PUP.CPUMiner is a category of potentially unwanted programs that hijack your computer's processor to mine cryptocurrency without your consent or knowledge. Unlike traditional malware that steals files or locks your system, these miners quietly consume your CPU resources in the background—sometimes pegging utilization at 70-100%—to generate digital currency for the attacker while your machine slows to a crawl, overheats, and racks up your electricity bill. While technically not a virus in the classic sense, CPU miners are classified as unwanted because they're installed deceptively and cause measurable harm to your hardware and user experience.
These miners typically arrive bundled with free software downloads, pirated applications, or through malicious advertisements. You might notice your computer running unusually hot, fans spinning constantly, programs taking forever to open, or your system freezing during routine tasks. The performance degradation can be severe enough to make your computer nearly unusable, and prolonged exposure can shorten the lifespan of your processor and other components due to constant thermal stress.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Category | PUP (Potentially Unwanted Program), Cryptocurrency Miner |
| Alternative Names | CoinMiner, BitCoinMiner, Trojan.CoinMiner, PUA:Win32/CoinMiner, Riskware.BitCoinMiner |
| Platform | Windows (all versions), some variants target Linux/macOS |
| Mined Currencies | Monero (XMR), Bitcoin, Ethereum, Zcash—typically privacy coins that don't require extensive GPU resources |
| Distribution Methods | Software bundling, fake installers, malvertising, exploit kits, compromised websites |
| Persistence Mechanisms | Run registry keys, scheduled tasks, Windows services, startup folder entries |
| Primary Impact | Severe CPU utilization (60-100%), system slowdown, overheating, increased electricity costs, hardware degradation |
| Network Behavior | Establishes persistent connections to mining pools (common ports: 3333, 4444, 5555, 7777, 14444) |
| Stealth Features | Process name spoofing, CPU throttling when Task Manager is open, disabling of system monitoring tools |
| Data Theft Risk | Low (primary goal is resource theft, not data), though some variants include secondary info-stealer payloads |
| Typical File Indicators | Executables with names like svchost.exe (in wrong location), csrss.exe (misspelled), or random alphanumeric strings in temp folders |
| Removal Difficulty | Moderate—miners often reinstall themselves if all components aren't removed; some variants resist termination |
How It Spreads
CPU miners rarely arrive through traditional email phishing campaigns. Instead, they're most commonly bundled with software you intentionally download—often from third-party download sites that repackage legitimate freeware with unwanted extras. That free video converter, PDF tool, or game cheat you downloaded from a site plastered with "Download" buttons? There's a good chance it came with a miner tucked inside the installer. During installation, an easily-missed checkbox (often pre-checked) or an "Express Install" option authorizes the miner's installation alongside the program you actually wanted.
The second major vector is malicious advertising, particularly on streaming sites, torrent platforms, and forums. A single click on a fake "Play" button or deceptive ad can trigger a drive-by download that installs the miner without any obvious installer window. Some attackers have also compromised legitimate websites by injecting mining scripts into the page code—your browser runs the miner while you're simply visiting the site, though these JavaScript-based miners are less persistent than installed executables.
Common distribution methods include:
- Software bundlers and download portals — Sites like Softonic, Download.com, and countless smaller portals often wrap installers in custom download managers that include miners as "recommended" software
- Pirated software and cracks — Torrents for commercial software, key generators, and game cracks are heavily targeted; the crack itself often IS the miner
- Fake updates and system warnings — Pop-ups claiming your Flash Player, Java, or video codec is outdated, leading to miner-laden installers
- Malvertising on streaming sites — Clicking anywhere on free movie sites, sports streams, or adult content platforms can trigger downloads
- Compromised browser extensions — Extensions that promise ad-blocking, VPN services, or download assistance sometimes include miners or get updated to include them later
- Email attachments masquerading as invoices — Less common for miners specifically, but business-themed emails with macro-laden documents can drop miners as secondary payloads
- Exploit kits targeting unpatched systems — Automated attack frameworks exploit browser and plugin vulnerabilities to silently install miners without any user interaction
What It Does On Your Machine
Once installed, PUP.CPUMiner's primary objective is simple: use as much of your processor as possible to solve complex mathematical problems that generate cryptocurrency for the attacker's wallet. The miner will typically configure itself to use 70-90% of your available CPU resources, leaving just enough headroom that your computer doesn't completely freeze (which would prompt you to investigate). More sophisticated variants include logic to throttle back when you open Task Manager or other monitoring tools, making detection harder.
