Can't Delete Folder Called COM1 on Windows Server 2019

Michael Adams 306 Reputation points
2021-12-27T21:55:25.62+00:00

Hackers attacked a Windows Server 2019, and in the process put a folder called COM1 on Drive C. I have made a number of attempts to delete this folder. Unfortunately, COM1 is a reserved name. Here is what I have tried, all of which failed.

I took ownership of the folder back to the Administrators group, which I was able to do. However, it did not allow the folder removal process through File Explorer.

Then I tried removing the directory from a DOS prompt.

rmdir \\?\<x>:\<path_to_folder>\<COM1>

Result: "Access denied".

Then I tried renaming the folder.

ren "\\.\C:\<path to folder>\COM1" TEMP

Result: "Access denied".

File Explorer shows the folder is shared, but if I go to Advanced Options, it does not show up as a Share. It also does not show up as a shared folder in Computer Management.

I tried running the attrib command from a DOS prompt. It will display the attributes of the folder (only Archive shows). Trying to set attributes results in:

Path not found - \.\com1\

I am running out of ideas. Any help would be appreciated.


Accepted answer
  1. MotoX80 31,571 Reputation points
    2022-01-11T00:55:34.41+00:00

    So it came back with a file or directory called FRArX with access denied.

    Try this sequence.

    icacls \\.\c:\Progra~3\COM1  /inheritance:r  /grant:R  everyone:f /t 
    attrib -R -S -H  \\.\c:\Progra~3\com1   
    attrib -R -S -H  \\.\c:\Progra~3\com1\*  /S /D 
    rd  \\.\c:\Progra~3\COM1 /s /q 
    

    If that doesn't work, try the rename. If that works, then there should not be any restrictions on the name.

    ren \\.\c:\Progra~3\COM1 XXX
    
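    The sequence above, written up as a reusable PowerShell script. This is an added example and not code from the thread: it scans a root directory for folders whose leaf name is a reserved DOS device name (CON, PRN, AUX, NUL, COM1-9, LPT1-9), prints each one's ACL and flags any (DENY) entry like the one found on COM1, and only with -Remove runs the icacls/attrib/rd steps through the \\.\ device-path prefix. The default root, the function names and the use of cmd.exe for enumeration are assumptions made for this example; it has to run from an elevated prompt.

```powershell
<#
Added example, not code from the thread. Finds directories with reserved device
names under $Root and shows their ACLs; with -Remove it applies the accepted
answer's icacls/attrib/rd sequence via the \\.\ prefix. Run elevated.
The default root and helper names are assumptions for this example.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = 'C:\ProgramData',   # assumed default (the thread's folder was under Progra~3)
    [switch]$Remove
)

# Reserved device names, with or without an extension, per Microsoft's file-naming rules.
$reservedName = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$'

# Enumerate with cmd.exe: legacy .NET path handling in Windows PowerShell can reject
# device names in paths, while "dir /s" lists them without complaint.
function Get-ReservedNameDirectory([string]$Path) {
    & cmd.exe /c "dir /a:d /b /s `"$Path`" 2>nul" |
        Where-Object { (Split-Path -Path $_ -Leaf) -match $reservedName }
}

# Re-check one entry by listing its parent; Test-Path is unreliable with \\.\ paths.
function Test-DirectoryStillPresent([string]$Path) {
    $parent = Split-Path -Path $Path -Parent
    $leaf   = Split-Path -Path $Path -Leaf
    $null -ne (& cmd.exe /c "dir /a:d /b `"$parent`" 2>nul" | Where-Object { $_ -ieq $leaf })
}

foreach ($path in Get-ReservedNameDirectory -Path $Root) {
    $devPath = "\\.\$path"   # the prefix makes Win32 skip its reserved-name parsing
    Write-Host "Reserved-name directory: $path"

    # Show the ACL; a (DENY) entry for SYSTEM is what the thread found on COM1.
    $acl = & icacls.exe $devPath 2>&1
    $acl | ForEach-Object { Write-Host "    $_" }
    if ($acl -match '\(DENY\)') { Write-Warning "Deny ACE present on $path" }

    if (-not $Remove) { continue }
    if (-not $PSCmdlet.ShouldProcess($path, 'Remove reserved-name directory')) { continue }

    # Same steps as the accepted answer. S-1-1-0 is the well-known SID for Everyone,
    # so the grant also works on installs where the group name is localized.
    & icacls.exe $devPath /reset /t /c | Out-Null
    & icacls.exe $devPath /inheritance:r /grant:r '*S-1-1-0:F' /t /c | Out-Null
    & attrib.exe -R -S -H $devPath
    & attrib.exe -R -S -H "$devPath\*" /S /D
    & cmd.exe /c "rd /s /q `"$devPath`""

    if (Test-DirectoryStillPresent -Path $path) {
        Write-Warning "$path survived; a process may hold it open, so retry from a clean boot"
    } else {
        Write-Host "Removed $path"
    }
}
```

    Run it once without -Remove to see what it finds and whether a Deny ACE is present, then with -Remove -WhatIf to preview, and finally with -Remove. The enumeration goes through cmd.exe on purpose: the reserved-name check that blocks File Explorer lives in the Win32 path parser, and both dir and the \\.\ prefix sidestep it.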


  1. Andreas Baumgarten 96,521 Reputation points MVP
    2021-12-28T20:39:18.757+00:00

    Is this server a VM or a physical server?
    If it is a VM and the challenge is to delete just the folder, why not shut down the VM, mount the virtual disk on a "clean VM" as an additional drive and try to delete the folder (after taking ownership and modifying the ACL if required)?
    If successful, mount the drive back to the Exchange VM again.

    Just an idea.


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


  2. MotoX80 31,571 Reputation points
    2021-12-28T22:00:45.297+00:00

    cacls \\.\c:\Progra~3\COM1
    \\.\c:\Progra~3\COM1 NT AUTHORITY\SYSTEM:(DENY)(W,D)

    You've got a deny ACL for SYSTEM on the folder. Try this sequence from an admin command prompt. If that doesn't work, try it from psexec.

    icacls \\.\c:\Progra~3\com1 /inheritance:d
    icacls \\.\c:\Progra~3\com1 /grant:r  everyone:f
    icacls \\.\c:\Progra~3\com1
    rd  \\.\c:\Progra~3\com1 
    

  3. MotoX80 31,571 Reputation points
    2021-12-29T03:28:51.32+00:00

    Ok, this appears to be working.

    icacls \\.\c:\Progra~3\COM1   
    icacls \\.\c:\Progra~3\COM1 /reset  
    icacls \\.\c:\Progra~3\COM1  /inheritance:r  /grant:R  everyone:f  
    icacls \\.\c:\Progra~3\COM1  
    rd  \\.\c:\Progra~3\COM1  
    dir  \\.\c:\Progra~3  
    

    Point 1 is inherited and explicit credentials on a folder named COM1.
    Point 2 is where COM1 only has everyone full control.
    Point 3 is COM deleted.

    [screenshot: 161056-capture.jpg]

    If you still get access denied, then I can only conclude that your server is still infected, and the malware is still running.


  4. Andreas Baumgarten 96,521 Reputation points MVP
    2021-12-29T19:06:06.097+00:00

    If this is a physical server and the malware is maybe still running ...
    What about booting the computer from a different source/media to get just the disk access?


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten