How do you remove malware that commercial antivirus won't find?


vhfpmr (OP)
How do you remove malware that commercial antivirus won't find?
« on: 07/10/2022 16:43:18 »
As per the title, if antivirus like Norton, McAfee, & Malwarebytes won't find the malware, how do you go about removing it?

evan_au (Global Moderator)
Re: How do you remove malware that commercial antivirus won't find?
« Reply #1 on: 07/10/2022 22:38:28 »
How do you know that you have malware?
- How do you distinguish that from a software bug, or a corrupted hard disk?

A "well-designed" and well-entrenched malware might detect your attempt to install antivirus software and block it
- So you have to wrest control from the malware
- When my old Windows computer was attacked by ransomware, I created a LINUX boot disk on read-only media.
- I rebooted the computer under LINUX (not giving the malware a familiar environment to run in), and had a look around the disk
- I recovered what was still readable (not much - all images had been encrypted)
- I started again with a new computer, moving in the files I wanted from a backup disk.

So the best way to recover from malware is:
- Keep your operating system up-to-date
- With up-to-date virus scanning software
- Take regular offline backups of everything that is important to you
- ie the best time to recover from malware is before you get infected... (not much comfort for you, I'm afraid!)

vhfpmr (OP)
Re: How do you remove malware that commercial antivirus won't find?
« Reply #2 on: 08/10/2022 00:33:50 »
Quote from: evan_au on 07/10/2022 22:38:28
How do you know that you have malware?
- How do you distinguish that from a software bug, or a corrupted hard disk?

Because a tiny handful of very specific files containing legal evidence, including all the backups, have been deleted by a powerful organisation with an interest in them going missing. I think it must have arrived in a Word file attached to an email, then gone from the computer to all my storage media, then from that media to a new computer.

McAfee insist it's not possible to write malware that can evade their antivirus, and when I referred them to Stuxnet that the US government managed to spread around the world undetected, they said "Stux what? Never heard of it".

I've found a company that specialises in forensic data recovery, but the organisation hacking me is one of their best clients.

evan_au (Global Moderator)
Re: How do you remove malware that commercial antivirus won't find?
« Reply #3 on: 08/10/2022 01:22:02 »
Quote
very specific files containing legal evidence, including all the backups, have been deleted
It sounds more like a hacker, interested in these specific files.
- Antivirus software won't find them or stop them, because they are a user (pretending to be you), not a virus.

Your backups should not be attached to your computer, except while actually doing the backing-up. That will stop remote hackers.
- Presumably, cloud backups can be accessed at any time
- An in-person hacker will find all your non-connected backups, and delete files from them too - but this is a much more risky operation
- If you have important files, storing them offline and offsite is a good idea

vhfpmr (OP)
Re: How do you remove malware that commercial antivirus won't find?
« Reply #4 on: 08/10/2022 15:29:31 »
Quote from: evan_au on 08/10/2022 01:22:02
Your backups should not be attached to your computer, except while actually doing the backing-up.
Backups that are never connected to the computer are of no use.
Quote
That will stop remote hackers.
If the hacker places malware on the computer that's been primed to look for a specific file and delete it whenever external media are connected, then backups are useless. Whenever I connect media with sensitive files, the fan on the computer runs continuously all day long. It rarely runs at other times, and then only briefly.
Quote
- An in-person hacker
If there's one of those, someone's breaking into the house.
Quote
- If you have important files, storing them offline and offsite is a good idea
I have no clean equipment to make clean copies with/from. (I also have no other site than the house.) I've considered buying a new computer, but it seems to me it's useless if I have no way of transferring (even non-sensitive) files from the old one, and can't connect it to the infected media with the relevant data on.

The idea that I could search one backup to check whether anything's missing before connecting another would be a non-starter, there are hundreds of files, and it's not necessarily apparent which ones will become important until months/years later. I'm trying to piece together what has happened to me, and it's often not apparent that something is significant until I stumble across a snippet of information much later.
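Reply #3 recommends offline, offsite copies, and Reply #4 objects that checking a backup for missing files by hand is hopeless when there are hundreds of them. The objection goes away if the check is mechanical: record a hash manifest of the backup set while it is known to be good, keep that record where the media never go (printed out, or on a separately stored medium), and diff a fresh manifest against it before trusting the media again. The script below is an added example written for this thread, not code from any of the posters; the directory layout, file names and file contents in its demo are constructed, and the `build`/`check` command-line usage is an assumption of this example.

```python
"""Manifest check for a backup volume: which files went missing or changed since
the set was last known to be good.

Added example, not code from the thread or its posters. Assumes the manifest is
kept somewhere the backup media never touch (printed, or on a second, separately
stored medium), so that whoever deletes files from the media cannot also edit
the record of what was there. All paths and file contents below are constructed.
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large media images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # only real data files belong in the record
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report paths present in the baseline but gone now, paths that are new,
    and paths whose content hash differs. Deletion of a specific file, the
    symptom described in the thread, shows up under 'missing'."""
    return {
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: record a small tree, then delete one file and alter
    another, as someone with access to the media might, and diff the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "evidence").mkdir()
        (root / "evidence" / "letter.docx").write_bytes(b"constructed sample 1")
        (root / "evidence" / "photo.jpg").write_bytes(b"constructed sample 2")
        (root / "notes.txt").write_bytes(b"constructed sample 3")
        baseline = build_manifest(root)
        (root / "evidence" / "letter.docx").unlink()
        (root / "notes.txt").write_bytes(b"constructed, altered")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    # Assumed usage (this example's own convention):
    #   python manifest.py build <media-root> <manifest.json>
    #   python manifest.py check <media-root> <manifest.json>
    if len(sys.argv) == 4 and sys.argv[1] == "build":
        save_manifest(build_manifest(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        report = compare_manifests(load_manifest(sys.argv[3]), build_manifest(sys.argv[2]))
        print(json.dumps(report, indent=1))
        sys.exit(1 if report["missing"] or report["changed"] else 0)
    else:
        print(json.dumps(demo(), indent=1))
```

Run `build` once from a machine you trust, and `check` every time the medium comes back; a non-zero exit means something listed in the baseline is gone or altered. The manifest is only as trustworthy as the place it is stored, which is why it should never live on the media it describes or on the machine under suspicion.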

nicephotog
Re: How do you remove malware that commercial antivirus won't find?
« Reply #5 on: 04/11/2022 10:43:58 »
In MS Windows you press the Ctrl+Alt+Del keys together, then choose the "Task Manager" (in the most recent versions; Linux Slackware 15 has a "task manager" GUI program too) and look for names that indicate the name of the program, either a .exe or a .dll; also open "Services" and look for names that indicate the program, if you have some idea from an icon or company name it placed in the taskbar or on the desktop. Terminate the process and watch for a minute to see if the process switches on again, and if it does then look for another; there can be up to three or four other programs of it, of similar or dissimilar name, supporting it as a watch to see that they are not switched off.
If that occurs, you need to use the OS rescue / boot-from-disc disc and use the command line to go into the directories and remove all the .dll and .exe files that support it.
« Last Edit: 04/11/2022 10:46:00 by nicephotog »
How To Tutorial (all Java servers) HttpOutPutTools (port to .jar Hell Pig Entelodont) 2nd November 2022
https://drive.google.com/file/d/1gjHmdC-BW0Q2vXiQYmp1rzPU497sybNy/view?usp=share_link
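The "terminate it and watch whether it comes back" step in the post above can be made repeatable instead of eyeballed. Windows ships a command-line view of the same process list as Task Manager, `tasklist /fo csv`, whose output can be saved before and after terminating a suspect process and then compared. The script below is an added example written for this thread, not code from the poster or from Microsoft; the two snapshots, the process names and the PIDs in them are constructed sample data, and the name-prefix heuristic for spotting companion ("watcher") processes is this example's own assumption.

```python
"""Respawn check over Task Manager-style process snapshots.

Added example, not from the thread. It reads two snapshots in the CSV layout
produced by `tasklist /fo csv` (a Windows built-in), taken before and after
terminating a suspect process, and reports which image names came back under a
fresh PID. The process names and PIDs below are constructed sample data.
"""
import csv
import io

# Constructed snapshot taken before terminating PID 5032.
BEFORE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"explorer.exe","4120","Console","1","61,344 K"
"updhelper.exe","5032","Console","1","12,020 K"
"updhelper_svc.exe","5040","Console","1","9,800 K"
'''

# Constructed snapshot taken about a minute after the termination: the same
# image name is back with a new PID while its companion process never left.
AFTER = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"explorer.exe","4120","Console","1","61,520 K"
"updhelper_svc.exe","5040","Console","1","9,812 K"
"updhelper.exe","6108","Console","1","11,996 K"
'''


def parse_tasklist_csv(text):
    """Return {pid: image_name} from tasklist CSV output.

    The fields are quoted, so the comma inside "Mem Usage" is handled by csv."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def respawned(before, after, terminated_pids):
    """Image names that were terminated and are running again under PIDs that
    did not exist in the 'before' snapshot. Instances that were never killed
    keep their old PID and are therefore not reported."""
    killed_names = {before[pid] for pid in terminated_pids if pid in before}
    back = {}
    for pid, name in after.items():
        if name in killed_names and pid not in before:
            back.setdefault(name, []).append(pid)
    return back


def survivors(before, after, terminated_pids):
    """Still-running processes whose name shares a stem with a killed one:
    candidates for the companion/'watcher' role the post describes.
    Heuristic chosen for this example, not a rule from the thread."""
    killed_names = {before[pid] for pid in terminated_pids if pid in before}
    stems = {n.rsplit(".", 1)[0].split("_")[0].lower() for n in killed_names}
    return sorted(
        f"{name} (pid {pid})"
        for pid, name in after.items()
        if pid in before and pid not in terminated_pids
        and name not in killed_names
        and any(name.lower().startswith(s) for s in stems)
    )


if __name__ == "__main__":
    # On a real machine the snapshots would come from
    #   tasklist /fo csv > before.csv   (then terminate the process)
    #   tasklist /fo csv > after.csv
    before, after = parse_tasklist_csv(BEFORE), parse_tasklist_csv(AFTER)
    print("respawned:", respawned(before, after, {5032}))
    print("possible watchers:", survivors(before, after, {5032}))
```

A name that comes back under a new PID within a minute of being terminated, with a similarly named process still running, is the pattern the post describes; the companion is the one to examine next, and at that point the post's advice to switch to rescue media rather than keep fighting the running system applies.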