Have you noticed that your laptop has started to get suspiciously warm for no apparent reason? Do the fans run at their limit even when you are just watching a video, and does the battery run out in a couple of hours? Your device may be infected with a hidden miner: malware that uses processor or video card resources to mine cryptocurrency. According to Kaspersky, in 2023, every fifth corporate computer encountered such attacks, and home devices even more often.
Miners are dangerous not only due to increased wear of components. They steal electricity (up to 300-500 rubles per month during active operation), reduce battery life and can serve as a “back door” for other viruses. Worst of all, modern miners are able to masquerade as system processes, making their detection a task for experienced users. But there is good news: you can check your laptop for the presence of a miner yourself - without installing an antivirus or deep knowledge of IT.
Signs of infection by miners: when to sound the alarm
Hidden miners rarely give themselves away with obvious symptoms, but there are 7 key signs that should alert you:
- 🔥 Overheating without load: The laptop heats up to 80-90°C when working in Word or viewing YouTube (the norm for office tasks is 40-60°C).
- ⚡ A sharp drop in autonomy: The battery drains in 1-2 hours instead of the usual 5-6, even if you don't play games.
- 🐢 System slowdown: the cursor “stutters”, applications open with a delay of 10-20 seconds, although before everything worked quickly.
- 🔊 Constant fan noise: coolers operate at maximum speed even in standby mode.
- 📉 Unexplained traffic consumption: 1-3 GB of data “leaks” per day (check in Settings → Network → Data usage).
- 🖥️ Artifacts on the screen: flickering, stripes or “snow” during simple operation is a sign of an overloaded video card.
- 🔄 Spontaneous reboots: laptop suddenly turns off or goes to a blue screen (BSOD) without errors in the logs.
If you observe at least 2-3 items from the list, the probability of infection by a miner is 70-80%. But don’t panic: next we’ll look at how to confirm or refute suspicions using built-in tools.
⚠️ Attention: Miners are often activated at night or when the laptop is connected to a charger. Check the system at different times of the day!
Method 1: Check through Task Manager (Windows)
The fastest way to identify a miner is to analyze the CPU and video card load. Open Task Manager with Ctrl + Shift + Esc and go to the Performance tab.
Please note:
- 📊 CPU load: if it stays steadily at 30-100% with no programs running, this is suspicious.
- 🎮 GPU usage: in the "Video card" section, check the 3D graph. Miners often load it to 80-99% even when idle.
- 📂 Unknown processes: on the Details tab, look for names like svchost.exe with high resource consumption (but be careful: some system svchost instances can load the CPU legitimately).
Pay special attention to processes with names:
- WmiPrvSE.exe (if the CPU load is more than 10%)
- lsass.exe (the norm is up to 5%, above is a sign of infection)
- Any random sets of letters: kworker, xmrig, miner
If you find a suspicious process, don't delete it right away! First check via Google or VirusTotal — some miners disguise themselves as legitimate system files.
Method 2: Monitor Network Activity
Miners constantly exchange data with pool servers (for example, NiceHash, MinerGate). To track suspicious connections:
- Open the command line (Win + R → enter cmd).
- Run the command:
  netstat -ano | findstr "ESTABLISHED"
  It will show all active network connections.
- Look for IP addresses with ports 3333, 5555, 7777 or 14444; they are often used by miners.
- Check unknown IPs through the AbuseIPDB service.
Example command output with a suspicious connection:
TCP 192.168.1.5:54321 144.217.100.100:3333 ESTABLISHED 1234
Here 144.217.100.100:3333 is a potential mining server, and the last column (1234) is the ID of the process that owns the connection.
| Port | What could it mean | Action |
|---|---|---|
| 3333 | Standard port for XMRig (Monero miner) | Block in firewall |
| 5555 | Used by the Claymore miner for Ethereum | Check for EthDcrMiner64.exe processes |
| 7777 | Pool port of MinerGate or NiceHash | Scan the system for viruses |
| 14444 | Mining port for Zcash or Bitcoin Gold | Check files in %AppData% |
⚠️ Attention: Some legitimate programs (e.g. Discord or Steam) also use non-standard ports. Always double check before blocking!
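The port check from this method can be scripted instead of read by eye. The following PowerShell is an added example, not part of the original article: it parses netstat -ano output, keeps established TCP connections to the four ports from the table, and resolves each owning PID to a process name and path. The function name Find-WatchedConnection and the second sample line are assumptions made for illustration.

```powershell
# Added example, not from the original article.
# Ports taken from the table above.
$WatchedPorts = 3333, 5555, 7777, 14444

function Find-WatchedConnection {
    param(
        [string[]]$NetstatLines,
        [int[]]$Ports = $WatchedPorts
    )
    foreach ($line in $NetstatLines) {
        # Expected columns: Proto, Local Address, Foreign Address, State, PID
        $f = -split $line
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'ESTABLISHED') { continue }

        # Split on the last colon so IPv6 forms such as [::1]:3333 also parse
        $cut = $f[2].LastIndexOf(':')
        $remotePort = [int]$f[2].Substring($cut + 1)
        if ($Ports -notcontains $remotePort) { continue }

        # Resolve the owning PID; Path stays empty for protected processes
        # when the shell is not elevated
        $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddress = $f[2].Substring(0, $cut)
            RemotePort    = $remotePort
            ProcessId     = [int]$f[4]
            ProcessName   = $proc.Name
            Path          = $proc.Path
        }
    }
}

# First line is the article's sample output; the second is constructed.
# The sample PIDs are not expected to match real processes on your machine.
$sample = @(
    'TCP 192.168.1.5:54321 144.217.100.100:3333 ESTABLISHED 1234'
    'TCP 192.168.1.5:54400 203.0.113.10:443 ESTABLISHED 4321'
)
Find-WatchedConnection -NetstatLines $sample | Format-Table -AutoSize

# Live use: Find-WatchedConnection -NetstatLines (netstat -ano)
```

Only the first sample line is reported, because the second connects to port 443. A hit is a reason to inspect the process path, not proof of infection, since other software can use the same ports.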
Method 3: Checking via PowerShell (hidden processes)
Miners often hide from Task Manager, but they can be identified through PowerShell. Run it as administrator and run:
Get-Process | Where-Object {$_.CPU -gt 10} | Select-Object Name, Id, CPU, Path | Sort-Object CPU -Descending
This command lists the processes whose CPU value is above 10 (for Get-Process that value is accumulated processor time in seconds, not a percentage), along with their paths. Please note:
- 📁 File location: legitimate processes usually live in C:\Windows\System32 or C:\Program Files. Miners often hide in:
  - C:\Users\Username\AppData\Roaming
  - C:\Users\Username\AppData\Local\Temp
- 🔄 No digital signature: right-click the process in Task Manager → Properties → Digital signatures tab. If there is no signature, it is suspicious.
If you find a process with a path like C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\randomname.exe, it's almost guaranteed to be a miner.
wmic process where "ProcessId=1234" get ExecutablePath
(replace 1234 with the real ID from PowerShell).
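Get-Process reports CPU as accumulated seconds, so a percentage needs two samples taken some time apart. The following PowerShell is an added example, not part of the original article: it measures CPU use over a short window and, for each busy process, applies the two checks from this method (file location and digital signature). The function name Get-BusyProcessReport and the 5-second window are assumptions.

```powershell
# Added example, not from the original article.
# Folders the article names as normal locations for legitimate binaries.
$TrustedRoots = @("$env:SystemRoot\System32", $env:ProgramFiles)

function Get-BusyProcessReport {
    param(
        [int]$SampleSeconds = 5,
        [double]$MinCpuPercent = 10
    )
    $cores = [Environment]::ProcessorCount

    # First snapshot: accumulated CPU seconds per process ID
    $before = @{}
    Get-Process | ForEach-Object { $before[$_.Id] = $_.CPU }
    Start-Sleep -Seconds $SampleSeconds

    foreach ($p in Get-Process) {
        # Skip processes that started mid-window or whose CPU time is not readable
        if ($null -eq $before[$p.Id] -or $null -eq $p.CPU) { continue }

        # CPU seconds used during the window, as a share of all cores
        $pct = 100 * ($p.CPU - $before[$p.Id]) / ($SampleSeconds * $cores)
        if ($pct -lt $MinCpuPercent) { continue }

        $path = $p.Path   # empty for protected processes when not elevated
        $inTrusted = $false
        $signature = 'Unknown'
        if ($path) {
            $inTrusted = [bool]($TrustedRoots | Where-Object {
                $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            })
            $signature = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        [pscustomobject]@{
            Name            = $p.Name
            Id              = $p.Id
            CpuPercent      = [math]::Round($pct, 1)
            Path            = $path
            InTrustedFolder = $inTrusted
            Signature       = $signature
        }
    }
}

Get-BusyProcessReport | Sort-Object CpuPercent -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell window while the laptop is idle; rows with InTrustedFolder set to False or a Signature other than Valid are the ones to look up before acting.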
Method 4: Analysis of startup and task scheduler
Miners are often registered in startup or in Task Scheduler so that they start when you turn on the laptop. Check:
- Startup:
  - Press Ctrl + Shift + Esc → Startup tab.
  - Sort by the Startup impact column.
  - Look for unknown programs with high impact.
- Task Scheduler:
  - Open via Start → System Tools → Task Scheduler.
  - Check the folders:
    - Task Scheduler Library → Microsoft → Windows → Maintenance
    - Task Scheduler Library → TaskHost
  - Look for tasks with triggers like "When the computer starts" or "When idle".
Typical miner task names:
- WindowsUpdate (but not from Microsoft)
- GoogleUpdateTask (if you don't have Google Chrome)
- OneDrive Standalone Update (fake)
How to distinguish a real Windows task from a fake one
Real Microsoft tasks in Task Scheduler have:
- Author: "Microsoft Corporation"
- File path: starts with "C:\Windows\"
- Digital signature (checked through file properties).
If even one point doesn’t match, it’s a virus.
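The three criteria above can be checked for every scheduled task at once. The following PowerShell is an added example, not part of the original article; the function name Get-TaskAuditReport is hypothetical and $env:SystemRoot is assumed to be C:\Windows. The Author field is free text that any task creator can set, so the output is a list for manual review.

```powershell
# Added example, not from the original article.
function Get-TaskAuditReport {
    foreach ($task in Get-ScheduledTask) {
        # Only "start a program" actions have an Execute path; COM handler actions do not
        foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

            $signature = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                'FileNotFound'   # also covers bare names such as cmd.exe, resolved via PATH at run time
            }

            [pscustomobject]@{
                Task            = $task.TaskPath + $task.TaskName
                Author          = $task.Author
                # Criterion 1: Author is "Microsoft Corporation"
                AuthorMatches   = $task.Author -eq 'Microsoft Corporation'
                Execute         = $exe
                # Criterion 2: file path starts with the Windows directory
                UnderWindowsDir = $exe.StartsWith("$env:SystemRoot\", [StringComparison]::OrdinalIgnoreCase)
                # Criterion 3: digital signature of the target file
                Signature       = $signature
            }
        }
    }
}

# Show only the tasks that fail at least one of the three criteria
Get-TaskAuditReport |
    Where-Object { -not ($_.AuthorMatches -and $_.UnderWindowsDir -and $_.Signature -eq 'Valid') } |
    Sort-Object Task |
    Format-Table Task, Author, Execute, Signature -AutoSize -Wrap
```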
Method 5: Check on Linux and macOS
If your laptop runs Linux or macOS, the miner search algorithm is slightly different.
For Linux (Ubuntu, Debian, Fedora):
- Open a terminal (Ctrl + Alt + T).
- Run the command to monitor processes:
  top -o %CPU
  Look for processes with >50% CPU consumption.
- Check your network connections:
  ss -tunp | grep "ESTAB"
- Look for suspicious files in:
  - /tmp/
  - /var/tmp/
  - /dev/shm/
For macOS:
- Open Activity Monitor (Applications → Utilities).
- Sort processes by CPU usage.
- Look for unknown processes with names like ppld, xmrig, miner.
- Check startup:
  launchctl list | grep "miner"
On macOS, miners often disguise themselves as Adobe Flash Player or Java updates. Remove all unknown programs in /Library/LaunchDaemons/ and /Library/LaunchAgents/.
Method 6: Specialized utilities for searching for miners
If manual methods do not help, use free utilities:
| Program | What does it check? | Link |
|---|---|---|
| MinerBlock | Blocks miner domains in the browser | minerblock.org |
| NoCoin | Protects against mining via web pages | GitHub |
| Process Explorer | Shows hidden processes and their parents | Microsoft Sysinternals |
| Malwarebytes | Scans for miners and other software | malwarebytes.com |
For a deep check:
- Download Process Explorer from the official Microsoft website.
- Run as administrator.
- Press Ctrl + F and enter the keywords: miner, xmrig, ppld.
- Check processes with an empty description or without a signature.
⚠️ Attention: Some "cleaners" (for example, CCleaner) can contain miners themselves! Download software only from official sites.
1) CPU temperature (use HWMonitor)
2) Hard disk status (command wmic diskdrive get status)
3) Presence of other viruses (scanning with Kaspersky Virus Removal Tool).
Method 7: Checking the file system for traces of the miner
Miners leave traces in system folders. Perform a manual inspection:
- 🔍 Windows:
  - C:\Users\Username\AppData\Roaming\
  - C:\Users\Username\AppData\Local\Temp\
  - C:\ProgramData\
  Look for files with the extensions .bat, .vbs, .exe and random names (for example, 12345678.exe).
- 🔍 Linux/macOS:
  - /tmp/
  - /var/tmp/
  - /usr/local/bin/
  Check permissions: miners often have chmod 777.
Please note:
- 📅 File creation date: if the file appeared on the day the “brakes” began, this is suspicious.
- 🔄 Hidden attributes: in Windows, run in cmd:
  attrib -s -h -r C:\path\to\file
  to see hidden files (the command clears the system, hidden and read-only attributes).
Example of a dangerous file:
C:\ProgramData\WindowsUpdate\kworker.exe
(real Windows updates are in C:\Windows\SoftwareDistribution!).
What to do if you find a miner: step-by-step instructions
Found a miner? Follow the algorithm:
- Turn off the Internet (unplug the Wi-Fi cable or turn off the router). This will prevent data leakage and the downloading of additional viruses.
- Back up important files to an external drive (but not to the cloud - the miner can infect it too!).
- Remove miner files:
  - In Windows: through Unlocker (if the file cannot be deleted).
  - In Linux/macOS:
    sudo rm -rf /path/to/file
- Clean startup and scheduler (see Method 4).
- Check your browsers:
  - Remove unknown extensions in Chrome/Firefox.
  - Reset your browser settings via Settings → Advanced → Restore settings.
- Install antivirus and do a deep scan. We recommend:
  - Kaspersky Virus Removal Tool (one-time utility)
  - Dr.Web CureIt! (does not require installation)
For Windows: Settings → Update & Security → Windows Update
For Linux: sudo apt update && sudo apt upgrade -y
For macOS: About This Mac → Software Update
If the laptop continues to slow down after all these steps, consider reinstalling the system. This is an extreme measure, but sometimes it is the only one guaranteed to remove all miners.
FAQ: Frequently asked questions about miners on laptops
Can a miner appear on a laptop without my knowledge?
Yes, and it happens more often than you think. Main routes of infection:
- 📧 Phishing emails with attachments (for example, “bank account”).
- 🌐 Hacked sites with vulnerabilities (even legitimate resources can be infected).
- 💾 Pirated software (especially cracked games or Adobe Photoshop).
- 🔌 USB devices (flash drives, external drives with autorun).
According to Check Point, in 2023 40% of all cyber attacks were associated with miners.
How can a miner damage a laptop?
Consequences of long-term operation of the miner:
- 🔥 Overheating: Constant load reduces the lifespan of the processor and video card by 90-100%. 2-3 times.
- 🔋 Battery degradation: lithium batteries lose up to 20% capacity in 6 months with constant mining.
- 💥 Component failure: Most often, capacitors on the motherboard or memory chips burn out.
- 💰 Increased electricity bills: a laptop with a miner consumes energy like a small heater (up to 100-150 W/hour).
In 2022, several cases were recorded in Russia where ASUS and Lenovo laptops failed due to miners after 8-12 months of operation.
Is it possible to mine on a laptop legally and safely?
Technically yes, but this is strongly discouraged. Here's why:
- 📉 Low profit: even on the top RTX 4090 in a laptop you will earn ~50-100 rubles per day (minus electricity).
- ⚡ High risk of breakage: Laptops are not designed for 24/7 workloads.
- 🔒 Breach of warranty: most manufacturers (Dell, HP, Acer) consider mining to be an "inappropriate use".
If you want to try it, use cloud mining (for example, NiceHash) or build a desktop with good cooling.
How to protect your laptop from miners in the future?
Preventive measures:
- 🛡️ Install antivirus with protection from miners (Kaspersky Internet Security, Bitdefender).
- 🔄 Update your system regularly (especially Windows Defender in Windows 10/11).
- 🚫 Don't install pirated software (risk of infection - 90%).
- 🔒 Use a miner blocker for your browser (uBlock Origin + the NoCoin filter).
- 📥 Check all downloaded files through VirusTotal.
- 🔌 Disable autorun from USB:
For Windows: gpedit.msc → Computer Configuration → Administrative Templates → System → Turn off Autoplay
Following these rules reduces the risk of infection by 80-90%.
Can the miner work if the laptop is turned off?
No, but there are some nuances:
- ⚡ Miners only work when the laptop is turned on, but some of them can:
  - Wake the device from sleep mode (check the setting Power → Advanced settings → Sleep mode → Allow wake timers).
  - Start when connected to charging (if the On AC Power trigger is specified in the miner settings).
- 🔌 If the laptop is completely turned off (not in hibernation), the miner is not active.
To check if the laptop wakes up on its own, use the command:
powercfg /lastwake