Fan Won't Quiet? A Bonnyrigg Guide to Hidden Malware

Laptop fan roaring when nothing's open? Hidden malware often causes it. A Bonnyrigg technician's guide to spotting the signs and cleaning it out safely.

14 July 2026 7 min read Cybersecurity Alex M.
Fan Won't Quiet? A Bonnyrigg Guide to Hidden Malware

The last three Bonnyrigg laptops that came in for a "slow computer" were all doing the same thing. The desktop looked idle, no browser was open, no Word document, no game — and yet the fan was spinning flat out, the palm rest was uncomfortable to touch, and the battery was draining while plugged in. Every owner was convinced the laptop was on its way out. Two of the three were actually infected.

Hidden malware — cryptominers, remote-access tools and fileless PowerShell payloads — is one of the most common things we see at the workshop now, and it almost never looks like the dramatic Hollywood version. It hides. It uses idle CPU. It waits for you to walk away. This guide covers what those infections actually look like on a real bench, what a Bonnyrigg family can safely check at home, and when it's time to bring the machine in for professional virus and malware removal.

What "Nothing's Running" Really Means

An idle Windows laptop, with no apps open and the browser closed, should sit at around 1–5% CPU. That's it. Windows itself has a handful of background tasks — indexing, telemetry, the occasional update check — and modern hardware breezes through them without the fan ever climbing beyond a quiet whisper.

If you close everything and the CPU stays at 40, 60 or 80 percent, something is running. If Task Manager shows no obvious culprit — no browser tab, no download, no antivirus scan mid-flight — then something is running that doesn't want to be seen. That's the tell we chase down. It's rarely a single tidy process labelled "malware.exe"; it's usually a legitimate Windows process (svchost, PowerShell, wscript) doing work on behalf of an attacker.

The Symptoms We Actually Look For on the Bench

Every infected machine that comes in has a slightly different fingerprint, but a few patterns turn up again and again. Fan noise at idle, especially within a minute or two of the last user activity. Battery life on a laptop suddenly halving without any obvious explanation. The casing running hot enough on the underside that you wouldn't rest it on your knees. Windows Update failing repeatedly. The router's WAN light blinking through the night when the household is asleep.

None of those on their own prove anything. Two or three together, on a machine that used to be fine, is when we start opening Process Explorer instead of Task Manager. Related reading: our post on signs your PC has a virus covers the broader symptom list.

A Bonnyrigg Family Laptop: What We Found

A recent drop-off from a family on the Hopefield estate is a good example. Mid-range Lenovo, two years old, used by the parents for admin and by the teenager for schoolwork and gaming. It had started running "loud and slow" a fortnight earlier. Two full scans with the built-in antivirus came back clean.

On the bench with no apps open, Task Manager showed 68% CPU and no obvious process to blame. Process Explorer told a different story: a lone PowerShell process, launched by the Windows Task Scheduler every fifteen minutes, running a heavily obfuscated script downloaded from a legitimate-looking cloud storage URL. Autoruns found the entry point — a scheduled task hiding in the Microsoft folder using a name almost identical to a real Windows one. The trigger, once we traced it, was an unofficial copy of a paid PC game the teenager had installed a month earlier from a link on a Discord server.

Cleanup was three hours: kill the running processes, remove the scheduled task, delete the payload directory, check for persistence in the registry and the WMI subscriptions, patch Windows to current, then a full offline scan. Then the important bit — the parents changed every important password from a different device, because a machine that will run someone else's PowerShell will also, given time, hand over saved logins.

What You Can Check on Your Own PC

You can do a lot of the same investigation at home without any specialist tools. Close every app you opened yourself. Wait two minutes. Then press Ctrl + Shift + Esc to open Task Manager, click More details if needed, go to the Processes tab and sort by CPU. Anything above about 15% on a supposedly idle machine is worth writing down. Do the same on the Details tab, which shows the raw process names rather than the friendly grouped view.

