{"id":22298,"date":"2024-05-23T10:46:11","date_gmt":"2024-05-23T10:46:11","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=22298"},"modified":"2025-06-29T01:04:29","modified_gmt":"2025-06-29T01:04:29","slug":"trojan-win32-acll","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/trojan-win32-acll\/","title":{"rendered":"Trojan:Win32\/Acll Virus Removal Guide (Windows 11)"},"content":{"rendered":"

If you’re seeing Trojan:Win32\/Acll detected by your antivirus, your computer might be running slow. You might notice your CPU fan spinning constantly. Strange processes are eating up your system resources. Your personal information could be at risk.<\/p>\n

This guide will help you remove this stealer malware completely. Follow these step-by-step instructions to eliminate the threat. We’ll start with manual methods you can try right now.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Detection Name<\/strong><\/td>\nTrojan:Win32\/Acll<\/td>\n<\/tr>\n
Alternative Names<\/strong><\/td>\nPython\/Acll, Stealer.Acll, Infostealer.Acll<\/td>\n<\/tr>\n
Threat Type<\/strong><\/td>\nInformation Stealer<\/a> \/ Spyware<\/a><\/td>\n<\/tr>\n
Programming Language<\/strong><\/td>\nPython (compiled to executable)<\/td>\n<\/tr>\n
Primary Function<\/strong><\/td>\nSteals passwords, cryptocurrency wallets, browser data, and personal information<\/td>\n<\/tr>\n
Targeted Data<\/strong><\/td>\nBrowser credentials, crypto wallets, FTP\/VPN settings, system information, keystrokes<\/td>\n<\/tr>\n
Affected Systems<\/strong><\/td>\nWindows 7, 8, 8.1, 10, 11 (32-bit and 64-bit)<\/td>\n<\/tr>\n
Common Sources<\/strong><\/td>\nPirated software<\/a>, malicious email attachments, fake system utilities<\/td>\n<\/tr>\n
Distribution Methods<\/strong><\/td>\nSoftware bundles, fake fan controllers, UEFI utilities, malicious downloads<\/td>\n<\/tr>\n
Persistence Method<\/strong><\/td>\nRegistry startup entries, scheduled tasks, DLL sideloading<\/td>\n<\/tr>\n
Data Exfiltration<\/strong><\/td>\nTelegram API, cloud services (OneDrive, Azure), encrypted connections<\/td>\n<\/tr>\n
Network Behavior<\/strong><\/td>\nConnects to multiple IP addresses, uses HTTPS for data transmission<\/td>\n<\/tr>\n
Risk Level<\/strong><\/td>\nHigh<\/span> – Can steal financial information and cryptocurrency wallets<\/td>\n<\/tr>\n
Removal Difficulty<\/strong><\/td>\nMedium<\/span> – Requires registry cleanup and scheduled task removal<\/td>\n<\/tr>\n
First Detected<\/strong><\/td>\n2024 (recent discovery, actively spreading)<\/td>\n<\/tr>\n<\/table>\n
\"Trojan:Win32\/Acll
Trojan:Win32\/Acll detection window<\/figcaption><\/figure>\n

What is Trojan:Win32\/Acll?<\/h2>\n

Trojan:Win32\/Acll is a stealer malware coded in Python. It targets your sensitive information. The malware steals login credentials, personal details, and financial data. It can grab files from your computer. It does keylogging to capture what you type. It manipulates your clipboard and performs other spyware activities<\/a>.<\/p>\n

The malware spreads through malicious software downloads<\/a> and malicious email attachments. Some samples mimic hardware management tools. They pretend to be fan controlling utilities and UEFI parameter modifiers. This trick helps them get highest system privileges.<\/p>\n

Technical Analysis<\/h2>\n

Before starting its malicious activities, Acll performs environment checks. It looks for signs of virtualization to avoid analysis. The malware checks these registry locations:<\/p>\n

\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\r\n<\/pre>\n
These keys contain certificate stores and security settings. The malware uses code obfuscation to avoid detection, similar to techniques used by other heuristic threats<\/a>.<\/p>\n
System Persistence<\/h3>\n
After checking the environment, Acll creates mutexes to prevent multiple instances:<\/p>\n
\r\nLocal\\SM0:3648:304:WilStaging_02\r\nLocal\\SM0:5144:304:WilStaging_02\r\n<\/pre>\n
The malware adds itself to Windows Task Scheduler for regular startups. It also creates registry entries to run at system startup:<\/p>\n
\r\nschtasks \/create \/f \/RU "%USERNAME%" \/tr "%ProgramData%\\WinTrackerSP\\WinTrackerSP.exe" \/tn "WinTrackerSP HR" \/sc HOURLY \/rl HIGHEST\r\n<\/pre>\n
Registry entry:<\/p>\n
\r\nHKEY_USERS\\%SID%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExtreamFanV5\r\n<\/pre>\n
The malware uses DLL sideloading through this command:<\/p>\n
\r\nC:\\Windows\\System32\\wuapihost.exe -Embedding\r\n<\/pre>\n
