Well, I guess we're just both doing things differently then. ;-)
Of course there is a chance that some dormant EXE still sits in wait in the Downloads folder or something of that nature. But my job isn't to kill a dormant file that isn't currently infecting the machine, especially if it's obscure enough to avoid the full scan of a capable AV. Naturally, no single AV can catch every existing threat, but with detection rates north of 97% for anything respectable (of known threats--the zero-day stuff is invariably dead once the resident memory/temp files/loading points are taken care of), it is highly unlikely that anything of any significant danger is left behind once this procedure is completed.
Like I said, it's been my course of action on literally thousands of machines to date, and to my knowledge I have not had even a single unhappy customer. I even take the time to personally place follow-up calls to ensure satisfaction, and I have the highest rating of any tech in the entire city on Google--39 perfect scores, in fact.
Not trying to brag, but the point is that this doesn't have to be a laborious procedure. If you take care of the truly dangerous stuff first (which includes a full traversal of files modified/created within 30 days if you use a tool such as OTL), then perform a cleanup scan with a couple of capable utilities thereafter (include at least one full system scan), you can be assured that the system is as safe as it's going to get.
I could, of course, scan using two, five, ten, or more AVs to ensure that I reach some number even above 97% for the dormant/old/downloaded stuff, but the diminishing returns (and the likelihood that the infection would be caught upon execution/unpacking) negate the incentive to do so.
Finally, I'd just like to point to many of the expert malware removal communities across the internet for further reinforcement of this approach. They do precisely the same thing (barring the frequent use of ComboFix due to the complications involving offline removal via internet forum posts) and it's been their modus operandi for nearly a decade at places like BleepingComputer, Tech Support Forum (the birthplace of ComboFix), and Geeks To Go. The general procedure is:
- System analysis/log generation (including MBR checks, etc.)
- Cleanup script (repeat these last two steps as needed)
- Cleanup scan (usu. MB and an AV, same as I do)
- Updates/vulnerabilities patching
- AV recommendations/closing speech
CF is used here to simplify the procedure over the internet as time is not an issue and physical access to the machine is not possible. The only difference with my approach is that I depend on offline analysis for everything in the initial removal, which, when paired with a capable technician in the way of log analysis, means that nothing can possibly hide.

This saves time as I have no need to run CF on most machines.