Open your Task Manager. If you see a "Form 1" application running all the time, and its process is algssl.exe, yes, it is a Trojan. Apparently it originates from the Chinese community. I am not sure how I got it, but apparently Norton and other anti-virus tools cannot remove it completely, so you have to do it manually.
Most of the online explanations are in Chinese, so I am writing an English one for people who don't know Chinese but got this Chinese Trojan on their computer.
Step 1:
Kill the algssl.exe process
Step 2:
Go to C:\Windows\System32\
Delete algssl.exe, msime80.exe, and msfir80.exe
Step 3:
Edit the Registry (run regedit)
Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Delete CheckedValue (the Trojan tampers with this value so that hidden files stay hidden even when "show hidden files" is turned on).
Recreate CheckedValue as a DWORD with Value = 1 (right-click in the right pane, New > DWORD Value, name it CheckedValue, then double-click it and set the data to 1).
Step 4:
If you are using XP, you can probably turn on "show hidden files" and search for autorun.inf and tel.xls.exe (or sal.xls.exe). They sit at the top level of each hard drive (C:\, D:\, E:\, F:\, G:\ and so on) and should all be removed. Note that your external/pluggable hard drives may be affected as well, so plug them in and do the search and delete on them too.
If you are using Vista, unfortunately "show hidden files" does not do the trick. What I did was use the command prompt. From the root of each drive (type D: and press Enter to switch, for example), you can list hidden files with
C:\>dir /AH
and delete them with
C:\>del /AH autorun.inf
C:\>del /AH sal.xls.exe
*If any of your hard drives still has these files, double-clicking the drive to explore it will install the same Trojan again (that is what the autorun.inf is for). So when you switch between drives, do not double-click to explore them; type E: (for example) in the Explorer address bar instead.
Step 5:
Go back to regedit and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and remove any entry that references msime80.exe or msfir80.exe.
Step 6:
I didn't have to do this step, but apparently some people do. Run msconfig, go to the Startup tab and remove anything that references msime80.exe or msfir80.exe.
Restart your machine; everything should be OK now.
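As an added example (not from the original post), here are the same checks as a single PowerShell audit script. The file, process and registry names are the ones from the steps above; the script itself and its $repair switch are my own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added audit script, not part of the original post. It only reports findings;
# set $repair = $true to redo Step 3 (delete and recreate CheckedValue as DWORD 1).
# Nothing here opens a drive in Explorer, so autorun.inf is never triggered.
$repair      = $false
$suspectExes = 'algssl.exe', 'msime80.exe', 'msfir80.exe'
$rootFiles   = 'autorun.inf', 'tel.xls.exe', 'sal.xls.exe'
$runKeys     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$showAllKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'

# Step 1: is any of the dropped executables running? (ProcessName has no .exe)
$suspectNames = $suspectExes -replace '\.exe$', ''
Get-Process | Where-Object { $suspectNames -contains $_.ProcessName } |
    ForEach-Object { "RUNNING  : $($_.ProcessName) (PID $($_.Id))" }

# Step 2: dropped executables in System32
foreach ($f in $suspectExes) {
    $p = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path -LiteralPath $p) { "FILE     : $p" }
}

# Step 3: CheckedValue must be a DWORD (Int32) equal to 1; a missing value,
# a 0, or a string "1" all mean the hidden-files setting has been tampered with
$cv = Get-ItemProperty -Path $showAllKey -Name CheckedValue -ErrorAction SilentlyContinue
if ($null -eq $cv -or $cv.CheckedValue -isnot [int] -or $cv.CheckedValue -ne 1) {
    "REGISTRY : SHOWALL\CheckedValue is missing or not DWORD 1 (current: '$($cv.CheckedValue)')"
    if ($repair) {
        Remove-ItemProperty -Path $showAllKey -Name CheckedValue -ErrorAction SilentlyContinue
        New-ItemProperty -Path $showAllKey -Name CheckedValue -PropertyType DWord -Value 1 | Out-Null
    }
}

# Step 4: autorun droppers at the root of every drive (Test-Path sees hidden files)
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($f in $rootFiles) {
        $p = Join-Path $d.Root $f
        if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) { "DRIVEROOT: $p" }
    }
}

# Steps 5 and 6: persistence through the Run keys (skip the PS* provider properties)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'algssl|msime80|msfir80' } |
        ForEach-Object { "RUN KEY  : $k\$($_.Name) = $($_.Value)" }
}
```

Plug in any external drives before running it so their roots are checked as well.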
Thanks Jacqui. Works great.
Scott Nelson
No worries. :) Good that it helps. :)
You are my hero! Thank you, Jacqui! After exhaustive searches, this is the only free approach I found to removing the algssl.exe virus.
I still see a call to start msime80.exe in my startup services in msconfig, but I have disabled it and the msime80.exe file is nowhere on my system. So, I'm not worried about it, but would like to remove that service on startup. Let me know if you have a fix. Otherwise, I'm all set.
Thanks again!
http://cococokie.wordpress.com/2007/06/16/how-to-remove-startup-entries-from-msconfig/
This guy has a fix for it! :D
That was easy. Thanks!
I pretty much handled most of it. What I didn't know is that it was screwing up my hidden file settings as well, and I'm quite surprised I didn't notice it. What I did notice was that it was opening drives in full-screen Explorer, instead of the windowed mode I had set up. Anyhow, thanks for the tips... fixed.
Yeah, I had the same problems :)
Thx for this nice tutorial ;)
Gypsy: Can you explain how to recreate a DWORD CheckedValue with Value = 1?
Thanks
Great post, it solved the problem I've had. Thank you!
Thanks!!!!!
Many thanks!!! I don't know much about computers. But WinRAR shows all files (hidden or not). Could we just delete autorun and sal.xls using it? (Seems to be working for me.)
Correcting: I meant instead of doing steps 3 and 4.