Data Collection Targets<\/h3>\n
Acll specifically targets cryptocurrency wallets<\/a> and sensitive user data. It collects passwords as hashes or plaintext. The malware searches browser folders and shared password storage locations:<\/p>\n
\r\nC:\\Users\\<USER>\\AppData\\Local\\Google\\Chrome\\User Data\\\r\nC:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\\r\nC:\\Users\\user\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\r\nC:\\Users\\user\\AppData\\Local\\Vivaldi\\User Data\r\nC:\\Users\\user\\AppData\\Roaming\\Opera Software\\Opera GX Stable\r\nC:\\Users\\user\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\r\n<\/pre>\n
For cryptocurrency wallets, it targets these locations:<\/p>\n
\r\nC:\\Users\\user\\AppData\\Local\\Coinomi\\Coinomi\\wallets\r\nC:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\r\nC:\\Users\\user\\AppData\\Roaming\\Ethereum\\keystore\r\nC:\\Users\\user\\AppData\\Roaming\\Exodus\\exodus.wallet\r\nC:\\Users\\user\\AppData\\Roaming\\atomic\\Local Storage\\leveldb\r\nC:\\Users\\user\\AppData\\Roaming\\bytecoin\r\n<\/pre>\n
The malware also targets FTP and VPN credentials. It looks for FileZilla, OpenVPN, and NordVPN settings. If you had any passwords stored on the infected device, you should reset all passwords<\/a> immediately.<\/p>\n
Data Exfiltration Methods<\/h3>\n
Acll sends stolen data to command and control servers<\/a>. Some samples use Telegram bot as an intermediate server:<\/p>\n
\r\nhttps:\/\/api.telegram[.]org\/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718\/sendMessage\r\nhttps:\/\/api.telegram.org\/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718\/sendDocument\r\n<\/pre>\n
The malware also uses cloud services including OneDrive, Microsoft Azure, and EdgeCast. It connects to these IP addresses:<\/p>\n
\r\nTCP 204.79.197.203:443\r\nTCP 34.117.186.192:443\r\nTCP 149.154.167.220:443\r\nTCP 20.99.186.246:443\r\n<\/pre>\n
Manual Removal Steps<\/h2>\n
You can remove Trojan:Win32\/Acll manually by following these steps. This process requires careful attention to detail. Make sure to follow each step completely.<\/p>\n
Step 1: Boot into Safe Mode<\/h3>\n
Safe Mode prevents the malware from starting automatically. This makes removal easier and safer.<\/p>\n
    \n
  1. Press Windows key + R to open Run dialog<\/li>\n
  2. Type “msconfig” and press Enter<\/li>\n
  3. Go to Boot tab<\/li>\n
  4. Check “Safe boot” and select “Minimal”<\/li>\n
  5. Click OK and restart your computer<\/li>\n<\/ol>\n
    Step 2: Identify Malicious Processes<\/h3>\n
    Open Task Manager to find suspicious processes. Acll often runs under different names to hide itself.<\/p>\n
      \n
    1. Press Ctrl + Shift + Esc to open Task Manager<\/li>\n
    2. Click on “More details” if needed<\/li>\n
    3. Look for processes with these characteristics:<\/li>\n
    4. High CPU usage for unknown processes<\/li>\n
    5. Processes running from %ProgramData% or %AppData% folders<\/li>\n
    6. Processes with names like “WinTrackerSP.exe” or “ExtreamFanV5”<\/li>\n
    7. Right-click suspicious processes and select “End task”<\/li>\n<\/ol>\n
      Step 3: Delete Malicious Files<\/h3>\n
      Navigate to common malware locations and delete suspicious files. Be careful not to delete legitimate system files.<\/p>\n
        \n
      1. Open File Explorer<\/li>\n
      2. Navigate to these folders:<\/li>\n
      3. %ProgramData%\\WinTrackerSP\\<\/li>\n
      4. %AppData%\\Local\\Temp\\<\/li>\n
      5. %AppData%\\Roaming\\<\/li>\n
      6. Look for recently created folders with random names<\/li>\n
      7. Delete any suspicious files and folders<\/li>\n
      8. Empty the Recycle Bin<\/li>\n<\/ol>\n
        Step 4: Clean Startup Programs<\/h3>\n
        Remove malware entries from startup programs to prevent automatic execution.<\/p>\n
          \n
        1. Press Windows key + R<\/li>\n
        2. Type “msconfig” and press Enter<\/li>\n
        3. Go to Startup tab<\/li>\n
        4. Look for suspicious entries, especially:<\/li>\n
        5. Entries pointing to %ProgramData%\\WinTrackerSP\\<\/li>\n
        6. Entries with names like “ExtreamFanV5”<\/li>\n
        7. Uncheck suspicious entries<\/li>\n
        8. Click OK<\/li>\n<\/ol>\n
          Step 5: Registry Cleanup<\/h3>\n
          Clean malware entries from Windows Registry. This step requires caution as incorrect registry changes can damage Windows.<\/p>\n
            \n
          1. Press Windows key + R<\/li>\n
