404 Tech Support

Use command prompt to remove folders with odd names

I noticed Symantec flagging malware that kept getting downloaded to this infected computer. The rootkit on it kept trying to download the malware and Symantec kept deleting it (even though it missed the rootkit’s initial infection). I managed to get the computer cleaned up with a handful of scanners and it seems like the rootkit and various downloaders and trojan droppers were all removed. The folder that caught my attention in the first place was still there and I wanted to delete it.

The problem was the path was c:\windows\system32\config\systemprofile\AppData\Local\Google\Desktop\Install\{423E35-883-42E} …{423E35} and the Windows file explorer wouldn’t let me delete the folder tree starting at Google or even browse down to the bottom folder to see what was in there. I turned to the command prompt to navigate there but ran into similar problems once it hit the empty folders.

I tried deleting the folder tree with the command: rmdir /S /Q

which tells it to remove the directory (/S) recursively on all files and folders beneath it and (/Q) without asking for confirmation. Upon running the command, I got back the error message “Directory not empty”. The /S should have taken care of that problem but apparently something else was getting in the way.

In order to navigate all the way to the bottom of the folder tree, I used an administrator-level command prompt. I then used the CD command to change to each directory underneath it. When I reached the empty/space named folders, I hit the Tab key to autocomplete the folder name and was then able to navigate to the next folder down. When I reached the ‘…’ folder, it was now a series of three shapes like the Spades symbol and other non-alphanumeric characters. I again used the Tab key to autocomplete the name and continue navigating to the bottom. When I finally got to the last folder, I received “File not found” in response to entering DIR. That seemed a little unusual.

In retrospect, I now know that I should have used takeown, icacls, or other commands that would have allowed me to take ownership of the folder. Since I still wasn’t able to browse the computer in Windows File Explorer, I didn’t look at security permissions to realize that I didn’t have ownership of the folder or any access to it.

To proceed, I used the REN command in command prompt from the bottom folder to the top. I was able to rename the symbol folders, the space folders, and the ones with the curly braces and long numbers.

REN "{423E35-883-42E}" bad

I typed REN and then hit the Tab key to autocomplete the folder names and then entered a new name. For this case, I renamed each of them to ‘bad’. After they were renamed, I was able to navigate them in Windows.

Then I saw that I had no access to the last folder. I took ownership of the folder, which also granted me full access to the folder. I saw it was empty and then I was able to delete the entire folder tree from Google and down through the Windows File Explorer.
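The ownership-first route mentioned above (takeown, then icacls, then rmdir), written out as a batch script. This is an added example, not part of the original post: TARGET is a placeholder path, the top folder is assumed to have an ordinary name, and the `\\?\` prefix on the final rmdir is an addition here so that Win32 name normalization does not strip space-only or dot-only folder names.

```batch
@echo off
rem Added example, not from the original post.
rem TARGET is a placeholder: set it to the top of the leftover folder tree.
setlocal
set "TARGET=C:\path\to\leftover\folder"

rem takeown and icacls on protected folders need an elevated prompt.
rem "net session" is a common elevation probe; it fails without admin rights.
net session >nul 2>&1
if errorlevel 1 (echo Run this from an administrator command prompt. & exit /b 1)

rem Stop early if the placeholder was not replaced or the tree is already gone.
if not exist "%TARGET%\" (echo Not found: %TARGET% & exit /b 1)

rem 1. Take ownership of the whole tree.
rem    /A = assign to the Administrators group, /R = recurse,
rem    /D Y = answer Y when a subfolder cannot be listed.
takeown /F "%TARGET%" /A /R /D Y >nul
if errorlevel 1 echo takeown reported errors, continuing.

rem 2. Grant full control on every child.
rem    *S-1-5-32-544 is the well-known SID for BUILTIN\Administrators,
rem    used instead of the group name so it works on localized Windows.
rem    /T = recurse, /C = continue on errors, /Q = quiet.
icacls "%TARGET%" /grant *S-1-5-32-544:F /T /C /Q
if errorlevel 1 echo icacls reported errors, continuing.

rem 3. List what is there, including hidden/system entries (/A)
rem    and 8.3 short names (/X) for folders with unprintable names.
dir /A /X "%TARGET%"

rem 4. Delete the tree. The \\?\ prefix passes the path through without
rem    normalization, so names made of spaces or dots are kept as-is.
rmdir /S /Q "\\?\%TARGET%"

rem 5. Verify instead of trusting the exit code.
if exist "%TARGET%\" (
    echo Still present: %TARGET%
    echo Fall back to renaming the odd folders bottom-up with REN, then retry.
    exit /b 1
)
echo Removed %TARGET%
endlocal
```

If step 1 or 2 reports errors on the oddly named subfolders, the script still attempts the delete and reports whether the tree is actually gone.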