
Need to remove Spyware


studyaid

IS-IT--Management
Dec 3, 2001
I have a program on my add/remove programs that is called "ec50ws" when I try to remove it, it asks me for my password. Considering I didn't install this program, I am not going to randomly type in passwords to uninstall it. I would like to know what this program is, and how to remove it. I can't even delete the folder from my c: drive. I think I may have deleted the registry key, but, I can't do anything else. Does anyone know either a really good spyware program, or what this particular program is and how to uninstall it? Thanks.
 
Hello, have you tried to use a registry cleaner program like RegCleaner? Updated now..... works well. Also System Mechanic has new parasite checker in their 30 day free trial software, available. Also I did a search for....."scans for spyware", on google with several results. Hopes this helps.....Direcway
 
Try spybot, Remember to update it after you install, be patient, sometimes the update appears to freeze, if you update from the default Europe update server. It will finish.

Matt J.
 
I just noted the same program "ec50ws" in my win2kpro add/remove programs. When I clicked on remove (no password required) it told me "pearl echo" was successfully removed.

Pearl Echo is corporate spyware/keylogger software.

1. I wonder if it is really gone, or did it morph?
2. I have been running Spybot S&D with updates, which (apparently) does not detect "ec50ws" or "pearl echo".

How do I check this?
 
HIGHJACKTHIS.EXE

Josh McMahon
A+ Certified,CCNA
jmcmahon@lexgen.com
 
yes all these are good..

first things i do is

run cwshredder
run spybot
run hijackthis if you don't know the line you suspect maybe a spyware , then just search for it on google.. then you will know whether or not to remove it.. good for removing the quicktime startup and a few other things...


then of course go to trendmicro.com and run the online free virus scan... trend seems to catch more than the others. as spybot seems to catch more than adaware though its still good
 
Pearl Echo seems interesting. I just had a problem reconnecting to my domain because of an issue with pearl echo showing up in a registry key where it should have been. I do have spybot installed, and I'm doing a search for hijack this right now. I searched for ec50ws on Google, and it came back with two responses, one being this thread, and the other being someone's address, I think in New Hampshire. I'll check hijackthis, and cwshredder and see what I can find.
 
hey
download for free and use Lavasoft Ad-Aware 6
works great for me
see ya
jim

if you're gonna do it, do it rite the first time
 
You should know this is not traditional "SpyWare", this is a commercial product that someone paid money for and deliberately installed on your computer.

If in a corporate setting you can ask the System Administrator about the intentions of the program, and ask to have it removed.

But given particularly that Add/Remove found it password blocked, I think it a fair question to ask what is the corporate policy on monitoring, and if you find it unacceptable, find another job.
 
well, the problem with this is, I am the Sys Admin :) I did try using pearl echo briefly as a test to see how it works, but, never put a password on it to protect it from being uninstalled or disabled. I know what the corporate policy is, and considering I'm the only person in the M.I.S. department, nobody else has access to install this. That is why it raised a red flag in the first place.
 
Don't forget to look at forum760. We deal with this a lot there.



James P. Cottingham
There's no place like 127.0.0.1.
 
studyaid,

Then you will know the uninstall password, and there should be no reason for your question here.
 
yes, but, after I type one of the few passwords it should be, I get an error message that says "Failed to Connect:10049" That is why I thought it was spyware.
 
There has to be an assigned server.

Check your router, you likely are missing a port forward assignment.

The details are available on the Pearl Echo site as to the ports assignments required.
 
I have a user that has a toolbar at the bottom of her IE screen (it pops up every time you open IE) which redirects IE to searchexe.com/passthrough/popupbaropener.htm. Used Spybot but it's still there. Any help would be greatly appreciated. I tried to find highjackthis.exe to download but haven't been able to find it. Thanks.
 
Get it here:

You may want to post your log in forum760 for better results.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Sorry...something seems to be amiss with the site, those two links aren't showing as links.
You can cut and paste the web address, but you'll need to navigate around the site to find the Virus/Spyware discussion forum.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
here are the log entries: (Hope it helps)

Logfile of HijackThis v1.97.7
Scan saved at 1:18:14 PM, on 2/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ANTETR~1\helplog.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\Seiko\slpcap.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\lotus\Notes\NLNOTES.EXE
C:\lotus\Notes\ntaskldr.EXE
C:\Corel\Suite8\Programs\WPWIN8.EXE
C:\Corel\Suite8\Programs\ps80.exe
C:\Corel\Suite8\Programs\PFPPOP80.EXE
G:\USERS\FRONTOFF\SUPFILES\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
O1 - Hosts: 156.121.2.2 psvtd
O1 - Hosts: 156.121.2.3 JMS PSVTDJ
O1 - Hosts: 156.121.2.7 FAST PSVTDF
O1 - Hosts: 156.121.2.112 vtdecm01
O1 - Hosts: 156.121.3.5 bvtp1
O1 - Hosts: 156.121.3.6 psvtpp
O1 - Hosts: 156.121.3.10 vtpnt01
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {110DA1CF-DD5E-56DC-B2B2-265D30C48F8A} - C:\PROGRA~1\ACIDRU~1\Body Manager.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Bleh base anti - {281742B7-6C79-0B93-0952-5E73B4DE4C34} - C:\PROGRA~1\ACIDRU~1\Body Manager.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dart Dale] C:\PROGRA~1\ANTETR~1\helplog.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{23550A4A-A518-42DE-B9DE-41EFB81D408C}: NameServer = 156.119.13.27,156.119.5.27,156.121.2.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B1A77DD-9673-4F40-812B-2F77AB434FEA}: NameServer = 156.119.13.27,156.119.5.27,156.121.2.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uscmail.dcn
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = uscmail.dcn
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uscmail.dcn
 
First, disable system restore. Instructions here:

Then, remove the following entries using Hijack this!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 156.121.2.2 psvtd
O1 - Hosts: 156.121.2.3 JMS PSVTDJ
O1 - Hosts: 156.121.2.7 FAST PSVTDF
O1 - Hosts: 156.121.2.112 vtdecm01
O1 - Hosts: 156.121.3.5 bvtp1
O1 - Hosts: 156.121.3.6 psvtpp
O1 - Hosts: 156.121.3.10 vtpnt01

O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

Reboot.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Status
Not open for further replies.
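
Added example, not written by any poster in this thread and not part of HijackThis: a short Python script that parses HijackThis entry lines and checks a proposed fix list against the scan before anything is removed. The sample lines are copied from the log in this thread, except the last fix-list line, which is constructed with a typo to show a miss; the function names are illustrative.

```python
import re
from collections import defaultdict

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Excerpt of the scan posted in this thread.
SCAN = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
O1 - Hosts: 156.121.2.2 psvtd
O2 - BHO: (no name) - {110DA1CF-DD5E-56DC-B2B2-265D30C48F8A} - C:\PROGRA~1\ACIDRU~1\Body Manager.dll
O3 - Toolbar: Bleh base anti - {281742B7-6C79-0B93-0952-5E73B4DE4C34} - C:\PROGRA~1\ACIDRU~1\Body Manager.dll
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

# Entries someone asks to fix; the last line is constructed (typo in the value name).
FIX_LIST = r"""
O1 - Hosts: 156.121.2.2 psvtd
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [AutoUpdate] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
"""

def parse_entries(text):
    """Return {section code: [entry body, ...]}, skipping headers and process paths."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m["code"]].append(" ".join(m["body"].split()))
    return dict(sections)

def check_fix_list(scan_text, fix_text):
    """Split the fix list into entries present in the scan and entries that are not."""
    scan = parse_entries(scan_text)
    present, absent = [], []
    for code, bodies in parse_entries(fix_text).items():
        for body in bodies:
            (present if body in scan.get(code, []) else absent).append(f"{code} - {body}")
    return present, absent

def untouched(scan_text, fix_text, codes=("O2", "O3", "O4")):
    """Entries in the given sections that the fix list leaves in place, for manual review."""
    scan, fix = parse_entries(scan_text), parse_entries(fix_text)
    return [f"{c} - {b}" for c in codes for b in scan.get(c, []) if b not in fix.get(c, [])]

if __name__ == "__main__":
    print(check_fix_list(SCAN, FIX_LIST), untouched(SCAN, FIX_LIST), sep="\n")
```

An entry reported as absent means the fix list and the scan disagree (a typo, or a scan taken at a different time), so re-scan before fixing anything.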