          2. Type “regedit” and press Enter<\/li>\n
          3. Navigate to these registry keys:<\/li>\n
          4. HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/li>\n
          5. HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/li>\n
          6. Look for entries with suspicious names or paths<\/li>\n
          7. Right-click suspicious entries and select “Delete”<\/li>\n
          8. Close Registry Editor<\/li>\n<\/ol>\n
            Step 6: Check Scheduled Tasks<\/h3>\n
            Remove malicious scheduled tasks that restart the malware.<\/p>\n
              \n
            1. Press Windows key + R<\/li>\n
            2. Type “taskschd.msc” and press Enter<\/li>\n
            3. In Task Scheduler, expand “Task Scheduler Library”<\/li>\n
            4. Look for tasks with suspicious names like “WinTrackerSP HR”<\/li>\n
            5. Right-click suspicious tasks and select “Delete”<\/li>\n
            6. Restart your computer in normal mode<\/li>\n<\/ol>\n
              Automatic Removal with GridinSoft Anti-Malware<\/h2>\n
              Manual removal can be complex and time-consuming. For a faster, more reliable solution, GridinSoft Anti-Malware offers automatic detection and removal of stealer malware. Professional anti-malware software can find hidden components and registry changes that you might miss.<\/p>\n\"GridinSoft\n
              Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.<\/p>\n
              Download Anti-Malware<\/a><\/div>\n
              After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click \"Advanced mode\" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.<\/p>\n\"Scan\n
              Click \"Clean Now\" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.<\/p>\n\"Removal\n
              Browser Cleanup<\/h2>\n
              Remove Malicious Browser Extensions<\/h3>\n
              Stealer malware like Acll often installs browser extensions to monitor your activity. Remove any suspicious extensions you don’t recognize.<\/p>\n
              Google Chrome<\/span>Mozilla Firefox<\/span>Microsoft Edge<\/span>Opera<\/span><\/div>
              \n
              Google Chrome<\/h4>\n
                \n    
              1. Launch the Chrome browser.<\/li>\n    
              2. Click on the icon \"Configure and Manage Google Chrome\" \u21e2 Additional Tools \u21e2 Extensions.<\/li>\n    
              3. Click \"Remove\" next to the extension.<\/li>\n<\/ol>\n
                If you have an extension button on the browser toolbar, right-click it and select Remove from Chrome.<\/p>\n<\/div>\n
                \n
                Mozilla Firefox<\/h4>\n
                  \n    
                1. Click the menu button, select Add-ons<\/strong> and Themes<\/strong>, and then click Extensions.<\/li>\n    
                2. Scroll through the extensions.<\/li>\n    
                3. Click on the \u2026 (three dots) icon for the extension you want to delete and select Delete<\/strong>.<\/li>\n<\/ol>\n<\/div>\n
                  \n
                  Microsoft Edge<\/h4>\n
                    \n    
                  1. Launch the Microsoft Edge browser.<\/li>\n    
                  2. Click the three dots (\u2026) menu in the top right corner.<\/li>\n    
                  3. Select Extensions<\/strong>.<\/li>\n    
                  4. Find the extension you want to remove and click Remove<\/strong>.<\/li>\n    
                  5. Click Remove<\/strong> again to confirm.<\/li>\n<\/ol>\n
                    Alternatively, you can type edge:\/\/extensions\/<\/strong> in the address bar to access the extensions page directly.<\/p>\n<\/div>\n
                    \n
                    Opera<\/h4>\n
                      \n    
                    1. Launch the Opera browser.<\/li>\n    
                    2. Click the Opera<\/strong> menu button in the top left corner.<\/li>\n    
                    3. Select Extensions<\/strong> \u21e2 Manage extensions<\/strong>.<\/li>\n    
                    4. Find the extension you want to remove and click the X<\/strong> button next to it.<\/li>\n    
                    5. Click Remove<\/strong> to confirm.<\/li>\n<\/ol>\n
                      Alternatively, you can type opera:\/\/extensions\/<\/strong> in the address bar to access the extensions page directly.<\/p>\n<\/div><\/div><\/div>\n
                      Reset Your Browser<\/h3>\n
