
When your computer is slow, overheats, or strange windows keep popping up, the natural reaction is to install antivirus software and cross your fingers. But even with a powerful security suite, certain types of malware often go completely undetected and keep doing their work in the background.
The good news is that Windows (and macOS too) include plenty of built-in tools you can use to audit suspicious processes without relying on third-party antivirus software. It's not magic, and you don't need to be a hacker: with a little method, common sense, and the right tools, you can detect malicious processes, stop them, and clean up many of the most common infections.
What is stealth malware and why does it evade antivirus software?
When we talk about viruses and modern threats, we don't just mean the classic malware that deletes files. Much more discreet campaigns are common today, where the malware integrates itself into the system in order to go undetected for weeks or months.
Within this group, rootkits stand out: components designed to hide in the deepest layers of the operating system. They can attach themselves to the boot process, the kernel, or system drivers, so that neither the user nor many tools can see their files, services, or registry keys. That is the key caveat for everything that follows: tools that run inside the infected system ask that system what is running, and a kernel-level rootkit can lie to them.
Another very dangerous family is polymorphic malware. These programs constantly rewrite their own code, so every copy has a different hash and byte pattern. This makes it harder for signature-based antivirus engines to recognize them: even with up-to-date security software, new variants may go undetected for some time.
Then there are zero-day threats, which exploit vulnerabilities that have not yet been patched or publicly documented. Antivirus vendors don't yet have specific rules for them, so part of the game is detecting strange behavior rather than specific files.
All of this makes it worthwhile to learn to manually monitor critical processes, the network, startup items, and files. It does not replace antivirus software, but it's one more layer, and one that can make all the difference.

How to detect suspicious processes in Windows
Windows includes several utilities that let you see exactly what's running on your computer. If you suspect something unusual is consuming resources, the first place to check is Task Manager, which offers a real-time view of processes and of CPU, memory, disk and network usage.
To open it, right-click the Start button and choose "Task Manager", use the shortcut Ctrl + Shift + Esc, or press Ctrl + Alt + Delete and select it from the menu. You'll see several tabs, but the most important one for an initial audit is "Processes".
That screen lists all applications and background processes, along with the CPU, memory, network, and disk resources each one consumes. You'll usually recognize browsers, open programs, and some system services. What we're interested in are entries that:
- you don't recognize at all, neither as an application nor as a regular part of Windows;
- consume far more resources than the rest while you aren't doing anything demanding;
- change their name, or close and reopen within seconds when you try to stop them.
If you find such a process, right-click it and check "Properties" first. There you'll see the file path, the publisher (for example, Microsoft Corporation or a well-known vendor), the creation date, and other details that help tell a legitimate component from a potentially malicious one. Pay special attention to the path: a process named like a Windows component (svchost.exe, csrss.exe, lsass.exe) that does not live in C:\Windows\System32 is a classic sign of impersonation. Also note that the company name on the "Details" tab is just text that whoever built the file typed in; it only means something when the "Digital Signatures" tab shows a valid signature from that publisher.
When in doubt, turn to external resources: searching for the process name in a search engine or on specialized sites such as File.net usually gives fairly clear clues as to whether it's part of Windows, a trusted program, or something problematic that other users have already reported. Search by the exact file name and path, since malware often reuses a legitimate name in a different folder.
If you confirm it doesn't look right, you have two immediate options: end the task from Task Manager itself (right-click > "End task") to stop it for now, and then use "Open file location" to find the executable, so you can delete it and prevent it from being launched again.
Keep in mind that if the malware has a component that reinstalls itself or launches from elsewhere in the system, simply killing the process or deleting the main .exe may not be enough. Even so, it's a useful first step towards regaining a usable machine and continuing the investigation more calmly. Before deleting anything, note down the full path and, if you can, its SHA-256 hash, so you can identify the file later on an online scanning service.
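The checks above (path, publisher, signature, impersonation of a system binary) can be done in bulk rather than one right-click at a time. The following is an added PowerShell example, not code from the original article: it lists every process with its image path, publisher and Authenticode status and attaches heuristic flags. The lists of impersonated names and user-writable folders are this example's own assumptions, not an official Windows reference, and every flag is a lead to investigate, not a verdict.

```powershell
# Added example (not from the original article): bulk version of the Task Manager /
# Process Explorer checks. Run from an elevated PowerShell (5.1 or 7) so the image
# path of other users' processes is readable. Name and path lists are assumptions.

# Windows binaries that malware likes to impersonate. The real ones live in
# %SystemRoot%, %SystemRoot%\System32 or %SystemRoot%\SysWOW64; a copy elsewhere is a red flag.
$coreNames = @('svchost', 'csrss', 'lsass', 'winlogon', 'services', 'explorer', 'smss',
               'wininit', 'dwm', 'taskhostw', 'RuntimeBroker', 'conhost', 'spoolsv')

# User-writable locations from which legitimate, installed software rarely runs.
$suspiciousRoots = @(
    [IO.Path]::GetTempPath(),
    "$env:SystemRoot\Temp\",
    "$env:USERPROFILE\Downloads\",
    "$env:PUBLIC\",
    "$env:ProgramData\",
    "$env:APPDATA\",
    "$env:LOCALAPPDATA\"
)

function Get-ProcessTriage {
    $sysDirs = @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    foreach ($p in Get-Process) {
        $path = $p.Path          # $null for protected processes or when access is denied
        $flags = @()
        $sigStatus = 'n/a'; $signer = ''; $company = ''

        if ($path) {
            # Get-AuthenticodeSignature also honours catalog signatures, which is how most
            # Windows binaries are signed, so Valid is the expected result for them.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            if ($sigStatus -ne 'Valid') { $flags += "signature:$sigStatus" }

            # The version resource is typed in by whoever built the file, so the company
            # name is only trustworthy together with a valid signature.
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName

            foreach ($root in $suspiciousRoots) {
                if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $flags += "runs-from:$root"; break
                }
            }

            # Known system process name running from outside the Windows directories.
            if ($coreNames -contains $p.ProcessName) {
                $dir = Split-Path -Path $path -Parent
                if ($sysDirs -notcontains $dir) { $flags += 'impersonates-system-binary' }
            }
        } else {
            # Normal for System, Idle, Registry, Memory Compression and protected
            # processes; worth a second look for anything else.
            $flags += 'path-not-readable'
        }

        [PSCustomObject]@{
            PID       = $p.Id
            Name      = $p.ProcessName
            Path      = $path
            Company   = $company
            Signature = $sigStatus
            Signer    = $signer
            Flags     = ($flags -join ', ')
        }
    }
}

# Show only flagged processes; treat each flag as a lead, not a verdict.
Get-ProcessTriage | Where-Object { $_.Flags } | Sort-Object Flags, Name |
    Format-Table PID, Name, Signature, Company, Flags, Path -AutoSize -Wrap
```

Expect some legitimate entries in the output: unsigned tools you installed yourself, or Microsoft-signed components that run from ProgramData (Windows Defender's platform does). A Valid Microsoft signature on an odd path is usually fine; an unsigned binary with a system name outside System32 is the combination to chase.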
Process Explorer and Autoruns: an advanced overview of the system
In addition to the standard Task Manager, Microsoft offers a set of free advanced utilities (Sysinternals) that are invaluable for auditing a computer. The two most useful for this purpose are Process Explorer and Autoruns, which show far more information than the basic Windows tools.
Process Explorer is, simply put, Task Manager on steroids. Once downloaded from the official Microsoft website and run, it displays all active processes in a tree structure, showing what launched what, which DLLs each process has loaded, which files it keeps open, and what digital signature it carries. Enable Options > Verify Image Signatures so that the signer column is actually populated, and Options > VirusTotal.com > Check VirusTotal.com to have each image's hash looked up against the scanning service described further down.
Double-clicking a process opens a detailed window with its path, the user it runs as, GPU usage, open connections, and even module versions. This is especially useful for unmasking processes that impersonate Windows components by changing one letter of the name or by living in an unexpected folder.
Autoruns, for its part, is used to review everything that starts automatically on the system: programs that run at logon, scheduled tasks, browser extensions, services, drivers, and much more. Malware typically registers itself in one of these places so that it reactivates when the PC is turned on.
After running Autoruns (as administrator, so that it can read every location), you'll see tabs organized by category. The most practical approach is to start by reviewing anything you don't recognize, plus the items highlighted in yellow (orphaned entries, non-existent paths, etc.). Enabling Options > Hide Microsoft Entries and Options > Scan Options > Verify Code Signatures trims the list to what actually deserves attention, and entries whose signature cannot be verified are highlighted in pink. Anything suspicious can be unchecked to prevent execution, or you can use the context menu to jump to its registry key or file.
This approach is more surgical than simply deleting an .exe, because it removes the malware's automatic startup point. Do it carefully, though: disabling critical system entries can cause strange behavior, so if you're unsure about something, look it up first. Unchecking an entry is reversible and deleting it is not, so prefer unchecking while you investigate.

Reviewing the registry and suspicious startup paths
Much of the malware that runs as soon as Windows starts does so through the registry. Although blindly editing the registry is not advisable, there are a few very specific locations worth knowing about and checking when there are signs of infection.
To open the Registry Editor, type "regedit" in the Start menu and run it. Once inside, one of the key locations is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
That key lists the programs configured to start automatically for all users. There is an equivalent in the per-user branch:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In these keys, you should only find things you recognize: graphics card drivers, laptop manufacturer utilities, software you installed yourself, and so on. Strange names, paths pointing to temporary folders or to user profiles with unusual names, commands that launch scripts through wscript, mshta, rundll32 or powershell, and executables without a valid signature are strong indicators of malware. Check the neighboring RunOnce keys as well and, on 64-bit Windows, the same paths under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node, which 32-bit programs write to.
You can reach these keys more easily from Autoruns, but if you prefer to do it manually in Regedit, the safest thing is to export the key before deleting anything (File menu > Export) so you have a backup in case something goes wrong.
Sometimes the most aggressive rootkits place components elsewhere, for example as entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, so that they load as system services or kernel drivers. In those cases, if you notice serious symptoms (screen freezes, random restarts, missing files), you may need external boot media or specialized tools rather than hand-editing the registry, because a driver that is already loaded can hide or restore its own keys.
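The following is an added PowerShell example, not code from the original article, that dumps the Run and RunOnce keys described above (both hives, plus the WOW6432Node copies on 64-bit Windows), resolves each command line to its executable, and reports whether the file exists and carries a valid Authenticode signature. It is read-only, so it is safe to run before exporting or deleting anything. The command-line parsing and the flag heuristics are this example's own assumptions.

```powershell
# Added example (not from the original article): read-only audit of the Run/RunOnce
# autostart keys. Nothing is modified. The flag heuristics are this example's assumptions.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a Run value such as
#   "C:\Program Files\Vendor\app.exe" /tray     or     rundll32 C:\Users\Public\x.dll,Go
function Resolve-RunExecutable([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $first = $cmd.Split(' ')[0]
    # Bare names (rundll32, powershell, wscript ...) resolve through PATH.
    if ($first -notmatch '[\\/]') {
        $c = Get-Command $first -ErrorAction SilentlyContinue
        if ($c -and $c.Source) { return $c.Source }
    }
    # Unquoted path that may itself contain spaces: extend to the first executable extension.
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|cmd|bat|vbs|js|ps1|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $first
}

function Get-RunKeyAudit {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $exe = Resolve-RunExecutable $cmd
            $exists = (-not [string]::IsNullOrWhiteSpace($exe)) -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $status = 'missing'; $signer = ''
            if ($exists) {
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            $flags = @()
            if (-not $exists)            { $flags += 'target-missing' }
            elseif ($status -ne 'Valid') { $flags += "signature:$status" }
            if ($exe -match '\\(Temp|Users\\Public|Downloads|ProgramData)\\') { $flags += 'user-writable-path' }
            if ($exe -match '\.(vbs|js|ps1|bat|cmd)$') { $flags += 'script-launcher' }
            # Living-off-the-land launchers: legitimate, signed binaries that run attacker-supplied code.
            if ($cmd -match '\b(regsvr32|rundll32|mshta|wscript|cscript|powershell|pwsh|certutil|bitsadmin)\b') {
                $flags += 'lolbin-launcher'
            }

            [PSCustomObject]@{
                Key = $key; Name = $name; Command = $cmd; Executable = $exe
                Exists = $exists; Signature = $status; Signer = $signer
                Flags = ($flags -join ', ')
            }
        }
    }
}

Get-RunKeyAudit | Sort-Object Key, Name |
    Format-Table Key, Name, Executable, Signature, Flags -AutoSize -Wrap
```

A lolbin-launcher flag is the one to read carefully: the executable column will show a valid Microsoft signature for rundll32 or powershell, which is precisely why malware uses them; what matters is the DLL, script or encoded command in the Command column.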
Monitor the network: unusual connections and open ports
A very typical behavior of modern malware is connect silently to remote servers to exfiltrate data, receive commands, or download additional modules. Therefore, another part of the audit involves monitoring what's happening on your network.
In Windows, the classic command for viewing open connections and ports is netstat. Open a console as administrator (type "CMD" in Start, right-click and select "Run as administrator") and run:
netstat -ano
You'll get a list of all active connections with the local port, the remote IP address and port, and the process identifier (PID) behind each one. With that PID you can go back to Task Manager or Process Explorer and see which program owns a given connection; adding the -b switch (netstat -anob, from an elevated console) prints the executable name directly. Pay attention to ESTABLISHED connections to addresses you don't recognize and to LISTENING ports opened by programs that have no reason to accept incoming connections.
Beyond netstat, a much more powerful tool is Wireshark, a packet analyzer that captures all traffic passing through your network card. The idea is to select the right interface (Wi-Fi or Ethernet), start the capture and, to narrow it down, filter by your IP address or by specific protocols.
For example, run ipconfig in a console to find your local IP address, then use display filters such as ip.addr == YOUR_IP, or focus on DNS, HTTP, TLS or other traffic. When you stop the capture, you can inspect individual packets and see which domains your computer contacts (DNS queries and the TLS Server Name field are visible even when the payload itself is encrypted), which ports it uses, and whether there are repeated communications with destinations you don't recognize.
Interpreting all the traffic a system generates is not trivial, but even at a basic level you can spot suspicious patterns such as connections to the same unknown IP at fixed intervals (beaconing), attempts to talk to unusual ports, or packets sent out while you aren't using the computer.
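The following is an added PowerShell example, not code from the original article, that does the netstat -ano plus PID lookup in one step: every listening or established TCP connection is joined to its owning process, image path and signature, and flagged when it points outside the local network, uses a port outside a short "usual" list, or belongs to an unsigned program running from a user-writable folder. The "usual ports" list and the other heuristics are this example's assumptions; Get-NetTCPConnection ships with the NetTCPIP module on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original article): netstat -ano joined to process details.
# Run elevated so every process path is readable. The heuristics are this example's.

function Test-LocalAddress([string]$ip) {
    # Loopback, link-local, RFC 1918 and IPv6 local scopes are not "remote servers".
    return ($ip -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|0\.0\.0\.0$|::1$|::$|fe80:|fc|fd)')
}

function Get-ConnectionAudit {
    $procs = @{}
    foreach ($p in Get-Process) { $procs[$p.Id] = $p }
    $sigCache = @{}
    $usualPorts = @(80, 443, 53, 22, 25, 465, 587, 993, 995, 3389)

    $conns = Get-NetTCPConnection | Where-Object { $_.State -eq 'Established' -or $_.State -eq 'Listen' }
    foreach ($c in $conns) {
        $p = $procs[[int]$c.OwningProcess]
        $path = if ($p) { $p.Path } else { $null }
        $sigStatus = 'n/a'
        if ($path) {
            if (-not $sigCache.ContainsKey($path)) {
                $sigCache[$path] = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
            }
            $sigStatus = $sigCache[$path]
        }

        $flags = @()
        if ($c.State -eq 'Established') {
            if (-not (Test-LocalAddress $c.RemoteAddress)) { $flags += 'external' }
            if ($usualPorts -notcontains [int]$c.RemotePort) { $flags += "unusual-port:$($c.RemotePort)" }
        } else {
            # A listener bound to all interfaces is reachable from the network.
            if ($c.LocalAddress -eq '0.0.0.0' -or $c.LocalAddress -eq '::') { $flags += 'listens-on-all-interfaces' }
        }
        if ($path -and $sigStatus -ne 'Valid') { $flags += "signature:$sigStatus" }
        if ($path -and $path -match '\\(Temp|AppData|ProgramData|Users\\Public|Downloads)\\') { $flags += 'user-writable-path' }
        if (-not $p) { $flags += 'owner-not-found' }   # process exited between the two snapshots, or PID 0/4

        [PSCustomObject]@{
            State     = $c.State
            Local     = "$($c.LocalAddress):$($c.LocalPort)"
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
            PID       = $c.OwningProcess
            Process   = if ($p) { $p.ProcessName } else { '?' }
            Path      = $path
            Signature = $sigStatus
            Flags     = ($flags -join ', ')
        }
    }
}

# One process with several "external" rows to the same address, or the same row
# reappearing every few minutes when you rerun this, is the beaconing pattern to chase.
Get-ConnectionAudit | Where-Object { $_.Flags } | Sort-Object Process, Remote |
    Format-Table State, Process, PID, Remote, Signature, Flags -AutoSize -Wrap
```

Browsers, update agents and messaging apps will legitimately show external connections on unusual ports, so read the Process and Signature columns together with the flags rather than the flags alone. This is also only a snapshot: run it a few times over several minutes, or use Wireshark as described next, to see connections that open and close quickly.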

Using the command line and native Windows tools
In addition to the graphical utilities, Windows includes several console tools that help detect and repair damage caused by malware without resorting to external antivirus software. Many of them require running the terminal with administrator privileges.
One of the best known is SFC (System File Checker), which checks protected system files and replaces those it detects as corrupt or altered. To use it, open CMD as administrator and run:
sfc /scannow
The process may take a while, but if the malware has modified core Windows components, this tool can restore many of them to their original state. If SFC reports that it found corrupt files it could not repair, run DISM /Online /Cleanup-Image /RestoreHealth and then sfc /scannow again: DISM repairs the component store that SFC takes its clean copies from.
Another useful tool, especially for files that a virus has hidden or marked as system files, is the attrib command. From the console, navigate to the folder where you suspect the malicious files are and run something like:
attrib -s -h /s /d
This removes the system and hidden attributes from all files and subdirectories under that path, which makes it easier to locate them and then remove them with del. It's a slightly more advanced method and you need to be clear about what you're deleting: run it only inside the suspect folder, never at the root of C:\ or inside C:\Windows, where stripping those attributes from legitimate files does harm. Note also that it only reveals files hidden by attributes; a rootkit that hides files by hooking the file system will not be exposed this way.
Windows also includes MRT (Malicious Software Removal Tool), which is kept up to date through Windows Update. It's not a full antivirus, but it scans specifically for widespread malware families. To launch it, press Windows + R, type mrt, and choose a full system scan.
When it finishes, the report indicates whether any malicious software was found and, if so, offers to remove it. Microsoft recommends using MRT as a complement, not as a permanent replacement for antivirus software, but when you can't install anything else at the moment, it's a valuable resource.
Safe mode, temporary files, and system restore
When an infection is active, fighting it from inside the running system can be complicated. Many viruses protect themselves with watchdog processes that relaunch the executable if you close it, or restore files if you delete them. This is where Safe Mode and certain Windows maintenance functions come in.
Booting into Safe Mode makes the system load only the minimum components it needs to function, excluding most third-party programs, additional drivers, and non-critical services. In modern versions of Windows you can reach it from Settings > Update & Security > Recovery > Advanced startup (Settings > System > Recovery in Windows 11), or by holding Shift while clicking "Restart" and then choosing the startup settings from the advanced options. Safe Mode still loads boot-start drivers, so a kernel rootkit installed as one may survive it; for those cases, scan from external media as described further down.
Once in Safe Mode, repeat the steps of inspecting processes, running Autoruns, deleting files, and cleaning registry keys. It is much more effective there, because the malware has far less room to reactivate itself or block your actions.
Another important focus is the temporary folders. Many malicious executables are downloaded and run from locations like these, so it's worth cleaning them when you have any suspicion. To get there quickly, use the Run dialog again (Windows + R) and type:
- %temp% to open the current user's temporary folder (normally C:\Users\<name>\AppData\Local\Temp);
- temp to open the system's general temporary folder (C:\Windows\Temp).
Inside these folders you can select and delete all their content; files that are currently in use will refuse to be deleted, and you can skip those. Windows regenerates the temporary files it needs, and along the way you'll have gotten rid of leftover installer files, suspicious downloads, and components that malware could be using.
If the system has been misbehaving for some time and you've noticed it getting worse, a very useful tactic is System Restore. This feature takes the device back to a previous state where you know it was working correctly, reversing changes to system files, the registry, and settings, but without touching your personal documents. The flip side is that it also does not remove anything malicious stored among those documents, so it complements the cleanup rather than replacing it.
To manage it, search for "Create a restore point" in the Start menu, go to the System Protection tab, and verify that protection is enabled for the system drive. From there you can manually create restore points (highly recommended before major changes) and also launch "System Restore" to choose a point prior to the moment you detected the infection.
Many people keep several recent restore points, updating them periodically. That way, if you're unsure when the malware got in, you have more leeway to try different dates without having to reformat the entire computer right away.
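Before emptying the temp folders it is worth seeing what could actually execute from them, because that is the sample you want to identify. The following is an added PowerShell example, not code from the original article: it lists recently created executable and script files in the user and system temp folders, with hidden attribute, signature status and SHA-256 hash, so you can look a file up by hash on an online scanner before deleting the rest. It is read-only; the extension list and the 7-day window are this example's assumptions.

```powershell
# Added example (not from the original article): inventory of recent executables in the
# temp folders discussed above. Read-only. Extension list and time window are assumptions.

$tempRoots = @([IO.Path]::GetTempPath().TrimEnd('\'), "$env:SystemRoot\Temp", "$env:LOCALAPPDATA\Temp") |
    Select-Object -Unique
$execExt = @('.exe', '.dll', '.scr', '.com', '.ps1', '.vbs', '.vbe', '.js', '.jse',
             '.wsf', '.bat', '.cmd', '.hta', '.msi', '.lnk')

function Get-TempExecutables([int]$Days = 7) {
    $since = (Get-Date).AddDays(-$Days)
    foreach ($root in $tempRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force also returns files carrying the hidden or system attributes.
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $execExt -contains $_.Extension.ToLower() -and $_.CreationTime -ge $since } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                # A file that is locked by a running process cannot be hashed; that by itself
                # tells you something is still using it.
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [PSCustomObject]@{
                    Created   = $_.CreationTime
                    Size      = $_.Length
                    Hidden    = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                    Signature = $sig.Status.ToString()
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    SHA256    = if ($h) { $h.Hash } else { '(locked)' }
                    Path      = $_.FullName
                }
            }
    }
}

Get-TempExecutables -Days 7 | Sort-Object Created -Descending |
    Format-Table Created, Signature, Hidden, Size, SHA256, Path -AutoSize -Wrap
```

Installers legitimately drop signed executables in temp and leave them there, so an unsigned or hidden file created around the time the symptoms began is what stands out, not the mere presence of an .exe.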
Malware on macOS: Activity Monitor and Diagnostics
Although macOS generally has a better security reputation, Macs are not immune to malware. Adware, hidden miners, and Trojans that steal credentials are increasingly common, so it's worth knowing how to audit suspicious processes there too without third-party tools.
The macOS equivalent of Task Manager is Activity Monitor. You'll find it in Applications > Utilities, or simply by searching for "Activity Monitor" in Spotlight. When you open it, you'll see a list of all running processes and applications with their CPU, memory, energy, disk and network usage.
As with Windows, it's normal not to recognize many of the names that appear, but that doesn't mean they're malicious. What's interesting is to look at processes that consume resources disproportionately, or that stay active even when you've closed everything you normally use.
Selecting a process and pressing the information icon (the "i") opens a window with additional details, including the path of the associated executable and the user it runs as. This lets you distinguish legitimate system utilities from recently installed apps or malicious scripts.
If you find something suspicious, select it and press the "X" icon to force it to quit. In parallel, go to the Applications folder, or to the path shown by Activity Monitor, and remove the associated app or component. As on Windows, malware needs a way to come back after a reboot: on macOS that usually means a launch agent or launch daemon (a .plist in ~/Library/LaunchAgents, /Library/LaunchAgents or /Library/LaunchDaemons) or a login item (System Settings > General > Login Items), so check those locations too. If the computer continues to behave oddly, Activity Monitor's gear-shaped menu lets you sample a process or run basic system diagnostics.
In any case, just as on Windows, combining process monitoring with a good antivirus for macOS remains the most sensible strategy in the medium term, especially if you install software from outside the App Store or connect many USB devices.
Online services and tricks without installing antivirus
It's possible that, for whatever reason, you can't install a full antivirus right now: permission limitations, a work computer with strict policies, or you're simply dealing with one specific file. Even so, you still have options. Several online services help analyze suspicious files and URLs.
The most popular is VirusTotal, a platform where you can upload files or paste links to be analyzed by dozens of antivirus engines. It installs nothing on your computer and quickly shows whether an executable, document, or website is flagged as malicious, matching it against known threats in multiple databases. Two caveats: uploaded files are shared with the security community, so never upload documents containing confidential data (search by the file's SHA-256 hash first, which reveals nothing about its contents), and a clean result only means that no engine recognizes it yet, not that it is safe, which matters precisely for the polymorphic and zero-day cases discussed above.
Besides VirusTotal, there are other similar solutions provided by security companies such as F-Secure or Trend Micro, which offer on-demand scans of the system or specific files from the browser.
Interestingly, even everyday tools like Google Drive include their own scanning mechanisms. When you upload a file, the service performs certain checks, and if it detects something suspicious it may block the download or display warnings. It's not as sophisticated as a dedicated antivirus, but it adds another layer if you're reviewing potentially suspicious documents.
As a complement, a very effective digital hygiene measure is to review and uninstall any browser extensions you don't use or that you recently added. Many infections that only affect browsing (pages that open by themselves, redirects, constant pop-ups) get in precisely through malicious plugins.
In Chrome, for example, open the three-dot menu, go to Extensions > Manage Extensions (or type chrome://extensions in the address bar) and remove any suspicious add-ons or any you don't remember installing. In Firefox, Edge, and other browsers the process is similar. This simple step can restore normal browsing without complex scans.
In complicated situations, when malware has reached very sensitive areas of the system such as the boot process, deep registry hives, or even the MBR (Master Boot Record), it may be necessary to take the cleanup to the next level and consider more drastic options.
One of them is to use bootable rescue media. Many antivirus vendors offer images that can be written to a USB drive or DVD, letting you boot the computer from there and scan the system from outside Windows. That way the malware is not running, so it is much harder for it to hide or interfere; this is also the only reliable way to inspect a system where a rootkit is suspected, since nothing running inside the infected system can be trusted to report honestly.
Another possibility, in extreme cases, is to repair the MBR and boot components using the Windows installation media itself. Booting from that media and opening the repair options, you can launch a command prompt and run commands such as:
bootrec /fixmbr
This rewrites the master boot record, which removes certain bootkits that install themselves in that area. Two caveats: it applies only to disks partitioned in the legacy MBR style and booted through BIOS (on a modern UEFI/GPT system there is no MBR boot code to rewrite, and the boot files live on the EFI System Partition instead), and it's only advisable when there are strong indications that the problem lies in the boot process, since tampering with these parts unnecessarily offers no benefit.
If, after all of the above, the infection persists or the system has become too unstable, it's time to consider last-resort solutions such as resetting Windows while keeping your files or, in the most radical case, formatting the disk and installing from scratch. Here it is vital to have a backup on external drives or in the cloud, carefully checking what you save so that the backup does not include the very executables that caused the problem.
To avoid having to go through this whole process again and again, the key is to combine good daily habits with the auditing tools the system itself provides. Keeping Windows and applications up to date, not opening attachments from suspicious sources, checking suspicious files on online services, and occasionally reviewing processes, startup items, and network connections greatly reduces the chances of a serious infection. And if something does slip through, knowing these techniques lets you react calmly and methodically, even if you don't yet have third-party antivirus software available.