How do I Ferret out a Trojan When Anti-Malware Doesn't Detect it?

ThatPlace928

I have a customer with a 250GB SSD that takes 31 minutes to fully load to the desktop. Many of her functions are not working, such as search, taskbar settings, etc. I also cannot get to Windows Updates and have had the troubleshooter "fix" the issues which, sadly, were not. The Windows button doesn't work so there's no way to turn the laptop off without going to task manager and shutting it down from there or pressing the power button long enough.

I've installed SuperAntiSpyware and Malwarebytes but neither has found anything beyond 441 cookies. I'm convinced there is a Trojan on the drive somewhere. The Firewall had been turned off for who knows how long. I turned it back on but it's kinda like closing the gate after the cows are gone. Windows Defender hasn't given me any messages that there's an issue.

So that's the background. I put a drive of my own in her laptop and installed Windows 10 on it. It boots quickly and functions exactly as it should, got all the updates and it's ready now to move her files onto it.

So my question is now, if I move files onto a flash drive, is there a way of ferreting out a Trojan on the flash drive before moving them onto the laptop's drive? I'm not going to put them directly on the new drive, for fear of the Trojan moving with it. What's the best software to use to run on an external or flash drive?
 
Why do you think this is malware? All the signs of either a failing drive, corrupted Windows instance, or both are more likely scenarios.

Get her user data and settings (likely via Fabs), collect the list of programs that need to be reinstalled, and start with a fresh Windows install on a brand spankin' new SSD.
 
A failing drive was my other thought, as well. I already have a new drive in her laptop and am ready to begin moving files. I just want to make doubly sure there isn't a Trojan before I do that.
 
If Windows Defender, Malwarebytes, and SuperAntiSpyware haven't detected anything, there's nothing to detect in all probability. Hence my position.
 
You are probably right. I want to get this wrapped up today but I was hesitant to begin without covering a couple bases first. Thank you.
 
Just for general knowledge, though, is there software out there that can detect a Trojan on a flash drive or external drive, like if I were to put her old drive into an enclosure? Seems most of the antivirus software is just for the drive I've installed it on, nothing external. I'm not going to spend a lot of time on this but if someone knows of any software that can do that, it would be nice to know.
 
Connect it to your system and run a malware scan targeting the external drive. If you don't want to jeopardize your system, boot Strelec PE and run one of the several offline scanners it has.

PS - I agree with @britechguy that it's a failing drive or badly corrupted Windows installation.
 
I'll look into that in a little bit. Thank you. I also feel it could be a failing hard drive. I'm getting ready to move files over to the new drive. Fingers crossed.
 
Clone old SSD to new one. If it's acting up on a new drive then there's something else going on. Most times it's best to install Windows on a new drive and transfer data.
I cloned the drive 2 days ago and the same thing happened. Took a full 31 minutes on the cloned drive, too. It's okay, the data transfer is coming right along with no issues. I've already restarted it once and it comes up like it should and loads the desktop within seconds. So far, so good. :)
 
Windows may have been too corrupted to work properly then.
 
The antivirus program will scan the files while they're transferred to the new drive. So you will know.
(On the presumed infected drive this could not be the case as an active virus can hide itself to avoid detection).
 
That's precisely what I was wondering. I should be able to run it with the old drive in an enclosure and it will scan that, as well and not just the hard drive, correct? It would scan all connected drives? I've never thought to try it, to be honest. :p
 
Not necessarily, but it will scan the files which are being copied.
Once they're copied, then? I would like to find something that would scan files on an external or flash drive before they're moved. Just for future knowledge. Seems like this was a bad Windows install. Everything's moving to the new drive with no issues and the system is updating itself to Windows 11 now, just like it's supposed to. So far, I'm pretty happy and I don't think there was a Trojan at all.
 
Once they're copied, then?
Both:
- Files will be scanned "on the fly" while being copied / read -> active protection
- Files will also be scanned once copied, via a regular scan
On many antivirus programs you can ask for a manual scan and then point it to a specified drive.
 
Every software scanning tool I've ever seen will always allow scanning storage on directly attached storage, either via USB bridge or native interface (SATA, etc).

I'm with the others. Statistically speaking it's almost certain it's a corrupt OS install and/or failing drive. Actual malware? To be honest, it's been ages since I've seen a computer that's actually been infected with malware. All problems have been PEBCAK. Calling the number on the popup.
Years ago I was updating some mall kiosks and had the unpleasant experience of "hidden" malware. This vector planted a hidden autorun file on removable media for spreading. I noticed it because the very first computer I updated was fine but after it was like molasses on a winter day. When I plugged the stick in my MBP I could see newly created invisible files when opening the stick in Finder.
 
I haven't dealt with a Trojan in over 20 years and have only seen a handful of nasty viruses in the past 14 years, since I started using MalwareBytes.

The only reason I thought it might be one now is because even the cloned drive produced the same results as her original drive and I wasn't sure enough about the cloning to know whether or not a virus would escape cloning or come over with it. I haven't had to deal with a situation quite like this before and the fact I couldn't even get Windows updates, I was sure there was something blocking it from doing so.
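
The approach suggested in the replies above (attach the old drive to a known-good machine and point a scan at it, and look for the kind of hidden autorun files one poster found on a removable stick), written out as a PowerShell script. This is an added example, not something posted in the thread; the drive letter `E:\` and the extension list are assumptions, and the scan step uses Microsoft Defender's `Start-MpScan` and `Get-MpThreatDetection` cmdlets.

```powershell
# Added example: triage an attached (not booted) drive before copying data off it.
# Save as a .ps1 file and run from an elevated prompt on a known-good machine.
param(
    [string]$Drive = 'E:\'   # assumption: letter the enclosure or flash drive mounted as
)

if (-not (Test-Path -LiteralPath $Drive)) {
    throw "Drive $Drive is not mounted"
}

# 1. autorun.inf at the root: show the lines that name a program to launch.
$autorun = Join-Path $Drive 'autorun.inf'
if (Test-Path -LiteralPath $autorun) {
    Write-Warning "autorun.inf present on $Drive"
    Get-Content -LiteralPath $autorun |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.+\\command)\s*=' }
}

# 2. Files marked Hidden or System that are also executable or script types.
$risky = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.lnk', '.ps1'
$mask  = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$hidden = @(Get-ChildItem -LiteralPath $Drive -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band $mask) -ne 0) -and
        ($risky -contains $_.Extension.ToLower())
    })
$hidden | Select-Object FullName, Length, LastWriteTime, Attributes | Format-Table -AutoSize

# 3. SHA-256 of each flagged file, for lookup in a file-reputation service.
$hidden | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path

# 4. Microsoft Defender custom scan limited to the attached drive.
Start-MpScan -ScanType CustomScan -ScanPath $Drive

# 5. Detections Defender recorded for paths on that drive.
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*$Drive*" } |
    Select-Object InitialDetectionTime, ThreatID, Resources
```

Steps 4 and 5 need Microsoft Defender to be the active antivirus; with a third-party product installed, use that product's own custom-scan option pointed at the same drive letter.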
 