If your laptop has become suspiciously slow, is heating up for no reason, or the fans run at maximum speed even during simple tasks, it may be infected with a hidden miner. Malicious programs for cryptocurrency mining (Monero, Bitcoin, Ethereum) are actively distributed through hacked sites, pirated software and system vulnerabilities. They consume your CPU or GPU resources, shortening the life of your hardware and increasing your energy bills.
In this article you will find step-by-step instructions on how to identify a miner on Windows 10, check suspicious processes, analyze network traffic and completely clean the system. We will look at both standard operating system tools and specialized utilities, without the need to pay for antivirus software or contact IT specialists.
Signs of infection with a mining virus
Hidden miners often masquerade as legitimate processes, but their activities still leave traces. Pay attention to these key symptoms:
- 🔥 The laptop overheats even in standby mode (CPU/GPU temperature exceeds 80-90°C)
- ⚡ Significant increase in energy consumption (the battery runs out in 1-2 hours instead of the usual 4-6)
- 🐢 The system freezes when opening the task manager or launching heavy applications
- 📈 Inexplicably high network traffic (especially on ports 3333, 5555, 7777)
- 🖥️ Fans work at maximum immediately after turning on the PC
Important: modern miners can automatically reduce their load when the task manager is opened in order to remain undetected. If the symptoms disappear while you are checking but return after 5-10 minutes, this is a sure sign of hidden mining.
For accurate diagnosis, you will need to analyze several parameters simultaneously. Start by checking the CPU load in idle mode (when no programs are running). Normal indicators for Windows 10:
| Component | Normal load (%) | Suspicious load (%) |
|---|---|---|
| Central Processing Unit (CPU) | 0-5% | 50-100% (constant) |
| Graphics Processing Unit (GPU) | 0-2% | 30-100% (even without games) |
| Random access memory (RAM) | 20-40% | 80-100% (in the absence of heavy programs) |
| Disk activity | 0-1% | 5-10% (continuous write/read) |
Checking via Task Manager
The fastest way to identify a miner is to analyze active processes using the standard Task Manager. Open it with the combination Ctrl+Shift+Esc and follow these steps:
- Go to the "Details" tab (not to be confused with "Processes")
- Sort processes by the "CPU" or "Memory" column (click on the column title)
- Pay attention to unknown processes with high load (especially with names like svchost.exe *32, lsass.exe, winlogon.exe in several copies)
- Check the path to the executable file (right-click → "Open file location")
Typical signs of a miner in the task manager:
- 📁 The process is located in non-standard folders: C:\Users\AppData\Roaming\, C:\ProgramData\, C:\Windows\Temp\
- 🔄 The process name imitates system services (for example, svch0st.exe instead of svchost.exe)
- 🖥️ High load on the GPU in the absence of graphic tasks (checked in the "Performance" tab)
- 🌐 Suspicious network connection ("Details" tab → "Network" column)
If you find a suspicious process, don't delete it right away - first create a system restore point (Control Panel → Recovery → Set up system recovery). Some miners block the deletion of their files or disguise themselves as critical system components.
⚠️ Attention: the processes MsMpEng.exe (Windows Defender) and NVIDIA Container (for NVIDIA video cards) are often mistaken for miners. Before deleting, check their digital signature through the file properties.
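The Task Manager checks above can be done in one pass from PowerShell. The script below is an added example, not code from the original article: it samples each process's current CPU share (without opening Task Manager, so a miner that throttles itself when Task Manager appears has no cue), shows the executable path, flags paths in the folders listed above and names that imitate system binaries, and checks the Authenticode signature. The 20% threshold and the folder list are assumptions to tune for your machine.

```powershell
# Added example (not from the original article): process triage in one pass.
# Run from an elevated PowerShell so that paths of other users' processes are readable.
$suspiciousDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, 'C:\ProgramData', 'C:\Windows\Temp')

function Get-ProcessTriage {
    param([int]$MinCpuPercent = 20)   # assumed threshold; tune for your machine

    # Current per-process CPU share. On multi-core machines this value is summed
    # over cores, so it can exceed 100. _Total and Idle are excluded.
    $perf = Get-CimInstance Win32_PerfFormattedData_PerfProc_Process |
        Where-Object { $_.Name -notin @('_Total', 'Idle') -and $_.PercentProcessorTime -ge $MinCpuPercent }

    foreach ($p in $perf) {
        $proc = Get-Process -Id $p.IDProcess -ErrorAction SilentlyContinue
        $path = $proc.Path                     # null for protected/system processes
        $sig  = 'n/a'
        if ($path) {
            $sig = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
        }
        $inSuspiciousDir = $false
        if ($path) {
            foreach ($d in $suspiciousDirs) {
                if ($path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $inSuspiciousDir = $true }
            }
        }
        # A look-alike: named like a system binary but not running from System32
        $lookAlike = ($path -ne $null) -and
                     ($p.Name -match '^(svchost|lsass|winlogon|csrss)') -and
                     ($path -notlike "$env:SystemRoot\System32\*")
        [pscustomobject]@{
            PID              = $p.IDProcess
            Name             = $p.Name
            CpuPercent       = $p.PercentProcessorTime
            Path             = $path
            Signature        = $sig          # Valid / NotSigned / HashMismatch / n/a
            SuspiciousFolder = $inSuspiciousDir
            LookAlike        = $lookAlike
        }
    }
}

Get-ProcessTriage | Sort-Object CpuPercent -Descending | Format-Table -AutoSize
```

Rows with Signature other than Valid combined with SuspiciousFolder or LookAlike are the ones to investigate first; a valid Microsoft or NVIDIA signature is how you clear MsMpEng.exe and NVIDIA Container.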
Network activity analysis
Miners constantly exchange data with mining pools to receive tasks and send results. This traffic can be tracked through built-in Windows 10 tools:
- Open Resource Monitor (press Win+R, enter resmon)
- Go to the "Network" tab
- Pay attention to processes with active connections to unknown IP addresses
- Check ports 3333, 5555, 7777, 14444 - they are often used by miners
For a more in-depth analysis, use this command in the Command Prompt (run as administrator):
netstat -ano | findstr "ESTABLISHED"
This command will show all active network connections. Please note:
- 🌍 Suspicious foreign IPs (especially from China, Russia, the Netherlands)
- 🔗 Many connections from one process to different addresses
- 🔄 Connections on non-standard ports (above 10000)
To check a specific IP address, use services like VirusTotal or AbuseIPDB. Mining pools are often blacklisted by these services.
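The netstat step above can be automated so that every established connection is shown with its owning process and path, and the three heuristics from this section are applied to each row. This is an added example, not code from the original article; it uses the standard Get-NetTCPConnection cmdlet, the pool ports named above and the "above 10000" rule, and the threshold of 10 distinct remote addresses per process is an assumption.

```powershell
# Added example (not from the original article): established TCP connections
# with owning process, flagged by the article's heuristics. Run elevated.
$poolPorts = @(3333, 5555, 7777, 14444)

function Get-ConnectionTriage {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |   # skip loopback
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            # Classification follows the article; verify the address with
            # VirusTotal/AbuseIPDB before acting on it.
            $flag = ''
            if ($_.RemotePort -in $poolPorts)  { $flag = 'pool-port' }
            elseif ($_.RemotePort -gt 10000)   { $flag = 'high-port' }
            [pscustomobject]@{
                PID           = $_.OwningProcess
                Process       = $proc.ProcessName
                Path          = $proc.Path
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Flag          = $flag
            }
        }
}

$conns = Get-ConnectionTriage
$conns | Sort-Object Flag -Descending | Format-Table -AutoSize

# Third heuristic: many connections from one process to different addresses.
# 10 distinct endpoints is an assumed threshold; browsers legitimately exceed it.
$conns | Group-Object PID |
    Where-Object { ($_.Group.RemoteAddress | Select-Object -Unique).Count -gt 10 } |
    ForEach-Object { "PID $($_.Name) ($($_.Group[0].Process)) talks to $($_.Count) remote endpoints" }
```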
How miners mask network traffic
Some modern miners use legitimate protocols (such as WebSocket or Tor) to exchange data. They can connect to cloud services (AWS, Google Cloud) or CDN, which makes them difficult to detect. In such cases, only deep packet analysis via Wireshark helps.
Checking startup and task scheduler
Miners are often registered in startup or create tasks in Task Scheduler to run every time you turn on the laptop. You can check this like this:
- Startup:
  - Press Ctrl+Shift+Esc → "Startup" tab
  - Sort by the "Launch Impact" column
  - Check for unknown programs with high impact
- Task Scheduler:
  - Press Win+R, enter taskschd.msc
  - Check the folders: Task Scheduler Library → Microsoft → Windows (there should be no unknown tasks) and Task Scheduler Library → Task (tasks are often created here by miners)
Typical signs of infected tasks:
- 📅 Tasks with random names (for example, UpdateWin10_45678)
- ⏰ Triggers to run every 5-10 minutes
- 🔄 Actions that launch .exe or .bat files from temporary folders
- 👤 Tasks created by an unknown user (checked in properties)
If you find a suspicious task, don't delete it right away — first export (right-click → “Export”). This will help restore the task if it turns out to be legitimate.
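The four signs above, and the export-before-deleting advice, can be applied to every task at once. The following PowerShell script is an added example and not code from the original article: it enumerates scheduled tasks, reports the reasons a task matches (temporary-folder action, repetition of 10 minutes or less, script host with hidden or encoded arguments, random-looking numeric suffix), and exports each flagged task to XML. The export folder, the folder list and the "four or more trailing digits" rule are assumptions.

```powershell
# Added example (not from the original article): scheduled task triage.
$exportDir = "$env:USERPROFILE\Desktop\task-backups"   # assumed location
$tempDirs  = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, 'C:\ProgramData', 'C:\Windows\Temp')

function Get-TaskTriage {
    foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        $reasons = @()
        foreach ($a in $t.Actions) {
            $exe = [string]$a.Execute
            $exp = [Environment]::ExpandEnvironmentVariables($exe)
            foreach ($d in $tempDirs) {
                if ($exp.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $reasons += "runs from $d" }
            }
            if ($exe -match '(?i)(powershell|wscript|cscript|cmd)(\.exe)?$' -and
                [string]$a.Arguments -match '(?i)(-enc|hidden|%temp%|appdata)') {
                $reasons += 'script host with hidden/encoded arguments'
            }
        }
        foreach ($tr in $t.Triggers) {
            $interval = $tr.Repetition.Interval          # ISO 8601 duration, e.g. PT5M
            if ($interval -match '^PT(\d+)M$' -and [int]$matches[1] -le 10) {
                $reasons += "repeats every $($matches[1]) min"
            }
        }
        if ($t.TaskName -match '\d{4,}$') { $reasons += 'random-looking numeric suffix' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Path = $t.TaskPath; Name = $t.TaskName; Author = $t.Author; Reasons = ($reasons -join '; ') }
        }
    }
}

$flagged = Get-TaskTriage
$flagged | Format-Table -AutoSize

# Export flagged tasks before touching them; Export-ScheduledTask returns the task XML.
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
foreach ($f in $flagged) {
    $file = Join-Path $exportDir (("$($f.Name).xml") -replace '[\\/:*?"<>|]', '_')
    Export-ScheduledTask -TaskName $f.Name -TaskPath $f.Path | Set-Content -Path $file
}
```

Expect some legitimate Microsoft tasks to match the repetition rule; the Author column and the action path decide which matches deserve a closer look.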
Create a separate Windows user with limited rights for day-to-day work. This will make it much more difficult for miners to gain administrative rights.
Using specialized utilities
Standard Windows 10 tools cannot always detect modern miners that use obfuscation techniques and rootkit components. For an in-depth check, we recommend these free utilities:
| Utility | Purpose |
|---|---|
| Process Explorer | An extended analogue of the Task Manager from Microsoft. Shows hidden processes and their parent relationships. |
| Autoruns | Shows all startup points in the system, including hidden ones. |
| GMER | Detection of rootkits that disguise miners. |
| TCPView | Detailed monitoring of network connections indicating the owner process. |
Instructions for using Process Explorer to search for a miner:
- Run the utility as administrator
- Press Ctrl+F and enter part of the name of the suspicious process
- Check:
  - Process color (pink = service, blue = packed file)
  - Path to the executable file
  - Parent process (miners are often launched from explorer.exe or svchost.exe)
GMER requires special care when using:
⚠️ Attention: This utility runs at a low system level and may cause BSOD (blue screen of death) when scanning active rootkits. Before use, save all important data and create a restore point. Scanning takes 10-30 minutes - do not interrupt the process.
Checking the Windows Registry
Many miners register in the Windows registry to run at system startup or block detection. Check these keys (open regedit through Win+R):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
What to look for in the registry:
- 🔑 Unknown string parameters with paths to .exe files
- 📜 Parameters with random names (for example, UpdateWin10_78945)
- 🔗 Paths to files in temporary folders: %Temp%, %AppData%, %LocalAppData%
- 🖥️ Settings that launch PowerShell or WScript with suspicious scripts
Before deleting registry keys, be sure to make a backup copy:
- Select a section (for example, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run)
- File → Export → Save the .reg file
- Only then delete suspicious parameters
Some miners create tasks in Task Scheduler through the registry. Check this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
All scheduled tasks are stored here in encrypted form. For analysis it is better to use Autoruns, since manual parsing of this data is extremely difficult.
The registry is one of the favorite places for miners to autorun. Even after deleting the virus files, it can recover if the corresponding registry keys are not cleared.
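The five autorun keys listed above, the four things to look for, and the backup-first rule fit in one script. This is an added example and not code from the original article: it exports each key with reg.exe, then reports values that point into temporary or profile folders, invoke a script host, have a random-looking name, or reference an executable that no longer exists. It deletes nothing. The backup folder and the "four or more trailing digits" rule are assumptions.

```powershell
# Added example (not from the original article): autorun key triage with backup.
$backupDir = "$env:USERPROFILE\Desktop\reg-backups"    # assumed location
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-AutorunTriage {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        # reg.exe wants the HKEY_... form, not the PowerShell drive form
        $regPath = $key -replace '^HKCU:', 'HKEY_CURRENT_USER' -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
        $file = Join-Path $backupDir (($regPath -replace '[\\:]', '_') + '.reg')
        reg.exe export $regPath $file /y | Out-Null       # backup before any analysis

        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }       # skip PSPath, PSChildName, ...
            $value    = [string]$prop.Value
            $expanded = [Environment]::ExpandEnvironmentVariables($value)
            $reasons  = @()
            if ($value -match '(?i)%temp%|%appdata%|%localappdata%|\\AppData\\|\\Temp\\|\\ProgramData\\') { $reasons += 'temp/profile folder' }
            if ($value -match '(?i)powershell|wscript|cscript|mshta|-enc') { $reasons += 'script host' }
            if ($prop.Name -match '\d{4,}$') { $reasons += 'random-looking name' }
            # First quoted or unquoted .exe token; a missing target is a leftover to clean up
            $exe = $null
            if ($expanded -match '^"?([^"]+?\.exe)') { $exe = $matches[1] }
            if ($exe -and -not (Test-Path $exe)) { $reasons += 'target missing' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $regPath; Name = $prop.Name; Value = $value; Reasons = ($reasons -join '; ') }
            }
        }
    }
}

Get-AutorunTriage | Format-Table -Wrap
```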
Removing the miner and restoring the system
If you find a miner, follow this algorithm:
- Create a restore point:
  - Control Panel → Recovery → Set up system recovery
  - Click "Create" and follow the instructions
- Terminate suspicious processes:
  - Open Task Manager → find the process → "End task"
  - If the process does not terminate, use Process Explorer (right-click → "Kill Process")
- Remove miner files:
  - Go to the folder with the executable file (from Task Manager)
  - Delete all files in this folder
  - Check your temporary folders (%Temp%, %AppData%)
- Clean startup and registry:
  - Remove tasks from Task Scheduler
  - Clear registry keys (as described above)
- Check your system with antivirus:
  - Use Malwarebytes or Kaspersky Virus Removal Tool
  - Run a full scan
After removing the miner, be sure to:
- 🔄 Reboot your laptop
- 🛡️ Update Windows and drivers
- 🔒 Check the strength of passwords (miners often steal access data)
- 📥 Install an ad blocker (for example, uBlock Origin) to protect against drive-by mining
If symptoms remain after cleaning:
- 🔍 Check your laptop for other viruses
- 🖥️ Go back to the restore point (if the problem started recently)
- 🔄 Reinstall Windows (a last resort if the miner is deeply embedded in the system)
After removing the miner, disable remote access to the laptop (RDP) and check open ports using the command netstat -ano. Many miners open back doors for re-infection.
Prevention of re-infection
To protect your laptop from future miners:
- Update the system:
  - Turn on automatic Windows updates
  - Update your drivers regularly (especially for your video card)
- Use a reliable antivirus:
  - Bitdefender, Kaspersky or ESET NOD32 have specialized modules for detecting miners
  - Set up regular scanning
- Block suspicious sites:
  - Install the uBlock Origin extension for your browser
  - Use Pi-hole on the router to block known mining domains
- Monitor software installation:
  - Download programs only from official sites
  - Use Sandboxie to run suspicious files in an isolated environment
Additional protection measures:
- 🔐 Disable script execution in the browser (in security settings)
- 🛡️ Use Windows Defender Application Guard for browser isolation
- 📊 Set up alerts about high CPU/GPU load via HWInfo or AIDA64
- 🔄 Check startup and task scheduler regularly
For advanced users:
- 🔧 Customize Windows Defender Exploit Guard to block suspicious activities
- 📜 Turn on Controlled Folder Access to protect system folders from changes
- 🖥️ Use Windows Sandbox for testing suspicious programs
Remember: miners are constantly evolving. What worked today may not work tomorrow. Regularly update your knowledge of new threats and defense methods.
How do miners get into a laptop?
Main routes of infection:
- Pirated software: Cracked programs often contain built-in miners (especially repacks of games and design software).
- Hacked sites: JavaScript miners are launched directly in the browser when visiting infected pages.
- Fake updates: Fake Flash Player, Java or browser update notifications.
- Software vulnerabilities: Exploits for Windows, browsers or plugins (for example, EternalBlue).
- Phishing attachments: DOC/XLS files with macros that launch the miner.
The most dangerous type is file miners, which are installed as legitimate software and can remain undetected for years.
Can a miner damage a laptop?
Yes, long-term mining significantly reduces the service life of components:
- Overheat: Constant operation at maximum frequencies leads to degradation of thermal paste and failure of chips.
- Battery wear: Mining increases the number of charge cycles, reducing battery capacity.
- SSD degradation: Constantly recording temporary files reduces the resource of memory cells.
- Video card damage: GPU mining is especially dangerous for laptops - they are not designed for 24/7 workloads.
According to statistics, a laptop under constant mining fails 2-3 times faster than during normal use.
How does mining through a browser work?
Browser mining (or cryptojacking) works through JavaScript code on a web page. Popular scenarios:
- Hidden mining: Code from Coinhive or similar services is embedded into the site without the user's knowledge.
- Legitimate mining: Some sites offer to disable your ad blocker in exchange for using the visitor's resources.
- Drive-by mining: The code runs when you click on a link or open a pop-up window.
Protection against browser mining:
- Use extensions NoCoin or MinerBlock
- Disable JavaScript on unknown sites
- Set up uBlock Origin with filters to block mining scripts
Browser mining is less dangerous for hardware, but still steals resources and increases electricity bills.
What to do if the miner blocks the antivirus?
If the miner blocks the launch of antivirus or diagnostic tools:
- Boot into Safe Mode:
  - Reboot the laptop while holding down the Shift key
  - Select "Safe Mode with Networking"
- Use portable utilities:
  - Download Kaspersky Virus Removal Tool on another PC
  - Transfer it to a flash drive and run it on the infected laptop
- Restore the registry:
  - Import your registry backup (if you have one)
  - Use RegDelNull to remove keys with null characters
- Disable network connections:
  - Disable Wi-Fi/Ethernet before starting treatment
  - This will prevent the miner from communicating with the control server
If all else fails, reinstall Windows with a full disk format. This is guaranteed to remove all traces of the miner.
How to check a laptop for mining at work?
If you suspect that a corporate laptop is being used for mining:
- Check corporate policies:
  - Use gpresult /h report.html to generate a group policy report
  - Check for suspicious scripts in C:\Windows\System32\GroupPolicy\Machine\Scripts
- Analyze network traffic:
  - Use Wireshark for packet capture
  - Look for connections to known mining pools
- Check domain controllers:
  - Request logs from the Active Directory administrator
  - Look for unusual tasks in Group Policy Objects
- Use SIEM systems:
  - If the company has Splunk or ELK, check the logs for anomalies
  - Set up high load alerts on workstations
In a corporate environment, miners are often distributed through:
- Infected network folders
- Vulnerabilities in RDP or SMB
- Fake enterprise software updates
If you discover mining on a work laptop, immediately inform your IT security service - this could be part of a more serious attack on the company's infrastructure.