Sal.xls.exe - Not Able to Enable Viewing of Hidden Files For Vista

First of all, my sister's laptop got infected with some malware, and here are the findings. It was infected through an infected pen-drive.

I then concluded that Vista was safe from this threat; however, I soon realized that my own laptop, which is currently running Vista, had also been infected by the malware.

It is identified by a file called sal.xls.exe (or tel.xls.exe), and a full description can be found here.

To put it simply, it probably got onto my Vista machine through my sister's infected laptop, spreading across the LAN in my house. During that time, UAC on my Vista machine was disabled for development purposes.

When it infects a machine, it first creates an autorun file (autorun.inf) on the C drive which points to sal.xls.exe.

On the next boot, sal.xls.exe is executed, and it causes one problem and drops a few additional files.

The only problem it causes is that you cannot view hidden files. When you enable viewing of hidden files from Folder Options, the setting rolls back to "Do not view hidden files". This is the only problem, and it is not harmful by itself.

The additional files created as spoofs are:
  • algssl.exe
  • msfir80.exe (a trojan)
  • msime80.exe (a trojan)

I don't really want to go into too much explanation... instead, I will just show the steps I took from discovery to restoring the system.

I first discovered the problem not because of any peculiarity in the system (even with autorun.inf resting comfortably on my C drive, I could still open Explorer from My Computer), but from the Windows Task Manager.

"Form1" is a window created by the algssl.exe process.

Then I checked 'msconfig' and found that..

So, the next thing to do was to remove all these files.

Take note that Windows Defender doesn't help in this case; one reason is that Windows Defender couldn't scan the hidden files (because the damage done to the laptop is to break the feature for viewing hidden files).

This web page taught me how to remove all these files. Too bad it is in Mandarin.

Let me translate it here with minor enhancements.
  1. The first thing you have to do is terminate the algssl.exe process using Task Manager. This is very important; otherwise, the algssl.exe process will interfere with the following steps, especially step 3.
  2. The second thing you need to do is get rid of the autorun.inf file on the C drive and all other drives. The most effective way to do this is shown in this video. The content of autorun.inf looks like this..

  3. Then, proceed to fix the hidden-files viewing problem. This has to be done via regedit.
      Click Start/Run, type regedit, then press OK.
      Navigate to the following registry key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

      In the right-hand pane, right-click the value "CheckedValue" and delete it.

      Now create a new "DWORD Value" in the right-hand pane called exactly "CheckedValue".
      Double-click "CheckedValue".
      In the 'Edit DWORD Value' box that opens, set 'Value data:' to 1.

      Press OK, exit regedit, and restart your PC. Thanks to this link.
  4. After the restart, enable viewing of hidden files and also enable viewing of protected operating system files. Then use the Windows search utility to search for the following files (if they are found) and delete them:
    • msfir80.exe (would be found in c:\windows\system32)
    • msime80.exe (would be found in c:\windows\system32)
    • algssl.exe - You have to go to Task Manager to terminate the process first.
    • sal.xls.exe
    • tel.xls.exe
  5. Then fix the startup settings. You can do this with regedit, msconfig, or both.
      regedit:
      Look under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and delete the entries for both msfir80.exe and msime80.exe.

      msconfig:
      Disable the entries under msconfig/Startup.
  6. Done. Restart your machine.
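As an added example (not part of the original post, and not from any tool mentioned in it), here is a PowerShell script that audits a machine for the indicators named in steps 1 to 5 above and can repair the SHOWALL registry value. The file names and registry paths are the ones the post gives; the script itself, its -Repair switch, and the choice to only report files rather than delete them are my own assumptions. Run it from an elevated prompt; it only writes to the registry when -Repair is given, and you still restart afterwards as step 6 says.

```powershell
# Added audit/repair script for the sal.xls.exe package described above.
# Names below are taken from the post; everything else is assumed.
param(
    [switch]$Repair   # restore SHOWALL\CheckedValue and remove matching Run entries
)

$showAllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$runKeys    = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
$badNames   = @('sal.xls.exe', 'tel.xls.exe', 'algssl.exe', 'msfir80.exe', 'msime80.exe')

# Step 1: report any of the named processes that are still running.
# Get-Process strips the final extension, so "sal.xls" becomes "sal.xls.exe" here.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $badNames -contains ($_.Name + '.exe') } |
    ForEach-Object { Write-Warning "Process running: $($_.Name) (PID $($_.Id))" }

# Step 2 / tip 2: look for autorun.inf in the root of every file-system drive.
# Test-Path and Get-Content see hidden files; only Get-ChildItem hides them.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root }
foreach ($drive in $drives) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Warning "autorun.inf present at $inf"
        Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue | ForEach-Object { "    $_" }
    }
}

# Step 3: CheckedValue must be a DWORD with data 1. A string "1" is not enough,
# which is why the post deletes the value and recreates it as a DWORD.
$needsFix = $true
try {
    $key  = Get-Item -Path $showAllKey -ErrorAction Stop
    $kind = $key.GetValueKind('CheckedValue')      # throws if the value is missing
    $data = $key.GetValue('CheckedValue')
    $needsFix = -not ($kind -eq 'DWord' -and $data -eq 1)
    if ($needsFix) { Write-Warning "SHOWALL\CheckedValue is $kind '$data' (expected DWord 1)" }
} catch {
    Write-Warning "SHOWALL\CheckedValue is missing or unreadable: $_"
}
if ($needsFix -and $Repair) {
    Remove-ItemProperty -Path $showAllKey -Name CheckedValue -ErrorAction SilentlyContinue
    New-ItemProperty -Path $showAllKey -Name CheckedValue -PropertyType DWord -Value 1 | Out-Null
    Write-Output 'Recreated CheckedValue as DWORD 1; restart for the change to take effect.'
}

# Step 4 / tips 3 and 4: report the named files in System32 and in every drive root.
$dirs = @("$env:SystemRoot\System32") + ($drives | ForEach-Object { $_.Root })
foreach ($dir in $dirs) {
    foreach ($name in $badNames) {
        $candidate = Join-Path $dir $name
        if (Test-Path -LiteralPath $candidate) {
            $attr = (Get-Item -LiteralPath $candidate -Force).Attributes
            Write-Warning "File present: $candidate [$attr]"
        }
    }
}

# Step 5: Run entries whose command mentions one of the names; removed only with -Repair.
foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $command = [string]$key.GetValue($valueName)
        foreach ($name in $badNames) {
            if ($command.ToLower().Contains($name)) {
                Write-Warning "Startup entry '$valueName' in $path runs: $command"
                if ($Repair) { Remove-ItemProperty -Path $path -Name $valueName }
            }
        }
    }
}
```

Run it once without -Repair to see what is present, kill the reported process as step 1 says, then run it again with -Repair. The files are deliberately only listed, because a still-running algssl.exe can recreate them and because the post's own sequence deletes them by hand after the restart.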
More Tips (complementing the steps above):
  1. In Vista, User Account Control (UAC) is able to stop this malware package from editing the registry.
  2. It will place autorun.inf in all partitions.
  3. It will place 'sal.xls.exe' in non-active partitions --> you have to enable viewing of protected operating system files to see it.
  4. It will place msfir80.exe and msime80.exe into '\windows\system32\' of the active partition. You have to search for msfir80.exe and msime80.exe from within 'c:\windows\system32' itself.

Conclusion:

  1. Vista is only resistant to this infection if UAC is enabled.
  2. The only damage the sal.xls.exe worm does is to prevent viewing of hidden files, which interferes with the working of anti-virus and anti-malware software such as Windows Defender.
  3. It will spread from machine to machine over the LAN (need to confirm this again).
  4. It spreads through thumb-drive interactions.
  5. I did mention that Spyware Doctor is a great tool for dealing with these things, much better than AVG (free edition). However, it is only available for Windows XP under Google Pack (also known as the starter edition). For Vista, the free version is called the trial version and is similar to AVG (free edition), in that it permits real-time detection and removal of threats but not on-demand scans. Check it out here.. Spyware Doctor is not able to detect sal.xls.exe (algssl.exe + autorun.inf + msime80.exe + msfir80.exe).
  6. If, after going through the steps described above, you still have recurring algssl.exe attacks, then you should at least disable it each time before you connect to the Internet, because it is known to have outbound communication and may potentially transfer unsolicited information out of your computer. Perform at least step 1 described above (kill the active process, which will come back after restarts).
  7. All copies of 'sal.xls.exe' have to be removed physically (from all partitions) and from thumb-drives. It is the main file of this malware package (sal.xls.exe, autorun.inf, msime80.exe, msfir80.exe, algssl.exe).

Comments

Anonymous said…
thanks, this was helpful
Anonymous said…
Thanks a lot!
best regards / Jonas in sweden
Anonymous said…
Great article. Thank you from Germany
Unknown said…
thx a lot, from Romania, best regards
Anonymous said…
Thank you a lot. Not everything was applicable in my case, but everything was explained so well that I could fix my computer. The only other source that came in useful was http://www.scribd.com/doc/2353773/Step-By-Step-Manual-Delete-Autorun-Virus
and this along with this page helped a total beginner get rid of the persistent Sal.xls.exe and autorun.inf files.
My computer's folder structure was set out a little differently, but since you provided two ways of getting to the HKEY place, I could figure out the location and delete the startup commands for the other bad exe files.

Once again, thank you.
Anonymous said…
thanx a lot
Dario said…
THANK YOU SOOOOOOOOOOOOO MUCH!!!!!!!!