
Help Defeating Virus

FruitBasketSilex
Go to solution Solved by blbalsdfkjivbvwerlo3244534,

Linux live USB.

Alright folks. I'm dumb, I downloaded a virus.

I've managed to knock out most parts of it, but I'm stumped on this last part:

I've got two folders under my \appdata\local\ directory, \sianxgo\ and \uskidge\, that are causing problems.

I can view the files in the folders indirectly through some programs, but not through a normal File Explorer window. I get an access denied instead.

I've tried to right click and delete the folders. Denied because I don't have permission.

I've tried to take ownership of the folders and files through both cmd (take ownership) and the Security panel in the folder's properties.

I've tried removing all security permissions from them and then deleting them. Nothing.

I've tried opening an elevated cmd and running del on them both. Access is denied.

I've tried downloading File Assassin, Unlocker, and File Shredder, all of which fail to remove them.

I've tried enabling the hidden administrator account, logging into it, running an elevated cmd, and running the del command on them. Access is denied.

I've tried running in safe mode and running the del command from an elevated cmd from both my account and the built-in administrator account, and access is denied.

I've also tried the rmdir command, but it fails as well.

I've run dir /a on the directory and they are both actual folders and not reparse points.

I'm able to get into the recovery menu for Windows by forcing shutdowns while Windows tries to boot, so if all else fails I can wipe everything and start again, but if at all possible I'd like to avoid that.

I also now get vsdfimps.sys BSODs when I try to boot up normally, so that makes things more fun.

At this point I don't see much option other than just taking the hit, resetting Windows entirely, and painstakingly downloading 2 TB worth of stuff over a 10 Mbps connection. If anyone here can offer a workaround to let me destroy these folders/files and save myself the agony of a restart, I'd be incredibly grateful.

 

G3258 V 860k (Spoiler: G3258 wins)

Spoiler: i7-4790K | MSI R9 390x | Cryorig H5 | MSI Z97 Gaming 7 Motherboard | G.Skill Sniper 8GBx2 1600MHz DDR3 | Corsair 300R | WD Green 2TB 2.5" 5400RPM drive | Corsair RM750 | Logitech G602 | Corsair K95 RGB | Logitech Z313


Just now, coop152 said:

Linux live USB.

Oh shit, file discovery from another OS would likely get around the security restrictions of the Windows OS itself, wouldn't it?

So, just boot into a Linux live USB, delete the files, and reboot?

I might be able to set up a Linux USB through safe mode w/ networking, but for that I'll need to buy a USB first.

 


Just now, FruitBasketSilex said:

Oh shit, file discovery from another OS would likely get around the security restrictions of the Windows OS itself, wouldn't it?

So, just boot into a Linux live USB, delete the files, and reboot?

I might be able to set up a Linux USB through safe mode w/ networking, but for that I'll need to buy a USB first.

File permissions are baked into NTFS, but the virus might be stopping Windows from changing them, so it's worth a shot. If you don't have a USB, maybe DVD-RW?


1 minute ago, coop152 said:

File permissions are baked into NTFS, but the virus might be stopping Windows from changing them, so it's worth a shot. If you don't have a USB, maybe DVD-RW?

I can buy a USB, it's no problem. DVD-RW is actually harder because I don't have a DVD drive, though I could salvage one from a casino machine I work on.

I think UNetbootin can be run through safe mode w/ networking to make a Linux USB.

Any thoughts on the vsdfimps.sys IRQL_NOT_LESS_OR_EQUAL BSOD I get on boot if I don't run safe mode? Find and destroy the file as well? Googling the file doesn't find anything; in fact, this post is now the leading result for it on Google.

 


Just now, FruitBasketSilex said:

I can buy a USB, it's no problem. DVD-RW is actually harder because I don't have a DVD drive, though I could salvage one from a casino machine I work on.

I think UNetbootin can be run through safe mode w/ networking to make a Linux USB.

Any thoughts on the vsdfimps.sys IRQL_NOT_LESS_OR_EQUAL BSOD I get on boot if I don't run safe mode? Find and destroy the file as well? Googling the file doesn't find anything; in fact, this post is now the leading result for it on Google.

IMO Rufus is better than UNetbootin because it doesn't add a screen before it boots the USB, and it's lightweight.

The virus is likely new or undocumented if you can't find anything on the .sys file, therefore it's most likely not a system file and you can delete it.


1 hour ago, coop152 said:

IMO Rufus is better than UNetbootin because it doesn't add a screen before it boots the USB, and it's lightweight.

The virus is likely new or undocumented if you can't find anything on the .sys file, therefore it's most likely not a system file and you can delete it.

Deleting the folders from inside a USB Xubuntu worked successfully. Do you know of a way to search for files inside Linux's file manager? I can't seem to find any option to search.

 


1 hour ago, coop152 said:

IMO Rufus is better than UNetbootin because it doesn't add a screen before it boots the USB, and it's lightweight.

The virus is likely new or undocumented if you can't find anything on the .sys file, therefore it's most likely not a system file and you can delete it.

Found the search function actually. Managed to find all (?) folders and eradicate them through Xubuntu. Thanks for the help man. Running a high heuristics, balls to the wall, search every corner, full scan with Avast right now to clean up and double check. Really appreciate the quick and helpful assistance.

 


16 hours ago, FruitBasketSilex said:

Found the search function actually. Managed to find all (?) folders and eradicate them through Xubuntu. Thanks for the help man. Running a high heuristics, balls to the wall, search every corner, full scan with Avast right now to clean up and double check. Really appreciate the quick and helpful assistance.

Nice one getting it working, I didn't really tell you what to do except "Linux live USB".

Also, if you got that vsdfimps.sys file, then submit it to VirusTotal and Malwarebytes, etc. Help them get the virus it came from because it seems new.
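The live-USB cleanup the thread arrived at, written up as a small shell script; this is an added example, not code from the thread or from any tool named in it. It assumes the Windows volume has already been mounted read/write at a caller-supplied path (e.g. /mnt/windows) and that the profile name is known; the folder names and the driver file name are the ones the thread mentions, and it hashes each file before deletion so the samples can still be submitted to VirusTotal as the last reply suggests.

```shell
# Added example, not code from the thread. Assumes the Windows volume has
# already been mounted read/write from the live USB at the path given as
# $1 (e.g. /mnt/windows) and that the profile name is known. The folder
# names and the driver file name are the ones named in the thread.
set -eu

# Record a sha256 for every regular file below a directory so the samples
# can still be reported (e.g. to VirusTotal) after the folder is gone.
hash_tree() {
    find "$1" -type f -exec sha256sum {} + 2>/dev/null || true
}

# Remove a malware directory only if it is a plain directory. Under Linux an
# NTFS junction/reparse point shows up as a symlink, and deleting through
# one would hit whatever it points at instead of the malware.
remove_dir_safe() {
    dir=$1
    manifest=$2
    if [ -L "$dir" ]; then
        echo "refusing to follow link: $dir" >&2
        return 1
    fi
    [ -d "$dir" ] || return 1
    hash_tree "$dir" >> "$manifest"
    rm -rf -- "$dir"
}

# Remove the thread's two folders under AppData\Local for one user profile
# and print how many were removed.
clean_profile() {
    mount=$1
    user=$2
    manifest=$3
    local_dir="$mount/Users/$user/AppData/Local"
    removed=0
    for name in sianxgo uskidge; do
        if remove_dir_safe "$local_dir/$name" "$manifest"; then
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Locate the driver from the BSOD anywhere on the volume (case-insensitive,
# since NTFS is case-preserving) so it can be hashed and submitted; this
# only finds it, it does not delete it.
find_driver() {
    find "$1" -iname 'vsdfimps.sys' -type f 2>/dev/null
}
```

The manifest written by hash_tree is what you keep for the VirusTotal/Malwarebytes submission; the driver path returned by find_driver can be fed to hash_tree the same way before you decide what to do with it.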
