perhaps i'm not explaining clearly. the features of the windows system file checker are a small part of it, but only part. I'm talking not only file replacements, I'm talking about extra files, also md5/sha1sum info on every file inside the windows folder compared against an independent database. a complete listing of all of the files inside the folder, along with color coded highlights that tell you what is standard, what is extra, what files are changed from original system versions. In some ways the same thing, but in a much nicer layout to help advanced users. It would be more of an information tool, than a cleanup tool. An alert that the system is infected or clean is nice but less important, than to possess knowledge about what is different. There would not actually be an "infected" listing, but just a mark to show that its different. A lot of malware tends to leave behind files such as batch files, downloaders, even log files, and things that are not system file replacements, per se, but are simply leftovers. a quick google search on a particular file and its location, a rough example: googling c:\windows\temp.exe can often lead to information about malware that might have used such a file as a downloader. sometimes you can look inside batch files that have not been normally present in a windows system and google the text inside. You can use file analysis tools to determine what is inside of a file, if it is suspect, and look at strings inside, etc. We have tools like Hijack this! for findings inside the registry, etc. but the principle I'm thinking on is roughly the same thing, only more file based. I can't count how many times I've simply fired up windows explorer and found malware that an antivirus did not find simply by noticing things that seem unusual. One memorable occasion was when I connected via vnc to a friend's computer over the internet, and within 10 minutes i had determined that her computer was infected by a rootkit virus. Why? because her id*** boyfriend who coded the thing was capturing all of her internet activity and dumping it to a gigantic 1 gig file simply located in c:\. (he admitted it was his him) It has happened so often I now make it a point to fire up windows explorer for just a quick peek while I'm working with a customer. I know that sort of method can be effective because I've done it so often just by eye. One could only think it would be even more useful if much of the process were automated.