RebootDoctor

How to Check If Your Computer Has a Virus (2026)

By Mike Chen Fact-checked by Mike Chen (CompTIA A+ Certified) on

Short answer: Open Task Manager with Ctrl+Shift+Esc and sort by CPU. If usage sits at 80-100% with nothing visibly running, investigate — cryptominers often hide behind fake names like WindowsUpdateService.exe (the real Windows process is svchost.exe). Check the Startup tab and unfamiliar entries in the Details tab, then confirm with a Malwarebytes scan instead of assuming your hardware is dying.

Open Task Manager with Ctrl+Shift+Esc and click the CPU column to sort by usage. If your CPU is sitting at 80-100% with nothing visibly running, that’s worth investigating. A customer called because his three-year-old Dell had become “unusably slow”; he’d already ordered a new SSD, convinced the drive was dying. We opened Task Manager and found “WindowsUpdateService.exe” using 94% of his CPU. That’s not a real Windows process. Windows Update runs through svchost.exe, not a standalone executable with that name. It was a cryptominer that had been running for four months. We killed it, ran Malwarebytes, found seven more infected files, and cleaned them all. The computer ran like new. He cancelled the SSD order.

About 35% of infected machines we clean have cryptominers. Most owners thought their PC was just getting old.

Task Manager

Most of the processes in Task Manager are harmless. “System” and “System Idle Process” are supposed to be there. “Antimalware Service Executable” is Windows Defender scanning — it spikes for 10-20 minutes then drops back. Multiple svchost.exe instances are normal. SearchIndexer.exe chews resources on machines with lots of files. If Chrome is using 3 GB across 40 tabs, that’s Chrome, not malware.

What should concern you is anything that mimics a real Windows process but gets the name slightly wrong. I’ve personally seen “svch0st.exe” with a zero where the O should be. “csrrs.exe” with two R’s when the real one has one. “lsas.exe” pretending to be lsass.exe. “RuntimeBroker32.exe” tacking “32” onto a legitimate name. Malware authors know nobody memorizes process names.

Right-click any suspicious process and choose Open file location. Legitimate Windows processes live in C:\Windows\System32. If the file is in AppData, a Temp folder, or a random numbered directory, that’s not right. Also open Properties and check the Digital Signatures tab. Real Windows processes are signed by “Microsoft Windows.” No signature at all on a process using significant CPU is a red flag. If you’re not sure about something, copy the filename and search it on virustotal.com, which checks against 70+ antivirus engines.
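The name, location and signature checks described above can be run in one pass from PowerShell. This is an added example, not part of the original article; the `$known` list and the edit-distance threshold of 2 are assumptions chosen to catch the misspellings mentioned above (svch0st, csrrs, lsas, RuntimeBroker32).

```powershell
# Added example. $known is a short, constructed sample of Windows process
# names (not a complete inventory); extend it for the machine being checked.
$known = 'svchost','csrss','lsass','RuntimeBroker','services','winlogon','smss','sihost'
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, compared case-insensitively
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = [int]($a[$i - 1] -cne $b[$j - 1])
            $best = [Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1)
            $d[$i, $j] = [Math]::Min($best, $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

Get-CimInstance Win32_Process | ForEach-Object {
    $proc = $_
    $name = [IO.Path]::GetFileNameWithoutExtension($proc.Name)
    $path = $proc.ExecutablePath      # empty for protected processes unless elevated
    $exact = $known -contains $name   # -contains ignores case
    $near = $known | Where-Object { (Get-EditDistance $name $_) -in 1..2 } |
        Select-Object -First 1
    $inSys32 = $path -and ([IO.Path]::GetDirectoryName($path) -ieq $sys32)

    $reason = $null
    if ($exact -and $path -and -not $inSys32) { $reason = 'Windows name, wrong folder' }
    elseif (-not $exact -and $near) { $reason = "resembles $near" }

    if ($reason) {
        # Authenticode status: Valid, NotSigned, HashMismatch, ...
        $sig = if ($path) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'path unavailable' }
        [pscustomobject]@{
            Name = $proc.Name; PID = $proc.ProcessId; Reason = $reason
            Signature = $sig; Path = $path
        }
    }
} | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell window so executable paths are visible. A near-match that sits in System32 with a Valid signature (LsaIso.exe next to lsass.exe, for example) is normally a legitimate neighbour, so the rows to look at are the ones outside System32 or without a valid signature.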

If Task Manager shows high CPU but nothing obvious is eating it, our guide to that problem covers the specific svchost and WMI scenarios. And if the slowness came on gradually over months with Task Manager looking normal, it’s almost certainly not a virus. It’s age, startup bloat, or a dying drive, and our speed guide handles that.

Three Scans

Running Windows Defender alone and calling it done is like checking one room and declaring the house clear. Here’s the approach I use on every machine.

Microsoft Defender Offline first — it’s built into Windows. Open Windows Security, Virus & threat protection, Scan options, Microsoft Defender Offline scan, Scan now. The computer reboots into a stripped-down environment and scans before the full OS loads. Malware that hides while Windows is running gets caught because it can’t run in this environment. Takes about 15 minutes.

Malwarebytes free from malwarebytes.com next. Full system scan, not quick scan. The reason to pair this with Defender is that Malwarebytes catches what Microsoft deliberately ignores — browser hijackers, adware bundles, potentially unwanted programs. Defender classifies those as “not technically viruses” and shrugs. Go directly to malwarebytes.com for the download — the top Google result has been a sponsored ad for a fake version more than once. Don’t leave Malwarebytes running in real-time alongside Defender though; two scanners monitoring every file access simultaneously grind the machine to a halt. Install, scan, close.

HitmanPro from hitmanpro.com is the third pass. Doesn’t even install — runs as a portable executable using cloud-based behavioral analysis rather than local signatures. It picks up newer threats that the other two haven’t catalogued yet. Slowest but catches the stealth infections.

If all three come back clean, the machine is clean. If any find something, remove it and run all three again to confirm.

What If Scans Found Something

Most of the time the scanner quarantines automatically — the file gets locked away where it can’t run. Let it sit quarantined for a week. If nothing breaks, delete it. If a program stops working, the “infected” file might have been a false positive.

For stubborn infections that survive or keep coming back, boot into Safe Mode and scan again. Hold Shift while clicking Restart, Troubleshoot, Startup Settings, press 4. Safe Mode loads minimal drivers so malware’s startup hooks can’t execute. If the infection still returns after Safe Mode scanning, you’re dealing with something embedded deeper than consumer scanners reach — at that point a clean Windows reinstall is the realistic fix, or our full malware removal guide covers the manual registry and Task Scheduler cleanup for persistent infections.

Confirming It’s Gone

Open Task Manager again, Performance tab. At idle with no apps open, CPU should be 2-10%, disk at 0-5% once boot-up housekeeping finishes. Check the Startup tab for anything new that wasn’t there before. Open Event Viewer (Win+R, eventvwr.msc, Windows Logs, Application) and scroll through recent entries — look for repeated errors from the same source at the same time each day, which is a sign of malware phoning home on a schedule.
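The Startup and Event Viewer checks above can be scripted so they are easy to repeat each day of the watch period. This is an added example, not part of the original article; the baseline file name, the 7-day window and the 3-day threshold are assumptions.

```powershell
# Added example. The baseline file name, the 7-day window and the 3-day
# threshold are assumptions to tune, not values from the article.
$baseline = Join-Path $env:USERPROFILE 'startup-baseline.csv'   # hypothetical path

# 1) Startup entries (Run keys and Startup folders) not present in the saved baseline
$current = @(Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User)
if (Test-Path -LiteralPath $baseline) {
    $seen = @(Import-Csv -LiteralPath $baseline |
        ForEach-Object { "$($_.Location)|$($_.Command)" })
    $current |
        Where-Object { $seen -notcontains "$($_.Location)|$($_.Command)" } |
        Format-Table Name, Command, Location, User -AutoSize -Wrap
} else {
    # First run: record what is there now so later runs can show additions
    $current | Export-Csv -LiteralPath $baseline -NoTypeInformation
}

# 2) Application-log errors from one source in the same hour on 3+ separate days
$since = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Application'; Level = 2; StartTime = $since }   # Level 2 = Error
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Group-Object { '{0}|{1:HH}' -f $_.ProviderName, $_.TimeCreated } |
    ForEach-Object {
        $g = $_
        $days = @($g.Group | ForEach-Object { $_.TimeCreated.Date } | Sort-Object -Unique)
        if ($days.Count -ge 3) {
            $source, $hour = $g.Name -split '\|'
            [pscustomobject]@{
                Source = $source; Hour = "${hour}:00"
                Days = $days.Count; Events = $g.Count
            }
        }
    } | Sort-Object Days -Descending | Format-Table -AutoSize
```

Save the baseline right after cleanup, then rerun the script during the watch period. Win32_StartupCommand covers Run keys and Startup folders only, so scheduled tasks and services still need a separate look.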

Give it three full days before declaring victory. Some infections ping their command server every 24-48 hours to redownload themselves. If the machine stays clean through a long weekend with normal resource usage, you’re genuinely clear. If you had any kind of info-stealer — or you’re not sure what type it was — change passwords for email, banking, and anything sensitive from a different device, and check bank statements going back a couple months. If the infection keeps returning or all three scanners say clean but the machine still acts wrong, we can run enterprise-grade tools remotely that catch what the free ones miss.

Frequently Asked Questions

How do I know if my computer has a virus or is just slow?

Open Task Manager (Ctrl+Shift+Esc) and check the Performance tab. If your CPU sits at 80-100% with nothing visibly running, that's suspicious — especially if you find processes with names that mimic Windows system files but are slightly off (like svch0st.exe with a zero instead of an O). If the slowness came on gradually over months and Task Manager looks normal, it's almost certainly not a virus — it's age, too many startup programs, or a dying hard drive.

Is Windows Defender enough to detect all viruses?

Windows Defender catches about 95% of known threats, but it deliberately ignores browser hijackers, adware, and potentially unwanted programs (PUPs) that it classifies as 'not technically viruses.' For thorough checking, run three scans: Microsoft Defender Offline (reboots into a minimal environment), Malwarebytes Free (catches the PUPs Defender skips), and HitmanPro (cloud-based behavioral analysis for stealthier threats). All three are free and the whole process takes about 45 minutes.

What are the most common types of malware in 2026?

The three most common types we remove from customer machines are cryptominers (about 35% of infections — hijack your CPU to mine cryptocurrency, making your PC feel unusably slow), browser hijackers (change your homepage and search engine, redirect clicks through ad pages), and info-stealers (run completely silently, capture passwords and keystrokes, send data to remote servers). Cryptominers and hijackers are easy to spot; info-stealers show zero symptoms and can only be caught by specialized scanning tools.

How do I confirm a virus is actually gone after removal?

Check Task Manager — CPU should be 2-10% at idle, not 80%. Check the Startup tab for suspicious new entries. Open Event Viewer (eventvwr.msc) and look for repeated errors at the same time each day. Then monitor for 72 hours — some infections phone home every 24-48 hours to reinstall themselves. If the machine stays clean for three days, you're clear. If the infection was an info-stealer, change all your passwords from a different device.

When should I call a professional instead of trying to remove malware myself?

Call a professional if: the same infection keeps coming back after Safe Mode scanning, your antivirus gets killed every time you enable it, you see rootkit-level threats (MBR or boot sector), or all three scanners say the machine is clean but it still behaves strangely. Also if you've spent more than three hours on it — at that point DIY is costing you more in time than professional removal would cost in money.
