A suspicious Windows service miner is malware or unwanted software that installs as a Windows service, scheduled task, or startup entry, then uses CPU/GPU resources in the background. If the process returns after you end it, treat the case as persistence cleanup: identify the file path, remove the service or task that restarts it, delete the installer source, and scan the system before restoring normal browsing or gaming.
First checks for a suspicious service miner
- Task Manager: sort by CPU/GPU, right-click the process, and open its file location before ending it.
- Services: check whether an unknown service launches the process again after reboot.
- Task Scheduler: look for recently created tasks with random names, PowerShell commands, or paths in AppData, Temp, ProgramData, Downloads, or a crack/mod folder. If the path is C:\ProgramData\RealtekHD\taskhostw.exe, follow the RealtekHD AutoIt Line 21219 cleanup guide.
- Startup Apps: disable suspicious entries tied to the same folder, then verify they do not reappear.
- Downloads and Temp: remove the installer, archive, crack, game mod, fake update, or bundle that introduced the miner.
Service miner and high CPU guides
| Guide | Best first action |
|---|---|
| Altisik Service | Check AltisikService.exe, helper DLLs, service persistence, and high CPU usage. |
| AlrustiqApp.exe / Alrustiq Service | Remove the miner-like app and check service/startup entries. |
| Aluc Service and Aluc App | Uninstall suspicious app entries and scan for persistence. |
| Almoristics Application | Check for miner symptoms, unwanted install source, and startup restoration. |
| Bitfiat process | Remove high-CPU miner components and verify after reboot. |
| MicrosoftHost.exe | Confirm it is not a fake Microsoft-named miner and scan the source folder. |
| Hellminer.exe | Clean the miner and check whether another loader installed it. |
Why ending the task often fails
Miner malware often has more than one moving part. The visible process may be only the worker. A Windows service, scheduled task, helper executable, Run key, or installer folder can restart it. MITRE tracks both Windows service creation and scheduled task abuse as common persistence techniques, and Microsoft Sysinternals Autoruns exists because normal Task Manager shows only part of what starts automatically.
Do not delete random services by name alone. First compare the service name, executable path, publisher, install date, and parent folder. A fake system name in a user-writable folder is much more suspicious than a signed Microsoft component in C:\Windows\System32. Microsoft’s SvcMiner description is a useful example: miner malware may use legitimate-looking file names while consuming resources and collecting system information.
Recommended cleanup order
- Disconnect from suspicious downloads and close unknown installers, cracks, mods, or fake updates.
- Open the process file location and write down the folder path before ending the task.
- Boot Safe Mode with Networking if the process keeps returning or blocks cleanup tools.
- Run a full Gridinsoft Anti-Malware scan and remove detected miner, loader, PUA, and persistence entries.
- Check Services, Task Scheduler, Startup Apps, and browser extensions for entries that point to the same folder.
- Delete the original installer, archive, crack, or mod folder, then empty temporary folders tied to the same timestamp.
- Restart and leave the PC idle for five minutes. If CPU usage jumps again, repeat the persistence check before assuming cleanup is complete.
After uninstalling the suspicious app or deleting the visible threat, use Gridinsoft Anti-Malware to check hidden files, startup entries, scheduled tasks, bundled apps, browser changes, and other persistence points that can restore malware.
What to check before deleting a service
| Signal | Why it matters |
|---|---|
| Unknown publisher or unsigned file | Common for dropped miners and loaders, especially from cracks or fake installers. |
| Path in AppData, Temp, ProgramData, Downloads, or a game/mod folder | Legitimate Windows services rarely run from these user-writable locations. |
| Recently created task or service | Miners often arrive with a task or service that re-launches the worker after reboot. |
| CPU/GPU usage falls when the process is stopped, then returns | This points to persistence rather than a one-time runaway process. |
| Same folder contains an installer, script, DLL, or random EXE | Remove the whole infection chain, not only the visible worker. |
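The signals in this table can be checked across every service and scheduled task in one read-only pass. The script below is an added example, not part of the original guide or any vendor tool; the names Get-ExePath, Test-Entry, and $riskyPattern are assumptions chosen for illustration. Signed software that legitimately runs from ProgramData will also be listed, so read the Signature and Publisher fields before acting on an entry.

```powershell
# Added example: read-only triage. Run from an elevated PowerShell prompt.
# Nothing here stops, disables, or deletes a service or task.

# Folder names from the table above; matches any user's profile, not only yours.
$riskyPattern = '\\(AppData|Temp|ProgramData|Downloads)\\'

function Get-ExePath([string]$CommandLine) {
    # Handles: "C:\Dir With Space\app.exe" -arg   and   C:\Dir With Space\app.exe -arg
    if ($CommandLine -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Test-Entry([string]$Kind, [string]$Name, [string]$CommandLine) {
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -notmatch $riskyPattern) { return }   # not in a flagged folder

    $exe  = Get-ExePath $expanded
    $file = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        Get-Item -LiteralPath $exe -Force
    }
    $sig = if ($file) { Get-AuthenticodeSignature -LiteralPath $file.FullName }

    [pscustomobject]@{
        Kind        = $Kind
        Name        = $Name
        Signature   = if ($sig) { $sig.Status } else { 'NotChecked' }
        Publisher   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        FileCreated = if ($file) { $file.CreationTime }
        CommandLine = $expanded
    }
}

$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    Test-Entry 'Service' $_.Name $_.PathName
}
# The whole task command line is matched, so a PowerShell task that points at a script in Temp is caught too.
$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) { Test-Entry 'Task' ($task.TaskPath + $task.TaskName) "$($action.Execute) $($action.Arguments)" }
    }
}

# Newest files first: a recently created, unsigned binary in a flagged folder deserves the closest look.
@($services) + @($tasks) | Sort-Object FileCreated -Descending |
    Format-List Kind, Name, Signature, Publisher, FileCreated, CommandLine
```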
Related miner symptoms
If you are not sure whether the issue is service-based, compare it with the broader coin miner malware symptoms and removal guide. Service miners are one persistence pattern inside the larger cryptomining malware problem: constant fan noise, idle CPU/GPU load, overheating, suspicious outbound connections, and processes that hide behind familiar Windows-like names.
FAQ
Is every high-CPU service malware?
No. Some legitimate services use CPU during updates, indexing, backups, or security scans. The warning signs are unknown publisher, suspicious path, recent unwanted install, and a process that returns after you stop it.
Can a miner steal passwords too?
Some miners arrive with loaders, stealers, or bundled adware. If the infection came from a crack, fake installer, or unknown browser extension, protect important accounts after cleanup and change passwords from a clean device when needed.
Should I delete services manually?
Only if you clearly identify the malicious service and its executable path. Removing the wrong Windows service can break normal system behavior. When in doubt, disable the suspicious entry, scan, and verify before deleting.
References
- Microsoft Security Intelligence: Trojan:Win32/SvcMiner.A
- MITRE ATT&CK: Create or Modify System Process – Windows Service
- MITRE ATT&CK: Scheduled Task
- Microsoft Sysinternals: Autoruns
For a current browser-supply-chain example with the same Windows service-miner pattern, see the Hola Browser me.exe miner warning, which lists the HolaMonitorService.exe and hola_monitor_svc indicators.

