How an Invisible Crypto Miner Took Over My Windows PC

I’ve Seen It All—Until This

I’ve been working on computers for over 25 years. I’ve dealt with hardware failures, registry corruption, blue screens from bad drivers, even the occasional rootkit back in the early 2000s. I’ve cleaned up friend and client systems so riddled with adware it’s a wonder they still booted.

So when my main PC suddenly hit 100% CPU usage for no apparent reason, I didn’t panic. I assumed it would be another quick fix—maybe a runaway background service, bad Windows update, or some forgotten startup app eating cycles.

What I didn’t expect was malware so stealthy, so smart, that even with two and a half decades of experience under my belt, I couldn’t track it down. It was a silent hijack by an invisible crypto miner—and it eventually forced me to do something I almost never do: completely wipe and reinstall Windows.


It Started with Subtle Signs

My system wasn’t crashing, but it was acting off. Programs lagged. My fans were running hot during idle time. And when I opened Task Manager, the CPU usage in the Performance tab was stuck at 100%—yet the Processes tab didn’t list anything unusual.

No browser tabs gone rogue. No update processes looping. No weird executables showing up. Just the same trusted processes I’d seen hundreds of times.

I thought maybe it was a glitch with Windows 11’s resource reporting, but the system’s responsiveness told me something real was happening. It was being pushed hard by something I couldn’t see.


Digging Deeper with Power Tools

This wasn’t my first rodeo. I opened up Process Explorer to get a better look. It gave more detail, but again—nothing obvious. No process was using more than a few percent of the CPU at any given moment.

So I went further. Autoruns to scan startup entries. Checked services and scheduled tasks. I even looked through svchost.exe instances and ran command-line queries against WMI to see if something was injecting itself there.

Still, nothing looked out of place.

But something interesting happened: when Task Manager or Process Explorer was open, the CPU usage dropped back to normal. As soon as I closed them, the fans kicked back up and usage spiked again. That behavior was no coincidence.


The Realization: This Wasn’t Ordinary Malware

After searching around, I came across several security posts and forums describing a new breed of cryptojacking malware—specifically miners that are smart enough to monitor your behavior. These things can detect when Task Manager or monitoring tools are opened and shut themselves down temporarily to avoid detection.

They also inject themselves into legitimate Windows processes or run under randomized names to avoid scrutiny. Some even live in scheduled tasks and run obfuscated command-line miners in memory only.

That’s when it hit me: I wasn’t dealing with a misbehaving app—I had a full-blown invisible crypto miner running on my system, likely using something like XMRig.


What Didn’t Work

I threw everything I had at it:

  • Full system scan with Windows Defender: clean.
  • Malwarebytes: clean.
  • HitmanPro: clean.
  • Safe Mode boot and manual scans: nothing.
  • Checked scheduled tasks and hidden startup entries: no smoking gun.
  • Restored a clean system image from three months back: miner came right back.

It didn’t matter what tool I used or how deep I dug. The miner had cloaked itself so well that unless I knew exactly where it was hiding, I wasn’t going to find it. It was faster, smarter, and more evasive than anything I’d dealt with in years.


The Only Real Solution

At that point, I had two options: keep wasting time chasing a ghost… or nuke the system from orbit.

I chose the second.

Windows 11 Installer

Windows 11 is available for download at the Microsoft website. There is a digital media tool to create bootable USB (or other removable media) sticks to do a fresh install of your operating system. It will generally not ask for an activation key.

I backed up only essential files—no executables, no installers, nothing I couldn’t verify 100%. Then I downloaded a fresh Windows 11 ISO from Microsoft, wiped the SSD, and started over from scratch.

Clean install. No trace of the old system. No restoration of anything outside of documents and media.

Once the OS was reinstalled, CPU usage dropped to a normal idle range, between 1% and 4%. The miner was gone, and my machine was back to normal.


How It Likely Got In

After thinking it over, I suspect the infection came from either:

  1. A bundled freeware tool I was testing from a third-party site, or
  2. A sketchy “fix” for a game mod or driver utility I downloaded without verifying.

Even with all my experience, I let my guard down just long enough—and that’s all it took.

These miners aren’t the noisy, glitchy messes from the early days. They’re refined. Polished. Designed to run silently and hide from even skilled users. Some only run when the machine is idle or when specific conditions are met. And many of them update themselves or get new commands from remote servers without ever touching your disk in a way that would flag antivirus tools.


What I’m Doing Differently Now

This experience reminded me that even seasoned users aren’t invincible. Going forward, here’s how I’m tightening up:

  • Only using known-good software sources. No freeware from third-party mirrors.
  • Running Windows Defender Offline scans weekly.
  • Setting up hardware monitoring alerts so I can see if CPU usage spikes unexpectedly when idle.
  • Watching network activity more closely using tools like GlassWire.
  • Creating a system image immediately after fresh installs so I have a real restore point if anything like this ever happens again.
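
The CPU alert in the list above, together with the earlier observation that load fell whenever Task Manager or Process Explorer was open, can be checked without opening either tool. The PowerShell below is an added example, not code from the original post; the log path, sample interval, thresholds, and the premise that the miner reacts only to those tool processes are assumptions.

```powershell
# Added example: log total CPU headlessly and note whether a monitoring
# tool was running at each sample. All values below are assumed defaults.
$MonitorNames = 'Taskmgr', 'procexp', 'procexp64'   # tools named in the post
$LogPath      = Join-Path $env:LOCALAPPDATA 'cpu-watch.csv'
$IntervalSec  = 5      # seconds between samples
$SampleCount  = 120    # 120 x 5 s = 10 minutes
$AlertPct     = 80     # mean load treated as suspicious on an unattended PC
$DropPct      = 40     # gap between "tool closed" and "tool open" worth flagging

# Counter path uses English names; a localized Windows needs the local name.
$counter = '\Processor(_Total)\% Processor Time'
$rows = Get-Counter -Counter $counter -SampleInterval $IntervalSec -MaxSamples $SampleCount |
    ForEach-Object {
        $open = [bool](Get-Process -Name $MonitorNames -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Time        = $_.Timestamp.ToString('o')
            CpuPct      = [math]::Round($_.CounterSamples[0].CookedValue, 1)
            MonitorOpen = $open
        }
    }

# Keep the raw samples so runs on different days can be compared.
$rows | Export-Csv -Path $LogPath -NoTypeInformation -Append

# Mean CPU for each state; Group-Object names the groups 'True' and 'False'.
$avg = @{}
foreach ($g in ($rows | Group-Object MonitorOpen)) {
    $avg[$g.Name] = ($g.Group | Measure-Object CpuPct -Average).Average
}
$closed = $avg['False']
$opened = $avg['True']

if ($null -ne $closed) { 'Mean CPU, tools closed: {0:N1}%' -f $closed }
if ($null -ne $opened) { 'Mean CPU, tools open:   {0:N1}%' -f $opened }

if ($null -ne $closed -and $closed -ge $AlertPct) {
    Write-Warning ('Sustained load of {0:N1}% with no monitoring tool open.' -f $closed)
    if ($null -ne $opened -and ($closed - $opened) -ge $DropPct) {
        Write-Warning 'Load falls sharply while a monitoring tool is open.'
    }
}
```

Run it once with the machine left alone, then again while opening and closing Task Manager partway through, and compare the two means.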

The Takeaway

If you’re seeing unexplained 100% CPU usage and can’t figure out why—even with tools like Task Manager or Process Explorer—it might be an invisible crypto miner on Windows. And if that miner is smart enough to hide from you, it may not be worth your time trying to catch it.

You’re not crazy. You’re not incompetent. These threats are getting better. They’re built to blend in, to trick even veteran techs, and to operate just below the threshold of detection.

Sometimes, the only clean fix is a clean slate.

Let this be a reminder: experience helps, but nothing replaces vigilance.

And sometimes, even the pros have to hit reset.
