If you look at the first post, the OP is running rustc directly, so cargo is not part of the equation here.
It’s the same with Process Explorer as with Task Manager: rustc compiles when I open it or leave it open.
Thanks for the explanation. I tried compiling after deleting everything other than main.rs (hello world program) in safe mode and it was quick. For me, the exe file and pdb file are created in the same directory as main.rs.
If you like playing cat and mouse, another tool that I’ve seen recommended in “finding processes which attempt to hide” web discussions is http://yaprocmon.sourceforge.net/ . Never personally tested it.
You can also investigate which software is started at boot time. A pretty convenient tool for this, which aggregates all the many ways to schedule code to run on boot, is Sysinternals Autoruns. If you don’t find anything interesting in your regular session, you may want to run it in safe mode, again just in case this is malware playing hide and seek.
Thanks, I’ll try your advice and stuff that comes up by searching “malware hide task manager”.
…and if all else fails, well, the easiest way to get rid of malware on a Windows machine remains to back up your data, do extensive malware checks on the backup from a different machine, then wipe the disk, reinstall the OS, and restore data/reinstall apps.
If you ultimately end up having to go down this route, you may want to reconsider your security policies to save yourself from the trouble next time. No matter how much of an annoyance these two might be, no antivirus software and no automatic updates is a bit careless on an OS which is as highly targeted by malware authors as Windows.
Finally resolved the problem. Thanks again for your help!
So the malware did not stop when Sysinternals Process Monitor or Yet Another Process Monitor was run, even though, as we saw, Task Manager or Process Explorer would stop it.
Here is a screenshot from Process Tree inside Process Monitor:
It was taken just after Process Explorer was opened, while rustc had been running for a while. It shows curl.exe, which died when Process Explorer opened.
(Continues... since I can only put one image in a post.)
Another process called svchost.exe, which was in a different directory from that of the legitimate one, died when Process Explorer opened:
I suspended all the offending processes first and killed them in Process Explorer. Then from Autoruns I deleted registry and scheduler settings. Finally, in Process Tree I looked up the file locations and deleted the files. The file mainuda.exe was from October 2017 and svchost.exe was from February 2018. There was also another file that showed up as a VirusTotal suspect in Autoruns that had a random-looking name that I forgot to check the creation date of.
I'd like to add that the YouTube videos by Mark Russinovich, who is one of the authors of the Sysinternals tools, were also very helpful.
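The two things done by hand above (checking in the Process Tree whether a process named like a system binary actually runs from the system directory, then going through Autoruns for persistence entries) can be scripted for a first triage pass. The following PowerShell is an added example written for this thread, not code from any poster or from Sysinternals; the table of expected locations and the "Windows or Program Files" heuristic are my own assumptions, and it expects to be run from an elevated prompt so that every process's image path is readable.

```powershell
# Added example (not from this thread). Flags running processes whose name
# matches a well-known Windows binary but whose image lives somewhere else
# (the svchost.exe-in-the-wrong-directory case), plus processes whose
# Authenticode signature is not valid, and lists persistence entries that
# point outside the Windows / Program Files trees.
# Assumptions: run as Administrator; the $expected table is illustrative.

$expected = @{
    'svchost.exe'  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    'explorer.exe' = @("$env:SystemRoot")
    'lsass.exe'    = @("$env:SystemRoot\System32")
    'csrss.exe'    = @("$env:SystemRoot\System32")
    'winlogon.exe' = @("$env:SystemRoot\System32")
}

# Directories from which executables are usually expected to run.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-InTrustedRoot([string]$path) {
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousProcess {
    # Path is $null for protected/system processes; skip those rather than error.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $name    = [System.IO.Path]::GetFileName($_.Path).ToLower()
        $dir     = [System.IO.Path]::GetDirectoryName($_.Path)
        $reasons = @()

        if ($expected.ContainsKey($name)) {
            $ok = $expected[$name] | Where-Object { $dir -ieq $_ }
            if (-not $ok) { $reasons += "named like a system binary but runs from $dir" }
        }

        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        if ($sig.Status -ne 'Valid' -and -not (Test-InTrustedRoot $dir)) {
            $reasons += "signature $($sig.Status), outside Windows/Program Files"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Id      = $_.Id
                Name    = $_.ProcessName
                Path    = $_.Path
                Created = (Get-Item $_.Path).CreationTime   # the file dates the OP compared
                Reasons = $reasons -join '; '
            }
        }
    }
}

function Get-SuspiciousStartupEntry {
    # Run / RunOnce keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
            $cmd = [string]$p.Value
            if (-not (Test-InTrustedRoot $cmd.Trim('"'))) {
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
    # Scheduled tasks whose action executable is outside the trusted roots.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute
            if ($exe -and -not (Test-InTrustedRoot ([System.Environment]::ExpandEnvironmentVariables($exe).Trim('"')))) {
                [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName; Command = "$exe $($action.Arguments)" }
            }
        }
    }
}

Get-SuspiciousProcess      | Format-Table -AutoSize -Wrap
Get-SuspiciousStartupEntry | Format-Table -AutoSize -Wrap
```

The output is a triage list, not a verdict: legitimately installed software that lives under a user profile will show up too, so each hit still needs the kind of manual follow-up described in the thread (file date, VirusTotal, what the process is talking to). Because the malware in this thread exited as soon as Task Manager or Process Explorer started, a script like this has the advantage of not being one of the well-known tool names the malware was watching for, but that is a property of this particular sample, not something to rely on.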
Glad you figured it out! And yes, Mark Russinovich is an awesome resource whenever you need to stick your hands deep into Windows internals.
Windows is scary
Can I ask why? This seems like generally a bad idea for reasons that should be obvious but perhaps more so now. Turning on updates and Windows Defender might well have helped find this, and clean up more fully. There can be good reasons to keep a machine in a very static configuration, but they're rare and specialised and need careful handling (like special measures when exposing them to network and remote content) that don't fit well with general-purpose workstations.
More generally, and to the broader audience: this matters to the community. If one is going to be developing software on a machine, the integrity of that machine becomes important to the integrity of all users who consume that software. Important with respect to generated binaries, edited source, and credentials and secrets that might be used on the machine.
As a random data-point: I know a few people who have recently stopped installing updates after Microsoft’s recent… indiscretions around Windows 10. Some simply don’t trust updates coming from Microsoft any more. Some are sick of Microsoft pushing out updates without adequate testing and seriously breaking things. Some (including myself) can’t accept Microsoft’s attitude of “it’s our machine, be thankful we let you use it”.
For one of them, I have managed to get them to run Windows Defender, but for a while they ran no AV at all because of a long history of performance and compatibility problems caused by AV in general. I have to badger them into installing security updates after one of those security updates resulted in ads for Windows 10, which also seriously hurt my credibility.
I think that, for some, the threat of a maybe compromise is more tolerable than the definite repeated screwing they believe they’ll get otherwise.
Personally, my overall stance on this is, if you don’t accept Microsoft’s policy regarding Windows it is better not to use this operating system than to leave it in a vulnerable state.
But I am aware that I am speaking from a place of high privilege on this front. I do not strictly need to use Windows for anything at home or work, and I only use it on an isolated machine for occasional gaming convenience… but games are exactly the kind of apps that the OP wants to develop, and graphics driver idiocy makes this much easier on Windows than on other platforms.
I used to dual boot Linux/Windows, using Windows for only specific things like games. Windows Update was time consuming so I turned it off.
One day I messed up my Linux partition, making it unbootable, so I just started using Windows for everything and, thinking it was temporary and I was eventually going to fix it, I didn’t think of AV or Windows Update. Days turned into years…
Anyways, after removing the malware I freshly installed SliTaz Linux and am working through The Book from there. I chose SliTaz because it seemed to be the only distribution whose installation media could fit onto my 100 MB USB.
Ubuntu (and probably other distributions) have a network installer medium, containing just the minimum needed to launch the installer and downloading the rest over the Internet: mini.iso.
I wasn’t aware of that. Good to know. Thanks.