Thanks for the reply, tuxmaster. I have looked through the forums and found a wealth of information about malware removal. Definitely a valuable resource.
However, I believe you misunderstood my question. I am rather proficient at removing malware myself. I was able to successfully remove the files, so that's why I didn't post it in the malware removal forum.
I was mainly curious about how it was possible to create filenames with question marks since the ? is a wildcard character and Windows XP won't accept filenames that contain it. Can the CreateFileA function of the Windows API be manipulated to allow it? That still wouldn't explain why the filenames appear correct in Windows Explorer.
I forgot to mention another unusual quirk with this. This computer had multiple folders with the ? character. One of them was in C:\Program Files\Common Files. This folder contained both an Adobe folder and a ?dobe folder. The ?dobe folder contained a piece of spyware masquerading as logonui.exe. The Adobe folder had legitimate Adobe shared files inside.
BOTH folders showed up in Windows Explorer as Adobe, another impossibility since duplicate folder names aren't allowed.
Edited by Craig Parton, 06 June 2007 - 07:37 PM.