LibAcc.EXE - The Annoying Bane of my existence.

Whopula

Hey everyone,

Does anyone know what "libacc.exe" is? I have a laptop that will NOT stop running the stupid thing. It has a memory leak in it, and it just consumes the laptop.

The only way I can stop it is end process the thing, but it just starts right back up.

I can't find anything in Search, Google, MS Config... nothing. I found a reference to it in the Prefetch directory, so it's getting it from somewhere, but the prefetch file shows me nothing but binary garbage. So I can't trace it back from there.

Any help on this would be appreciated!

-{Whopula}-
 
Probably spyware. Use the programs in my sig (make sure to update them first before doing a scan) to check for it. They are all free.

Also, you can use HiJackThis, but with that program you will find a LOT of false positives. It lists EVERYTHING in your system that's in a position to start a program, so only use that as a last alternative if you know what's safe to remove and not remove.

If you run the programs in my signature, and still have a problem, use HiJackthis to get a log file and copy/paste it into here before deleting anything. We can tell you what's safe to delete.
 
I used my Bart boot disk and ran Ad-aware and McAfee.

Spybot S&D doesn't find it either.

I need a logger program that will show me what ran and when. I'll give Hijackthis a try, if it can at least show me where it is. I will be a happy man.
 
Direwolf20 said:
Also, you can use HiJackThis, but with that program you will find a LOT of false positives. It lists EVERYTHING in your system that's in a position to start a program, so only use that as a last alternative if you know what's safe to remove and not remove.

There is no such thing as a false positive with HijackThis. The sole purpose of the program is to show you the various startup locations and associated programs regardless of if they are legitimate or not.

It's up to the user to figure out what is supposed to be legitimate or not.
 
Okay, I ran HiJack. There is a bunch of stuff that needs to go, but it also found the file that I need to destroy. Problem there is that the only file in that directory is a .tmp file. No "libacc.exe". Mighty confused here. (and yes, hidden files are shown)

- Log -
Logfile of HijackThis v1.99.0
Scan saved at 11:02:59 AM, on 1/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
\spserver\Dumping Ground\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 63.226.109.114 shredpro.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: .com
O1 - Hosts: on.com
O1 - Hosts: 1.iwon.com
O1 - Hosts: 1.iwon.com
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: om
O1 - Hosts: om
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: ind.com
O1 - Hosts: ind.com
O1 - Hosts: find.com
O1 - Hosts: find.com
O1 - Hosts: yfind.com
O1 - Hosts: yfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: w.zestyfind.com
O1 - Hosts: olbar.com
O1 - Hosts: w.zestyfind.com
O1 - Hosts: toolbar.com
O1 - Hosts: ertoolbar.com
O1 - Hosts: 1 www.zes
O1 - Hosts: m
O1 - Hosts: com
O1 - Hosts: n.com
O1 - Hosts: won.com
O1 - Hosts: .iwon.com
O1 - Hosts: w1.iwon.com
O1 - Hosts: 127.0.0.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {DF57FEB6-9BCE-45E3-AA65-BE327B8CCE7F} - C:\DOCUME~1\RICKNA~1\LOCALS~1\Temp\ccabil.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [*binxml] C:\WINDOWS\system\binxml.exe
O4 - HKLM\..\Run: [*fonts] C:\WINDOWS\system\fonts.exe
O4 - HKLM\..\Run: [*nutmain] C:\WINDOWS\Driver Cache\nutmain.exe
O4 - HKLM\..\Run: [*dlleula] C:\WINDOWS\AppPatch\dlleula.exe
O4 - HKLM\..\Run: [*libacc] C:\WINDOWS\Config\libacc.exe
O4 - HKLM\..\Run: [FortiClient] C:\Program Files\Fortinet\FortiClient\FortiClient.exe /minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\fortinet\forticlient\fortilsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\fortinet\forticlient\fortilsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\fortinet\forticlient\fortilsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\fortinet\forticlient\fortilsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.road.com/oralmasp/download/mgaxctrl6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ShredPro.Com
O17 - HKLM\Software\..\Telephony: DomainName = ShredPro.Com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ShredPro.Com
O23 - Service: Fortinet Service Scheduler - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


-----
By the way, this is my boss's laptop. My machine is NEVER this filled with crap.
 
Run MS-Antispy and/or SpySweeper on the machine, re-run hijack this and post the cleaner logs. It'll be easier to sort out once the automated tools do their thing, and they may fix it for you.
 
Get rid of the following:

O1 - Hosts: .com
O1 - Hosts: on.com
O1 - Hosts: 1.iwon.com
O1 - Hosts: 1.iwon.com
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: om
O1 - Hosts: om
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: ind.com
O1 - Hosts: ind.com
O1 - Hosts: find.com
O1 - Hosts: find.com
O1 - Hosts: yfind.com
O1 - Hosts: yfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: w.zestyfind.com
O1 - Hosts: olbar.com
O1 - Hosts: w.zestyfind.com
O1 - Hosts: toolbar.com
O1 - Hosts: ertoolbar.com
O1 - Hosts: 1 www.zes
O1 - Hosts: m
O1 - Hosts: com
O1 - Hosts: n.com
O1 - Hosts: won.com
O1 - Hosts: .iwon.com
O1 - Hosts: w1.iwon.com
O1 - Hosts: 127.0.0.

Here's your culprit:
O4 - HKLM\..\Run: [*libacc] C:\WINDOWS\Config\libacc.exe

Is fortinet something you installed? Seems like some kind of AV/Firewall program.

There's a few in there that look fishy, but I won't say for certain to whack them. The ones that might be ok to delete (if the above doesn't solve your problem, these are really up to you, I don't recognize them, but it doesn't mean they are bad):

O2 - BHO: CATLEvents Object - {DF57FEB6-9BCE-45E3-AA65-BE327B8CCE7F} - C:\DOCUME~1\RICKNA~1\LOCALS~1\Temp\ccabil.dat
O4 - HKLM\..\Run: [*binxml] C:\WINDOWS\system\binxml.exe
O4 - HKLM\..\Run: [*fonts] C:\WINDOWS\system\fonts.exe
O4 - HKLM\..\Run: [*nutmain] C:\WINDOWS\Driver Cache\nutmain.exe
O4 - HKLM\..\Run: [*dlleula] C:\WINDOWS\AppPatch\dlleula.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ShredPro.Com
O17 - HKLM\Software\..\Telephony: DomainName = ShredPro.Com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ShredPro.Com
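
An added example, not part of the original thread: a small Python triage pass over HijackThis-style log lines that flags the kinds of entries singled out in the reply above (malformed O1 hosts entries, a BHO loaded from a Temp directory, Run values whose names begin with `*` or that launch from a C:\WINDOWS subfolder other than system32). The function name `triage` and the heuristics are assumptions for illustration, and a flagged line is a lead to investigate, not a verdict; the sample lines are copied from the log posted earlier.

```python
import re

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: w.zestyfind.com
O1 - Hosts: 127.0.0.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CATLEvents Object - {DF57FEB6-9BCE-45E3-AA65-BE327B8CCE7F} - C:\DOCUME~1\RICKNA~1\LOCALS~1\Temp\ccabil.dat
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [*libacc] C:\WINDOWS\Config\libacc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# A well-formed hosts entry is "<IPv4 address> <hostname>".
HOSTS_RE = re.compile(r"^O1 - Hosts: \d{1,3}(?:\.\d{1,3}){3}\s+\S+$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (\S+)\\Run: \[([^\]]+)\] (.+)$")

def triage(log_text):
    """Return (reason, line) pairs for entries worth a closer look (heuristic)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O1 - Hosts:"):
            if not HOSTS_RE.match(line):
                findings.append(("malformed-hosts-entry", line))
        elif (m := BHO_RE.match(line)):
            path = m.group(3).lower()
            # BHOs are normally DLL/OCX files installed with a program, not temp files.
            if "\\temp\\" in path or not path.endswith((".dll", ".ocx")):
                findings.append(("bho-unusual-file", line))
        elif (m := RUN_RE.match(line)):
            name, cmd = m.group(2), m.group(3).lstrip('"').lower()
            # Every Run entry questioned in the thread has a '*'-prefixed value name.
            if name.startswith("*"):
                findings.append(("run-starred-name", line))
            # Assumption: autostart binaries rarely live in other C:\WINDOWS subfolders.
            if cmd.startswith("c:\\windows\\") and not cmd.startswith("c:\\windows\\system32\\"):
                findings.append(("run-windows-subdir", line))
    return findings

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason:24} {entry}")
```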
 
Do what Direwolf said... then:

(1) go into My_Computer>C:/>Documents and Settings>[your user acct.]>Cookies
delete everything but index.dat (which cannot be deleted)
(2) go into IE and delete all files, cookies, and offline content.
 