Closed ibay770 closed 1 year ago
Also, here is a malware analysis from any.run if it helps:
Many thanks! I have made some improvements to the .bat file, and I also figured out a new file (tjcm.cmm) to be cleared. (In advance, sorry for my English.)
Firstly, I want to point out that I was infected by TJprojMain twice, and from different programs. For that reason I think that in some way this malware hooks into already installed executable(s), and does not only come from already infected .exe downloads. For the record, in my case it was SleepTimer.exe and Ghostbusterportable.exe, which were downloaded from the original source, and for that reason I think it hooks as I describe above.
Changes that it makes (in my case):
startup processes: svchost.exe 32, explorer.exe 32 (HKLM:RunOnce)
scheduled task: "c:\windows\resources\svchost.exe"
Registry entries: [Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg... ]
Also adds the files:
explorer.exe, icsys.icn.exe, tjcm.cmm, icsys.icn in "C:\Windows\Resources\Themes", and
spoolsv.exe and svchost.exe in "C:\Windows\Resources".
I don't get why it must also check the secondary (e.g. D:) or third (e.g. F:) drive and so on. So I made two different versions, for the same reason I think the writer of the original did: just in case. *Some info is added as comments in both batches.
=====================================================================
TJprojMain REMOVER #1.cmd (checks/clears only the drive the .bat/.cmd was started from)
CODE:
```bat
@echo off
title TJprojMain remover
cls
echo This will remove now the "TJprojMain" malware. && echo.
echo Starting, don't touch anything! && echo.

:: The following line detects the current drive letter (e.g. C: or any) and stores it in the %DL% variable.
:: *'%~d0' is the drive letter of the path this batch was started from (e.g. C: or any).
SET DL=%~d0
:: This way the script can be shortened by 2/3 without negative impact or any 'collateral losses'.
:: Attempt counter, so a file that cannot be deleted (e.g. script not run as Administrator) does not loop forever.
SET tries=0

echo report:
echo ----------------------------------------
echo Checking Current Drive: %DL%

:DELETE
SET /a tries+=1
attrib -h -r -s /s /d %DL%\Windows\Resources\svchost.exe
attrib -h -r -s /s /d %DL%\Windows\Resources\spoolsv.exe
attrib -h -r -s /s /d %DL%\Windows\Resources\Themes\explorer.exe
attrib -h -r -s /s /d %DL%\Windows\Resources\Themes\icsys.icn.exe
:: Terminate by full image path, so the genuine svchost.exe/explorer.exe in System32/Windows are left alone.
:: Backslashes are doubled because the WQL 'where' clause treats '\' as an escape character.
wmic /nointeractive process where "ExecutablePath='%DL%\\Windows\\Resources\\svchost.exe'" CALL TERMINATE
del /f /a %DL%\Windows\Resources\svchost.exe
wmic /nointeractive process where "ExecutablePath='%DL%\\Windows\\Resources\\Themes\\explorer.exe'" CALL TERMINATE
del /f /a %DL%\Windows\Resources\Themes\explorer.exe
wmic /nointeractive process where "ExecutablePath='%DL%\\Windows\\Resources\\spoolsv.exe'" CALL TERMINATE
del /f /a %DL%\Windows\Resources\spoolsv.exe
wmic /nointeractive process where "ExecutablePath='%DL%\\Windows\\Resources\\Themes\\icsys.icn.exe'" CALL TERMINATE
del /f /a %DL%\Windows\Resources\Themes\icsys.icn.exe
:: tjcm.cmn (the file is also written as tjcm.cmm above in this thread; both names are removed)
del /f /a %DL%\Windows\Resources\Themes\tjcm.cmn
del /f /a %DL%\Windows\Resources\Themes\tjcm.cmm

:CHECK
if %tries% GEQ 5 goto :FAILED
if exist %DL%\Windows\Resources\svchost.exe goto :DELETE
if exist %DL%\Windows\Resources\spoolsv.exe goto :DELETE
if exist %DL%\Windows\Resources\Themes\explorer.exe goto :DELETE
if exist %DL%\Windows\Resources\Themes\icsys.icn.exe goto :DELETE
echo ----------------------------------------
goto :END

:FAILED
echo ----------------------------------------
echo Could not remove all files after %tries% attempts. Run this script as Administrator and try again.
echo Press any key to Exit . . .
PAUSE >nul
EXIT

:END
echo.
echo Done!
echo explorer.exe (TJprojMain malware) is now removed. && echo.
echo Press any key to Exit . . .
PAUSE >nul
EXIT
```
https://github.com/skidaim/TJprojMain-explorer.exe-remover/blob/main/remover.bat
=====================================================================
TJprojMain REMOVER #2.cmd (also checks/clears the "secondary" drives, as the original does, but with "improvements")
CODE:
```bat
@echo off
title TJprojMain remover
cls
echo This will remove now the "TJprojMain" malware. && echo.
echo Starting, don't touch anything! && echo.

:: This version does not rely on the drive the batch was started from (%~d0); it walks C:, D:, E: in turn
:: and runs the same delete/check pass on each one. The drive the script started from is covered by the loop.
SET repeat=0

:START
SET /a repeat+=1
:: Fresh attempt counter for every drive, so one undeletable file cannot loop forever.
SET tries=0
if %repeat% == 1 SET DL=C:
if %repeat% == 2 SET DL=D:
if %repeat% == 3 SET DL=E:
:: F:, G:, H:, ... and so on. *(This part could be shorter with a 'for' command.)
if %repeat% GTR 3 goto :END
:: Skip drives that are not present or have no Windows folder.
if not exist %DL%\Windows\ goto :START

echo report:
echo ----------------------------------------
echo Checking Current Drive: %DL%

:DELETE
SET /a tries+=1
attrib -h -r -s /s /d %DL%\Windows\Resources\svchost.exe
attrib -h -r -s /s /d %DL%\Windows\Resources\spoolsv.exe
attrib -h -r -s /s /d %DL%\Windows\Resources\Themes\explorer.exe
attrib -h -r -s /s /d %DL%\Windows\Resources\Themes\icsys.icn.exe
:: Terminate by full image path, so the genuine svchost.exe/explorer.exe in System32/Windows are left alone.
:: Backslashes are doubled because the WQL 'where' clause treats '\' as an escape character.
wmic /nointeractive process where "ExecutablePath='%DL%\\Windows\\Resources\\svchost.exe'" CALL TERMINATE
del /f /a %DL%\Windows\Resources\svchost.exe
wmic /nointeractive process where "ExecutablePath='%DL%\\Windows\\Resources\\Themes\\explorer.exe'" CALL TERMINATE
del /f /a %DL%\Windows\Resources\Themes\explorer.exe
wmic /nointeractive process where "ExecutablePath='%DL%\\Windows\\Resources\\spoolsv.exe'" CALL TERMINATE
del /f /a %DL%\Windows\Resources\spoolsv.exe
wmic /nointeractive process where "ExecutablePath='%DL%\\Windows\\Resources\\Themes\\icsys.icn.exe'" CALL TERMINATE
del /f /a %DL%\Windows\Resources\Themes\icsys.icn.exe
:: tjcm.cmn (the file is also written as tjcm.cmm above in this thread; both names are removed)
del /f /a %DL%\Windows\Resources\Themes\tjcm.cmn
del /f /a %DL%\Windows\Resources\Themes\tjcm.cmm

:CHECK
if %tries% GEQ 5 goto :FAILED
if exist %DL%\Windows\Resources\svchost.exe goto :DELETE
if exist %DL%\Windows\Resources\spoolsv.exe goto :DELETE
if exist %DL%\Windows\Resources\Themes\explorer.exe goto :DELETE
if exist %DL%\Windows\Resources\Themes\icsys.icn.exe goto :DELETE
echo ----------------------------------------
:: This drive is clean, move on to the next one.
goto :START

:FAILED
echo Could not remove all files on %DL% after %tries% attempts. Run this script as Administrator and try again.
echo ----------------------------------------
goto :START

:END
echo.
echo Done!
echo explorer.exe (TJprojMain malware) is now removed. && echo.
echo Press any key to Exit . . .
PAUSE >nul
EXIT
```
https://github.com/skidaim/TJprojMain-explorer.exe-remover/blob/main/remover.bat
Please check. Greetings and again: many thanks!
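The batch files above only remove the dropped files. As an added example (this is not the poster's script nor the skidaim remover), here is a PowerShell version of the same cleanup that also takes care of the other persistence the post lists: the HKLM RunOnce values, the scheduled task whose action is c:\windows\resources\svchost.exe, and the MSConfig\startupreg leftovers. It matches on the full paths given in the post; the quarantine folder name is my own choice, and the scheduled task is located by its action path because the post gives no task name. Save it as a .ps1, run it from an elevated PowerShell, and use -WhatIf first to see what it would remove.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not the poster's batch file or the skidaim remover.
# Save as Remove-TJprojMain.ps1 and run elevated; add -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Removed files are moved here and renamed .bin so they cannot be double-clicked. Folder name is an assumption.
    [string]$QuarantineDir = "$env:SystemDrive\TJprojMain-quarantine"
)

$root = $env:SystemRoot
# Dropped files as listed in the post; both spellings of the tjcm file that appear in the thread are covered.
$malFiles = @(
    "$root\Resources\svchost.exe", "$root\Resources\spoolsv.exe",
    "$root\Resources\Themes\explorer.exe", "$root\Resources\Themes\icsys.icn.exe",
    "$root\Resources\Themes\icsys.icn", "$root\Resources\Themes\tjcm.cmm",
    "$root\Resources\Themes\tjcm.cmn"
)
# Any process image, task action or registry command under this folder is treated as the malware's.
$malDirPattern = [regex]::Escape("$root\Resources\")
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Kill by full image path only, so the genuine svchost.exe/explorer.exe keep running.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($malFiles -contains $_.Path) } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Path) (PID $($_.Id))", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

# 2. Record a SHA256 per file before it goes (what you would look up on any.run), clear +h +r +s, quarantine.
New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
$report = foreach ($f in $malFiles) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    (Get-Item -LiteralPath $f -Force).Attributes = 'Normal'
    $dest = Join-Path $QuarantineDir ("{0}.{1}.bin" -f (Split-Path $f -Leaf), $hash.Substring(0, 8))
    if ($PSCmdlet.ShouldProcess($f, "Move to $dest")) {
        Move-Item -LiteralPath $f -Destination $dest -Force
    }
    [pscustomobject]@{ File = $f; SHA256 = $hash; QuarantinedAs = $dest }
}

# 3. Scheduled task whose action runs out of Windows\Resources (the post gives the path, not a task name).
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match $malDirPattern }
} | ForEach-Object {
    if ($PSCmdlet.ShouldProcess("$($_.TaskPath)$($_.TaskName)", 'Unregister-ScheduledTask')) {
        $_ | Unregister-ScheduledTask -Confirm:$false
    }
}

# 4. HKLM RunOnce (64-bit and 32-bit views): drop values whose command points into Windows\Resources.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runOnceKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notin $psNoise })) {
        if ("$($props.$name)" -match $malDirPattern -and
            $PSCmdlet.ShouldProcess("$key\$name = $($props.$name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# 5. MSConfig\startupreg keeps one subkey per disabled startup item with its 'command' value; remove the malware's.
$msconfig = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
if (Test-Path -Path $msconfig) {
    Get-ChildItem -Path $msconfig | Where-Object {
        "$((Get-ItemProperty -Path $_.PSPath).command)" -match $malDirPattern
    } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PSChildName, 'Remove-Item')) {
            Remove-Item -Path $_.PSPath -Recurse
        }
    }
}

if ($report) { $report | Format-Table -AutoSize } else { 'No dropped files found under Windows\Resources.' }
```

Matching processes and registry values by the full drop path, rather than by file name, is what keeps the real svchost.exe and explorer.exe out of the way; the hashes in the final table are what you would hand to any.run or compare against the sample already analysed there.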
My pleasure! I'll take a look. As you see, this malware hooks itself into other files so it reinfects the computer when they run; is there a way to disinfect said files and delete the infected ones as well? Another way of getting rid of it is to run UVK: use the autorun setting, click the explorer/svchost entries and click delete files and entries, then go back and immunize the system, make sure all boxes are checked, apply, restart the system, and all is good.
I can't find stinker.exe to clone. .exe remove (Detail tjprojmain.exe). I can't compile byte_stinker-1.1.
First of all, many thanks for writing your script to get rid of this trash. From this video (https://www.youtube.com/watch?v=GsIl33z8B2Q) it seems the virus leaves behind registry entries of infected files, even once the original is deleted.
Assuming I wrote the commands correctly, I think this script will delete those; perhaps you could merge it into your script.
The /f deletes the key without asking for confirmation.
```bat
:: Each 'reg delete' removes the whole key with every value under it, not only the entries that refer
:: to the malware: BagMRU and Bags hold Explorer's folder-view state, and MuiCache holds the cached
:: display names of every program that has been run.
reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f
reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f
reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f
```
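As an added example (not part of the comment above), the following PowerShell snippet trims only the MuiCache entries that name a file under %SystemRoot%\Resources, the drop directory given earlier in this thread, instead of deleting the whole MuiCache key, so the cached display names of legitimate programs survive. The drop path is the only thing taken from the thread; save it as a .ps1 and run with -WhatIf to preview, -Verbose to see the matched entries.

```powershell
# Added example for this thread, not from the comment above. Removes only the MuiCache entries
# that point at a file under %SystemRoot%\Resources (where the post says TJprojMain drops its files)
# instead of deleting the whole key. Save as .ps1; supports -WhatIf and -Verbose.
[CmdletBinding(SupportsShouldProcess)]
param()

$muiCache = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
$malDirPattern = [regex]::Escape("$env:SystemRoot\Resources\")

if (-not (Test-Path -Path $muiCache)) { Write-Verbose 'No MuiCache key for this user.'; return }
$key = Get-Item -Path $muiCache

# MuiCache value names are executable paths plus a suffix, e.g.
# "C:\Windows\Resources\svchost.exe.FriendlyAppName" or "...\Themes\explorer.exe.ApplicationCompany",
# so matching on the directory prefix catches every entry the malware's files created.
$hits = @($key.GetValueNames() | Where-Object { $_ -match $malDirPattern })

foreach ($name in $hits) {
    Write-Verbose ("{0} = {1}" -f $name, $key.GetValue($name))
    if ($PSCmdlet.ShouldProcess("$muiCache\$name", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $muiCache -Name $name
    }
}

"Removed {0} MuiCache entr{1} pointing into {2}\Resources" -f $hits.Count,
    $(if ($hits.Count -eq 1) { 'y' } else { 'ies' }), $env:SystemRoot
```

The same prefix match can be reused for other per-user caches that store full executable paths as value names; the BagMRU and Bags keys are different, since they store Explorer's folder-view data in binary form rather than as paths, which is why a blanket delete is the simpler option there.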