
10 Warning Signs Your Computer Has a Virus (2026 Checklist)

Slow PC, pop-ups, and unknown apps? Use this 2026 checklist of 10 warning signs your computer has a virus, why each happens technically, and what to do next.

Last updated · April 25, 2026 · By Sarah Lin (Threat Intelligence Analyst)

Most consumer malware in 2026 is engineered to stay quiet. The classic 1990s "your PC is infected" pop-up is now usually scareware, not a real symptom. Real infections — info-stealers, banking trojans, cryptojackers, spyware — are designed to look as boring as possible while they work. Microsoft's Digital Defense Report 2024 observed that median attacker dwell time before detection had compressed but is still measured in days for consumer endpoints, meaning most users will not notice the infection on the day it happens. This guide gives you the 10 signs worth checking, the technical reason each one occurs, and what to do once you see them.

Last updated: April 25, 2026 — Reviewed by Sarah Lin (GCTI)

Quick Answer / TL;DR

  • Modern infections are usually quiet, not dramatic.
  • The 10 signs below split into performance, browser, security, account, and network categories.
  • Slowness alone is not proof — combine multiple signs before concluding.
  • Best diagnostic step: a full scan with an AV-TEST top-rated antivirus, ideally in safe mode.
  • Reset passwords from a clean device after any confirmed infection.

How to Use This Checklist

Each sign below includes:

  • What you observe — the surface symptom
  • Why it happens technically — the underlying cause
  • What to check — the next concrete step

You do not need every sign to confirm an infection. Two or three from different categories is a strong signal. One sign in isolation — particularly slowness — is not.

Sign 1 — Unexplained Slowdown

What you observe: The computer is markedly slower than a week ago. Programs take longer to launch. The fan runs constantly at idle.

Why it happens: Cryptojackers consume CPU and GPU to mine cryptocurrency. Info-stealers and spyware periodically scan files and upload them. Rootkits hook common operations and slow them down.

What to check: Task Manager (Ctrl+Shift+Esc on Windows) or Activity Monitor (macOS), sorted by CPU. Look for unfamiliar processes at idle. Confirm disk is not full and no large OS update is in progress.

Sign 2 — Fan and CPU Activity at Idle

What you observe: Fan loud or laptop hot to the touch when nothing is open.

Why it happens: A process is consuming CPU. The most common malicious cause is a cryptojacker mining Monero or similar in the background. Less commonly, a RAT operator is actively connected.

What to check: Same as Sign 1. Cryptojackers are notoriously bad at hiding because the goal is CPU consumption. An unknown process at 70–100 percent CPU at idle is a strong signal.

Sign 3 — Pop-ups, Redirects, and Browser Hijacks

What you observe: Pop-ups inside the browser or on desktop. Search engines redirect to unfamiliar pages. Default search engine or homepage changed without your action.

Why it happens: Adware and browser-hijacker malware modify browser settings, install extensions, and inject scripts. Browser-hijacker installers often use Task Scheduler or Startup folder entries to reapply settings if changed back.

What to check: Browser → Settings → Extensions. Remove unfamiliar items. Reset default search engine and homepage. If they revert on reboot, the persistent component lives outside the browser — installed programs, Startup folder, or scheduled tasks.

Sign 4 — New Programs, Toolbars, or Browser Extensions You Did Not Install

What you observe: Apps in Settings → Apps (Windows) or Applications (macOS) that you do not remember installing.

Why it happens: Bundled installers. A free PDF reader, video downloader, or game cheat often drops adware, a browser-hijacker, or a trojan alongside. Some legitimate extensions are sold to new owners who quietly add tracking.

What to check: Uninstall what you do not recognize, then run a full antivirus scan. Audit extensions by publisher and last-update date — sudden publisher changes are a known red flag.

Sign 5 — Antivirus Disabled or Settings You Did Not Change

What you observe: Windows Security or your AV shows real-time protection off. New folder exclusions appear that you did not add. Updates fail silently.

Why it happens: Many trojans actively disable AV engines or add their own working directory to exclusions. This behavior is itself a strong infection indicator.

What to check: Re-enable real-time protection. If it switches off again, you almost certainly have an active infection. Boot into safe mode and scan there, or use a bootable rescue disk.
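The check above can be done in one pass on Windows with Microsoft Defender's own PowerShell cmdlets. This is an added example, not part of the original checklist; it assumes Defender is the active antivirus and an elevated session, and the "risky location" pattern is an illustrative heuristic.

```powershell
# Added example: Microsoft Defender health and exclusion audit.
# Run elevated; without admin rights Get-MpPreference hides the exclusion lists.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Protection state and signature freshness (stale signatures = updates failing)
[pscustomobject]@{
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtection   = $status.IsTamperProtected
    SignatureAgeDays   = $status.AntivirusSignatureAge
    SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
} | Format-List

# Collect every configured exclusion, labelled by type
$exclusions = foreach ($type in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($value in $pref.$type) {
        if ($value) { [pscustomobject]@{ Type = $type; Value = $value } }
    }
}

if (-not $exclusions) {
    'No Defender exclusions are configured.'
} else {
    # Assumption: exclusions that cover user-writable folders or a whole
    # drive root are the ones to question first.
    $risky = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\Downloads\\|^[A-Za-z]:\\?$'
    $exclusions |
        Select-Object @{ n = 'Review'; e = { $_.Value -match $risky } }, Type, Value |
        Sort-Object Review -Descending |
        Format-Table -AutoSize -Wrap
}
```

Any exclusion you did not add yourself, especially one marked Review, is worth removing before the safe-mode scan.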

Sign 6 — Unfamiliar Logins or Account Activity

What you observe: Email, social, or bank accounts show logins from unfamiliar locations. Sent-mail folder contains messages you did not send. Two-factor codes arrive unbidden.

Why it happens: Often the first observable evidence of info-stealer or spyware infection. Stolen credentials are sold within hours; buyers test quickly. Verizon's 2025 DBIR lists stolen credentials among the most common entry vectors.

What to check: Account → Recent Activity on every important service (email first). Sign out all sessions, change passwords from a different clean device, and enable MFA. Treat unfamiliar two-factor prompts as active credential-stuffing.

Sign 7 — Files Are Encrypted or Renamed

What you observe: Files have unusual extensions appended (.locked, .crypted, .<random>) or refuse to open. A README explaining ransom payment appears in folders.

Why it happens: Ransomware. By the time this symptom is visible, encryption is usually complete on accessible storage.

What to check: Disconnect from the network immediately to prevent spread to mapped drives or cloud-synced folders. Do not pay. CISA's Stop Ransomware catalogs free decryption tools for older families. The cleanest recovery is wipe and restore from an offline backup.

Sign 8 — Unusual Network Activity

What you observe: Steady outbound traffic when nothing is in use. Tethered data burns faster than expected. Router logs show high upload from one device.

Why it happens: Spyware, info-stealers, and botnets communicate with C2 servers and may exfiltrate data. Cryptojackers communicate with mining pools.

What to check: Windows Resource Monitor → Network or macOS Activity Monitor → Network, sorted by bytes. Identify unfamiliar processes. The biggest tell is constant outbound data from a device that should be idle.
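To tie outbound connections to the program that owns them from the command line, the following added example (not from the original article) groups established TCP connections by process on Windows. It shows connection counts and remote endpoints rather than byte totals, so use it alongside Resource Monitor.

```powershell
# Added example: which processes hold established TCP connections to other hosts?
# Run elevated so the executable path of system-owned processes is readable.
$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' }   # skip loopback

$report = foreach ($group in $conns | Group-Object -Property OwningProcess) {
    $proc = Get-Process -Id $group.Name -ErrorAction SilentlyContinue

    # Distinct remote endpoints this process is talking to
    $remotes = $group.Group |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
        Sort-Object -Unique

    [pscustomobject]@{
        ProcessId   = $group.Name
        Process     = $proc.ProcessName
        Path        = $proc.Path          # empty if the process has already exited
        Connections = $group.Count
        Remotes     = $remotes -join ', '
    }
}

$report | Sort-Object Connections -Descending | Format-Table -AutoSize -Wrap
```

Run it with all browsers and sync clients closed; a process you do not recognize that still holds connections on an idle machine is the one to look up first.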

Sign 9 — Camera or Microphone Activates Unexpectedly

What you observe: Webcam light on when no video app is open. macOS orange mic indicator while not recording. Smartphone OS indicator dots flash.

Why it happens: Spyware, RATs, and stalkerware can capture video or audio. Modern OSes light hardware indicators specifically to expose this category.

What to check: macOS Sequoia menu bar shows orange (mic) / green (camera). iOS and Android show dots at the top of the screen. Windows 11 Privacy & Security → Camera/Microphone shows recent app activity. An unknown process here is a high-priority finding.

Sign 10 — Crashes, Blue Screens, and Unexplained Freezes

What you observe: System crashes, hangs, or BSODs more often than it used to.

Why it happens: Some malware — especially poorly written rootkits and bootkits — destabilizes the system. Stability issues are also commonly caused by bad drivers, failing memory, or overheating.

What to check: Note the crash error code or panic log. Run hardware diagnostics (Windows Memory Diagnostic; Apple Diagnostics). If hardware checks pass and a full AV scan is clean, treat it as a software bug rather than an infection.

At-a-Glance Symptom Map

| #  | Sign                      | Category    | Most Likely Cause                |
|----|---------------------------|-------------|----------------------------------|
| 1  | Slowdown                  | Performance | Cryptojacker, spyware, rootkit   |
| 2  | Fan / CPU at idle         | Performance | Cryptojacker, RAT                |
| 3  | Pop-ups, redirects        | Browser     | Adware, browser hijacker         |
| 4  | Unknown apps / extensions | System      | Bundled installer, adware        |
| 5  | AV disabled               | Security    | Active trojan, rootkit           |
| 6  | Unfamiliar logins         | Account     | Info-stealer, spyware            |
| 7  | Encrypted files           | System      | Ransomware                       |
| 8  | Unusual network           | Network     | Spyware, info-stealer, botnet    |
| 9  | Camera / mic activity     | Privacy     | Spyware, RAT, stalkerware        |
| 10 | Crashes / BSOD            | Stability   | Rootkit, bootkit (or hardware)   |

What to Do If You See Multiple Signs

If two or more of the above show up at once, treat the system as compromised until proven otherwise. The standard incident-response flow is:

  1. Disconnect from the network to halt exfiltration and prevent spread.
  2. Boot into safe mode. Most malware loads less of itself in safe mode, making it easier to find and remove.
  3. Run a full scan with a top-tier antivirus. Use one that has earned a recent AV-TEST or AV-Comparatives top score.
  4. Run a second-opinion scanner with a different engine. Different vendors catch different things.
  5. Check persistence locations: Task Scheduler, Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), Services, Startup folder, and scheduled login items on macOS.
  6. Reset passwords from a separate, clean device. Email first, then bank, then the rest.
  7. Apply pending OS and application updates so the same exploit cannot be reused.
  8. If a rootkit, bootkit, or ransomware is confirmed, reinstall the OS from clean media. This is faster and safer than chasing kernel-mode persistence.
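
Step 5 on Windows can be gathered into a single review table. This is an added example, not code from the original article; it goes slightly beyond the one Run key named above by also reading the machine-wide and RunOnce keys, and the "user-writable folder" flag is an assumed triage heuristic, not proof of infection. macOS login items are not covered.

```powershell
# Added example: collect common Windows autostart entries into one table for review.
# Run elevated so HKLM keys, all scheduled tasks and all services are readable.

# Assumption: commands that launch from user-writable folders deserve the first look.
$writable = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'
$entries  = New-Object System.Collections.Generic.List[object]

# Run / RunOnce keys (per-user and machine-wide)
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($leaf in 'Run', 'RunOnce') {
        $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$leaf"
        $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $entries.Add([pscustomobject]@{ Source = $path; Name = $name
                                            Command = [string]$key.GetValue($name) })
        }
    }
}

# Startup folders (current user and all users)
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    foreach ($file in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $entries.Add([pscustomobject]@{ Source = 'Startup folder'; Name = $file.Name
                                        Command = $file.FullName })
    }
}

# Scheduled tasks that run a program
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $entries.Add([pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName
                                            Command = "$($action.Execute) $($action.Arguments)".Trim() })
        }
    }
}

# Services set to start automatically
foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'") {
    $entries.Add([pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName })
}

$entries |
    Select-Object @{ n = 'Review'; e = { $_.Command -match $writable } }, Source, Name, Command |
    Sort-Object Review -Descending |
    Format-Table -AutoSize -Wrap
```

Entries marked Review sort to the top; look up any name you do not recognize before deleting it, since legitimate updaters also start from these locations.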

For more on each malware category that produces the symptoms above, see our explainers on the 12 types of malware, trojan viruses, and spyware.

Prevention: How to Keep Symptoms From Appearing in the First Place

  • Auto-update OS and browser. Most exploit kits target already-patched vulnerabilities.
  • Default-deny Office macros. Enable only for documents from a verified sender.
  • Install software from official sources — vendor sites, Microsoft Store, App Store, Google Play.
  • Use a top-rated antivirus with recent independent lab certifications and keep it enabled.
  • Use a password manager and unique passwords.
  • Enable multi-factor authentication on email, banking, social, and cloud accounts.
  • Back up important files offline. A versioned cloud or disconnected external drive neutralizes ransomware.
  • Audit browser extensions and app permissions every few months.

FAQs

What are the first signs of a computer virus?

Early signs typically include unexplained slowdown, fan and CPU activity at idle, pop-ups in the browser, default search engine changes, and antivirus alerts that suddenly stop appearing. The earlier you notice these, the smaller the post-incident cleanup.

Can a virus run without any visible symptoms?

Yes — and that is increasingly common. Modern info-stealers and spyware are deliberately quiet. They often run for minutes, exfiltrate data, and exit. The clearest evidence is found by checking account history (unusual logins, unfamiliar devices) rather than by watching the PC itself.

Is a slow computer always a sign of a virus?

No. Slowness is most often caused by full disks, fragmented updates, too many startup apps, browser tab overload, or aging hardware. Treat slowness as a possible indicator, not a definitive one. Compare it against the rest of the checklist before assuming infection.

What should I do first if I think my computer has a virus?

Disconnect from the internet to halt exfiltration, boot into safe mode, run a full scan with a top-tier antivirus, then run a second-opinion scan with a different engine. Once clean, change passwords from a separate device and apply pending OS and application updates.

Do Macs and Chromebooks get viruses?

Macs increasingly do, especially via info-stealer trojans that target browser-saved credentials. Chromebooks have the smallest attack surface among consumer devices because Chrome OS isolates everything in containers, but malicious extensions and side-loaded Android apps still pose risks.

How can I tell the difference between a virus and a hardware problem?

Hardware problems are usually consistent and tied to specific tasks — a failing drive slows file copies, bad RAM causes blue screens during memory-heavy work. Malware symptoms are typically broader and behavioral: pop-ups, browser hijacks, unknown processes, and unfamiliar account activity. Run a full antivirus scan first; if it comes up clean and symptoms persist, run hardware diagnostics.

The Bottom Line

The 10 signs in this checklist are most useful when read together. A slow PC alone is not evidence; a slow PC plus pop-ups plus unfamiliar logins is a near-certain infection. Modern malware is built to be quiet, so the most reliable diagnostic in 2026 is not what you see on the desktop — it is a full scan with an antivirus that has earned recent independent lab certifications, plus a check of account login history on email, bank, and cloud services.

If you want to understand the categories that produce each symptom, our types of malware guide maps the 12 main families. For deeper dives on the two highest-impact categories for consumers, see our trojan virus and spyware explainers. When you are ready to compare antivirus products on the basis of independent lab data — not affiliate ranking deals — our best antivirus rankings consolidate AV-TEST, AV-Comparatives, and SE Labs results in one place.
