wTM-Removal searches for and removes malicious files contained within windowstoolbox.
TLDR:
Please report this malicious repo: https://github.com/windowtoolbox/under_observation
The repo is gone. Thank you all for helping to take it down 👍
In some cases the malware manipulates the Windows Update service. This is meant to stop Windows Update from interfering with the malware and rendering it unusable.
To address this, I added clearer output to the tool:
Messages are now differentiated in red/green and, for our colorblind folks, by [ ! ] / [ - ].
We also added yellow for short explanations, with [ ? ] for colorblind folks.
The malicious script suite this Discord server is about: https://github.com/windowtoolbox/powershell-windows-toolbox
Wayback Archive Link before the repository was changed.
Second Account used : https://github.com/alexrybak0444
This might be the original (unaffected) project: https://github.com/WinTweakers/WindowsToolbox
Deleted issue in the original repository:
Wayback Archive Link before the repository was changed.
All thanks to @ZerGo0
Stage 1: (@LinuxUserGD)
https://gist.github.com/ZerGo0/aa0984800fd6da0a9d9e7842a0dc3645
Stage 1: Explained
Stage 2:
https://gist.github.com/ZerGo0/690175a1163bd4747d825491810c6ebb
Stage 2: Explained
Stage 3:
https://gist.github.com/ZerGo0/ce1d2786cdb5ecca248f309a98b1d987
Stage 3: Explained
Showcase 1 (Gets stuck at Curl)
https://app.any.run/tasks/40c113ab-7908-4979-8810-8733fd67bf3a/
Showcase 2 / (Progressing the Script by hand)
https://app.any.run/tasks/b6f0d354-bce5-401a-b422-08d262b2be82/
To check if you are infected:
Open PowerShell as Administrator
Get-WinSystemLocale
If "Name" starts with "en-", check the rest below.
If it does not, you are most likely safe.
Do these folders exist?
C:\systemfile\
C:\Windows\security\pywinvera
C:\Windows\security\pywinveraa
Do these Tasks exist in Task Scheduler
Microsoft\Windows\AppID\VerifiedCert
Microsoft\Windows\Application Experience\Maintenance
Microsoft\Windows\Services\CertPathCheck
Microsoft\Windows\Services\CertPathw
Microsoft\Windows\Servicing\ComponentCleanup
Microsoft\Windows\Servicing\ServiceCleanup
Microsoft\Windows\Shell\ObjectTask
Microsoft\Windows\Clip\ServiceCleanup
Then you are affected!
Stage 3 is where the bad stuff happens. It contains a check of the system locale: if the locale does not start with "en-", it kills cmd.exe,
which stops everything else (look at the first showcase linked above).
On the right side you see the processes; once it reaches cmd.exe 560 it opens PowerShell with the check.
The check fails (for us Germans, for example) and the script kills itself.
For others, the script just keeps going.
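The manual check above (locale, folders, scheduled tasks) can be run in one go. The script below is an added example written for this README and is not wTM-Removal's own code; it only reads the indicators listed above and removes nothing. The folder paths and task names are the ones from the list; the output markers [ ! ] / [ - ] / [ ? ] follow the convention described at the top of this page. The helper function names are my own.

```powershell
# Added example, not part of wTM-Removal. Run in an elevated PowerShell.
#Requires -RunAsAdministrator

# Indicators copied from the README list above.
$Folders = @(
    'C:\systemfile\',
    'C:\Windows\security\pywinvera',
    'C:\Windows\security\pywinveraa'
)
$Tasks = @(
    'Microsoft\Windows\AppID\VerifiedCert',
    'Microsoft\Windows\Application Experience\Maintenance',
    'Microsoft\Windows\Services\CertPathCheck',
    'Microsoft\Windows\Services\CertPathw',
    'Microsoft\Windows\Servicing\ComponentCleanup',
    'Microsoft\Windows\Servicing\ServiceCleanup',
    'Microsoft\Windows\Shell\ObjectTask',
    'Microsoft\Windows\Clip\ServiceCleanup'
)

function Test-EnLocale {
    # Stage 3 only proceeds on "en-" system locales (see the explanation above).
    $name = (Get-WinSystemLocale).Name
    return $name.StartsWith('en-', [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-IndicatorFindings {
    # Returns one line per indicator that is present on this machine.
    $findings = @()
    foreach ($f in $Folders) {
        if (Test-Path -LiteralPath $f) { $findings += "Folder present: $f" }
    }
    foreach ($t in $Tasks) {
        # Get-ScheduledTask wants the folder as '\Microsoft\Windows\AppID\' and the name separately.
        $idx  = $t.LastIndexOf('\')
        $path = '\' + $t.Substring(0, $idx) + '\'
        $name = $t.Substring($idx + 1)
        $task = Get-ScheduledTask -TaskPath $path -TaskName $name -ErrorAction SilentlyContinue
        if ($task) { $findings += "Scheduled task present: $t (state: $($task.State))" }
    }
    return $findings
}

# Report in the red/green/yellow + marker style used by the tool.
if (-not (Test-EnLocale)) {
    Write-Host "[ ? ] System locale is $((Get-WinSystemLocale).Name); Stage 3 aborts on non-'en-' locales, so infection is unlikely. Checking anyway." -ForegroundColor Yellow
}

$hits = Get-IndicatorFindings
if ($hits.Count -eq 0) {
    Write-Host "[ - ] None of the listed folders or scheduled tasks were found." -ForegroundColor Green
} else {
    Write-Host "[ ! ] Indicators found, you are affected:" -ForegroundColor Red
    $hits | ForEach-Object { Write-Host "      $_" -ForegroundColor Red }
}
```

Run it from an elevated PowerShell; a [ ! ] result means the same thing as the manual list above, and the script deliberately stops at reporting so you can decide what to do next with the tool.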
@BlockyTheDev
blubbablasen
Kay
@ThisLimn0
@LinuxUserGD
Mikasa
@OptionalM
Sonnenläufer
@Zergo0
@Zuescho
for Investigative Work & Reporting
Cirno
Harromann
Janmm14
@luzeadev
XplLiciT
for Bugfixes, Testing and QoS improvements
@Zeryther
for translating the README into German