@Iksas
Created October 29, 2025 16:17
Crypto miner removal

This manual describes how to remove a trojan I came across on someone else's machine.

The trojan seems to contain a crypto miner, and spreads by infecting USB sticks.

Here are hashes of the trojan's main files:

svctrl64.exe:

  • md5: b88b2c61844a49fcc54727105ae9abac
  • sha256: c946fab611d49b224d1f6ecee63f02bdfcfb017b860ca1f8361546f5d2c77daa

uXXXXXX.dll, where XXXXXX are six random digits, e.g. u148375.dll:

  • md5: 1cf4a8bfd59d5f04be313d2fa3af5f5a
  • sha256: e93823b3cc234511c49ffde8169794600417c59e0a3340c5407cc57b71bdb378

Removal steps

1. Preventing the malware from automatically running

  • Download the Autoruns program from the Microsoft website (search for autoruns download site:microsoft.com). This program allows you to inspect which software is started when you turn on your PC.
  • Extract the .zip, and run the Autoruns64 program as an administrator.
  • After the program has loaded, scroll down the list. There will be a few lines with a red background. Two of them will be called \svctrl64 and uXXXXXX. Right-click on them and select Delete.

2. Removing the malware files

Delete the following files:

  • C:\Windows\System32\uXXXXXX.dll
  • C:\Windows\System32\svctrl64.exe

If you have an infected USB stick, also delete these files:

  • X:\sysvolume\
  • The malicious .lnk file

3. Reboot and check

Restart your computer, and open the Autoruns64 program again as an administrator. Check that the \svctrl64 and uXXXXXX entries you deleted have not come back.

If they have come back, repeat the previous steps.

4. Delete Microsoft Defender exclusions

To avoid detection, the virus added the following folders to Microsoft Defender's exclusion list:

  • C:\Windows \System32
  • C:\Windows\System32
  • X:\sysvolume\

Open the Windows Security application, and navigate to Virus & threat protection -> Virus & threat protection settings -> Manage settings -> Exclusions -> Add or remove exclusions.

Click on each excluded path and remove it.

Reboot the machine.

5. Perform a system scan

Open the Windows Security application, and navigate to Virus & threat protection -> Scan options.

Perform a Microsoft Defender Offline scan if possible. Alternatively, perform a Full scan.

Indicators of compromise

The following information can be used to detect infected computers and USB sticks.

On Computers

The following files exist:

  • C:\Windows\System32\uXXXXXX.dll
  • C:\Windows\System32\svctrl64.exe

On USB sticks

  • There is a hidden folder X:\sysvolume\, which is only accessible by directly typing its path.
  • There is a malicious .lnk file which points to a script inside the sysvolume folder. The .lnk has the same name as a folder on the USB stick. (For example, if there is a X:\test\ folder, the link is named X:\test.lnk, and the original folder is hidden.)
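
An added PowerShell check for the indicators above (this script is not part of the gist; it assumes the System32 paths, the u-plus-six-digits file name pattern, the Defender exclusion paths and the SHA-256 hashes listed above, and should be run from an elevated prompt):

```powershell
# Added detection script, not part of the original gist. Read-only: it reports findings,
# it does not delete anything. Hashes below are the SHA-256 values listed in the gist.
$KnownSha256 = @{
    'svctrl64.exe' = 'c946fab611d49b224d1f6ecee63f02bdfcfb017b860ca1f8361546f5d2c77daa'
    'uXXXXXX.dll'  = 'e93823b3cc234511c49ffde8169794600417c59e0a3340c5407cc57b71bdb378'
}
$findings = @()

# 1. Host files: svctrl64.exe and u<six digits>.dll in System32 (-Force also lists hidden files)
$sys32 = Join-Path $env:SystemRoot 'System32'
$candidates = @(Get-ChildItem -Path $sys32 -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq 'svctrl64.exe' -or $_.Name -imatch '^u\d{6}\.dll$' })
foreach ($f in $candidates) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
    $key  = if ($f.Name -ieq 'svctrl64.exe') { 'svctrl64.exe' } else { 'uXXXXXX.dll' }
    $note = if ($hash -eq $KnownSha256[$key]) { 'hash matches gist' } else { 'name matches, hash differs (possible variant)' }
    $findings += "FILE  $($f.FullName)  [$note]"
}

# 2. Defender exclusions named in the gist (note the 'C:\Windows \System32' variant with a space),
#    plus any exclusion ending in \sysvolume, whatever drive letter the USB stick had
$suspectExclusions = @('C:\Windows \System32', 'C:\Windows\System32')
foreach ($e in @((Get-MpPreference).ExclusionPath)) {
    if ($suspectExclusions -contains $e -or $e -imatch '\\sysvolume\\?$') {
        $findings += "EXCL  Defender exclusion present: $e"
    }
}

# 3. Removable drives (DriveType 2): hidden sysvolume folder and .lnk files that shadow a folder
$removable = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -and $_.DeviceID }
foreach ($d in $removable) {
    $root = "$($d.DeviceID)\"
    $sv   = Join-Path $root 'sysvolume'
    if (Test-Path -LiteralPath $sv) { $findings += "USB   hidden folder $sv" }
    foreach ($lnk in Get-ChildItem -Path $root -File -Force -Filter '*.lnk' -ErrorAction SilentlyContinue) {
        $folder = Join-Path $root $lnk.BaseName
        if (Test-Path -LiteralPath $folder -PathType Container) {
            $findings += "USB   $($lnk.FullName) shadows folder $folder"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the gist found.' } else { $findings }
```

A name match with a differing hash is still worth treating as suspicious, since the gist's hashes cover only the sample its author saw.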
@Oakchris1955
Oakchris1955 commented Nov 30, 2025

Crypto miner found in Greece last Monday (November 24, 2024). At least on VirusTotal the majority of the scans report it as malware. The miner also seems to mine the Monero cryptocurrency.
