
I have a Win 10 HP laptop. Recently, I got infected with some malware (I don't know what exactly; the installed antivirus detected a couple of trojan generics, out of which one was most definitely a false positive according to the internet, a worm, and a couple of coin miners. I'm pretty sure there's other stuff the antivirus didn't catch. TDSSKiller found no rootkits; however, a scan with GMER in safe mode kept crashing, so possibly rootkits too.)

Now, I had some recent data on the D and E drives that I hadn't gotten the chance to back up, and I cannot pinpoint the date of infection either, so I have no idea if my previous backups were infected too. So I took the drive and connected it to another computer so I could take my data off of it relatively safely, without the malware from the OS actually becoming active. (I understand there are still risks, though.)

Last I seem to remember, I had around 250 GB of data on my two non-system drives. However, now that I check on the other computer, I see around 300 GB. I read in some other threads here that some malware can hide files, or reduce disk space, or make it appear smaller or something, and vice versa. Now, when I look inside the folders, I don't see any unrecognized folders or files, really, but I'm still a little paranoid that I might miss something (obviously 300 GB is a lot) and would like to check the actual occupied and available disk space somehow. Is there any way to do that, without the malware interfering? I'm already checking the drives outside of the infected OS in question (i.e. I haven't booted into the infected Windows, but am checking the drive as a guest disk in a clean Windows environment), but maybe something else?

Would appreciate some solution, if there is any. I already enabled show hidden items in the view toolbar.

Side note - If I copy a folder which has hidden items inside it, and show hidden items isn't enabled, do those hidden files actually get copied? I mean, since I'm copying the entire parent folder, all files inside it hidden or not should get copied, right?

  • Please click on edit and expand on what you mean by "I'm already checking the drives outside of the infected OS in question." Also, what is the make and model of the laptop? Please provide the model number from the serial number plate underneath.
    – K7AAY
    Commented Dec 20, 2018 at 20:05
  • If you don't trust your Windows installation, use a Linux live USB.
    – harrymc
    Commented Dec 20, 2018 at 21:08
  • Dobby, everything needed to explain the issue should be in the question, so when you reply to a Comment, please click on edit and put your response in the question, not in a Comment as you did above. When Comments pile up, some get hidden, whereas if you revise and improve your question, everyone can see it. Then, once you have incorporated what you had in a Comment, please delete that Comment to make room for more Comments.
    – K7AAY
    Commented Dec 26, 2018 at 17:58

1 Answer


The change in file size could be due to any number of things, and using a change in file size as an indicator of malware is not reliable. Instead, here's a well-known and accepted procedure: use Linux to look for Windows viruses, which is effective.

The first step is to generate a Linux LiveUSB or a LiveCD on a clean machine. Make it with persistence so you can add apps to it. The process for a LiveUSB using Ubuntu 18.04.1 LTS is shown here, but this works with just about any Debian-based Linux distro.

  1. Download the Linux LiveUSB Creator app and the ISO for Ubuntu 18.04.1 LTS.
  2. Select the USB drive you want to use in the “Step 1: Choose Your Key” box.
  3. Click the “ISO / IMG / ZIP” button under “Step 2: Choose a Source”, browse to the ISO file on your computer, and double-click it.
  4. Use the options in the “Step 3: Persistence” section to select how much space you want to use for persistent storage on the USB drive. Drag the slider all the way to the right to select the maximum amount of storage.
  5. The last step is to choose persistent storage, so click the lightning icon under “Step 5: Create”.

Once you have the LiveUSB, reboot and choose the LiveUSB to boot from. Different models of PC use different keys at POST time to choose an external drive to boot from; older Lenovos typically have a blue key, newer Lenovos prompt you to press Enter for alternate boot choices, and Gigabytes use F12.

Once you have booted into Linux, open a terminal emulator window (what Windows calls a Command Prompt window) from its menu, and do sudo apt-get install clamtk to install a virus scanner, and update its virus definitions with sudo freshclam. It can scan and find Windows malware once you select your Windows drive. Then, launch Clam TK (which searches for the same kinds of malware as Kaspersky and Avast) from the Apps menu, and choose Scan | Recursive Scan.

When that completes, shut down, remove the flash drive, and power back up.

Go to https://www.eset.com/us/home/online-scanner/ and run a One Time Scan.

  • Hello, thank you @K7AAY. If I didn't have a USB and used a CD drive, I hope the process works in the same way? And I didn't know that Linux antivirus could also detect Windows malware effectively. I admit I don't know much about Clam TK; does it target the same file types as popular Windows antiviruses like Kaspersky or Avast? Thank you very much.
    – Dobby
    Commented Dec 24, 2018 at 15:44
  • Yes, yes, and yes.
    – K7AAY
    Commented Dec 25, 2018 at 21:39
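As an added example (not code from the answer or from any of the posters), this shell script does from the live session what the answer describes and also what the question asks: it mounts the data partition read-only, compares the filesystem's reported usage with a walk of every file (hidden or not), lists the biggest directories, and scans with ClamAV. It assumes the NTFS partition is /dev/sdb1 and that ntfs-3g and clamav are installed.

```shell
#!/bin/sh
# Added example, not from the original answer: mount the Windows data drive
# read-only from the live session, measure what is really on it, scan it.
# Assumed: NTFS partition /dev/sdb1 (see lsblk -f); ntfs-3g and clamav installed.

DEV="${DEV:-/dev/sdb1}"
MNT="${MNT:-/mnt/suspect}"

# ro/noexec/nosuid/nodev: nothing on the drive can run or be modified.
mount_ro() {
    sudo mkdir -p "$MNT"
    sudo mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$DEV" "$MNT"
}

# Bytes the filesystem reports as used (what Windows shows in drive Properties).
fs_used_bytes() {
    df -B1 --output=used "$1" | tail -n 1 | tr -d ' '
}

# Bytes found by walking every file. Linux ignores the NTFS "hidden" and
# "system" attributes, so nothing is skipped the way Explorer skips it.
tree_bytes() {
    du -sb "$1" | cut -f1
}

# Largest top-level directories: spot the unexpected by size, not by name.
top_dirs() {
    du -b --max-depth=1 "$1" 2>/dev/null | sort -rn | head -n "${2:-10}"
}

# Share of filesystem usage the directory walk cannot account for. A few percent
# is metadata ($MFT, logs); a large gap means data the walk does not see.
unseen_percent() {
    used=$(fs_used_bytes "$1"); seen=$(tree_bytes "$1")
    [ "$used" -gt 0 ] || { echo 0; return; }
    echo $(( (used - seen) * 100 / used ))
}

# Scan the mounted drive; infected files are listed, nothing is deleted.
scan_drive() {
    sudo freshclam
    clamscan -r --infected --log="$HOME/clamscan-$(date +%F).log" "$1"
}

if [ "${1:-}" = "run" ]; then
    mount_ro
    echo "fs used: $(fs_used_bytes "$MNT")  tree: $(tree_bytes "$MNT")  unseen: $(unseen_percent "$MNT")%"
    top_dirs "$MNT"
    scan_drive "$MNT"
fi
```

Run it as `sh check-drive.sh run` after confirming the device name with lsblk -f; the log file it writes can be kept alongside the ESET scan results the answer recommends.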
