While investigating a malware infection on a Windows Server 2012 R2 machine, I noticed the malicious file sits in c:\Windows\Vss\Logs\WsmRes64.dll.
The problem is that I can't cd into c:\Windows\Vss\Logs, and the c:\Windows\Vss directory only lists the Writers subdirectory, not Logs.
But if I try direct access to the file (either relative or absolute paths work), I can get its contents, open it, etc.
Running icacls or takeown directly against the directory c:\Windows\Vss\Logs doesn't work at all. It always says the path/directory doesn't exist.
The same tools work when pointed directly at the file! I can take ownership and manipulate permissions at will if I input the exact path (relative or absolute) to the file. But again, I can't remove or rename the file!
Is there a way I can either gain access to the Logs directory to delete it or remove the malicious DLL (without a full fresh system reinstall and disk reformat)? Preferably not an "offline" method as I can only access the server via RDP.
Just in case, I already "isolated" the infected DLL by severing the link that loaded it into memory.
EDIT:
Greg suggested this question is similar to "How do I deal with a compromised server?". I'm not looking for general ways to deal with compromised servers. My goal here is to know how I could remove a file from the C:\Windows\Vss directory. This is a protected system directory, but one could put a file in there along with a "super-hidden" directory, on a live system. There has got to be a way to take it out, right?
I'm aware that this single aspect alone is far from enough to deal with a full server compromise by malware; this is just a small part of a much bigger architecture involved in systems compromise. But I'd like to keep the focus on the specific file-in-VSS-folder topic in this question.