Trojan:Win32/Acll Virus Removal Guide (Windows 11)

Stephanie Adlam
12 Min Read
Trojan:Win32/Acll Analysis & Removal
Trojan:Win32/Acll is a recently discovered sample of spyware/infostealer malware

If you’re seeing Trojan:Win32/Acll detected by your antivirus, your computer might be running slow. You might notice your CPU fan spinning constantly. Strange processes are eating up your system resources. Your personal information could be at risk.

This guide will help you remove this stealer malware completely. Follow these step-by-step instructions to eliminate the threat. We’ll start with manual methods you can try right now.

Detection Name: Trojan:Win32/Acll
Alternative Names: Python/Acll, Stealer.Acll, Infostealer.Acll
Threat Type: Information Stealer / Spyware
Programming Language: Python (compiled to executable)
Primary Function: Steals passwords, cryptocurrency wallets, browser data, and personal information
Targeted Data: Browser credentials, crypto wallets, FTP/VPN settings, system information, keystrokes
Affected Systems: Windows 7, 8, 8.1, 10, 11 (32-bit and 64-bit)
Common Sources: Pirated software, malicious email attachments, fake system utilities
Distribution Methods: Software bundles, fake fan controllers, UEFI utilities, malicious downloads
Persistence Method: Registry startup entries, scheduled tasks, DLL sideloading
Data Exfiltration: Telegram API, cloud services (OneDrive, Azure), encrypted connections
Network Behavior: Connects to multiple IP addresses, uses HTTPS for data transmission
Risk Level: High – can steal financial information and cryptocurrency wallets
Removal Difficulty: Medium – requires registry cleanup and scheduled task removal
First Detected: 2024 (recent discovery, actively spreading)

[Screenshot: Trojan:Win32/Acll detection window]

What is Trojan:Win32/Acll?

Trojan:Win32/Acll is a stealer malware written in Python. It targets your sensitive information: login credentials, personal details, and financial data. It can grab files from your computer, performs keylogging to capture what you type, manipulates your clipboard, and carries out other spyware activities.

The malware spreads through malicious software downloads and malicious email attachments. Some samples mimic hardware management tools, posing as fan control utilities and UEFI parameter modifiers. Because such tools legitimately ask for administrator rights, this disguise helps the malware obtain the highest system privileges.

Technical Analysis

Before starting its malicious activities, Acll performs environment checks. It looks for signs of virtualization to avoid analysis. The malware checks these registry locations:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy

These keys hold certificate stores, Explorer policy settings, and the system's FIPS algorithm policy; their presence and values differ between a real user's machine and a fresh analysis VM. The malware also uses code obfuscation to evade static detection, a technique shared with many other stealers.

System Persistence

After checking the environment, Acll creates mutexes to prevent multiple instances:

Local\SM0:3648:304:WilStaging_02
Local\SM0:5144:304:WilStaging_02

The malware adds itself to Windows Task Scheduler for regular startups. It also creates registry entries to run at system startup:

schtasks /create /f /RU "%USERNAME%" /tr "%ProgramData%\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

Registry entry:

HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5

The malware also abuses a legitimate Windows binary for DLL sideloading, launched with this command:

C:\Windows\System32\wuapihost.exe -Embedding

Data Collection Targets

Acll specifically targets cryptocurrency wallets and sensitive user data. It collects passwords as hashes or plaintext. The malware searches browser folders and shared password storage locations:

C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\
C:\Users\<USER>\AppData\Local\Microsoft\Edge\User Data\
C:\Users\<USER>\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\<USER>\AppData\Local\Vivaldi\User Data
C:\Users\<USER>\AppData\Roaming\Opera Software\Opera GX Stable
C:\Users\<USER>\AppData\Local\Yandex\YandexBrowser\User Data

For cryptocurrency wallets, it targets these locations:

C:\Users\<USER>\AppData\Local\Coinomi\Coinomi\wallets
C:\Users\<USER>\AppData\Roaming\Electrum\wallets
C:\Users\<USER>\AppData\Roaming\Ethereum\keystore
C:\Users\<USER>\AppData\Roaming\Exodus\exodus.wallet
C:\Users\<USER>\AppData\Roaming\atomic\Local Storage\leveldb
C:\Users\<USER>\AppData\Roaming\bytecoin

The malware also targets FTP and VPN credentials. It looks for FileZilla, OpenVPN, and NordVPN settings. If you had any passwords stored on the infected device, you should reset all passwords immediately.

Data Exfiltration Methods

Acll sends stolen data to command and control servers. Some samples use a Telegram bot as an intermediate server (URLs defanged):

https://api.telegram[.]org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage
https://api.telegram[.]org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendDocument

The malware also uses cloud services including OneDrive, Microsoft Azure, and EdgeCast, which means some of its traffic blends in with legitimate Microsoft and CDN connections. Samples were observed connecting to these IP addresses:

TCP 204.79.197.203:443
TCP 34.117.186.192:443
TCP 149.154.167.220:443
TCP 20.99.186.246:443
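The following read-only audit script is an added example and is not code from the original article or from any vendor. It checks a machine for the persistence artifacts described under System Persistence (the "WinTrackerSP HR" task, the "ExtreamFanV5" Run value, the %ProgramData%\WinTrackerSP folder) and for live connections to the four addresses listed above; it assumes an elevated PowerShell 5.1 or later session on Windows and changes nothing. Because 204.79.197.203 and 149.154.167.220 belong to shared Microsoft and Telegram infrastructure, a connection hit from a browser or the Telegram Desktop client is expected and is only a lead, not proof of infection.

```powershell
# Added example (not from the original article): read-only audit for the Acll
# indicators quoted in the text. Run elevated; nothing is modified.
$TaskName    = 'WinTrackerSP HR'                              # scheduled task name from the article
$RunValue    = 'ExtreamFanV5'                                 # Run-key value name from the article
$DropFolder  = Join-Path $env:ProgramData 'WinTrackerSP'      # dropped executable folder
$C2Addresses = @('204.79.197.203', '34.117.186.192',
                 '149.154.167.220', '20.99.186.246')           # addresses listed in the article

$findings = @()

# 1. Hourly scheduled task used to re-launch the stealer
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task '$TaskName' present, runs: $action"
}

# 2. Run value under every loaded user hive (HKEY_USERS\<SID>\...\Run) and HKLM
$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') +
    (Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
        ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$RunValue]) {
        $findings += "Run value '$RunValue' in ${key}: $($props.$RunValue)"
    }
}

# 3. Dropped files, hashed so they can be looked up or submitted to a vendor
if (Test-Path $DropFolder) {
    Get-ChildItem $DropFolder -Recurse -File | ForEach-Object {
        $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        $findings += "File $($_.FullName) SHA256=$hash"
    }
}

# 4. Established connections to the listed addresses, with the owning process.
#    Microsoft and Telegram addresses are shared infrastructure: a hit from a
#    browser or Telegram Desktop is expected, so treat this as a lead only.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $C2Addresses -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($proc.ProcessName))"
    }

if ($findings.Count -eq 0) { 'No Acll indicators found.' } else { $findings }
```

Run it before and after cleanup; an empty result after a reboot into normal mode is the check that the persistence mechanisms did not restore the files.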

Manual Removal Steps

You can remove Trojan:Win32/Acll manually by following these steps. This process requires careful attention to detail. Make sure to follow each step completely.

Step 1: Boot into Safe Mode

Safe Mode prevents the malware from starting automatically. This makes removal easier and safer.

  1. Press Windows key + R to open Run dialog
  2. Type “msconfig” and press Enter
  3. Go to Boot tab
  4. Check “Safe boot” and select “Minimal”
  5. Click OK and restart your computer

Step 2: Identify Malicious Processes

Open Task Manager to find suspicious processes. Acll often runs under different names to hide itself.

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Click on “More details” if needed
  3. Look for processes with these characteristics:
     - High CPU usage for unknown processes
     - Processes running from %ProgramData% or %AppData% folders
     - Processes with names like “WinTrackerSP.exe” or “ExtreamFanV5”
  4. Right-click suspicious processes and select “End task”

Step 3: Delete Malicious Files

Navigate to common malware locations and delete suspicious files. Be careful not to delete legitimate system files.

  1. Open File Explorer
  2. Navigate to these folders:
     - %ProgramData%\WinTrackerSP\
     - %LocalAppData%\Temp\ (C:\Users\<USER>\AppData\Local\Temp\)
     - %AppData%\ (C:\Users\<USER>\AppData\Roaming\)
  3. Look for recently created folders with random names
  4. Delete any suspicious files and folders
  5. Empty the Recycle Bin

Step 4: Clean Startup Programs

Remove malware entries from startup programs to prevent automatic execution.

  1. Press Windows key + R
  2. Type “msconfig” and press Enter
  3. Go to Startup tab
  4. Look for suspicious entries, especially:
     - Entries pointing to %ProgramData%\WinTrackerSP\
     - Entries with names like “ExtreamFanV5”
  5. Uncheck suspicious entries
  6. Click OK

Step 5: Registry Cleanup

Clean malware entries from Windows Registry. This step requires caution as incorrect registry changes can damage Windows.

  1. Press Windows key + R
  2. Type “regedit” and press Enter
  3. Navigate to these registry keys:
     - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
     - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  4. Look for entries with suspicious names or paths
  5. Right-click suspicious entries and select “Delete”
  6. Close Registry Editor

Step 6: Check Scheduled Tasks

Remove malicious scheduled tasks that restart the malware.

  1. Press Windows key + R
  2. Type “taskschd.msc” and press Enter
  3. In Task Scheduler, expand “Task Scheduler Library”
  4. Look for tasks with suspicious names like “WinTrackerSP HR”
  5. Right-click suspicious tasks and select “Delete”
  6. Restart your computer in normal mode
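Steps 2 through 6 can also be carried out from one elevated PowerShell session, which is easier to repeat and to verify than clicking through msconfig, regedit and Task Scheduler. The script below is an added example, not code from the original article or from GridinSoft; it assumes Windows PowerShell 5.1 or later, that you are booted into Safe Mode as in Step 1, and that the artifact names are exactly those quoted in the article (adjust them if your sample differs). It quarantines the dropped folder instead of deleting it outright, so the sample can still be examined or submitted to a vendor.

```powershell
# Added example (not from the original article): scripted version of Steps 2-6.
# Run elevated, preferably in Safe Mode. Review each indicator before running.
$TaskName   = 'WinTrackerSP HR'                          # scheduled task from the article
$RunValue   = 'ExtreamFanV5'                             # Run-key value from the article
$DropFolder = Join-Path $env:ProgramData 'WinTrackerSP'  # dropped executable folder
$Quarantine = Join-Path $env:ProgramData ('Acll-quarantine-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Step 2: stop the dropped executable if it is running
Get-Process -Name 'WinTrackerSP' -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 6: remove the hourly scheduled task that re-launches the stealer
if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    "Removed scheduled task '$TaskName'"
}

# Steps 4-5: remove the Run value from HKLM and from every loaded user hive
$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') +
    (Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
        ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$RunValue]) {
        Remove-ItemProperty -Path $key -Name $RunValue
        "Removed Run value '$RunValue' from $key"
    }
}

# Step 3: quarantine (move, not delete) the dropped folder so it can be examined;
# delete the quarantine folder once you no longer need the sample
if (Test-Path $DropFolder) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    Move-Item -Path $DropFolder -Destination $Quarantine -Force
    "Moved $DropFolder to $Quarantine"
}

# Verification: report anything that is still present
$leftover = @()
if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) { $leftover += 'scheduled task' }
if (Test-Path $DropFolder) { $leftover += 'drop folder' }
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$RunValue]) { $leftover += "Run value in $key" }
}
if ($leftover.Count -gt 0) {
    "WARNING: still present: $($leftover -join ', ')"
} else {
    'Cleanup complete. Reboot in normal mode, re-run the audit, then change your passwords.'
}
```

Removing a value from a user hive under HKEY_USERS only works for hives that are currently loaded; if several people use the machine, sign each of them in once (or run the script under each account) so their Run keys are covered too.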

Automatic Removal with GridinSoft Anti-Malware

Manual removal can be complex and time-consuming. For a faster, more reliable solution, GridinSoft Anti-Malware offers automatic detection and removal of stealer malware. Professional anti-malware software can find hidden components and registry changes that you might miss.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Browser Cleanup

Remove Malicious Browser Extensions

Stealer malware like Acll often installs browser extensions to monitor your activity. Remove any suspicious extensions you don’t recognize.


Google Chrome

  1. Launch the Chrome browser.
  2. Click on the icon "Configure and Manage Google Chrome" ⇢ Additional Tools ⇢ Extensions.
  3. Click "Remove" next to the extension.

If you have an extension button on the browser toolbar, right-click it and select Remove from Chrome.

Mozilla Firefox

  1. Click the menu button, select Add-ons and Themes, and then click Extensions.
  2. Scroll through the extensions.
  3. Click on the … (three dots) icon for the extension you want to delete and select Delete.

Microsoft Edge

  1. Launch the Microsoft Edge browser.
  2. Click the three dots (…) menu in the top right corner.
  3. Select Extensions.
  4. Find the extension you want to remove and click Remove.
  5. Click Remove again to confirm.

Alternatively, you can type edge://extensions/ in the address bar to access the extensions page directly.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner.
  3. Select Extensions ⇢ Manage extensions.
  4. Find the extension you want to remove and click the X button next to it.
  5. Click Remove to confirm.

Alternatively, you can type opera://extensions/ in the address bar to access the extensions page directly.

Reset Your Browser

If you suspect browser-based data theft, reset your browser completely. This removes any malicious modifications and restores default settings.


Google Chrome

  1. Click the three vertical dots (⋮) in the top right corner and choose Settings.
  2. Choose Reset and clean up, then Restore settings to their original defaults.
  3. Click Reset settings.

Mozilla Firefox

  1. In the upper right corner click the three-line menu icon and choose Help.
  2. Choose More Troubleshooting Information.
  3. Choose Refresh Firefox…, then confirm with Refresh Firefox.

Microsoft Edge

  1. Click the three vertical dots (…) in the top right corner.
  2. Choose Settings.
  3. Click Reset settings, then click Restore settings to their default values.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner and select Settings.
  3. Scroll down to the Advanced section in the left sidebar and click Reset and clean up.
  4. Click Restore settings to their original defaults.
  5. Click Reset settings to confirm.

Alternatively, you can type opera://settings/reset in the address bar to access reset options directly.

How to Prevent Future Infections

Protecting yourself from trojan malware requires good security habits. Here’s how to stay safe:

Avoid Pirated Software
Cracked games and pirated software are common malware sources. Always download software from official websites. Pay for legitimate software when possible.

Be Careful with Email Attachments
Never open suspicious email attachments. Scam emails often contain malware. Verify sender identity before opening any attachments.

Keep Windows Updated
Install Windows security updates promptly. Updates fix vulnerabilities that malware exploits. Enable automatic updates for better protection.

Use Strong Passwords
Create unique passwords for different accounts. Consider using a password manager. Enable two-factor authentication where available.

Monitor System Performance
Watch for signs of infection like slow performance or high CPU usage. Suspicious processes might indicate malware presence.

Backup Important Data
Regular backups protect your data from theft and ransomware. Store backups offline or in secure cloud storage.

Frequently Asked Questions

What is Trojan:Win32/Acll and why is it dangerous?

Trojan:Win32/Acll is an information stealer that targets your personal data, passwords, and cryptocurrency wallets. It’s dangerous because it can steal financial information and sell it to cybercriminals. The malware runs quietly in the background while collecting your sensitive data.

How did Trojan:Win32/Acll get on my computer?

Most infections come from malicious game hacks or malicious email attachments. Some variants pretend to be system utilities like fan controllers. Always download software from official sources to avoid infection.

Can I remove Trojan:Win32/Acll manually?

Yes, you can remove it manually using the steps in this guide. However, manual removal requires technical knowledge and patience. Missing any components could leave your system vulnerable. Automatic removal tools are usually more reliable.

Is it safe to delete the processes and files mentioned?

The specific files and processes mentioned in this guide are associated with Acll malware. However, always verify file locations and names before deleting anything. When in doubt, use professional anti-malware software to avoid accidentally deleting system files.

How can I prevent Trojan:Win32/Acll in the future?

Avoid downloading cracked software and be cautious with email attachments. Keep Windows updated and use reputable antivirus software. Regular system scans can catch threats before they cause damage.

What if manual removal doesn’t work?

If manual removal fails, the malware might have deeper system integration. Use GridinSoft Anti-Malware for thorough automatic removal. Professional tools can detect hidden components and registry modifications that manual methods might miss.

Should I change all my passwords after infection?

Yes, change all passwords immediately after removing the malware. This includes online accounts, cryptocurrency wallets, and any stored passwords. Use strong, unique passwords for each account.

Can Trojan:Win32/Acll steal cryptocurrency?

Yes, this malware specifically targets cryptocurrency wallets including Electrum, Exodus, and Ethereum keystores. If you had crypto wallets on the infected computer, move your funds to new wallets immediately after cleaning the infection.

Quick Summary: Trojan:Win32/Acll is a Python-based stealer that targets passwords, personal data, and cryptocurrency wallets. It spreads through pirated software and email attachments. Remove it manually using the steps above, or use GridinSoft Anti-Malware for automatic removal. Always change passwords after infection and avoid downloading software from untrusted sources.
