skidaim / TJprojMain-explorer.exe-remover

This simple batch script will get rid of the annoying TJprojMain malware, which infects all your exe files to spread

The Malware can be found in "X:/Windows/System" (a commonly empty system folder) also. Added more lines to the code: #3

Open DANILLO65535 opened 1 year ago

DANILLO65535 commented 1 year ago

@echo off
title TJprojMain remover
echo Starting soon, don't touch anything
timeout 3 > NUL
cls
REM %~d0 is the drive this script was started from. (The posted version compared %CD% with the
REM drive root, which only matched when started from that root and otherwise fell through to :DeleteC.)
if /i "%~d0"=="C:" goto DeleteC
if /i "%~d0"=="D:" goto DeleteD
if /i "%~d0"=="E:" goto DeleteE

:DeleteC
attrib -h -r -s /s /d C:\Windows\Resources\svchost.exe
attrib -h -r -s /s /d C:\Windows\Resources\spoolsv.exe
attrib -h -r -s /s /d C:\Windows\Resources\Themes\explorer.exe
attrib -h -r -s /s /d C:\Windows\Resources\Themes\icsys.icn.exe
attrib -h -r -s /s /d C:\Windows\system\svchost.exe
attrib -h -r -s /s /d C:\Windows\system\spoolsv.exe
attrib -h -r -s /s /d C:\Windows\system\explorer.exe
REM WQL treats a backslash as an escape character, so the path in the where clause must use \\ or the query never matches
wmic process where ExecutablePath='C:\\Windows\\Resources\\svchost.exe' CALL TERMINATE /nointeractive
del /f /A:S C:\Windows\Resources\svchost.exe
del /f C:\Windows\Resources\svchost.exe
wmic process where ExecutablePath='C:\\Windows\\Resources\\Themes\\explorer.exe' CALL TERMINATE /nointeractive
del /f /A:S C:\Windows\Resources\Themes\explorer.exe
del /f C:\Windows\Resources\Themes\explorer.exe
wmic process where ExecutablePath='C:\\Windows\\Resources\\spoolsv.exe' CALL TERMINATE /nointeractive
del /f /A:S C:\Windows\Resources\spoolsv.exe
del /f C:\Windows\Resources\spoolsv.exe
wmic process where ExecutablePath='C:\\Windows\\Resources\\Themes\\icsys.icn.exe' CALL TERMINATE /nointeractive
del /f /A:S C:\Windows\Resources\Themes\icsys.icn.exe
del /f C:\Windows\Resources\Themes\icsys.icn.exe
wmic process where ExecutablePath='C:\\Windows\\system\\explorer.exe' CALL TERMINATE /nointeractive
del /f /A:S C:\Windows\system\explorer.exe
del /f C:\Windows\system\explorer.exe
wmic process where ExecutablePath='C:\\Windows\\system\\svchost.exe' CALL TERMINATE /nointeractive
del /f /A:S C:\Windows\system\svchost.exe
del /f C:\Windows\system\svchost.exe
wmic process where ExecutablePath='C:\\Windows\\system\\spoolsv.exe' CALL TERMINATE /nointeractive
del /f /A:S C:\Windows\system\spoolsv.exe
del /f C:\Windows\system\spoolsv.exe
goto checkC

:DeleteD
attrib -h -r -s /s /d D:\Windows\Resources\svchost.exe
attrib -h -r -s /s /d D:\Windows\Resources\spoolsv.exe
attrib -h -r -s /s /d D:\Windows\Resources\Themes\explorer.exe
attrib -h -r -s /s /d D:\Windows\Resources\Themes\icsys.icn.exe
attrib -h -r -s /s /d D:\Windows\system\svchost.exe
attrib -h -r -s /s /d D:\Windows\system\spoolsv.exe
attrib -h -r -s /s /d D:\Windows\system\explorer.exe
wmic process where ExecutablePath='D:\\Windows\\Resources\\svchost.exe' CALL TERMINATE /nointeractive
del /f /A:S D:\Windows\Resources\svchost.exe
del /f D:\Windows\Resources\svchost.exe
wmic process where ExecutablePath='D:\\Windows\\Resources\\Themes\\explorer.exe' CALL TERMINATE /nointeractive
del /f /A:S D:\Windows\Resources\Themes\explorer.exe
del /f D:\Windows\Resources\Themes\explorer.exe
wmic process where ExecutablePath='D:\\Windows\\Resources\\spoolsv.exe' CALL TERMINATE /nointeractive
del /f /A:S D:\Windows\Resources\spoolsv.exe
del /f D:\Windows\Resources\spoolsv.exe
wmic process where ExecutablePath='D:\\Windows\\Resources\\Themes\\icsys.icn.exe' CALL TERMINATE /nointeractive
del /f /A:S D:\Windows\Resources\Themes\icsys.icn.exe
del /f D:\Windows\Resources\Themes\icsys.icn.exe
wmic process where ExecutablePath='D:\\Windows\\system\\explorer.exe' CALL TERMINATE /nointeractive
del /f /A:S D:\Windows\system\explorer.exe
del /f D:\Windows\system\explorer.exe
wmic process where ExecutablePath='D:\\Windows\\system\\svchost.exe' CALL TERMINATE /nointeractive
del /f /A:S D:\Windows\system\svchost.exe
del /f D:\Windows\system\svchost.exe
wmic process where ExecutablePath='D:\\Windows\\system\\spoolsv.exe' CALL TERMINATE /nointeractive
del /f /A:S D:\Windows\system\spoolsv.exe
del /f D:\Windows\system\spoolsv.exe
goto checkD

:DeleteE
attrib -h -r -s /s /d E:\Windows\Resources\svchost.exe
attrib -h -r -s /s /d E:\Windows\Resources\spoolsv.exe
attrib -h -r -s /s /d E:\Windows\Resources\Themes\explorer.exe
attrib -h -r -s /s /d E:\Windows\Resources\Themes\icsys.icn.exe
attrib -h -r -s /s /d E:\Windows\system\svchost.exe
attrib -h -r -s /s /d E:\Windows\system\spoolsv.exe
attrib -h -r -s /s /d E:\Windows\system\explorer.exe
wmic process where ExecutablePath='E:\\Windows\\Resources\\svchost.exe' CALL TERMINATE /nointeractive
del /f /A:S E:\Windows\Resources\svchost.exe
del /f E:\Windows\Resources\svchost.exe
wmic process where ExecutablePath='E:\\Windows\\Resources\\Themes\\explorer.exe' CALL TERMINATE /nointeractive
del /f /A:S E:\Windows\Resources\Themes\explorer.exe
del /f E:\Windows\Resources\Themes\explorer.exe
wmic process where ExecutablePath='E:\\Windows\\Resources\\spoolsv.exe' CALL TERMINATE /nointeractive
del /f /A:S E:\Windows\Resources\spoolsv.exe
del /f E:\Windows\Resources\spoolsv.exe
wmic process where ExecutablePath='E:\\Windows\\Resources\\Themes\\icsys.icn.exe' CALL TERMINATE /nointeractive
del /f /A:S E:\Windows\Resources\Themes\icsys.icn.exe
del /f E:\Windows\Resources\Themes\icsys.icn.exe
wmic process where ExecutablePath='E:\\Windows\\system\\explorer.exe' CALL TERMINATE /nointeractive
del /f /A:S E:\Windows\system\explorer.exe
del /f E:\Windows\system\explorer.exe
wmic process where ExecutablePath='E:\\Windows\\system\\svchost.exe' CALL TERMINATE /nointeractive
del /f /A:S E:\Windows\system\svchost.exe
del /f E:\Windows\system\svchost.exe
wmic process where ExecutablePath='E:\\Windows\\system\\spoolsv.exe' CALL TERMINATE /nointeractive
del /f /A:S E:\Windows\system\spoolsv.exe
del /f E:\Windows\system\spoolsv.exe
goto checkE

REM Each check block re-runs the delete block while any file is still present. The pass counter
REM stops it after 5 rounds instead of looping forever on a file that cannot be deleted (e.g. still locked).
:checkC
set /a tries+=1
if %tries% GTR 5 goto giveup
if exist C:\Windows\Resources\svchost.exe goto DeleteC
if exist C:\Windows\Resources\spoolsv.exe goto DeleteC
if exist C:\Windows\Resources\Themes\explorer.exe goto DeleteC
if exist C:\Windows\Resources\Themes\icsys.icn.exe goto DeleteC
if exist C:\Windows\system\svchost.exe goto DeleteC
if exist C:\Windows\system\spoolsv.exe goto DeleteC
if exist C:\Windows\system\explorer.exe goto DeleteC
goto end

:checkD
set /a tries+=1
if %tries% GTR 5 goto giveup
if exist D:\Windows\Resources\svchost.exe goto DeleteD
if exist D:\Windows\Resources\spoolsv.exe goto DeleteD
if exist D:\Windows\Resources\Themes\explorer.exe goto DeleteD
if exist D:\Windows\Resources\Themes\icsys.icn.exe goto DeleteD
if exist D:\Windows\system\svchost.exe goto DeleteD
if exist D:\Windows\system\spoolsv.exe goto DeleteD
if exist D:\Windows\system\explorer.exe goto DeleteD
goto end

:checkE
set /a tries+=1
if %tries% GTR 5 goto giveup
if exist E:\Windows\Resources\svchost.exe goto DeleteE
if exist E:\Windows\Resources\spoolsv.exe goto DeleteE
if exist E:\Windows\Resources\Themes\explorer.exe goto DeleteE
if exist E:\Windows\Resources\Themes\icsys.icn.exe goto DeleteE
if exist E:\Windows\system\svchost.exe goto DeleteE
if exist E:\Windows\system\spoolsv.exe goto DeleteE
if exist E:\Windows\system\explorer.exe goto DeleteE
goto end

:giveup
cls
echo Some files could not be removed after %tries% passes (still locked?). Reboot and run this again.
@PAUSE
exit /b 1

:end
cls
echo Done! explorer.exe (TJprojMain) is now removed
@PAUSE

llariola00 commented 1 month ago

Yes, I've encountered the virus in the "Windows\System" folder also. I've resorted to deleting them manually.

adonios77 commented 1 month ago

> Yes, I've encountered the virus in the "Windows\System" folder also. I've resorted to deleting them manually.

What was the file name/extension?

adonios77 commented 1 month ago

I have made a .cmd (based on the prototype) reduced by 2/3 in volume. That is, the code is not needed three times separately for each disk where the operating system could be installed (i.e. C:, D:, E:). We would simply make a variable:

REM %~d0 detects the disk's Drive Letter which cmd/bat runs from
SET "_DL_=%~d0"
echo Checking Current System Drive: %_DL_%

There are other ways too, for example:

REM detects and sets the Drive Letter of the disk where Windows is installed
REM (if more than one exists, the last matching line wins)
IF EXIST C:\windows SET _DL_=C:
IF EXIST D:\windows SET _DL_=D:
echo Checking Current System Drive: %_DL_%

So wherever there is a drive letter in the cmd/bat, it is replaced with the variable, for example:

attrib -h -r -s /s /d %_DL_%\Windows\Resources\svchost.exe
wmic process where ExecutablePath='%_DL_%\\Windows\\Resources\\svchost.exe' CALL TERMINATE /nointeractive
del /f /A:S %_DL_%\Windows\Resources\svchost.exe
del /f %_DL_%\Windows\Resources\svchost.exe
adonios77 commented 1 month ago

In my case there was also the tjcm.cmn infected file, so it was added to my cmd:

:DELETE
del /f %_DL_%\Windows\Resources\Themes\tjcm.cmn
:CHECK
if exist %_DL_%\Windows\Resources\Themes\tjcm.cmn goto :DELETE

Edit! Also I added:

:: schedule tasks
:: ("svchost" scheduled task reproduces infection at Windows Startup.)
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Svchost" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Explorer" /f
schtasks /Delete /TN "svchost" /f

You could check the Windows "Scheduled Tasks Library" (Start > Run > taskschd.msc /s) to see whether any suspicious tasks like the one above are enabled.
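An added example, not code from the repository or from anyone in this thread, of doing that check from PowerShell instead of by eye in the Task Scheduler UI: it lists every Run/RunOnce value in the machine and user hives and every action of every scheduled task, and flags the ones whose command points into the folders named in this issue (Windows\Resources, Windows\Resources\Themes, Windows\system) or that are named plainly "svchost" at the root of the task library. The folder list, the flagging rule and the output layout are my assumptions. It is read-only: it reports and deletes nothing, so you can review the hits before removing them with reg delete / schtasks as above.

```powershell
# Added example: enumerate autorun persistence and flag entries that point into the TJprojMain drop folders.
# Read-only. Run from an elevated PowerShell so HKLM and all tasks are readable.
$SuspiciousDirs = @(                       # assumption: folders named in this issue thread
    "$env:SystemRoot\Resources",
    "$env:SystemRoot\Resources\Themes",
    "$env:SystemRoot\system"               # note: 'system', not 'System32'
)

function Test-SuspiciousPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($dir in $SuspiciousDirs) {
        if ($cmd -like "*$dir\*") { return $true }
    }
    return $false
}

$findings = @()

# 1. Run / RunOnce keys, machine and current-user hives
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not registry values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }
        $findings += [pscustomobject]@{
            Source     = $key
            Name       = $p.Name
            Command    = [string]$p.Value
            Suspicious = Test-SuspiciousPath $p.Value
        }
    }
}

# 2. Scheduled tasks: every Exec action of every task (COM-handler actions have no Execute and are skipped)
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }
        $cmdline = "$($a.Execute) $($a.Arguments)".Trim()
        $byName  = ($task.TaskPath -eq '\') -and ($task.TaskName -ieq 'svchost')   # the task name reported in this thread
        $findings += [pscustomobject]@{
            Source     = "Task $($task.TaskPath)$($task.TaskName) [$($task.State)]"
            Name       = $task.TaskName
            Command    = $cmdline
            Suspicious = (Test-SuspiciousPath $cmdline) -or $byName
        }
    }
}

$hits = @($findings | Where-Object Suspicious)
$hits | Format-Table -AutoSize Source, Name, Command
"$($findings.Count) autorun entries examined, $($hits.Count) flagged"
```

Keep the full `$findings` list too: an entry that launches a legitimately named binary from an unexpected directory is exactly what this malware relies on, so review any hit by path rather than by name before deleting it.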

adonios77 commented 1 month ago

My edited "TJprojMain remover" (saved as "TJprojMain remover[edited].cmd"):

@echo off
title TJprojMain remover[edited]
cls
echo This will remove now the "TJprojMain" malware.
echo Starting, don't touch anything!
echo.
:: The next line detects the drive letter this batch was started from (e.g. C:) and stores it in the %_DL_% variable.
:: %~d0 is the drive part of %0 (the path of this script), so run the .cmd from the drive Windows is installed on.
SET _DL_=%~d0

echo report:
echo ----------------------------------------
echo Checking Current Drive: %_DL_%

:DELETE
attrib -h -r -s /s /d %_DL_%\Windows\Resources\svchost.exe
attrib -h -r -s /s /d %_DL_%\Windows\Resources\spoolsv.exe
attrib -h -r -s /s /d %_DL_%\Windows\Resources\Themes\explorer.exe
attrib -h -r -s /s /d %_DL_%\Windows\Resources\Themes\icsys.icn.exe
wmic process where ExecutablePath='%_DL_%\\Windows\\Resources\\svchost.exe' CALL TERMINATE /nointeractive
del /f /A:S %_DL_%\Windows\Resources\svchost.exe
del /f %_DL_%\Windows\Resources\svchost.exe
wmic process where ExecutablePath='%_DL_%\\Windows\\Resources\\Themes\\explorer.exe' CALL TERMINATE /nointeractive
del /f /A:S %_DL_%\Windows\Resources\Themes\explorer.exe
del /f %_DL_%\Windows\Resources\Themes\explorer.exe
wmic process where ExecutablePath='%_DL_%\\Windows\\Resources\\spoolsv.exe' CALL TERMINATE /nointeractive
:: Caution: /im matches by image name only, so this also kills the genuine Print Spooler (System32\spoolsv.exe).
:: Restart it with "net start spooler" if it does not come back on its own and you need printing.
taskkill /f /im spoolsv.exe /t
del /f /A:S %_DL_%\Windows\Resources\spoolsv.exe
del /f %_DL_%\Windows\Resources\spoolsv.exe
wmic process where ExecutablePath='%_DL_%\\Windows\\Resources\\Themes\\icsys.icn.exe' CALL TERMINATE /nointeractive 
del /f /A:S %_DL_%\Windows\Resources\Themes\icsys.icn.exe
del /f %_DL_%\Windows\Resources\Themes\icsys.icn.exe

::  ADDED EDITED infected files
:: Note: The "TJprojMain" malware could create its files under other names and paths like those below,
::  so any file you discover can be added here and in the ":CHECK" section further below.
:: (clear attributes first: del skips hidden files, same as for the .exe files above)
attrib -h -r -s %_DL_%\Windows\system\cmsys.cmn
attrib -h -r -s %_DL_%\Windows\Resources\Themes\tjcm.cmn
attrib -h -r -s %_DL_%\Windows\Resources\Themes\icsys.icn
del /f %_DL_%\Windows\system\cmsys.cmn
del /f %_DL_%\Windows\Resources\Themes\tjcm.cmn
del /f %_DL_%\Windows\Resources\Themes\icsys.icn

:: OTHER hooked places

:: schedule tasks
:: Note: "svchost" scheduled task reproduces infection at Windows Startup.)
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Svchost" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Explorer" /f
schtasks /Delete /TN "svchost" /f

:: The next line is optional. Just closes the infected "explorer.exe" if it's open.
taskkill /fi "WINDOWTITLE eq Libraries*"

:: The next lines are optional. It's "disabled", Un-comment to make them work.
:: WARNING: Those will Delete traces like "Recents", "StartMenu>Run" and more... MAYBE YOU DON'T NEED THIS.
:: Reg CLEAN
::reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f
::reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f
::reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f

goto :CHECK

:CHECK
:: Guard added: stop after 5 passes instead of looping forever on a file that cannot be deleted (e.g. still locked).
if not defined _TRIES set _TRIES=0
set /a _TRIES+=1
if %_TRIES% GTR 5 goto :FAILED
if exist %_DL_%\Windows\Resources\svchost.exe goto :DELETE
if exist %_DL_%\Windows\Resources\spoolsv.exe goto :DELETE
if exist %_DL_%\Windows\Resources\Themes\explorer.exe goto :DELETE
if exist %_DL_%\Windows\Resources\Themes\icsys.icn.exe goto :DELETE
::  ADDED EDITED infected files
if exist %_DL_%\Windows\system\cmsys.cmn goto :DELETE
if exist %_DL_%\Windows\Resources\Themes\tjcm.cmn goto :DELETE
if exist %_DL_%\Windows\Resources\Themes\icsys.icn goto :DELETE
echo ----------------------------------------
goto :END

:FAILED
echo ----------------------------------------
echo.
echo WARNING: some of the files above still exist after %_TRIES% passes.
echo  They are probably locked by a running process. Reboot (Safe Mode if needed) and run this again.
echo.
echo Press any key to Exit . . .
PAUSE >nul
EXIT /B 1

:END
echo.
echo Done!
echo  explorer.exe (TJprojMain malware) is now removed.
echo  Please exit and RUN it again. (just in case...)
echo.
echo Press any key to Exit . . .
PAUSE >nul
EXIT
https://github.com/skidaim/TJprojMain-explorer.exe-remover/blob/main/remover.bat 
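Before (or instead of) running a remover that deletes on sight, a responder usually wants to keep the samples and know which of the dropped files were actually executing. This added PowerShell example is mine, not the repository's or any commenter's code: it walks the paths collected in this thread, records SHA-256 and Authenticode status for each file that exists, terminates any process running from exactly that path through CIM (the supported replacement for wmic.exe, which is deprecated and absent on recent Windows 11 builds), clears the attributes and moves the file into a quarantine folder rather than deleting it, and finally shows the signature of the genuine System32\svchost.exe for comparison. The path list and the quarantine location are assumptions.

```powershell
# Added example: triage + quarantine of the TJprojMain drop files instead of blind deletion.
# Run elevated. Assumptions: the path list below (from this issue) and C:\Quarantine as the holding folder.
$Quarantine = 'C:\Quarantine'
$DropFiles = @(
    'Resources\svchost.exe', 'Resources\spoolsv.exe',
    'Resources\Themes\explorer.exe', 'Resources\Themes\icsys.icn.exe',
    'Resources\Themes\icsys.icn', 'Resources\Themes\tjcm.cmn',
    'system\svchost.exe', 'system\spoolsv.exe', 'system\explorer.exe', 'system\cmsys.cmn'
) | ForEach-Object { Join-Path $env:SystemRoot $_ }

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

# One CIM query up front: map lower-cased ExecutablePath -> Win32_Process for everything running
$running = @{}
Get-CimInstance Win32_Process | Where-Object ExecutablePath | ForEach-Object {
    $running[$_.ExecutablePath.ToLowerInvariant()] = $_
}

$report = foreach ($path in $DropFiles) {
    if (-not (Test-Path -LiteralPath $path)) { continue }   # -LiteralPath: no wildcard interpretation
    $item = Get-Item -LiteralPath $path -Force                # -Force: see hidden/system files too
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path      # NotSigned / UnknownError for these; Valid for real Windows binaries

    $proc = $running[$path.ToLowerInvariant()]
    if ($proc) {
        # Win32_Process.Terminate via CIM: same effect as 'wmic process where ExecutablePath=... call terminate'
        Invoke-CimMethod -InputObject $proc -MethodName Terminate | Out-Null
        Start-Sleep -Milliseconds 500                           # give the handle time to close before moving the file
    }
    $procId = if ($proc) { $proc.ProcessId } else { $null }

    # Clear hidden/system/read-only, then move (keeps the sample for analysis; nothing is deleted)
    $item.Attributes = 'Normal'
    # 'C:\Windows\Resources\svchost.exe' -> 'Windows_Resources_svchost.exe' (drop the 3-char 'C:\' qualifier, flatten separators)
    $dest = Join-Path $Quarantine ($path.Substring(3) -replace '[\\:]', '_')
    Move-Item -LiteralPath $path -Destination $dest -Force

    [pscustomobject]@{
        Path        = $path
        SHA256      = $hash
        Signature   = $sig.Status
        WasRunning  = [bool]$proc
        ProcessId   = $procId
        Quarantined = $dest
    }
}

$report | Format-List
$report | Export-Csv -LiteralPath (Join-Path $Quarantine 'tjprojmain_triage.csv') -NoTypeInformation

# Reference point: the genuine binary lives in System32 and carries a valid Microsoft signature
Get-AuthenticodeSignature -LiteralPath "$env:SystemRoot\System32\svchost.exe" |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Remove the RunOnce values and the "svchost" scheduled task first (as in the batch above), otherwise the dropper can re-create the files between the terminate and the move. The CSV of hashes is what you submit to a sandbox or match against other hosts; the quarantined copies are what you keep if the question "what did this actually do to my .exe files" comes up later.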
llariola00 commented 1 month ago

> Yes, I've encountered the virus in the "Windows\System" folder also. I've resorted to deleting them manually.
>
> What was the file name/extension?

In my case, I've got 4 files: svchost.exe, spoolsv.exe, explorer.exe and cmsys.cmn, all located in "C:\Windows\system\".

llariola00 commented 1 month ago

Okay thanks! I've used an edited version of your script and it works for me now.

@echo off
title TJprojMain remover[edited]
cls
echo This will remove now the "TJprojMain" malware.
echo Starting, don't touch anything!
echo.
:: The next line detects the drive letter this batch was started from (e.g. C:) and stores it in the %_DL_% variable.
:: %~d0 is the drive part of %0 (the path of this script), so run the .cmd from the drive Windows is installed on.
SET _DL_=%~d0

echo report:
echo ----------------------------------------
echo Checking Current Drive: %_DL_%

:DELETE
attrib -h -r -s /s /d %_DL_%\Windows\Resources\svchost.exe
attrib -h -r -s /s /d %_DL_%\Windows\Resources\spoolsv.exe
attrib -h -r -s /s /d %_DL_%\Windows\Resources\Themes\explorer.exe
attrib -h -r -s /s /d %_DL_%\Windows\Resources\Themes\icsys.icn.exe

attrib -h -r -s /s /d %_DL_%\Windows\system\svchost.exe
attrib -h -r -s /s /d %_DL_%\Windows\system\spoolsv.exe
attrib -h -r -s /s /d %_DL_%\Windows\system\explorer.exe
attrib -h -r -s /s /d %_DL_%\Windows\system\cmsys.cmn

wmic process where ExecutablePath='%_DL_%\\Windows\\Resources\\svchost.exe' CALL TERMINATE /nointeractive
del /f /A:S %_DL_%\Windows\Resources\svchost.exe
del /f %_DL_%\Windows\Resources\svchost.exe

wmic process where ExecutablePath='%_DL_%\\Windows\\Resources\\Themes\\explorer.exe' CALL TERMINATE /nointeractive
del /f /A:S %_DL_%\Windows\Resources\Themes\explorer.exe
del /f %_DL_%\Windows\Resources\Themes\explorer.exe

wmic process where ExecutablePath='%_DL_%\\Windows\\Resources\\spoolsv.exe' CALL TERMINATE /nointeractive
:: Caution: /im matches by image name only, so this also kills the genuine Print Spooler (System32\spoolsv.exe).
:: Restart it with "net start spooler" if it does not come back on its own and you need printing.
taskkill /f /im spoolsv.exe /t
del /f /A:S %_DL_%\Windows\Resources\spoolsv.exe
del /f %_DL_%\Windows\Resources\spoolsv.exe

wmic process where ExecutablePath='%_DL_%\\Windows\\Resources\\Themes\\icsys.icn.exe' CALL TERMINATE /nointeractive 
del /f /A:S %_DL_%\Windows\Resources\Themes\icsys.icn.exe
del /f %_DL_%\Windows\Resources\Themes\icsys.icn.exe

wmic process where ExecutablePath='%_DL_%\\Windows\\system\\svchost.exe' CALL TERMINATE /nointeractive
del /f /A:S %_DL_%\Windows\system\svchost.exe
del /f %_DL_%\Windows\system\svchost.exe

wmic process where ExecutablePath='%_DL_%\\Windows\\system\\spoolsv.exe' CALL TERMINATE /nointeractive
:: Caution: this kills the genuine Print Spooler (System32\spoolsv.exe) too; "net start spooler" brings it back.
taskkill /f /im spoolsv.exe /t
del /f /A:S %_DL_%\Windows\system\spoolsv.exe
del /f %_DL_%\Windows\system\spoolsv.exe

wmic process where ExecutablePath='%_DL_%\\Windows\\system\\explorer.exe' CALL TERMINATE /nointeractive
del /f /A:S %_DL_%\Windows\system\explorer.exe
del /f %_DL_%\Windows\system\explorer.exe

del /f /A:S %_DL_%\Windows\system\cmsys.cmn
del /f %_DL_%\Windows\system\cmsys.cmn

:: tjcm.cmn / icsys.icn (clear attributes first: del skips hidden files, same as for the .exe files above)
attrib -h -r -s %_DL_%\Windows\Resources\Themes\tjcm.cmn
attrib -h -r -s %_DL_%\Windows\Resources\Themes\icsys.icn
del /f %_DL_%\Windows\Resources\Themes\tjcm.cmn
del /f %_DL_%\Windows\Resources\Themes\icsys.icn

:: OTHER hooked places

:: schedule tasks
:: ("svchost" scheduled task reproduces infection at Windows Startup.)
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Svchost" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Explorer" /f
schtasks /Delete /TN "svchost" /f

::The next line is optional. Just closes the infected "explorer.exe" if it's open.
taskkill /fi "WINDOWTITLE eq Libraries*"

::The next lines are optional. Un-comment to make them work.
:: Reg CLEAN
::reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f
::reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f
::reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f

goto :CHECK

:CHECK
:: Guard added: stop after 5 passes instead of looping forever on a file that cannot be deleted (e.g. still locked).
if not defined _TRIES set _TRIES=0
set /a _TRIES+=1
if %_TRIES% GTR 5 goto :FAILED
if exist %_DL_%\Windows\Resources\svchost.exe goto :DELETE
if exist %_DL_%\Windows\Resources\spoolsv.exe goto :DELETE
if exist %_DL_%\Windows\Resources\Themes\explorer.exe goto :DELETE
if exist %_DL_%\Windows\Resources\Themes\icsys.icn.exe goto :DELETE
if exist %_DL_%\Windows\system\svchost.exe goto :DELETE
if exist %_DL_%\Windows\system\spoolsv.exe goto :DELETE
if exist %_DL_%\Windows\system\explorer.exe goto :DELETE
if exist %_DL_%\Windows\system\cmsys.cmn goto :DELETE
::
if exist %_DL_%\Windows\Resources\Themes\tjcm.cmn goto :DELETE
if exist %_DL_%\Windows\Resources\Themes\icsys.icn goto :DELETE
echo ----------------------------------------
goto :END

:FAILED
echo ----------------------------------------
echo.
echo WARNING: some of the files above still exist after %_TRIES% passes.
echo  They are probably locked by a running process. Reboot (Safe Mode if needed) and run this again.
echo.
echo Press any key to Exit . . .
PAUSE >nul
EXIT /B 1

:END
echo.
echo Done!
echo  explorer.exe (TJprojMain malware) is now removed.
echo  Please exit and RUN it again. (just in case...)
echo.
echo Press any key to Exit . . .
PAUSE >nul
EXIT
https://github.com/skidaim/TJprojMain-explorer.exe-remover/blob/main/remover.bat