                      If you suspect browser-based data theft, reset your browser completely. This removes any malicious modifications and restores default settings.<\/p>\n
                      Google Chrome<\/span>Mozilla Firefox<\/span>Microsoft Edge<\/span>Opera<\/span><\/div>
                      \n
                      Google Chrome<\/h4>\n
                        \n    
                      1. Tap on the three verticals \u2026 in the top right corner and Choose Settings. \"Choose<\/li>\n    
                      2. Choose Reset and Clean up and Restore settings to their original defaults. \"Choose<\/li>\n    
                      3. Tap Reset settings. \"Fake<\/li>\n<\/ol>\n<\/div>\n
                        \n
                        Mozilla Firefox<\/h4>\n
                          \n    
                        1. In the upper right corner tap the three-line icon and Choose Help. \"Firefox:<\/li>\n    
                        2. Choose More Troubleshooting Information. \"Firefox:<\/li>\n    
                        3. Choose Refresh Firefox\u2026 then Refresh Firefox. \"Firefox:<\/li><\/ol>\n<\/div>\n
                          \n
                          Microsoft Edge<\/h4>\n
                            \n    
                          1. Tap the three verticals. \"Microsoft<\/li>\n    
                          2. Choose Settings. \"Microsoft<\/li>\n    
                          3. Tap Reset Settings, then Click Restore settings to their default values. \"Disable<\/li>\n<\/ol>\n<\/div>\n
                            \n
                            Opera<\/h4>\n
                              \n    
                            1. Launch the Opera browser.<\/li>\n    
                            2. Click the Opera<\/strong> menu button in the top left corner and select Settings<\/strong>.<\/li>\n    
                            3. Scroll down to the Advanced<\/strong> section in the left sidebar and click Reset and clean up<\/strong>.<\/li>\n    
                            4. Click Restore settings to their original defaults<\/strong>.<\/li>\n    
                            5. Click Reset settings<\/strong> to confirm.<\/li>\n<\/ol>\n
                              Alternatively, you can type opera:\/\/settings\/reset<\/strong> in the address bar to access reset options directly.<\/p>\n<\/div><\/div><\/div>\n
                              How to Prevent Future Infections<\/h2>\n
                              Protecting yourself from trojan malware<\/a> requires good security habits. Here’s how to stay safe:<\/p>\n
                              Avoid Pirated Software<\/strong>
                              \n                              Cracked games and pirated software<\/a> are common malware sources. Always download software from official websites. Pay for legitimate software when possible.<\/p>\n
                              Be Careful with Email Attachments<\/strong>
                              \nNever open suspicious email attachments.                               Scam emails<\/a> often contain malware. Verify sender identity before opening any attachments.<\/p>\n
                              Keep Windows Updated<\/strong>
                              \nInstall Windows security updates promptly. Updates fix vulnerabilities that malware exploits. Enable automatic updates for better protection.<\/p>\n
                              Use Strong Passwords<\/strong>
                              \nCreate unique passwords for different accounts. Consider using a password manager. Enable two-factor authentication where available.<\/p>\n
                              Monitor System Performance<\/strong>
                              \nWatch for signs of infection like slow performance or high CPU usage.                               Suspicious processes<\/a> might indicate malware presence.<\/p>\n
                              Backup Important Data<\/strong>
                              \nRegular backups protect your data from theft and ransomware. Store backups offline or in secure cloud storage.<\/p>\n
                              Frequently Asked Questions<\/h2>\n
                              What is Trojan:Win32\/Acll and why is it dangerous?<\/h3>\n
                              Trojan:Win32\/Acll is an information stealer that targets your personal data, passwords, and cryptocurrency wallets. It’s dangerous because it can steal financial information and sell it to cybercriminals. The malware runs quietly in the background while collecting your sensitive data.<\/p>\n
