-3.

Let us know how that goes.

"Big Will"
<spamWspamispamlspamlspamBspam4spamespamvspaaaammespammityrspam@nidontlikesp
ametzero.net> wrote in message
> philip wrote:
>
> > Got a problm here. NAV detected ICQ.PWS.Trojan but can't clean or
> > quarantine. it. Access denied. And my system is getting very slow. How
can i
> > get rid of that trojan and the associated Worm.Win32.Bizex?
> >
> > Thanks
> > philip
> >
> >
> 1)What OS are you using? 2)Where is it located. If you're using
> Windows XP, then you might need to purge system restore. Try purging
> system restore, then rebooting and running in safe mode, and attempt the
> scan then. Also, because Symantec doesn't provide much information on
> this trojan, what's the actual filename that it appears under (include
> full path). Chances are, you could just delete it, but since I don't
> know much about this trojan, and Symantec isn't offering any
> information, I can't tell you to simply delete the file without knowing
> the consequences (unless someone else in this newsgroup is more familiar
> with icq.pws.trojan). Also, you might want to look into TDS3
> (tds3.diamondcs.com.au), a dedicated trojan removal program. Oh, and
> when you finally delete the tojan, change your passwords, because this
> one is a password stealer (pws=password steal).
>
> --
> William
>
> If it don't work, hit it.
> If it still doesn't work, kick it.
> If it works after hitting it and kicking it, then it doesn't matter if
> hitting it or kicking it helped, what's important is it worked.
>
 >> Stay informed about: How to get rid of ICQ.PWS.Trojan