The performance impact is immediate and severe. Programs that normally open in seconds take minutes. Web browsers become unresponsive. Video playback stutters. Simple tasks like typing in a document or scrolling through email become frustratingly laggy. Your computer's fans will run constantly at maximum speed as the processor generates excessive heat. Many users report their laptops becoming too hot to touch, or desktop towers producing a noticeable burning smell from prolonged thermal stress. The electricity consumption also spikes—we've had clients whose monthly power bills increased by $30-50 due to miners running 24/7.
Beyond performance degradation, there's real hardware risk. Modern processors have thermal protection that throttles performance or shuts down to prevent damage, but sustained operation at maximum capacity accelerates component aging. We've seen cases where computers infected with miners for several months suffered permanent CPU degradation or motherboard failures due to constant high temperatures. The cooling system (fans, heat sinks) also wears out faster when running continuously at maximum speed.
CPU miners establish persistent network connections to mining pool servers, where the computational work is coordinated and rewards are distributed. These connections are often encrypted, making them harder for basic network monitoring tools to identify. Some variants include additional payloads: keyloggers to steal passwords, system reconnaissance tools that report your installed software to attackers, or backdoors that allow future malware installation. While the primary threat is resource theft, you shouldn't assume that's the only malicious activity occurring.
Manual Removal — Step by Step
Disconnect From the Network
Unplug your ethernet cable or disable Wi-Fi before proceeding. This stops the miner from communicating with its control server, prevents it from downloading additional components, and ensures it can't continue generating currency while you're working on removal. Some miners include watchdog processes that attempt to reinstall components when deleted, and cutting network access disrupts this behavior.
Boot Into Safe Mode With Networking
Restart your computer and press F8 repeatedly during boot (Windows 7/8) or hold Shift while clicking Restart in Windows 10/11, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, then press 5 for Safe Mode with Networking. Safe mode loads only essential drivers and services, preventing most malware including miners from auto-starting, which makes removal much safer and more effective.
Open Task Manager and Identify Suspicious Processes
Press Ctrl+Shift+Esc to open Task Manager. Click "More details" if needed, then sort by CPU usage. Look for processes consuming high CPU percentages, especially those with generic names (svchost.exe, csrss.exe, winlogon.exe) or random alphanumeric strings. Right-click any suspicious process, select "Open file location"—if it's anywhere other than C:\Windows\System32\ or C:\Windows\, it's likely malicious. Note the file path before proceeding.
Terminate the Miner Process
Right-click the suspicious process in Task Manager and select "End task." Some miners resist termination or immediately restart. If it won't close or reappears instantly, you may need to use Process Explorer from Microsoft Sysinternals (safe to download in Safe Mode) which provides more forceful termination options and can kill protected processes that Task Manager cannot.
Remove Persistence Mechanisms
Open Registry Editor (type regedit in Start menu) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries you don't recognize, particularly those pointing to files in AppData or ProgramData folders. Delete suspicious entries. Then open Task Scheduler (search for it in Start menu), expand the Task Scheduler Library, and delete any tasks with suspicious names or those that run executables from unusual locations.
Delete the Miner Files and Folders
Navigate to the file locations you noted in step 3. Delete the entire folder containing the miner executable—don't just delete the .exe file as support files and configuration may remain. Check common hiding spots: %LOCALAPPDATA%, %APPDATA%, %TEMP%, and C:\ProgramData\. If Windows says the file is in use, you either didn't successfully terminate the process or there's a watchdog process protecting it that needs termination first.
Run Malwarebytes and a Secondary Scanner
Download and install Malwarebytes (the free version works fine) while still in Safe Mode. Run a full Threat Scan, which will take 30-60 minutes. Quarantine everything it finds. Then run a second scan with a different tool—either HitmanPro or AdwCleaner—because no single scanner catches everything. These secondary scans often find leftover registry entries or scheduled tasks that Malwarebytes missed, particularly with bundled PUPs that came alongside the miner.