Open the Startup apps tab and look for anything you don't recognise, especially recently added entries. Then press the Windows key, type Task Scheduler, and browse the Task Scheduler Library in the left pane. Legitimate Microsoft tasks live in specific folders and have Microsoft-signed triggers; a scheduled task that runs PowerShell from your user AppData folder every fifteen minutes is almost never legitimate.

Don't delete anything you don't fully understand — some genuine Windows components look suspicious to an untrained eye. If in doubt, write down the process names and paths and let a technician look. Our software troubleshooting team can walk through it remotely for straightforward cases.

Why Antivirus Alone Often Misses It

Consumer antivirus is signature-based first and behavioural second. It's very good at catching files it has seen before — the classic virus in an email attachment, the well-known ransomware executable. It struggles with two things that dominate modern infections: fileless payloads that live in PowerShell, WMI and the registry rather than on disk, and cryptominers that deliberately throttle themselves whenever the mouse moves so the user never notices the slowdown.

Microsoft Defender in Windows 11 is genuinely capable, and we recommend it as the day-to-day scanner for most Bonnyrigg homes. But even the best scanner catches maybe eighty percent of what turns up on the bench. The rest hides behind a signed Windows process and needs somebody looking with Process Explorer, Autoruns and a sensible eye for what's out of place.

When It Isn't Malware

To be fair to the machines we clear rather than clean: about a third of the "hot and loud" laptops that arrive at the workshop aren't infected at all. Sometimes it's a Windows Search Indexer runaway after a big file move. Sometimes it's a stuck Windows Update loop. Sometimes the SSD is failing and the operating system is thrashing it trying to recover bad sectors. And sometimes the fan grille is packed solid with dust and pet hair — see our guide on why laptop fans run constantly for the hardware side of the same symptom.

The diagnostic path is the same either way: rule out the software culprit first, because it's the quicker thing to test for, then look at hardware. That order matters and it's the order we work in on every bench job.

What to Do If You Think You've Got It

If the symptoms fit and you can't find the cause in Task Manager, don't panic and don't wipe the machine yet — a proper cleanup can preserve your documents and settings in most cases. Unplug the Ethernet cable or turn Wi-Fi off, so nothing further leaves the machine. From a different device — your phone is fine — change your email password first, then your banking, then anything else the browser had saved. Then drop the laptop off with us, or book a home callout if getting to the workshop isn't easy.

Bonnyrigg drop-offs come to us in Parkhead in about twenty minutes via the bypass. We cover Dalkeith, Lasswade, Loanhead, Rosewell and Roslin on the same routes, and it's the same job whether the machine came from a family home in Bonnyrigg South or a small business in Dalkeith centre. What matters is catching the infection before it reaches the account it was quietly working on.

Last updated: 14 July 2026

Frequently Asked Questions

Common hidden-malware questions from Bonnyrigg and Midlothian callouts.

Yes — Bonnyrigg, Lasswade, Loanhead, Rosewell, Roslin and Dalkeith are all inside our regular Midlothian callout area from the workshop in Parkhead. Most infections are a same-day drop-off; a heavier fileless infection may need overnight for a full behavioural sweep.

Yes, and it happens more often than most people expect. Consumer antivirus is very good at catching known files, but fileless payloads that run entirely inside PowerShell or WMI leave no file on disk to scan. That's why we use Process Explorer and Autoruns alongside a scanner — the two together find things neither would find alone.

Only as a last resort. A Windows reset removes most malware, but it also removes your programs and — depending on which option you pick — potentially your files. A targeted cleanup usually preserves everything and is faster. If a reset is the right call after diagnosis, we'll say so, and we'll back your documents up first.

In almost every case yes. Schoolwork lives in Documents and OneDrive; legitimate games from Steam, Epic or the Microsoft Store re-install cleanly if we have to remove one. Any game installed from an unofficial source is likely the vector the infection arrived through and needs to go — a conversation to have as a family before we start.

Laptop Running Hot for No Reason in Bonnyrigg?

A proper diagnostic will tell you whether it's malware, a failing drive, or a fan full of dust — and fix it either way.