Guide to delete 'Contra Crypto Miner malware' (Self-created)

A self-created guide and methodology to get rid of Contra Crypto Miner malware

-----Summary:

Last week, on 17th Mar 22, my system got infected by a crypto malware named Contra Crypto Miner. Essentially, it is an infection from fake ads of a new game called Contra Returns, which is a fluke!

-----How I suspected?

Whenever I boot my system afresh, I have this usual bad habit of checking temperatures, processes, resource consumption, etc.
On this fine day, I sensed that something was not right with my system's behavior, as everything felt too heavy, like opening the browser, Explorer, Excel, etc.
CPU and GPU temps were directly above 60°C.

-----How your PC can get infected?

Fake ads of a new game called Contra Returns are on Facebook and on many other sites.
There are also many domains with this name attracting gamers to enter, click on an ad and download either an online or offline installer.
Pen drives from infected machines.

-----Research:

I instantly caught on to this behavior and found in Task Manager that some unknown process named 'Gpu_update.exe' was constantly eating 83% of the GPU, causing its temps to hit 75°C+, as if I had set a heavy game to run at startup! CPU temps were also upwards of 50°C.

"Gpu_update.exe" was running from this folder under the user's AppData: "C:\Users\username\AppData\Local\Packages\Conf\v13-13"
I searched more and found that many more similar folders under Chrome, Firefox, Microsoft, etc. had exactly the same files!

There is a separate Rnews folder "C:\Users\sTriX\AppData\Local\Packages\Rnews\v13-13" which might be controlling the rest of the folders/files in the other directories.

In the same folder, an app named "Rnews.exe" also resides. It has got its own uninstaller, but even after trying to uninstall (even if it shows success), nothing actually gets uninstalled. This app doesn't appear in the MS Store or anywhere in Programs & Features, etc.

Rnews.exe is responsible for triggering Gpu_update.exe.

Traces of Gpu_update.exe and Rnews.exe were nowhere in the registry/startup/services; rather, they run via scheduled tasks in high-priority mode, with 5 independent tasks ensuring the tasks never get killed and keep looping even after being killed via Task Manager.

To me this looks like some remote mining on your GPU.

-----Evidence: Refer to the pics below.

Task manager just after boot/reboot:
[screenshot attachment]

With CPU & GPU temps:
[screenshot attachment]

Malware locations:
[screenshot attachment]
[screenshot attachment]

Malwarebytes scan results:
[screenshot attachment]

Script output:
[screenshot attachment]

Task Scheduler entries:
[screenshot attachment]
[screenshot attachment]



-----Symptoms:

The first sign is that the system feels heavy just after boot, like some handover.
Abruptly high utilization of the GPU, with post-boot GPU and CPU temps already crossing 60°C.
Unknown processes running and utilizing the GPU (Gpu_update.exe in this case).

-----Remediation: Steps to counter:

You actually do not require any AV, etc. Manual cleanup is trustworthy for eradicating everything related.

  • In Task Manager, look out for the problem process (Gpu_update.exe in this case).
  • Identify its location.
  • Kill the process Gpu_update.exe.
  • In "Startup", look for any entry that triggers these files ("Gpu_update.exe" or "Rnews.exe"). (In my case there were none, but some users reported them months back.)
  • Search for the same filename in your user account folder: "C:\Users\username\AppData"
  • If the system is used by multiple users, then a search of the entire "C:\Users\" directory makes sense to rule out unknown possibilities.
  • Once you find the traces of similar files and folders, jot down their locations, as later they all need to be deleted.
  • Then ensure Gpu_update.exe isn't running anymore and GPU/CPU temps are normal.

@echo off

REM Restore SmartScreen ownership and permissions: take ownership, reset the ACL to
REM its default SDDL, then hand ownership back to TrustedInstaller.
takeown /f "%systemroot%\System32\smartscreen.exe" /a
cacls "%systemroot%\System32\smartscreen.exe" /s:"D:pAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204)(A;OICIIO;GXGR;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;CI;0x1200a9;;;BA)(A;OICI;0x1200a9;;;LS)(A;OICI;0x1200a9;;;NS)(A;OICI;0x1200a9;;;RC)(XA;;0x1200a9;;;BU;(Exists WIN://SYSAPPID))"
icacls "%systemroot%\System32\smartscreen.exe" /grant Administrators:F
icacls "%systemroot%\System32\smartscreen.exe" /setowner "NT SERVICE\TrustedInstaller"
icacls "%systemroot%\System32\smartscreen.exe" /grant:r Administrators:RX

REM Re-enable UAC (EnableLUA) and SmartScreen via policy
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
reg.exe ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\System /v EnableSmartScreen /t REG_DWORD /d 1 /f

REM Remove the Defender path exclusions covering the miner's folders.
REM Note: %LOCALAPPDATA% resolves to the profile of the account running the script;
REM on a multi-user system, repeat from each affected account.
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Updates"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Update"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Packages\Update"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Google\Update"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Mozilla\Update"""
powershell.exe -command "Remove-MpPreference -ExclusionPath ""%LOCALAPPDATA%\Microsoft\Update"""

REM Restore Defender settings to their defaults (each switch resets that preference)
powershell.exe -command "Remove-MpPreference -DisableArchiveScanning"
powershell.exe -command "Remove-MpPreference -DisableBlockAtFirstSeen"
powershell.exe -command "Remove-MpPreference -DisableIntrusionPreventionSystem"
powershell.exe -command "Remove-MpPreference -DisableIOAVProtection"
powershell.exe -command "Remove-MpPreference -DisablePrivacyMode"
powershell.exe -command "Remove-MpPreference -DisableScriptScanning"
powershell.exe -command "Remove-MpPreference -HighThreatDefaultAction"
powershell.exe -command "Remove-MpPreference -LowThreatDefaultAction"
powershell.exe -command "Remove-MpPreference -MAPSReporting"
powershell.exe -command "Remove-MpPreference -ModerateThreatDefaultAction"
powershell.exe -command "Remove-MpPreference -ScanAvgCPULoadFactor"
powershell.exe -command "Remove-MpPreference -ScanScheduleDay"
powershell.exe -command "Remove-MpPreference -SevereThreatDefaultAction"
powershell.exe -command "Remove-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine"
powershell.exe -command "Remove-MpPreference -SubmitSamplesConsent"

REM Delete malicious files (the Conf\ and Rnews\ folders found above are deleted manually later)
rd /s /q "%LOCALAPPDATA%\Updates"
rd /s /q "%LOCALAPPDATA%\Update"
rd /s /q "%LOCALAPPDATA%\Packages\Update"
rd /s /q "%LOCALAPPDATA%\Google\Update"
rd /s /q "%LOCALAPPDATA%\Mozilla\Update"
rd /s /q "%LOCALAPPDATA%\Microsoft\Update"

REM Remove malicious scheduled tasks (the 5 looping tasks plus the GPU task)
schtasks /delete /tn UpdateCore0x300 /f
schtasks /delete /tn UpdateCore0x301 /f
schtasks /delete /tn UpdateCore0x302 /f
schtasks /delete /tn UpdateCore0x303 /f
schtasks /delete /tn UpdateCore0x304 /f
schtasks /delete /tn ServiceGPUTaskUpdate /f

  • Copy the above script into Notepad and save the file as a .bat file.
  • Run the .bat script file in "Run as Admin" mode and input "Y" whenever prompted. Let the process finish.
  • Reboot the PC.
  • Then ensure Gpu_update.exe isn't running anymore and GPU/CPU temps are normal as usual, and if it's running, kill it again.
  • Now open "Task Scheduler" and delete all the scheduled tasks as seen in the pics above.
  • Open the earlier folders you jotted down and delete them one by one.
  • Access "%temp%" and delete everything there, and do it for every user account.
  • In "C:\Windows\Prefetch", look out for Gpu_update.exe/Rnews.exe traces and delete them. (In my case there were none, but some users reported them months back.)


I found a few older links on Reddit and YT which only refer to running some script, which actually did nothing, at least in my case; maybe the new variant is immune to that script now.
Malwarebytes detected it and offered to quarantine.
Windows Defender I do not use, but I started it for testing and it did notify and offered to quarantine.

But the real game: mere quarantine or delete won't work, as none of these will actually delete the scheduled tasks created, nor delete the entire traces, esp. the parent folders, etc.

** For some/many the guide might be boring, but going/reading through every word/line will actually help. As I faced the issue, I created the guide carefully based on my personal exp. of this malware.

For any help you can reply here so that others will also be helped!
 

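A PowerShell triage script, added here as an example and not part of the original post or its .bat script. It reports the persistence points the post describes (scheduled tasks launching from a user profile, the task and file names above, Defender exclusions, smartscreen.exe ownership) without deleting anything, so the findings can be checked before running the cleanup. It assumes Windows 10/11 with the ScheduledTasks and Defender PowerShell modules, run from an elevated prompt.

```powershell
# Added triage script, not from the original post. Assumes Windows 10/11 with the
# ScheduledTasks and Defender PowerShell modules, run from an elevated prompt.
# It only reports: review the output before running the post's cleanup .bat.

$suspectFiles = @('Gpu_update.exe', 'Rnews.exe')              # file names from the post
$suspectTasks = @('UpdateCore0x30*', 'ServiceGPUTaskUpdate')  # task names from the post's script

Write-Host '== Scheduled tasks whose action runs something from a user profile =='
# The post found nothing in registry/startup/services: persistence is scheduled tasks,
# so any task launching from under C:\Users or %LOCALAPPDATA% deserves a look.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match '(?i)\\Users\\|AppData') {
            [pscustomobject]@{
                Task  = "$($task.TaskPath)$($task.TaskName)"
                State = $task.State
                Exe   = $action.Execute
                Args  = $action.Arguments
            }
        }
    }
} | Format-Table -AutoSize -Wrap

Write-Host '== Tasks with the names the cleanup script deletes =='
foreach ($pattern in $suspectTasks) {
    Get-ScheduledTask -TaskName $pattern -ErrorAction SilentlyContinue |
        Select-Object TaskPath, TaskName, State | Format-Table -AutoSize
}

Write-Host '== Copies of the named files anywhere under C:\Users (all accounts) =='
Get-ChildItem -Path 'C:\Users' -Recurse -Force -Include $suspectFiles -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime,
        @{ n = 'SHA256'; e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } } |
    Format-List

Write-Host '== Defender exclusions and disabled protections =='
# Path exclusions under %LOCALAPPDATA% are what the cleanup script's Remove-MpPreference lines undo.
$pref = Get-MpPreference
"Exclusion paths:          $($pref.ExclusionPath -join '; ')"
"Real-time monitoring off: $($pref.DisableRealtimeMonitoring)"
"Script scanning off:      $($pref.DisableScriptScanning)"
"Archive scanning off:     $($pref.DisableArchiveScanning)"

Write-Host '== smartscreen.exe owner (expected NT SERVICE\TrustedInstaller) =='
(Get-Acl -Path "$env:SystemRoot\System32\smartscreen.exe").Owner
```

Any task in the first table that you did not create, and any exclusion path pointing into AppData, is a candidate for the manual deletion steps above.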
Manual removal is the best option to remove any kind of malware, and this above guide is wonderful. Most of the time, this above procedure can be used for most malware. Just the names of the applications will be different.

One small suggestion for the guide is to use SAFE MODE in Windows to do the cleaning of the malware. This way, it will be absolutely sure that no residue is left after cleanup.
 
Moral of the story... Don't click on tempting ads, and if you're one of those who do, then keep a real-time anti-malware solution installed (don't depend on Windows Defender). This was definitely not a 0-day attack and could have been blocked by basic signature scanning. Also, you were lucky not to get hit by ransomware instead.

All things aside, good thing you documented this for people.
 
Also, I'd suggest you add browser user profiles to Windows' Controlled folder access.

User profiles store your passwords, history, etc., and those can be easily read by any application running on your computer. For Chrome, it's stored under user/appdata/local and roaming. By giving it controlled folder access, you block access to this directory for all applications, with some exceptions. The setting is inside Ransomware protection.
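One way to apply the suggestion above from PowerShell, added here as an example rather than anything from the reply's author: it protects the default Chrome and Firefox profile folders with Controlled folder access, starting in audit mode so legitimate apps that write there show up in the Defender log before blocking is enforced. It assumes Windows 10/11 with Microsoft Defender active (Controlled folder access is a Defender feature) and an elevated prompt; the profile and browser paths are the usual defaults for the current account.

```powershell
# Added example, not from the original reply. Assumes Windows 10/11 with Defender active,
# run from an elevated PowerShell prompt. Set $enforce to $true only after reviewing the
# audit events in the "Microsoft-Windows-Windows Defender/Operational" log.
$enforce = $false

# Browser profile folders to protect (Chrome under Local, Firefox under Roaming).
$profiles = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:APPDATA\Mozilla\Firefox\Profiles"
) | Where-Object { Test-Path $_ }

# The browsers themselves must be allowed, or they cannot write their own profiles.
$browsers = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
) | Where-Object { Test-Path $_ }

if ($profiles) { Add-MpPreference -ControlledFolderAccessProtectedFolders $profiles }
if ($browsers) { Add-MpPreference -ControlledFolderAccessAllowedApplications $browsers }

# AuditMode only logs would-be blocks; Enabled blocks writes from non-allowed apps.
$mode = if ($enforce) { 'Enabled' } else { 'AuditMode' }
Set-MpPreference -EnableControlledFolderAccess $mode

# Show the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```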
 