pabumake / windowToolboxMalware-Removal

wTM-Removal searches and removes malicious files regarding the bad github repo
MIT License

Deutsche Version

1. windowToolboxMalwareRemoval


wTM-Removal searches and removes malicious files contained within windowstoolbox.

TLDR: Please report this bad Repo: https://github.com/windowtoolbox/under_observation

Repo is gone. Thank you all for helping to take it down 👍

1.1 Contents

2. Usage

  1. Right Click on "wTM-Removal.cmd"
  2. Choose "Run as Administrator"
  3. Accept the UAC Prompt for PowerShell
  4. When asked to remove, answer with Y/y -> Enter

  5. Reboot the System, then rerun the Script once more.
  6. On a third run the Script should report that nothing more was found and exit after 10 seconds.
  7. Run Windows Troubleshooting for Windows Updates

The Malware manipulates the Windows Update Service in some cases. This is meant to stop Windows Update from interfering with the Malware and rendering it unusable.

2.1 Differentiation between OS Languages

To address the Issue, I added clearer output to the Tool:

The Message is now differentiated in red/green and, for our colorblind folks, in [ ! ] / [ - ].
We also added Yellow for short explanations and [ ? ] for colorblind folks.

3. Combined Investigation Report from SemperVideo Discord Community

Malicious Script Suite this Discord-Server is about: https://github.com/windowtoolbox/powershell-windows-toolbox
Wayback Archive Link before the repository was changed.

Second Account used: https://github.com/alexrybak0444
This might be the original (unaffected) project: https://github.com/WinTweakers/WindowsToolbox

Deleted issue in the original repository:
Wayback Archive Link before the repository was changed.

3.1 Deobfuscated

All thanks to @ZerGo0
Stage 1: (@LinuxUserGD)
https://gist.github.com/ZerGo0/aa0984800fd6da0a9d9e7842a0dc3645
Stage 1: Explained

Stage 2:
https://gist.github.com/ZerGo0/690175a1163bd4747d825491810c6ebb
Stage 2: Explained

Stage 3: https://gist.github.com/ZerGo0/ce1d2786cdb5ecca248f309a98b1d987
Stage 3: Explained

Showcase 1 (Gets stuck at Curl)
https://app.any.run/tasks/40c113ab-7908-4979-8810-8733fd67bf3a/

Showcase 2 / (Progressing the Script by hand)
https://app.any.run/tasks/b6f0d354-bce5-401a-b422-08d262b2be82/

3.2 Are you affected?

To check whether you are infected:
Open PowerShell as Administrator and run

Get-WinSystemLocale

If "Name" starts with "en-", check the rest; if not, you are most likely safe.

Do these folders exist?

C:\systemfile\
C:\Windows\security\pywinvera
C:\Windows\security\pywinveraa

Do these Tasks exist in Task Scheduler

Microsoft\Windows\AppID\VerifiedCert
Microsoft\Windows\Application Experience\Maintenance
Microsoft\Windows\Services\CertPathCheck
Microsoft\Windows\Services\CertPathw
Microsoft\Windows\Servicing\ComponentCleanup
Microsoft\Windows\Servicing\ServiceCleanup
Microsoft\Windows\Shell\ObjectTask
Microsoft\Windows\Clip\ServiceCleanup

Then you are affected!
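The check above as a read-only PowerShell audit, added here as an example (it is not part of wTM-Removal or the original repository): it records the system locale, tests each listed folder and scheduled task, and prints the result in the tool's red/green, [ ! ]/[ - ] convention. Only standard Windows cmdlets are used; the function name Test-WtmIndicators is my own, and the script removes nothing, that is the tool's job.

```powershell
# Added example, not part of wTM-Removal: read-only audit of the indicators listed
# above. Run from an elevated PowerShell; it only reports and changes nothing.
$Folders = @(
    'C:\systemfile\',
    'C:\Windows\security\pywinvera',
    'C:\Windows\security\pywinveraa'
)
# Scheduled tasks from the list above, as full Task Scheduler paths.
$Tasks = @(
    '\Microsoft\Windows\AppID\VerifiedCert',
    '\Microsoft\Windows\Application Experience\Maintenance',
    '\Microsoft\Windows\Services\CertPathCheck',
    '\Microsoft\Windows\Services\CertPathw',
    '\Microsoft\Windows\Servicing\ComponentCleanup',
    '\Microsoft\Windows\Servicing\ServiceCleanup',
    '\Microsoft\Windows\Shell\ObjectTask',
    '\Microsoft\Windows\Clip\ServiceCleanup'
)
function Test-WtmIndicators {
    $findings = @()
    # Stage 3 only carries on under an "en-" system locale, so record it as context.
    $locale = (Get-WinSystemLocale).Name
    foreach ($f in $Folders) {
        if (Test-Path -LiteralPath $f) { $findings += "folder: $f" }
    }
    foreach ($t in $Tasks) {
        # Get-ScheduledTask wants the folder (leading and trailing backslash kept)
        # and the task name as separate parameters.
        $path = $t.Substring(0, $t.LastIndexOf('\') + 1)
        $name = $t.Substring($t.LastIndexOf('\') + 1)
        $task = Get-ScheduledTask -TaskPath $path -TaskName $name -ErrorAction SilentlyContinue
        if ($task) { $findings += "task: $t (state: $($task.State))" }
    }
    [PSCustomObject]@{
        SystemLocale = $locale
        LocaleIsEn   = $locale.StartsWith('en-', [StringComparison]::OrdinalIgnoreCase)
        Findings     = $findings
        Affected     = ($findings.Count -gt 0)
    }
}
# Output follows the tool's convention: red [ ! ] / green [ - ] / yellow [ ? ].
$r = Test-WtmIndicators
Write-Host "[ ? ] System locale: $($r.SystemLocale) (en- locale: $($r.LocaleIsEn))" -ForegroundColor Yellow
if ($r.Affected) {
    Write-Host "[ ! ] Indicators found, run wTM-Removal:" -ForegroundColor Red
    $r.Findings | ForEach-Object { Write-Host "      $_" -ForegroundColor Red }
} else {
    Write-Host "[ - ] None of the listed folders or tasks exist." -ForegroundColor Green
}
```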

3.3 Why are only "en-" Users affected?

There is a check in Stage 3, where the bad stuff happens: it reads the SystemLocale, and if it does not start with "en-" it kills the cmd.exe,
which stops everything else (look at the first showcase linked above).
On the right side you see the Processes; once it reaches cmd.exe (560) it opens PowerShell with the check.


The check fails (for us Germans, for example) and it kills itself.
For others, the script just keeps going.

4. Thanks to

@BlockyTheDev
blubbablasen
Kay
@ThisLimn0
@LinuxUserGD
Mikasa
@OptionalM
Sonnenläufer
@Zergo0
@Zuescho
for Investigative Work & Reporting

Cirno
Harromann
Janmm14
@luzeadev
XplLiciT
for Bugfixes, Testing and QoS improvements

@Zeryther
for translating the README into German

@pabumake ko-fi