The latest version may be downloaded from: Link
Compatible with 32 and 64 bit versions of Windows 7, 8, 10 & 11
DoesNotBelong is a lightweight (3.02MB) and specialized program for additional system scanning that compliments the main antivirus. It helps to identify and delete threats not detected by the main antivirus and is useful if you suspect an infection despite a clean scan result.
The name, DoesNotBelong, comes from its ability to find and remove files in locations where files do not belong. This is a common theme throughout the tool’s scanning sequence.
There is a miscellaneous section which is the tools ‘scan report’ rather than showing deletions. Here you can find things such as:
- It will list any contents from the current month of the C:\Windows\Minidump folder. These files contain information about BSODs that have occurred on the system.
- It will list any contents of CrashDump folders. These folders show which processes crashed.
- It will list the quarantine contents of several other tools, as well as show filepaths to their log files. Some examples are: HitmanPro, TDSSKiller, Malwarebytes.
- It will list any exclusions currently active within Windows Defender
- It will report if 7-Zip, Google Drive Desktop, Notepad2, SumatraPDF, UniGetUI are installed. These are just programs I like to have installed on my own computers, except for Google Drive Desktop. That one is added for my regular work and saves me the step of having to open Programs and Features afterwards.
- It will report if a network reset was performed.
- It will report if any particularly difficult infections were found. This is mostly focused around two prevalent bitcoinminers these days. It will recommend that the user reboot the computer and run the tool a second time to ensure removal is complete.
- It will report if important system files are missing and which ones (occurs rarely in modern versions of Windows).
- It will report if shortcuts were repaired.
- The transparency that all jobs in the transfer queue have been cancelled.
- The transparency that event viewer logs have been cleared.
- Which antivirus(es) the user is running.
The rest of the log report is what you’ve probably come to expect from an antivirus log over the past decade or so. Files, folders, services, drivers, packages, registry... are all listed alongside its findings underneath its section of the log.
+ DoesNotBelong is designed to be a non-interactive yet highly effective tool. The user only has to accept the disclaimer to begin scanning. A log file is placed in two areas on the system afterwards. The log files do not automatically open (I hate regular Notepad…)
– DoesNotBelong does not have a dequarantine option like many other tools. Items found are permanently deleted!
— To prevent accidental data loss, the tool incorporates strict regular expression patterns that have shown to be very safe for the past 9+ months of development and testing. I do my own quality assurance and I’ve only had to ‘roll-back’ the tool once and it was only out of caution as I felt I should test a new feature more before releasing. No critical data has been reported lost as far as I know. The tool’s logs are monitored daily if the report is shared publicly. The tool does not incorporate any telemetry of its own.
What else is unique about DoesNotBelong?
- The tool takes a very aggressive stance on scheduled tasks. If the task isn’t protected by Windows itself and isn’t on the whitelist, it gets deleted.
- The tool takes a ‘scarier’ approach of terminating processes first, and this includes removing threats that may be injected into Windows Explorer. When this process gets terminated, most users naturally somewhat panic. However, the Windows Explorer is relaunched later on after persistent mechanisms have been removed (around Stage 5). In the future, it may be necessary to add a ‘Delete on Reboot’ type of feature, but I’ve been trying to avoid this since inception. Not only does it inhibit my ability to run the tool many times in rapid succession, but it also forces every user to reboot.
A list of reported bugs can be found here. You can also use this link to suggest new detections if you wish.
The following operating system languages are supported as well:
- Arabic
- Bulgarian
- Chinese
- Czech
- Dutch (Thanks to Maxstar)
- English
- Filipino
- French
- German (Thanks to M-K-D-B)
- Greek
- Hindi
- Italian
- Japanese
- Korean
- Polish (Thanks to Picasso)
- Portuguese
- Russian (Thanks to Dragokas)
- Scottish Gaelic
- Serbian
- Spanish
- Swedish
- Turkish
Special thanks to Dragokas for helping me A LOT with getting the tool to work properly for users who weren’t on a English operating system. He also highlighted many of the quirks of batch programming and ways to navigate around them.
I hope you find the tool helpful 
How to run a scan on your computer:
- Download DoesNotBelong.exe to your Desktop.
- Right-mouse click the saved file and select ‘Run as administrator’ to begin the scan. This step is important, simply double-clicking the file limits permissions required for the tool to be successful at its functions.
- It is recommended to temporarily disable your antivirus software so it does not interfere with the scanner. Watch this video if you’d like to understand why antivirus detects unknown, new (or frequently updated), and rarely downloaded software.
- Review the report which is created when the scan is complete. The log file can be found on your desktop or at C: That’s it! The tool removes itself after execution, which is also part of maintaining a clean PC so you don’t have to waste time trying to uninstalling or deleting it afterwards
- Screenshots and video demonstrations available:
