Releases: pabumake/windowToolboxMalware-Removal
wTM-Removal v1.04
- Added explanations to the output to address feedback from #9
- Also fixed the contributor's username
Full Changelog: v1.0.3-alpha...v1.0.4
wTM-Removal v1.03-alpha
What's Changed
- Update README.md by @ThisLimn0 in #7
New Contributors
- @ThisLimn0 made their first contribution in #7
Full Changelog: v1.0.2-alpha...v1.0.3-alpha
Manual Release Information
To address the issue, I added a clearer output to the tool.
The message is now differentiated in red/green and, for our colorblind folks, in [ ! ] / [ - ].
wTM-Removal v1.0.2-alpha
1. windowToolboxMalwareRemoval
wTM-Removal searches for and removes malicious files contained within windowstoolbox.
TLDR:
Please report this malicious repo: https://github.com/windowtoolbox/under_observation
1.1 Contents
- 1. windowToolboxMalwareRemoval
- 2. Usage
- 3. Combined Investigation Report from SemperVideo Discord Community
- 4. Thanks to
2. Usage
- Start wTM-Removal.cmd as Administrator (wTM-Removal.ps1 needs to be in the same folder)
- Accept the UAC prompt for PowerShell
- When asked to confirm removal, answer Y/y -> Enter
- Reboot the system and run the Windows Update troubleshooter
3. Combined Investigation Report from SemperVideo Discord Community
Malicious repository this Discord investigation is about: https://github.com/windowtoolbox/powershell-windows-toolbox
Wayback Archive Link before the repository was changed.
Second account used: https://github.com/alexrybak0444
This might be the original project: https://github.com/WinTweakers/WindowsToolbox
Deleted issue in the original repository:
Wayback Archive Link before the repository was changed.
3.1 Deobfuscated
All thanks to @ZerGo0
Stage 1: (@LinuxUserGD)
https://gist.github.com/ZerGo0/aa0984800fd6da0a9d9e7842a0dc3645
Stage 1: Explained
Stage 2:
https://gist.github.com/ZerGo0/690175a1163bd4747d825491810c6ebb
Stage 2: Explained
Stage 3:
https://gist.github.com/ZerGo0/ce1d2786cdb5ecca248f309a98b1d987
Stage 3: Explained
Showcase 1 (Gets stuck at Curl)
https://app.any.run/tasks/40c113ab-7908-4979-8810-8733fd67bf3a/
Showcase 2 (Progressing the script by hand)
https://app.any.run/tasks/b6f0d354-bce5-401a-b422-08d262b2be82/
3.2 Are you affected?
To check whether you are infected, open PowerShell as Administrator and run:
Get-WinSystemLocale
If the "Name" value starts with "en-", go through the remaining checks; if it does not, you are most likely safe.
Do any of these paths exist?
- C:\systemfile\
- C:\Windows\security\pywinvera
- C:\Windows\security\pywinveraa
Or do any of these tasks exist in Task Scheduler?
- Microsoft\Windows\AppID\VerifiedCert
- Microsoft\Windows\Application Experience\Maintenance
- Microsoft\Windows\Services\CertPathCheck
- Microsoft\Windows\Services\CertPathw
- Microsoft\Windows\Servicing\ComponentCleanup
- Microsoft\Windows\Servicing\ServiceCleanup
- Microsoft\Windows\Shell\ObjectTask
- Microsoft\Windows\Clip\ServiceCleanup
If so, you are affected!
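As an added example (not part of wTM-Removal or the Discord report), a read-only PowerShell check that walks the indicators listed above: the locale gate, the three paths and the eight scheduled tasks. It prints each found task's action, because the task names sit in built-in Microsoft\Windows folders and only the executed command tells a look-alike from a genuine task. It uses only standard Windows cmdlets and removes nothing.

```powershell
# Added read-only indicator check for the windowstoolbox malware (not the
# project's own code). Run from an elevated PowerShell prompt; reports only.
$paths = @(
    'C:\systemfile\',
    'C:\Windows\security\pywinvera',
    'C:\Windows\security\pywinveraa'
)
# Scheduled task paths exactly as listed in section 3.2 (folder\name).
$tasks = @(
    'Microsoft\Windows\AppID\VerifiedCert',
    'Microsoft\Windows\Application Experience\Maintenance',
    'Microsoft\Windows\Services\CertPathCheck',
    'Microsoft\Windows\Services\CertPathw',
    'Microsoft\Windows\Servicing\ComponentCleanup',
    'Microsoft\Windows\Servicing\ServiceCleanup',
    'Microsoft\Windows\Shell\ObjectTask',
    'Microsoft\Windows\Clip\ServiceCleanup'
)
$findings = @()
# Stage 3 only proceeds on "en-" system locales. The file/task checks run
# regardless: the locale gate tells you exposure, not that the machine is clean.
$locale = (Get-WinSystemLocale).Name
if ($locale -like 'en-*') {
    Write-Host "[ ! ] System locale $locale is in the targeted range" -ForegroundColor Yellow
} else {
    Write-Host "[ - ] System locale $locale is outside the targeted range" -ForegroundColor Green
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path exists: $p" }
}
foreach ($t in $tasks) {
    # Split 'Folder\Sub\Name' into TaskPath '\Folder\Sub\' and TaskName 'Name'.
    $idx  = $t.LastIndexOf('\')
    $path = '\' + $t.Substring(0, $idx) + '\'
    $name = $t.Substring($idx + 1)
    $task = Get-ScheduledTask -TaskPath $path -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        # Show what the task actually runs so a look-alike name can be judged.
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += "Task exists: $t -> $actions"
    }
}
if ($findings.Count -gt 0) {
    Write-Host "[ ! ] Indicators found:" -ForegroundColor Red
    $findings | ForEach-Object { Write-Host "      $_" -ForegroundColor Red }
} else {
    Write-Host "[ - ] None of the listed files or tasks were found" -ForegroundColor Green
}
```

If any indicator is reported, run wTM-Removal as described in section 2 rather than deleting the tasks by hand.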
3.3 Why are only "en-" users affected?
There is a check in Stage 3, where the bad stuff happens: it reads the system locale, and if it does not start with "en-" it kills cmd.exe, which stops everything else (see the first showcase linked above).
On the right side you can see the processes: once it reaches 560 cmd.exe, it opens PowerShell with the check.
The check fails (for us Germans, for example) and the script kills itself.
For everyone else, the script just keeps going.
4. Thanks to
@BlockyTheDev
blubbablasen
Kay
Limn0
@LinuxUserGD
Mikasa
@OptionalM
Sonnenläufer
@ZerGo0
@Zuescho
for Investigative Work & Reporting
Cirno
Harromann
Janmm14
@luzeadev
XplLiciT
for Bugfixes, Testing and QoS improvements
@Zeryther
for translating the README into German
wTM-Removal v1.0.1-alpha
wTM-Removal v1.0.0-alpha
1. windowToolboxMalwareRemoval
wTM-Removal searches for and removes malicious files contained within windowstoolbox.
TLDR:
Please report this malicious repo: https://github.com/windowtoolbox/powershell-windows-toolbox
1.1 Contents
- 1. windowToolboxMalwareRemoval
- 2. Usage
- 3. Combined Investigation Report from SemperVideo Discord Community
- 4. Thanks to
2. Usage
- Start wTM-Removal.cmd as Administrator (wTM-Removal.ps1 needs to be in the same folder)
- Accept the UAC prompt for PowerShell
- When asked to confirm removal, answer Y/y -> Enter
- Reboot the system and run the Windows Update troubleshooter
3. Combined Investigation Report from SemperVideo Discord Community
Malicious repository this Discord investigation is about: https://github.com/windowtoolbox/powershell-windows-toolbox
Second account used: https://github.com/alexrybak0444
This might be the original project: https://github.com/WinTweakers/WindowsToolbox
Previous discussion:
https://archive.ph/3giKL or https://web.archive.org/web/20220409165432/https://github.com/windowtoolbox/powershell-windows-toolbox/issues/32
3.1 Deobfuscated
All thanks to @ZerGo0
Stage 1: (@LinuxUserGD)
https://gist.github.com/ZerGo0/aa0984800fd6da0a9d9e7842a0dc3645
Stage 2:
https://gist.github.com/ZerGo0/690175a1163bd4747d825491810c6ebb
Stage 3:
https://gist.github.com/ZerGo0/ce1d2786cdb5ecca248f309a98b1d987
Showcase 1 / Does not run completely
https://app.any.run/tasks/40c113ab-7908-4979-8810-8733fd67bf3a/
Showcase 2 / Helping Curl out
https://app.any.run/tasks/b6f0d354-bce5-401a-b422-08d262b2be82/
3.2 Are you affected?
To check whether you are infected, open PowerShell and run:
Get-WinSystemLocale
If the "Name" value starts with "en-", go through the remaining checks; if it does not, you are most likely safe.
Do any of these paths exist?
- C:\systemfile\
- C:\Windows\security\pywinveraa
Or do any of these tasks exist in Task Scheduler?
- Microsoft\Windows\AppID\VerifiedCert
- Microsoft\Windows\Application Experience\Maintenance
- Microsoft\Windows\Services\CertPathCheck
- Microsoft\Windows\Services\CertPathw
- Microsoft\Windows\Servicing\ComponentCleanup
- Microsoft\Windows\Servicing\ServiceCleanup
- Microsoft\Windows\Shell\ObjectTask
- Microsoft\Windows\Clip\ServiceCleanup
If so, you are affected.
3.3 Why are only "en-" users affected?
There is a check in Stage 3, where the bad stuff happens: it reads the system locale, and if it is not "en-" it kills cmd.exe, which stops everything else (see the first showcase linked above).
On the right side you can see the processes: once it reaches 560 cmd.exe, it opens PowerShell with the check.
The check fails (for us Germans, for example) and the script kills itself.
For everyone else, the script just keeps going.
4. Thanks to
@ZerGo0, @LinuxUserGD and Zuescho for the investigative report
luzea, Harromann, Zuescho, XplLiciT, Cirno, Janmm14 for bugfixes, testing and QoS improvements