http://blogs.technet.com/robert_hensing/archive/2005/01/10/350359.aspxAt long last - a blog post about Incident Response in the self-proclaimed 'Incident Response' blog! Before I finally crash for the night there are two things I wanted to bring to the attention of folks interested in Windows IR that my team has come acrossen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/robert_hensing/archive/2005/01/10/350359.aspx#354172Mon, 17 Jan 2005 05:58:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:354172OdeToCode Linkshttp://blogs.technet.com/robert_hensing/archive/2005/01/10/350359.aspx#356418Thu, 20 Jan 2005 02:09:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:356418slinkWe have about 5 systems with the explorer.exe (along with some other files) that have the pre-1980 date. It appears that it may be causing our backup problems, but I'm even more concerned about the systems having been comprimised. Any suggestions on how to proceed in fixing this or tracking down the cause? All the systems in question are W2K3 server.http://blogs.technet.com/robert_hensing/archive/2005/01/10/350359.aspx#360728Wed, 26 Jan 2005 14:06:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:360728And CloverThis is the adware PurityScan/NRnd, controlled by clickspring.net. You should also find a BHO in a randomly-named DLL in System32. <br> <br>It doesn't always go for explorer.exe/??plorer.exe, though that name does seem to be quite common. Others I've seen are logonui.exe/l?gonui.exe and svchost.exe/??chost.exe. I suspect it picks a .exe name with one of the spoofable characters out of System32 at random. <br>http://blogs.technet.com/robert_hensing/archive/2005/01/10/350359.aspx#368330Mon, 07 Feb 2005 14:13:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:368330bbeDo you have link for this &quot;renamer&quot; tool ? I've seen plenty of spyware using this technique for awhile now. I guess the kiddies have picked up on it. Thanks.http://blogs.technet.com/robert_hensing/archive/2005/01/10/350359.aspx#368462Mon, 07 Feb 2005 19:09:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:368462Robert HensingIt's not a public tool that is available for download - but I believe if you open up a support case for a problem that requires its use you can get a copy from the support professional. If you referrence these articles you will probably get it. I'll see if there is a reason we can't get this posted on download.microsoft.com and see if we can make that happen. <br> <br>315226 How to Remove Files with Reserved Names in Windows XP <br><a target="_new" href="http://support.microsoft.com/?id=315226">http://support.microsoft.com/?id=315226</a> <br> <br>315688 How to Locate and Correct Disk Space Problems on NTFS Volumes in Windows <br><a target="_new" href="http://support.microsoft.com/?id=315688">http://support.microsoft.com/?id=315688</a> <br> <br>303079 How to Locate and Correct Disk Space Problems on NTFS Volumes <br><a target="_new" href="http://support.microsoft.com/?id=303079">http://support.microsoft.com/?id=303079</a> <br> <br>http://blogs.technet.com/robert_hensing/archive/2005/01/10/350359.aspx#368831Tue, 08 Feb 2005 05:36:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:368831bbeThat's what I figured. I'll keep a eye out to see if it's ever posted. Thanks for the links. I didn't know you could remove the ??filename files the same way as dos devices. That's good, makes remove easy.