Check Browser Extensions and Reset if Necessary
Open each browser you use and review installed extensions. Remove anything unfamiliar or that you don't explicitly remember installing. CPU miners are sometimes accompanied by browser hijackers that modify your homepage and search engine. If your browser still behaves strangely after removing extensions, reset it to default settings (this keeps bookmarks but removes extensions and resets settings). In Chrome/Edge: Settings > Reset and clean up > Restore settings to defaults.
Check System Services for Miner Services
Type services.msc in the Start menu and open Services. Scroll through the list looking for services with suspicious names or generic descriptions. Right-click any suspicious service, select Properties, and examine the "Path to executable." If it points to a file in AppData, ProgramData, or Temp folders, it's almost certainly malicious. Set the Startup Type to Disabled and stop the service before deleting the associated file.
Reboot Normally and Monitor Performance
Restart your computer normally (not in Safe Mode) and reconnect to the network. Open Task Manager immediately and watch CPU usage for 5-10 minutes. Healthy idle usage should be under 10-15%. If it spikes back to 60%+ or you see the suspicious process names returning, the miner reinstalled itself from a component you missed. In this case, professional removal is advisable because some variants include sophisticated protection mechanisms that require specialized tools to fully eradicate.
Prevention
- Download software only from official publisher websites — Avoid third-party download portals entirely. If you need VLC media player, go to videolan.org. If you need WinRAR, go to win-rar.com. These portals add nothing of value and substantially increase malware risk.
- Always choose "Custom" or "Advanced" installation — Never click "Express Install" or "Recommended Settings." Custom installation reveals bundled software that you can deselect. Read every screen of the installer carefully and uncheck offers for additional programs, toolbars, or "optimizers."
- Keep Windows and all software updated — Enable automatic updates for Windows, your browser, Java, Adobe products, and other commonly exploited software. Most exploit-kit infections targeting miners succeed because users are running software with known vulnerabilities that have been patched for months or years.
- Use a reputable ad-blocker — uBlock Origin (not AdBlock Plus) dramatically reduces malvertising exposure. This is particularly important if you visit high-risk sites like streaming platforms or torrent sites. The blocker prevents malicious advertisements from loading in the first place.
- Install and maintain quality antivirus software — Windows Defender has improved but still trails dedicated solutions in detection of bundled PUPs and miners. Bitdefender, Kaspersky, or ESET provide stronger real-time protection. Keep it updated and don't disable it to install suspicious software—that defeats the entire purpose.
- Avoid pirated software and cracks — This is where the highest concentration of miners lives. If you can't afford software, look for legitimate free alternatives rather than pirated versions. LibreOffice instead of cracked Microsoft Office. GIMP instead of cracked Photoshop. The money you "save" on pirated software will cost you multiples more in computer repairs.
- Enable "Show hidden files" and "Show file extensions" — In File Explorer, go to View > Options > View tab, and enable "Show hidden files, folders, and drives" while disabling "Hide extensions for known file types." This makes it easier to spot suspicious files during manual checks. A file named "invoice.pdf.exe" is obviously malicious, but if extensions are hidden, it appears as "invoice.pdf" with a PDF icon.
- Monitor system performance and investigate immediately — Get familiar with your computer's normal behavior. If it suddenly becomes sluggish, runs hot, or the fans spin constantly, investigate immediately. Open Task Manager and check what's consuming resources. Catching an infection in the first few hours or days minimizes hardware damage and electricity costs.
Bring It In
CPU miners cause real, measurable damage to your computer hardware when allowed to run for weeks or months. The performance issues are frustrating, but the long-term thermal stress on your processor, motherboard, and power supply can lead to expensive component failures down the road. If your computer has been running hot and slow for more than a few days, or if you've attempted manual removal but the miner keeps coming back, professional service is the smart move. We can remove the infection thoroughly, assess whether any hardware damage has occurred, and verify that your system is genuinely clean—not just temporarily working until the next auto-start triggers the miner again.
Computer Repair Roswell has seen hundreds of miner infections over the years, from simple bundled PUPs to sophisticated variants that resist removal and hide in multiple locations. Our technicians use specialized tools and techniques that go beyond what consumer antivirus provides, and we physically verify removal by monitoring system behavior under load rather than just checking for malware signatures. We're located in Roswell, Georgia, and can typically complete a full malware removal within a few hours of drop-off. Call us at (770) 637-1435 or stop by our shop. We'll get your computer running cool and fast again—and make sure it stays that way.