Incident Response Guide

Something Suspicious Is Running on My Windows Computer

Your computer is slow, your antivirus flagged something, or you spotted an unfamiliar process. Here's how to check what's going on and what to do.

Updated 7 May 2026

What Brought You Here?

Different symptoms lead to this same question. Find your situation below.

My computer is unusually slow, hot, or the fan is running constantly

Heavy, continuous CPU or disk usage is one of the clearest signs that something is running in the background without your knowledge — whether that is malware, a cryptominer using your computer to generate cryptocurrency, or something unwanted that was installed alongside another program.

This does not always mean infection — Windows Update and antivirus scans can also cause temporary slowdowns — but if it has been going on for more than a day or two, it is worth checking.

Check what is using your resources:

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Click the CPU column header to sort by CPU usage (highest at the top)
  3. Look for any process using a high percentage of CPU continuously that you do not recognise

If you see an unfamiliar process near the top, continue to the How to Check a Process section below.

I saw an unfamiliar process name in Task Manager

Most processes running in Task Manager are legitimate Windows components or programs you have installed. However, malware in 2026 commonly disguises itself by using names nearly identical to real Windows processes — for example svch0st.exe (with a zero) instead of svchost.exe, or winlogon.exe running from an unusual folder instead of C:\Windows\System32.

Common legitimate Windows processes that are often impersonated:

  • svchost.exe — genuine copy lives in C:\Windows\System32
  • explorer.exe — genuine copy lives in C:\Windows
  • lsass.exe — genuine copy lives in C:\Windows\System32
  • csrss.exe — genuine copy lives in C:\Windows\System32

If you see any of these names running from a different location, or with slight spelling variations, that is a red flag.

Continue to the How to Check a Process section below.

My antivirus or Windows Security flagged a threat

If Windows Security (or a third-party antivirus) has already detected something and is asking what to do, choose Quarantine or Remove — not “Allow” or “Ignore” unless you are certain it is a false positive.

After removing the flagged item:

  1. Run a Full Scan in Windows Security (Start menu → “Windows Security” → Virus & threat protection → Scan options → Full scan)
  2. Restart your computer
  3. Run a second scan after restart to confirm the threat is gone

Then continue to the After Removing Malware section to check for any changes the malware may have made.

My browser is behaving strangely

Browser hijacking — where malware changes your homepage, default search engine, or injects ads into every webpage — is common and often arrives bundled with free software downloads.

Signs of browser hijacking:

  • Your homepage or new tab page changed to something you did not set
  • Searches redirect to an unfamiliar search engine
  • You see extra ads, pop-ups, or banners on websites that did not have them before
  • A new toolbar or extension appeared that you did not install

To fix browser hijacking:

  1. Open your browser’s Extensions or Add-ons settings and remove anything unfamiliar
  2. Reset your browser’s homepage and search engine back to your preference
  3. If the problem persists after removing extensions, reset the browser to default settings (available in browser Settings → Advanced → Reset)

Check all browsers you have installed, not just the one you use most.

Other warning signs I noticed

Additional signs that malware may be present:

  • Contacts tell you they received strange emails or messages from you — your email or social media account may have been compromised, or malware may be sending messages automatically
  • Programs or files appeared that you did not install
  • Task Manager or other system tools are blocked — some malware disables these to prevent removal
  • Your antivirus software turned itself off and you cannot turn it back on
  • Pop-ups appear even when you are not browsing — especially if they claim your computer is infected and ask you to call a phone number (this is a scam — do not call)

If you see fake infection warnings with a phone number to call, close them and do not call. These are tech support scams, not real alerts.

How to Check a Process

If you found a process name you do not recognise in Task Manager:

Step 1: Find the file location

Right-click the process in Task Manager and select Open file location. This shows you where the file is stored on your computer.

  • Legitimate Windows processes are almost always in C:\Windows\System32 or C:\Windows
  • Legitimate installed programs are usually in C:\Program Files or C:\Program Files (x86)
  • A process running from C:\Users\YourName\AppData\, a Temp folder, or a random folder you do not recognise is suspicious

Step 2: Search for the process name

Open a browser on your phone or another computer (not the suspect machine) and search for the exact process name. Sites like processlibrary.com and security forums will usually tell you whether it is known malware, a legitimate Windows component, or a third-party program.

Step 3: Run a scan

Do not try to manually delete the process — run a proper scan instead (see below).

Run a Malware Scan

Windows Security (built-in — free)

Windows 10 and 11 include Windows Security (also called Windows Defender), which is capable of detecting most common threats.

  1. Open the Start menu and search for Windows Security
  2. Click Virus & threat protection
  3. Click Scan options
  4. Select Full scan and click Scan now

A full scan takes 30–60 minutes. Allow it to complete, then follow any instructions it gives about found threats (choose Quarantine or Remove).

Free second-opinion scanners

Running a second scan with a different tool catches things the first one may have missed. Use one of these:

Microsoft Safety Scanner (official Microsoft tool, no installation needed):

  1. Download it from microsoft.com/en-us/safety/scanner — choose the version matching your Windows (64-bit for most modern computers)
  2. Run msert.exe and select Full Scan
  3. Remove anything it finds
  4. The tool expires after 10 days — delete it after use and download fresh if needed again

Malwarebytes (free version):

  1. Download from malwarebytes.com
  2. Install and run a Threat Scan
  3. Quarantine or remove anything it finds
  4. Restart your computer

Check Startup Items

Malware often adds itself to the startup list so it runs automatically every time Windows starts.

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Click the Startup apps tab (Windows 11) or Startup tab (Windows 10)
  3. Review the list — right-click any unfamiliar entry and select Disable
  4. If you are unsure about an entry, search for its name online before disabling

Disabling a startup item does not delete it — it just stops it from running automatically. You can re-enable it if it turns out to be legitimate.

After Removing Malware

Once scans are clean, check whether the malware made any lasting changes:

  • Change your passwords — from a different device first. Malware often logs keystrokes or steals saved passwords from your browser. Use our password generator for each account. Start with email, banking, and any account where you have payment details saved.
  • Check your browser extensions — remove anything you did not install
  • Check your browser’s saved passwords — consider whether any stored passwords could have been read by the malware. Change any sensitive ones.
  • Review your email — check if any forwarding rules were added that you did not set up (see the sent folder for emails sent without your knowledge)

When to Consider a Full Windows Reset

If scans keep finding the same threats, if your computer remains slow after cleaning, or if you suspect a deep infection (rootkit), the most reliable solution is a clean reinstall of Windows.

This is not as drastic as it sounds:

  • Windows 11 and 10 both have a built-in reset option: Start → Settings → System → Recovery → Reset this PC
  • The “Keep my files” option reinstalls Windows while keeping your personal documents (but removes all installed programs)
  • The “Remove everything” option is a complete fresh start

Back up your personal files to an external drive before resetting.

Prevention Checklist

  • Windows Update is set to automatic — Start → Settings → Windows Update → turn on automatic updates
  • Windows Security is enabled and up to date — check it has not been turned off
  • Only download software from official sources — the developer’s own website or the Microsoft Store; avoid “free download” aggregator sites
  • Do not install software from pop-up ads or from links in emails
  • Review browser extensions regularly — remove anything you no longer use or do not recognise
  • Back up important files to an external drive or cloud storage — if malware destroys or encrypts your files, a backup means you do not lose them permanently