rogue program running - acccr.exe

Tags:
Microsoft Windows XP
Hello, I have a remote user's desktop that has slowed to a crawl. When I look at processor usage, one program is hogging 80% of the CPU resources. I have never seen this program before and all attempts to remove it have failed. I ran several different spyware/adware removal programs and took out the entries manually in the registry, and it keeps coming back. The program file is acccr.exe. Has anybody seen this, and what is it?

Answer Wiki


The real problem isn’t acccr, it’s the service that has been installed that is regenerating the file.

Install WinPatrol. (Freeware from the web.) Its display of the running services is easier to navigate than the Windows version. Then delete the odd-ball service.

Also, search your hard drive for all .exe files. Sort them by most recent date first. Then work backwards, looking for unknown executables that have been added lately. Most of these kinds of programs install their reinstaller in the System32 folder.

Good Luck,
Kent
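Kent's two checks (find the odd-ball service, then find which service or process keeps re-creating the file) can be scripted. The block below is an added example, not code from Kent or from the original page. It assumes PowerShell 2.0 or later on the affected XP machine (an optional download for XP SP3) run from an administrator prompt; $suspect is the file name from the question, and the 14-day window for "recent" is an assumption.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ on the affected
# machine and an administrator prompt. $suspect and the 14-day window are assumptions.
$suspect = 'acccr.exe'
$days    = 14
$cutoff  = (Get-Date).AddDays(-$days)

function Get-ExePath([string]$commandLine) {
    # Service PathName / process command lines may be quoted and carry arguments;
    # keep only the executable path.
    if ($commandLine -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($commandLine -match '^\s*(\S+)')     { return $matches[1] }
    return $commandLine
}

# 1. Every installed service with its binary, start mode and the binary's last-write
#    time. The "odd-ball" service is usually the one whose binary is newest, or whose
#    binary is not where the registry says it is.
$services = Get-WmiObject Win32_Service | ForEach-Object {
    $exe = Get-ExePath $_.PathName
    $mod = $null
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $mod = (Get-Item -LiteralPath $exe).LastWriteTime
    }
    New-Object PSObject -Property @{
        Service   = $_.Name
        Display   = $_.DisplayName
        StartMode = $_.StartMode
        State     = $_.State
        Binary    = $exe
        Modified  = $mod
        Recent    = ($mod -ne $null -and $mod -gt $cutoff)
    }
}

"--- Services whose binary was written after $cutoff, or whose binary is missing ---"
$services | Where-Object { $_.Recent -or $_.Modified -eq $null } |
    Sort-Object Modified -Descending |
    Format-Table Service, StartMode, State, Modified, Binary -AutoSize

# 2. Does any service point at the suspect file directly?
"--- Services referencing $suspect ---"
$services | Where-Object { $_.Binary -and ($_.Binary -like "*\$suspect") } |
    Format-Table Service, Display, StartMode, State, Binary -AutoSize

# 3. Running copies of the suspect and the process that started each one. The parent
#    is the reinstaller candidate; a parent that has already exited shows as <exited>.
"--- Running processes for $suspect and their parents ---"
$procs = Get-WmiObject Win32_Process
foreach ($p in ($procs | Where-Object { $_.Name -eq $suspect })) {
    $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
    "{0} (pid {1}) from {2}`n   started by: {3} (pid {4}) from {5}" -f `
        $p.Name, $p.ProcessId, $p.ExecutablePath,
        $(if ($parent) { $parent.Name } else { '<exited>' }), $p.ParentProcessId,
        $(if ($parent) { $parent.ExecutablePath } else { '' })
}
```

Run the script before killing anything, because step 3 only works while the rogue process is alive. A service whose binary has a recent last-write time and a display name that imitates a Windows component is the one to stop (sc stop and sc delete from a command prompt) before the file itself is removed; deleting the file first just lets the service put it back, which is the loop the question describes.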

Discuss This Question: 4 Replies

 
  • KputerBob
    First, I would do a search to find the file(s) acccr.exe. Right-click on the file and select Properties. Click on the second tab, "Version", and check all the information available there, especially "Internal Name" and "Original File Name". You might find out the program's real name from there. Your search might also display the temp folder used when it was installed; perhaps some of the other files there would be more searchable at Google, giving you a clue as to its origin and purpose.

    Second, I would D/L & install StartupMonitor (http://www.mlin.net/StartupMonitor.shtml). At least with a program like this running, you will be able to see which program keeps registering acccr.exe to be run again at the next boot.

    I hope this helps, but keep us posted with your progress. Have a Great Day! KputerBob
  • Sonotsky
    A quick search of Google does not return any results for acccr.exe; however, accr.exe appears to be some kind of dialer for making voice calls through your modem (I don't read Cyrillic very well).

    In any case, I use Process Explorer to see all running procs and how they are dependent. You can search on a filename, as well as view the tree. Spybot Search & Destroy can, optionally, run agents that monitor Registry changes and allow you to pre-empt them. Of course, this assumes that you have a clean system to begin with.

    One of the above replies mentions going and looking for new programs. This is a good step, once you've run a malware removal program (such as Spybot), killed off wayward processes, and cleaned the Registry by hand. However, before your next reboot, you must look in the %WINDIR%, %WINDIR%\system, and %WINDIR%\system32 folders for programs (.EXE and .BAT seem to be the primary culprits). If you spot a program name that you do not know for certain (and in some cases, even then), check out its Version properties. If the file has no Version tab on its Properties sheet, it's often safe to assume that it's not a nice program. Rename the file (I usually just add a dash to the end of the file extension) and make sure you have your recovery disks handy, just in case.

    When you've gone through all programs, reboot. Run the malware remover again, check the task list again, check for new programs again. Rinse and repeat until nothing new appears. (Alternatively, it's often easier to restore an image or backup of the system to a known good state, unless you want to rack up some overtime hours...)
  • MisterX83
    I recently removed a couple of trojans from my mother-in-law's PC. Reimage was not an option, plus I got the bit in my teeth over the challenge. One of the trojans had a file that was visible, but couldn't be removed because it was in use by the other trojan file that was not visible, even with hidden files displayed. The hidden file was started by a registry value (AppInit_DLLs) in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows. The data value looked blank in regedit, but could be seen and deleted with Registrar Lite, which I downloaded from the web. Then I had to boot to the Windows Recovery Console to delete the hidden file; after that I could delete the one that could be seen in Windows Explorer.

    Other places to look in the registry are the various Run keys, and the (Default) value in the HKCR\?\shell\open\command keys, where the ? represents the common executable file types like "batfile", "cmdfile", "exefile", etc. The data should read '"%1" %*' (without the single quote marks). If there is another file name in the data, that's your trojan, and it will run again whenever that kind of file is executed. If you are lucky you can delete these hooks with regedit.

    I agree with an earlier post: Spybot S&D has a cool supplementary app called Tea Timer which locks the registry. A pop-up screen asks you to OK every change to be made to the registry. After fixing Mom-in-law's PC I loaded it on one of mine, and not five minutes later it prevented the same trojan (about:blank) from getting into the registry on my PC!

    Trojans are a pain in the rear, but you can clean them, if you have to. On a business machine, though, a reformat and re-image is best in the long run. Once compromised you can never be sure you have gotten every single little bit of spyware/malware off the machine. I know this is long, but I'm trying to distill two weeks' worth of web searching, downloading, scanning, and cleaning. Good Luck
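The registry locations MisterX83 lists (the Run keys, AppInit_DLLs, and the (Default) value of the shell\open\command keys), which are also where KputerBob's StartupMonitor would see acccr.exe being re-registered, can be dumped in one pass. The block below is an added example, not MisterX83's code or anything from the original page. It assumes PowerShell 2.0 or later run from an administrator prompt; the list of Run keys and the table of file types with their stock command strings extend the batfile/cmdfile/exefile defaults quoted above and are assumptions.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ and an
# administrator prompt. The key list and the expected-command table are assumptions.

# 1. Autostart values under the Run keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
"--- Run keys ---"
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($name in $key.GetValueNames()) {
        "{0}\{1} = {2}" -f $k, $name, $key.GetValue($name)
    }
}

# 2. AppInit_DLLs. Anything listed here is loaded into every process that loads
#    user32.dll. The length and raw UTF-16 bytes are printed as well, so a value that
#    only looks empty in regedit (as MisterX83 describes) still shows up here.
"--- AppInit_DLLs ---"
$winKey  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = [string](Get-Item $winKey).GetValue('AppInit_DLLs')
"AppInit_DLLs = '{0}' (length {1})" -f $appInit, $appInit.Length
if ($appInit.Length -gt 0) {
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($appInit)
    'bytes: ' + (($bytes | ForEach-Object { $_.ToString('x2') }) -join ' ')
}

# 3. shell\open\command hooks. A trojan inserted here runs every time a file of that
#    type is executed, so the (Default) value must match the stock string exactly.
#    The table is an assumption; only batfile/cmdfile/exefile are quoted in the thread.
"--- shell\open\command defaults ---"
$expected = @{
    'exefile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'cmdfile' = '"%1" %*'
    'piffile' = '"%1" %*'
    'scrfile' = '"%1" /S'
}
foreach ($type in $expected.Keys) {
    $p = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    if (-not (Test-Path $p)) { "${type}: key missing"; continue }
    $actual = [string](Get-Item $p).GetValue('')
    if ($actual -eq $expected[$type]) {
        "${type}: OK"
    } else {
        "${type}: HOOKED -> $actual   (expected $($expected[$type]))"
    }
}
```

A hooked exefile entry is the reason "run the cleaner again" so often fails: the cleaner, and every other .exe you launch, is started through the trojan. Fix that value first (from regedit, or from the Recovery Console if the file it names cannot be deleted), then run the removal tools. Save the script's output before and after each reboot and diff the two; a Run value or command hook that comes back tells you the regenerating component is still alive.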
  • ArrghOff2Pillage
    Lot of good advice here, just thought I would add some to fill in some holes. I usually use Spybot with Tea Timer enabled, as it helps to isolate the services as described elsewhere here. I also do a visual inspection of the Windows, WINNT, and system32 directories, with the ability to view hidden system files. Sort on Attribute. Look at the properties of all that are listed as HSA or HSRA. Create a quarantine folder. NOTE: CARE MUST BE TAKEN HERE, AS SOME OF THESE MAY BELONG TO SYSTEM PROCESSES. IF YOU ARE NOT WELL EXPERIENCED IN RECOVERY OF WINDOWS SYSTEMS, DO NOT TRY THIS! Those that do not have a digital signature, move to the quarantine if possible. Then sort by date modified and repeat the above. Next sort by date created and repeat. Note that you may find some that cannot be removed except by booting to the safe mode command prompt. I just started seeing these variants about 3 weeks ago and they are a bugger to get rid of.

    Whenever you use a spyware remover, I suggest always having a copy of LSPfix on hand. Spybot and Adaware do a fine job of removal, but sometimes they neglect to repair the damage caused by removal of items within the Winsock chain. This usually shows up as an inability to browse.

    One additional item. I have come across in the past few weeks a variant that appears to have changed the send/receive window on the machine. Uninstalling and re-installing TCP/IP had no effect on it; however, the TCP/IP speed-up registry hacks from speedguide.net rectified the situation.
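The folder sweep that Sonotsky and ArrghOff2Pillage describe (hidden/system attributes, KputerBob's Version tab, digital signature, date modified and date created, then rename with a trailing dash and move to a quarantine folder) is scripted below as an added example; it is not code from any of the posters or from the original page. It assumes PowerShell 2.0 or later run from an administrator prompt; the quarantine path and the extension list are assumptions, and $DoQuarantine is left at $false so the first run only reports.

```powershell
# Added example, not from any of the replies on this page. Assumes PowerShell 2.0+
# on the affected XP machine and an administrator prompt. The quarantine folder and
# the extension list are assumptions; $DoQuarantine stays $false until the report
# has been read.
$DoQuarantine  = $false
$QuarantineDir = 'C:\quarantine'                        # assumption
$dirs = @($env:WINDIR,
          (Join-Path $env:WINDIR 'system'),
          (Join-Path $env:WINDIR 'system32'))
$exts = '.exe', '.com', '.bat', '.cmd', '.scr', '.dll'  # assumption

$report = foreach ($d in $dirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    # -Force includes hidden and system files; no recursion, so the list matches
    # Explorer with "show hidden files" turned on.
    Get-ChildItem -LiteralPath $d -Force |
      Where-Object { -not $_.PSIsContainer -and ($exts -contains $_.Extension.ToLower()) } |
      ForEach-Object {
        $f = $_
        $v = $f.VersionInfo           # all fields empty when the file has no Version tab
        $hasVersion = [bool]($v.FileVersion -or $v.InternalName -or $v.OriginalFilename -or $v.CompanyName)
        # Attribute letters in Explorer's order: R, H, S, A
        $attr = ''
        if (($f.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0) { $attr += 'R' }
        if (($f.Attributes -band [IO.FileAttributes]::Hidden)   -ne 0) { $attr += 'H' }
        if (($f.Attributes -band [IO.FileAttributes]::System)   -ne 0) { $attr += 'S' }
        if (($f.Attributes -band [IO.FileAttributes]::Archive)  -ne 0) { $attr += 'A' }
        New-Object PSObject -Property @{
            Path         = $f.FullName
            Attr         = $attr
            Modified     = $f.LastWriteTime
            Created      = $f.CreationTime
            HasVersion   = $hasVersion
            InternalName = $v.InternalName
            OrigName     = $v.OriginalFilename
            Signature    = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
        }
      }
}

# Suspects: hidden+system files (HSA, HSRA and the like), or files with no version
# resource at all. Listed newest-modified first, then again newest-created first.
$suspects = $report |
  Where-Object { $_.Attr -like '*HS*' -or -not $_.HasVersion } |
  Sort-Object Modified -Descending
$suspects | Format-Table Attr, Modified, Created, HasVersion, Signature, InternalName, Path -AutoSize
$suspects | Sort-Object Created -Descending | Format-Table Attr, Created, Path -AutoSize

if ($DoQuarantine) {
    if (-not (Test-Path -LiteralPath $QuarantineDir)) {
        New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
    }
    foreach ($s in $suspects) {
        # Rename with a trailing dash first (Sonotsky's trick), which stops the file
        # from being run by name; then move the renamed copy into quarantine.
        $newName = (Split-Path -Leaf $s.Path) + '-'
        Rename-Item -LiteralPath $s.Path -NewName $newName -ErrorAction SilentlyContinue
        $renamed = Join-Path (Split-Path -Parent $s.Path) $newName
        if (Test-Path -LiteralPath $renamed) {
            Move-Item -LiteralPath $renamed -Destination $QuarantineDir
        } else {
            'Could not rename (in use?): ' + $s.Path
        }
    }
}
```

Two caveats before trusting the Signature column. On Windows XP most Microsoft system binaries carry no embedded Authenticode signature; they are signed through catalog files, which Get-AuthenticodeSignature does not consult on that platform, so NotSigned on a file in system32 is not proof of anything. Run sigverif.exe (File Signature Verification, part of XP) to check against the catalogs before quarantining a file that claims to be a Windows component. Likewise, .bat and .cmd files never have a Version tab, so HasVersion is only meaningful for .exe, .com, .scr and .dll. Files reported as "Could not rename" are in use and have to be dealt with from safe mode or the Recovery Console, as MisterX83 and ArrghOff2Pillage describe.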
