A self-created guide and methodology to get rid of the Contra Crypto Miner malware
-----Summary: Last week, on 17th Mar 22, my system got infected by a crypto-mining malware named Contra Crypto Miner. Essentially it is an infection spread through fake ads for a new game called Contra Returns, which is a fluke!
-----How I suspected it?
Whenever I boot my system afresh I have the usual habit of checking temperatures, processes, resource consumption etc.
On this fine day, I sensed that something was not right with my system's behaviour, as everything felt too heavy: opening the browser, Explorer, Excel etc.
CPU and GPU temps were directly above 60°C.
-----How your PC can get infected:
Fake ads for a new game called Contra Returns are on Facebook and on many other sites.
There are also many domains under this name attracting gamers to enter, click on any ad and download either an online or offline installer.
Pen drives from infected machines.
-----Research:
I instantly caught up on this behaviour and found in Task Manager that an unknown process named 'Gpu_update.exe' was constantly eating 83% of the GPU, causing its temps to hit 75°C+, as if I had kept a heavy game at startup! CPU temps were also upwards of 50°C.
"Gpu_update.exe" was running from this folder under the user's AppData: "C:\Users\username\AppData\Local\Packages\Conf\v13-13"
Searching more, I found many similar folders under Chrome, Firefox, Microsoft etc. that had exactly the same files!
There is a separate Rnews folder "C:\Users\sTriX\AppData\Local\Packages\Rnews\v13-13" which might be controlling the rest of the folders/files in the other directories.
In the same folder, an app named "Rnews.exe" also resides. It has its own uninstaller, but even after trying to uninstall (even if it shows success) nothing actually gets uninstalled. This app doesn't appear in the MS Store or anywhere in Programs & Features etc.
Rnews.exe is responsible for triggering Gpu_update.exe.
Traces of Gpu_update.exe and Rnews.exe were nowhere in the registry/startup/services; rather, they run via scheduled tasks in high-priority mode, with 5 independent tasks ensuring the tasks never get killed and keep looping even after being killed via Task Manager.
To me this looks like some remote mining on your GPU.
-----Evidence: refer to the pics below.
Task manager just after boot/reboot:
With CPU & GPU temps:
Malware locations:
Malwarebytes scan results:
Script output:
Task Scheduler entries:
-----Symptoms:
The first sign is that the system feels heavy just after boot, like some handover.
Abruptly high GPU utilization, with post-boot GPU and CPU temps already crossing 60°C.
Unknown processes running and utilizing the GPU (Gpu_update.exe in this case).
-----Remediation - Steps to counter:
You actually do not require any AV etc. Manual cleanup is trustworthy to eradicate everything related.
- In Task Manager, look out for the problem process (Gpu_update.exe in this case).
- Identify its location.
- Kill the process Gpu_update.exe.
- In "Startup", look for any entry triggered to start these files (Gpu_update.exe or Rnews.exe). (In my case there were none, but some users reported them months back.)
- Search for the same filename in your user account folder: "C:\Users\username\AppData"
- If the system is used by multiple users, then a search in the entire "C:\Users\" directory makes sense to rule out unknown possibilities.
- Once you find the traces of similar files and folders, jot down their locations; later they all need to be deleted.
- Then ensure Gpu_update.exe isn't running anymore and GPU/CPU temps are normal.
@echo off
REM Restore SmartScreen ownership and permissions (cacls /s re-applies the default SDDL)
takeown /f "%systemroot%\System32\smartscreen.exe" /a
cacls "%systemroot%\System32\smartscreen.exe" /s:"DAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204)(A;OICIIO;GXGR;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;CI;0x1200a9;;;BA)(A;OICI;0x1200a9;;;LS)(A;OICI;0x1200a9;;;NS)(A;OICI;0x1200a9;;;RC)(XA;;0x1200a9;;;BU;(Exists WIN://SYSAPPID))"
icacls "%systemroot%\System32\smartscreen.exe" /grant Administrators:F
icacls "%systemroot%\System32\smartscreen.exe" /setowner "NT SERVICE\TrustedInstaller"
icacls "%systemroot%\System32\smartscreen.exe" /grant:r Administrators:RX
REM Re-enable UAC (EnableLUA) and SmartScreen
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
reg.exe ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\System /v EnableSmartScreen /t REG_DWORD /d 1 /f
REM Remove Defender path exclusions the malware added
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Updates"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Update"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Packages\Update"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Google\Update"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Mozilla\Update"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Microsoft\Update"""
REM Restore Defender settings to their defaults
powershell.exe -command "Remove-MpPreference -DisableArchiveScanning"
powershell.exe -command "Remove-MpPreference -DisableBlockAtFirstSeen"
powershell.exe -command "Remove-MpPreference -DisableIntrusionPreventionSystem"
powershell.exe -command "Remove-MpPreference -DisableIOAVProtection"
powershell.exe -command "Remove-MpPreference -DisablePrivacyMode"
powershell.exe -command "Remove-MpPreference -DisableScriptScanning"
powershell.exe -command "Remove-MpPreference -HighThreatDefaultAction"
powershell.exe -command "Remove-MpPreference -LowThreatDefaultAction"
powershell.exe -command "Remove-MpPreference -MAPSReporting"
powershell.exe -command "Remove-MpPreference -ModerateThreatDefaultAction"
powershell.exe -command "Remove-MpPreference -ScanAvgCPULoadFactor"
powershell.exe -command "Remove-MpPreference -ScanScheduleDay"
powershell.exe -command "Remove-MpPreference -SevereThreatDefaultAction"
powershell.exe -command "Remove-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine"
powershell.exe -command "Remove-MpPreference -SubmitSamplesConsent"
REM Delete malicious files
rd /s /q "%LOCALAPPDATA%\Updates"
rd /s /q "%LOCALAPPDATA%\Update"
rd /s /q "%LOCALAPPDATA%\Packages\Update"
rd /s /q "%LOCALAPPDATA%\Google\Update"
rd /s /q "%LOCALAPPDATA%\Mozilla\Update"
rd /s /q "%LOCALAPPDATA%\Microsoft\Update"
REM Remove malicious scheduled tasks (names known from the older variant)
schtasks /delete /tn UpdateCore0x300 /f
schtasks /delete /tn UpdateCore0x301 /f
schtasks /delete /tn UpdateCore0x302 /f
schtasks /delete /tn UpdateCore0x303 /f
schtasks /delete /tn UpdateCore0x304 /f
schtasks /delete /tn ServiceGPUTaskUpdate /f
- Copy the above script into Notepad and save the file as a .bat file.
- Run the .bat script file in "Run as Admin" mode and input "Y" whenever prompted. Let the process finish.
- Reboot the PC.
- Then ensure Gpu_update.exe isn't running anymore and GPU/CPU temps are normal as usual; if it is running, kill it again.
- Now open "Task Scheduler" and delete all the schedulers as seen in the pics above.
- Open the folders you jotted down earlier and delete them one by one.
- Access "%temp%" and delete everything there, and do it for every user account.
- In "C:\Windows\Prefetch", look out for Gpu_update.exe/Rnews.exe traces and delete them. (In my case there were none, but some users reported them months back.)
I found a few older links on Reddit and YT which only refer to running some script, which actually did nothing, at least in my case; maybe the new variant is immune to that script now.
Malwarebytes detected it and offered to quarantine.
Windows Defender I do not use, but I started it for testing and it did notify and offer to quarantine.
But the real game is that mere quarantine or deletion won't work, as none of these will actually delete the scheduled tasks created, nor delete the entire traces, esp. parent folders etc.
** For some/many the guide might be boring, but going/reading through every word/line will actually help. As I faced the issue, I created the guide carefully based on my personal experience with this malware.
For any help you can reply here so that others will also be helped!
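As an added example (not from the original post, and not the .bat above): a PowerShell triage and clean-up that finds the persistence by what each scheduled task actually executes, instead of by the fixed task names the .bat deletes, which is why a renamed variant can slip past that script. The indicator file names (Gpu_update.exe, Rnews.exe) and the AppData\Local\Packages location come from the findings above; the function names, the path heuristic and the clean-up order are my own assumptions. Run it elevated, first with -WhatIf, and review the report before letting it remove anything.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Indicator names and the
# AppData\Local\Packages location come from the post; everything else is an
# assumption chosen for illustration.

$IndicatorNames    = @('Gpu_update.exe', 'Rnews.exe')
$SuspectDirPattern = '(?i)\\AppData\\Local\\Packages\\'   # where the post found the binaries

function Test-SuspectPath {
    # A path is suspect if it lives under AppData\Local\Packages (an app-data
    # store, not a place a scheduled task normally launches binaries from) or
    # if its file name is one of the indicators.
    param([string]$Path)
    if (-not $Path) { return $false }
    $clean = $Path.Trim('"')
    if ($clean -match $SuspectDirPattern) { return $true }
    return ($IndicatorNames -contains (Split-Path -Leaf $clean))
}

function Get-SuspectTask {
    # Scheduled tasks whose action executes a suspect path or names an
    # indicator in its arguments. Actions without an Execute member (COM
    # handlers) simply yield '' and are skipped.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            $argHit = $false
            foreach ($n in $IndicatorNames) {
                if ($arguments -match [regex]::Escape($n)) { $argHit = $true }
            }
            if ((Test-SuspectPath $exe) -or $argHit) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe.Trim('"')
                    Arguments = $arguments
                    State     = $task.State
                }
            }
        }
    }
}

function Get-SuspectProcess {
    # Running processes whose image path is suspect (elevation is needed to
    # read every process's path).
    Get-Process | Where-Object { Test-SuspectPath $_.Path } |
        Select-Object Id, ProcessName, Path
}

function Get-SuspectExclusion {
    # Defender path exclusions pointing into a user profile. The .bat removes a
    # fixed list; this shows what is actually configured so nothing is missed.
    (Get-MpPreference).ExclusionPath |
        Where-Object { $_ -match '(?i)\\Users\\|%LOCALAPPDATA%|%APPDATA%' }
}

function Remove-MinerPersistence {
    # Order: tasks first so nothing respawns the miner, then processes, then
    # the directories they ran from, then Defender exclusions. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $tasks = @(Get-SuspectTask)
    $procs = @(Get-SuspectProcess)

    foreach ($t in $tasks) {
        if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -Confirm:$false
        }
    }
    foreach ($p in $procs) {
        if ($PSCmdlet.ShouldProcess("$($p.ProcessName) (PID $($p.Id))", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        }
    }
    # Only directories that actually held a suspect binary are removed. The post
    # found sibling copies under Chrome/Firefox/Microsoft, so the set is built
    # from every hit rather than from one hard-coded path.
    $dirs = @($tasks | ForEach-Object { $_.Execute }) + @($procs | ForEach-Object { $_.Path }) |
        Where-Object { $_ } | ForEach-Object { Split-Path -Parent $_ } | Sort-Object -Unique
    foreach ($d in $dirs) {
        if ((Test-Path -LiteralPath $d) -and $PSCmdlet.ShouldProcess($d, 'Remove-Item -Recurse')) {
            Remove-Item -LiteralPath $d -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
    foreach ($ex in @(Get-SuspectExclusion)) {
        if ($PSCmdlet.ShouldProcess($ex, 'Remove-MpPreference -ExclusionPath')) {
            Remove-MpPreference -ExclusionPath $ex
        }
    }
}

# Usage: report first, then act.
Get-SuspectTask      | Format-Table -AutoSize
Get-SuspectProcess   | Format-Table -AutoSize
Get-SuspectExclusion
Remove-MinerPersistence -WhatIf   # drop -WhatIf once the report looks right
```

The report step matters: the path heuristic is deliberately narrow (AppData\Local\Packages plus the two indicator names) so that legitimate per-user updaters are not swept up, but anything the report lists should still be checked against the folders you jotted down before -WhatIf is removed. After a reboot, run the report again; if a task or process reappears, a persistence mechanism outside the scheduled tasks is still present.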