Recurring Algssl.exe Problems ?

How to Remove It Manually?
  1. The first thing you have to do is to terminate the process of algssl.exe using "Task Manager". This is very important. Otherwise, the process of algssl.exe will cause interruption to the following steps, especially step 3.
  2. The second thing that you need to do is to get rid of the autorun.inf file in C drive and all other drives. To do this, the most effective way is through this video.
  3. Then, proceed to fix the viewing hidden files problem. This has to be done via regedit.
      Click Start/Run,type regedit then press Ok
      Navigate to the following registry key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
      \Advanced\Folder\Hidden\SHOWALL

      Now right click on,and delete the value "CheckedValue" in the right
      hand window.

      Now create a new "DWORD Value" called exactly "CheckedValue" in the
      right hand window.
      Double click on "CheckedValue".
      In the opening 'Edit DWORD Value' box,set the 'Value data:' to 1

      Press Ok,exit regedit,restart your pc. Thanks to this link
  4. After restarted, 'enable viewing of hidden files' and also 'enable viewing protected operating system files'. Then use Windows search utility to search for the following files(if it is found) and delete them
    • msfir80.exe (would be found in c:\windows\system32)


    • msime80.exe (would be found in c:\windows\system32)
    • algssl.exe - You have to go to task manager to terminate the process first.
    • sal.xls.exe
    • tel.xls.exe
  5. Then fix the startup settings. You can either get it done with regedit or msconfig or both.
      regedit:
      Look under HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Run &
      HKEY_CURRENT_USER\Software Microsoft\Windows\CurrentVersion\Run and delete way the entries for both msfir80.exe and msime80.exe

      msconfig:
      Disable the entries under msconfig/startup
  6. Done, restart you machine.

What is this bugger Algssl.exe ?

Under Window Task Manager (Ctrl+Alt+Delete)




Who is in the family (The whole package of malwares that collectively act together)?

  1. Autorun.inf
  2. msime80.exe
  3. msfir80.exe
  4. sal.xls.exe

How Do They Look Like ?



Autorun.inf is just a text file and triggers everytime you accesses the partition which it sits.

Sal.xls.exe is originated from China. I believe it is spread heavily via the Edison Chen's dilemma.

Symptoms ?

  1. Make changes to registries during system startup (Windows Boot Up).
    • Disable viewing of hidden files
    • Automatically starts trojan files(msime80.exe & msfir80.exe)

  2. It will place autorun.inf in all partitions.
  3. It will place 'sal.xls.exe' in non active partitions --> you have to enable viewing protected operating system files.
  4. It will place msfir80.exe and msime.exe into '\windows\system32\' of the active partitions. You have to search msfir80.exe and msime80.exe from within the 'c:\windows\system32' itself.
Anti-virus and Malwares Programs ?
  1. Spyware Doctor couldn't find it
  2. AVG couldn't find it
  3. Windows Defender Scanner also couldn't find it...

How Does It Spread ?
  1. I got it from thumb-drive interactions, where the file 'autorun.inf' will copy sal.xls.exe into your computer from the infected thumb-drive.
  2. Spreading of LAN is not yet proven.
  3. Infected download files.

The Best Solution ?
--> Use Windows Vista and enable User Account Control(UAC). Why ?
  1. UAC prevents it from altering any registries during Windows booting up.
  2. Windows Defender (with UAC turned on) able to analyze where it is coming from ? (i.e the actual path of the files and etc)
  3. Even if you haven't totally got rid of all the files, having UAC turned-on would allow you to monitor what funny things malwares are doing at the back; by auditing changes request to system settings



Find out more about sal.xls.exe

Comments

Anonymous said…
Hello. This post is likeable, and your blog is very interesting, congratulations :-). I will add in my blogroll =). If possible gives a last there on my blog, it is about the Câmera Digital, I hope you enjoy. The address is http://camera-fotografica-digital.blogspot.com. A hug.
Brandon Teoh said…
Thanks for commenting.

I enjoy your blog too.

But what language is that ?