Thank you all for your help.
I was able to remove most files after booting locally and stopping all IIS services.
Some files cannot be removed that easily, getting ready to try the Norton/NT boot routes suggested by magic1.
It looks like someone is running a script remotely to continually access the FTP server. There are no trojans running locally.
After I denied about 12 IP's the attacks stopped.

The ftp site is unsecured for support purposes for technicians in the field that need to upload application specific data at any time.
We are reviewing that policy

Thanks again for all of your help.