# windowToolboxMalwareRemoval

wTM-Removal searches for and removes the malicious files dropped by windowstoolbox.
TLDR: Please report this bad Repo: https://github.com/windowtoolbox/under_observation
1. windowToolboxMalwareRemoval
2. Usage
3. Combined Investigation Report from SemperVideo Discord Community
4. Thanks to
## Usage

1. Start `wTM-Removal.cmd` as Administrator (`wTM-Removal.ps1` needs to be in the same folder).
2. Accept the UAC prompt for PowerShell.
3. When asked to confirm the removal, answer `Y`/`y` and press Enter.
4. Reboot the system and run the Windows Update troubleshooter.
## Combined Investigation Report from SemperVideo Discord Community

The malicious repository this Discord investigation is about: https://github.com/windowtoolbox/powershell-windows-toolbox
(Wayback Archive link from before the repository was changed.)

Second account used: https://github.com/alexrybak0444

This might be the original project: https://github.com/WinTweakers/WindowsToolbox

Deleted issue in the original repository (Wayback Archive link from before the repository was changed).
All thanks to @ZerGo0

- Stage 1 (@LinuxUserGD): https://gist.github.com/ZerGo0/aa0984800fd6da0a9d9e7842a0dc3645
  - Stage 1: Explained
- Stage 2: https://gist.github.com/ZerGo0/690175a1163bd4747d825491810c6ebb
  - Stage 2: Explained
- Stage 3: https://gist.github.com/ZerGo0/ce1d2786cdb5ecca248f309a98b1d987
  - Stage 3: Explained
- Showcase 1 (gets stuck at curl): https://app.any.run/tasks/40c113ab-7908-4979-8810-8733fd67bf3a/
- Showcase 2 (progressing the script by hand): https://app.any.run/tasks/b6f0d354-bce5-401a-b422-08d262b2be82/
To check if you are infected:

Open PowerShell as admin and run:

```powershell
Get-WinSystemLocale
```

If `Name` starts with `en-`, check the rest; if not, you are most likely safe.

Do any of these exist?

- `C:\systemfile\`
- `C:\Windows\security\pywinvera`
- `C:\Windows\security\pywinveraa`

Or do any of these tasks exist in Task Scheduler?

- `Microsoft\Windows\AppID\VerifiedCert`
- `Microsoft\Windows\Application Experience\Maintenance`
- `Microsoft\Windows\Services\CertPathCheck`
- `Microsoft\Windows\Services\CertPathw`
- `Microsoft\Windows\Servicing\ComponentCleanup`
- `Microsoft\Windows\Servicing\ServiceCleanup`
- `Microsoft\Windows\Shell\ObjectTask`
- `Microsoft\Windows\Clip\ServiceCleanup`

If so, you are affected!
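The manual check above, put into one read-only PowerShell script as an added example. This is not part of wTM-Removal and removes nothing; it only reports what it finds. The paths and task names are the ones listed in the report; the function name `Test-WtmIndicators` is made up for this example. Run it in an elevated PowerShell session, as the instructions say.

```powershell
# Added example, not part of wTM-Removal: a read-only check for the indicators
# listed in the report. It changes nothing on the system; it only reports.
# Run in an elevated PowerShell session.

# Dropped files/directories named in the report.
$SuspectPaths = @(
    'C:\systemfile\',
    'C:\Windows\security\pywinvera',
    'C:\Windows\security\pywinveraa'
)

# Scheduled tasks named in the report (folder\name, as shown in Task Scheduler).
$SuspectTasks = @(
    'Microsoft\Windows\AppID\VerifiedCert',
    'Microsoft\Windows\Application Experience\Maintenance',
    'Microsoft\Windows\Services\CertPathCheck',
    'Microsoft\Windows\Services\CertPathw',
    'Microsoft\Windows\Servicing\ComponentCleanup',
    'Microsoft\Windows\Servicing\ServiceCleanup',
    'Microsoft\Windows\Shell\ObjectTask',
    'Microsoft\Windows\Clip\ServiceCleanup'
)

function Test-WtmIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # Stage 3 only proceeds on an "en-" system locale. A non-"en-" locale is a
    # strong hint that you are not affected, but the file/task checks still run.
    $locale = (Get-WinSystemLocale).Name
    $localeTargeted = $locale -like 'en-*'

    foreach ($p in $SuspectPaths) {
        if (Test-Path -LiteralPath $p) {
            $findings.Add("Path present: $p")
        }
    }

    foreach ($t in $SuspectTasks) {
        # Get-ScheduledTask takes the folder as '\Folder\Sub\' and the name separately.
        $name = Split-Path -Path $t -Leaf
        $path = '\' + (Split-Path -Path $t -Parent) + '\'
        $task = Get-ScheduledTask -TaskPath $path -TaskName $name -ErrorAction SilentlyContinue
        if ($task) {
            # Record what the task actually runs, so a hit can be verified by eye.
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            $findings.Add("Task present: $t -> $actions")
        }
    }

    [pscustomobject]@{
        SystemLocale   = $locale
        LocaleTargeted = $localeTargeted
        Findings       = $findings.ToArray()
        Affected       = ($findings.Count -gt 0)
    }
}

$result = Test-WtmIndicators
$result | Format-List
if ($result.Affected) {
    Write-Warning 'Indicators found: run wTM-Removal.cmd as Administrator and reboot afterwards.'
}
```

The script prints each matched task together with the command it executes, so a match can be confirmed before running the removal; `Get-ScheduledTask` is available on Windows 8 / Server 2012 and later.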
There is a check in Stage 3, where the bad stuff happens: it reads the system locale, and if it does not start with "en-" it kills cmd.exe, which stops everything else (look at the first showcase linked above). On the right side you see the processes; when it reaches cmd.exe 560 it opens PowerShell with the check. The check fails (for us Germans, for example) and it kills itself. For others, the script just keeps going.
## Thanks to

For investigative work & reporting:

- @Blocky38
- blubbablasen
- Kay
- Limn0
- @LinuxUserGD
- Mikasa
- @OptionalM
- Sonnenläufer
- @Zergo0
- @Zuescho

For bugfixes, testing and QoS improvements:

- Cirno
- Harromann
- Janmm14
- @luzeadev
- XplLiciT

For translating the README into German:

- @Zeryther