The first thing to do is figure out how they were able to add files. Do you have a file upload field or file manager in a place where it isn't password protected that would allow a hacker to upload files to your server?
We only have .htaccess files in the KCFinder folder and file upload folder for that tool. I think you can safely remove most, but I'm more concerned about how a hacker was able to do that and closing the security hole. If you send me FTP access to your server I can take a look and see if I can spot the security hole they might be taking advantage of.