                              How did Trojan:Win32\/Acll get on my computer?<\/h3>\n
                              Most infections come from malicious game hacks<\/a> or malicious email attachments. Some variants pretend to be system utilities like fan controllers. Always download software from official sources to avoid infection.<\/p>\n
                              Can I remove Trojan:Win32\/Acll manually?<\/h3>\n
                              Yes, you can remove it manually using the steps in this guide. However, manual removal requires technical knowledge and patience. Missing any components could leave your system vulnerable. Automatic removal tools are usually more reliable.<\/p>\n
                              Is it safe to delete the processes and files mentioned?<\/h3>\n
                              The specific files and processes mentioned in this guide are associated with Acll malware. However, always verify file locations and names before deleting anything. When in doubt, use professional anti-malware software to avoid accidentally deleting system files.<\/p>\n
                              How can I prevent Trojan:Win32\/Acll in the future?<\/h3>\n
                              Avoid downloading cracked software<\/a> and be cautious with email attachments. Keep Windows updated and use reputable antivirus software. Regular system scans can catch threats before they cause damage.<\/p>\n
                              What if manual removal doesn’t work?<\/h3>\n
                              If manual removal fails, the malware might have deeper system integration. Use GridinSoft Anti-Malware for thorough automatic removal. Professional tools can detect hidden components and registry modifications that manual methods might miss.<\/p>\n
                              Should I change all my passwords after infection?<\/h3>\n
                              Yes, change all passwords immediately after removing the malware. This includes online accounts, cryptocurrency wallets, and any stored passwords. Use strong, unique passwords<\/a> for each account.<\/p>\n
                              Can Trojan:Win32\/Acll steal cryptocurrency?<\/h3>\n
                              Yes, this malware specifically targets cryptocurrency wallets including Electrum, Exodus, and Ethereum keystores. If you had crypto wallets on the infected computer, move your funds to new wallets immediately after cleaning the infection.<\/p>\n
                              \nQuick Summary:<\/strong> Trojan:Win32\/Acll is a Python-based stealer that targets passwords, personal data, and cryptocurrency wallets. It spreads through pirated software and email attachments. Remove it manually using the steps above, or use GridinSoft Anti-Malware for automatic removal. Always change passwords after infection and avoid downloading software from untrusted sources.
                              \n<\/div>\n
                              \"Trojan:Win32\/Acll<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
                              If you’re seeing Trojan:Win32\/Acll detected by your antivirus, your computer might be running slow. You might notice your CPU fan spinning constantly. Strange processes are eating up your system resources. Your personal information could be at risk. This guide will help you remove this stealer malware completely. Follow these step-by-step instructions to eliminate the threat. […]<\/p>\n","protected":false},"author":7,"featured_media":22302,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[4],"tags":[48,1360,223],"class_list":{"0":"post-22298","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tips-tricks","8":"tag-spyware","9":"tag-stealer","10":"tag-windows-defender"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/05\/GS_Blog_banner_Trojan_Win32_Acll.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/22298","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=22298"}],"version-history":[{"count":18,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/22298\/revisions"}],"predecessor-version":[{"id":31206,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/22298\/revisions\/31206"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/22302"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=22298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=22298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=22298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}