If you want to be 100% sure your system is clean what would you run?

REIUSA used Ask the Experts™
If you have a system that does not have any apparent problems but you just want to be sure it is clean and there is nothing totally hidden, what would you run in addition to Micro$oft Security E$$entials, Spybot, and Malwarebytes full scans?

I'm looking for tools that are relatively easy to run but will help put the mind at ease that your system is clean.

Technology and Business Process Advisor
Most Valuable Expert 2013

Better still, with drive prices as cheap as they are, I'd buy a new drive and reinstall.

Otherwise, I run DBAN and a good antivirus (the "good" part eliminates anything made by Symantec).
Top Expert 2009
I think leew is correct in that there is no program available that can realistically claim to detect 100 percent of malware.  However, just to throw another program into your pretty good mix of programs to run, I'd include SuperAntiSpyware from


Check for rootkits
Rootreveal is one

Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Typo on the last part of my first comment:
Otherwise, I run DBAN and a good antivirus (the "good" part eliminates anything made by Symantec).
should have read:
Otherwise, I run Malware Bytes and a good antivirus (the "good" part eliminates anything made by Symantec).

And to put another way - when 99% is good enough, Malware Bytes and a good antivirus (lately, VIPRE by Sunbelt/GFI).
Not possible... by any antivirus software... but would recommend running ComboFix first and then Malwarebytes to remove all viruses from the system.

Steven Carnahan, Assistant Vice President\Network Manager

Just to add my 2 cents.  I run spybot, malware bytes AND adaware as well as virus protection. The most important thing is to keep all of them current.  
Aside from all the software solutions all the experts have mentioned (all were excellent), the one other highly effective thing to do is train your clients to be "good" users, inform them they haven't won anything, very little in this world is free, their bank doesn't want verification of their social security number, etc.  Train them in what many IT professionals feel is common sense; not opening every attachment, use a work computer for work and not play, help your clients create strong written acceptable use policies, then instruct them how to enforce them.  By providing some of this "common sense" information, you will build stronger bonds with your existing clients.
Yeah, even the best AVs are about 95% effective, so when running several, one might catch something the other missed.
If you want insight into how nefarious and complex one can be, consider TDL4 rootkit, which hooks itself into the hard disk and creates its own hidden encrypted area on the disk to reside in.  Because encrypted, no anti-malware / av is able to "see" it much less fingerprint so as to detect it, it's near impossible to clean short of a wipe and clean rebuild.  RootKitRevealer attempts to show if there are objects that can be seen by the OS deep inside but for some reason are hidden so you cannot see them.

msconfig can show what things are in the registry as startup or services.  HiJackThis is another tool that experts use to examine everything that has hooked itself into your OS to run automatically, to run as part of your browser, to run as a service, etc.  Because there are millions of programs out there, the list can be quite daunting.  There are some obvious things to look for, such as random generated names like hfdhsghjf.exe or something like that, but also sometimes malware or viruses camouflage themselves by impersonating legitimate programs so are in the filepath and name you might be tempted to think of as legit.  That's when filesizes and checksums of files need to be compared against their known good sizes and published versions.

Another avenue is when you have older versions of things which have known vulnerabilities and exploits.  A classic is the Java runtime engine.  Some people have a half dozen or more different versions of Java on their system.  That's a bad thing that Java allowed to happen.  You should only have the latest v6 build 25, and it is better at making sure it uninstalls old versions when updating going forward.  Flash is another example.  .Net Framework.  And of course the entire operating system needs the latest Service Pack and critical hotfixes.  After Service Pack 2 XP added the digital signatures and Windows protection so only known good files should be allowed to run as part of the OS, though even that isn't perfect.  Programs like Word, Excel, Outlook, SQL etc etc also have service packs and critical security hotfixes meant to harden them from possible exploits.

Advice about seeking help from other forums edited out by rpggamergirl, Zone Advisor - Virus & Spyware

All in all, the way to be 100% certain as you say, is to wipe and clean install, only known good software programs and, latest service pack from CD, and a top-rated anti-virus as well as anti-malware, before even connecting to internet or in isolation if possible.  Don't connect to internet unless you've both active shielding for viruses and malware, preferably a top-tier program (and yes some free ones are every bit as good as pay ones for detecting).  Then about once a month supplement your AV and AM with a scan with one or more of the others, such as Malwarebytes, SpyBot, HouseCall.
Microsoft last year came out with an excellent free AV/AM called SecurityEssentials, free to all genuine Windows that is.

What lancecurwensville said is an excellent point, you need to make your users aware of the ABCs of security.  Users should not turn off their AV because it slows them down too much or such nonsense.  Users should not have "no password" or an easy to guess password of "123456" or "password" etc.
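The size-and-checksum comparison mentioned in the post above, as an added example that is not part of the original thread. It assumes a baseline of known-good sizes and SHA-256 hashes (taken from a clean install or the vendor's published values); the function names and the sample files are constructed for illustration.

```python
import hashlib
from pathlib import Path

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_against_baseline(baseline, root):
    """Compare files under root with a known-good baseline.

    baseline maps a relative path to (size_in_bytes, sha256_hex).
    Returns a dict of relative path -> verdict.
    """
    root = Path(root)
    results = {}
    for rel, (size, digest) in baseline.items():
        p = root / rel
        if not p.is_file():
            results[rel] = "missing"
        elif p.stat().st_size != size:
            results[rel] = "size mismatch"
        elif sha256_of(p) != digest.lower():
            results[rel] = "hash mismatch"  # right name and size, wrong content
        else:
            results[rel] = "ok"
    # Files on disk that the baseline has never heard of
    for p in root.rglob("*"):
        if p.is_file():
            results.setdefault(p.relative_to(root).as_posix(), "not in baseline")
    return results

def demo():
    """Constructed sample: a temp folder standing in for a system directory."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        good = b"legitimate program bytes"  # constructed file content
        (root / "svchost.exe").write_bytes(good)
        baseline = {name: (len(good), hashlib.sha256(good).hexdigest())
                    for name in ("svchost.exe", "explorer.exe", "winlogon.exe")}
        # An impostor with the expected name and size, plus a random-named file
        (root / "explorer.exe").write_bytes(b"LEGITIMATE program bytes")
        (root / "hfdhsghjf.exe").write_bytes(b"x")
        return check_against_baseline(baseline, root)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:16} {name}")
```

A baseline is only trustworthy if it was recorded before any compromise and is stored off the machine being checked.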
Author of the Year 2011
Top Expert 2006
You might want to review my Article here for more details:
http://www.experts-exchange.com/A_1958.html (MALWARE - "An Ounce of Prevention...")
Steven Carnahan, Assistant Vice President\Network Manager

Basically what we are all attempting to say is the ONLY way to be 100% sure is to unplug the computer and put it away in a secure room and never turn it on.  

On the other hand, there are a multitude of tools out there and finding the right combination is a daunting task.  I have a standard that any machine I work on has Malware Bytes, Spybot and Adaware installed and updated. Since there are so many virus software packages out there it is hard to dictate to a user what they should use.

ocanada techguy mentioned running multiple virus softwares. I have done that in the past; however, you need to be careful as some of them don't work well with others (Symantec) and will actually end up causing other issues. (Norton with another is known to give you a BSOD)
Most Valuable Expert 2011
Top Expert 2011

Not to mention running as a limited user account. Takes some people a bit to get used to it, but it does limit an incoming infection to their profile only, while preventing (in most cases) damage to the system as a whole....
Top Expert 2007
If I were you I would run a diagnostic tool like OTL or even ComboFix as these tools will list all files/folders created or modified in the last 30 days so when you look at the logs you should know any suspicious files being created within that time frame. Or in the case of OTL you can do a custom scan to make OTL list files/folders created in the last 90 days or so.
We can help you with creating custom scans/analyzing the logs here if needed.

Also, an online virus scan with a reliable scanner is a good idea (Kaspersky is my choice) and see if they find any.

Bear in mind that common antivirus will miss mbr infections/TDL4 (Avast boot scan does detect it). So scanning with TDSSKiller, ComboFix, aswMBR.exe is good to check the status of mbr.

Normal scanners might still miss keyloggers, so it would also be handy to run a good scanner that scans for rootkits (IceSword is good) for advanced users, but we can help you if needed.

With all the scanners already mentioned with their logs showing clean... that would be a reassurance that the system is clean.
But to be 100% sure the system is clean would be to reformat and reinstall the OS.
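A sketch of the "files created or modified in the last 30 days" listing that the post above attributes to OTL and ComboFix logs, added here as an example and not taken from either tool. The extension list, function names and sample files are assumptions made for illustration.

```python
import os
import time

# Extensions worth reviewing first (assumed list; adjust as needed)
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".bat", ".cmd", ".vbs", ".js"}

def recent_files(root, days=30, now=None, exts=EXECUTABLE_EXT, use_created=True):
    """List (path, timestamp) for files created or modified in the last
    `days` days under `root`, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if exts and os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # locked or vanished file: skip, do not abort the scan
            newest = st.st_mtime
            if use_created:
                # Creation time: st_birthtime where the platform provides it,
                # st_ctime on Windows (on Linux st_ctime is inode-change time).
                created = getattr(st, "st_birthtime",
                                  st.st_ctime if os.name == "nt" else None)
                if created is not None:
                    newest = max(newest, created)
            if newest >= cutoff:
                hits.append((full, newest))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def demo():
    """Constructed sample tree: one backdated driver, one fresh executable,
    one fresh text file."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for name in ("old_driver.sys", "hfdhsghjf.exe", "notes.txt"):
            open(os.path.join(d, name), "wb").close()
        long_ago = time.time() - 200 * 86400
        os.utime(os.path.join(d, "old_driver.sys"), (long_ago, long_ago))
        found = recent_files(d, days=30, use_created=False)
        return [os.path.basename(p) for p, _ in found]

if __name__ == "__main__":
    print(demo())
```

File timestamps can be rewritten by software running on the machine, so an empty listing narrows the search but does not prove that nothing changed.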


Thanks for the info everyone. I agree nothing is 100%, I would be happy for 99% :)

I see a lot of people mention ComboFix so I will have to try that one out. The Bleeping Computer site is the only one that has the official download, right?

I'm going to try the TDSSKiller scan too.

You mentioned that some scanners won't find key loggers, does that include TDSSKiller and ComboFix? I'll try out IceSword too.

Are there any other good rootkit scanners I should look at?

Top Expert 2007

Every scanner has its own strong points, some find more than others.
Some scanners automatically fix while others need user input to remove rootkits.

TDSSKiller is a good rootkit scanner, it's specialized for TDSS rootkits also known as alureon or Tidserv, excellent for TDL3, and TDL4 which infects mbr.

ComboFix is an all-round scanner that also detects and removes TDSS rootkits, also fixes mbr infections. But it isn't a "scan and forget it" kind of scanner. It needs user input some of the time because CF won't remove every bad file in its first scan. Some bad files that CF doesn't recognize need a script, or those hard to remove infections often need a script for them to be removed. That's why the tutorial warns not to run it unless a Helper is guiding you who can analyze the log and make the right script.

IceSword is good too, but be careful on what to remove since AFAIK it doesn't have a backup, and of course FP happens. ComboFix action, btw, is reversible as it creates backups so any deleted files can be restored and the system's state can be restored back to the way it was before the scan if RC is installed.

In IceSword, you can get logs from these sections:
Win32 Services

If using IceSword, take note of red entries from Processes, Startup, Win32 Services, and SSDT, and check the Message Hooks function and take note of the Process Path for any entries that are Type WH_KEYBOARD (for keyloggers).

Gmer is another good rootkit scanner but needs user input to delete any bad files.
Um, I'll ask you to reconsider and put it back.  I was made aware of the rule, so I'm pretty sure I did not refer the asker to another forum, unless I made a mistake, in which case I apologize.
If I recall I think I said some tools' outputs are complex and daunting, and so need help of experts via forums to do that.  I didn't say that wasn't here, did I?


Thanks for all the info. This will give me some more tools to look at.
