When you attempt to delete these new folders from your FTP site, using Windows Explorer, you receive:

Access is denied
Cannot delete <File Name>
Cannot read from the source file or disk

When you attempt to use the RD command to remove the folder(s), you receive:

The system cannot find the file specified.

When you try to view the Properties of these folders, the Security tab is missing.

These new folders have names similar to:

Com1
Lpt1
Con
PRN

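This behavior is generally the result of a malicious attacker altering your FTP site. The folder names are reserved DOS device names, which is why Windows Explorer and the RD command cannot delete them.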

To give yourself a good chance of recovering from this attack:

01. Use your favorite backup program to back up the FTP folder structure. If you don't have a backup device, use NTBackup.exe to back up to a file. Make sure you have a working backup before you proceed.

02. Close all Windows Explorer and CMD.EXE windows.

03. Open the Add / Remove Programs applet in Control Panel.

04. Open the Add / Remove Windows Components applet.

05. Select Internet Information Services and press the Details button.

06. Clear the File Transfer Protocol (FTP) Server box and press OK.

07. Press Next and Finish.

08. Open a CMD.EXE window.

09. Using the technique from tip 0167, type RmDir \\.\C:\Inetpub\ftproot\<DamagedFolder> /s and press Enter. Alter the path to your <DamagedFolder> if it is NOT in the default location.

10. Respond Y to confirm the deletion.

11. Open the Add / Remove Programs applet in Control Panel.

12. Open the Add / Remove Windows Components applet.

13. Select Internet Information Services and press the Details button.

14. Check the File Transfer Protocol (FTP) Server box and press OK.

15. Press Next and Finish.

16. Configure your restore process to restore the FTP folder structure, without restoring the hacked (new) folders.
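
A check for the folders described above, as an added example that is not part of the original tip: it walks an FTP root and lists every folder whose name resolves to a DOS device, which is useful both before the cleanup and after the restore in step 16. The name list extends the four shown in the tip to the full classic set (AUX, NUL, COM1-COM9, LPT1-LPT9), and the function names are hypothetical.

```python
import os
import re
import sys

# Classic reserved DOS device names: CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9.
_DEVICE = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$", re.IGNORECASE)


def is_reserved_device_name(name):
    """True if a file or folder name resolves to a DOS device under Win32 rules."""
    # Win32 path parsing drops trailing dots and spaces and ignores anything
    # after the first dot, so "Con", "con.", "PRN " and "Lpt1.txt" all match.
    base = name.rstrip(". ").split(".", 1)[0].rstrip(" ")
    return bool(_DEVICE.match(base))


def find_reserved_folders(root):
    """Return sorted paths, relative to root, of folders with reserved names."""
    if sys.platform == "win32" and not root.startswith("\\\\"):
        # The extended-length prefix skips device-name parsing, so the
        # walk can descend into folders Explorer cannot open.
        root = "\\\\?\\" + os.path.abspath(root)
    hits = []
    for parent, dirs, _files in os.walk(root):
        for d in dirs:
            if is_reserved_device_name(d):
                full = os.path.join(parent, d)
                hits.append(full[len(root):].lstrip(os.sep))
    return sorted(hits)


if __name__ == "__main__":
    # Default path is the one used in step 09; pass another root as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Inetpub\ftproot"
    for hit in find_reserved_folders(target):
        print(hit)
```

An empty result after step 16 confirms that the restore did not bring the damaged folders back.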