Group -- anyone seen this?

I was looking at a system that had a web-defacement. We could not figure out exactly how it was done. Before I got to the system, the administrators removed the defaced files and applied "about eight" (yes, eight) missing security patches. Admins claim everything locked down at the firewall and only allowing port 80...

After the usual routine (virus scan, spyware check with 3 different utils, trojan scan, logs, etc.) I noticed a few files that had the date stamp for the day the system was hit. One included pagerror.gif that was actually a text file. It looks like it contains some kind of web authoring code, but I'm not sure. Here's the contents of the GIF:

vti_encoding:SR|utf8-nl
vti_timelastmodified:TR|03 Jun 1999 23:13:40 -0000
vti_extenderversion:SR|4.0.2.4426
vti_lastwidth:IX|0
vti_lastheight:IX|0
vti_cacheddtm:TX|03 Jun 1999 23:13:40 -0000
vti_filesize:IR|2806
vti_backlinkinfo:VX|

Also, their was an iisstart.asp file that did not contain asp type data. Again, it had aurhoring type of info; here it is:

vti_encoding:SR|utf8-nl
vti_timelastmodified:TR|13 Nov 2004 19:58:25 -0000
vti_extenderversion:SR|4.0.2.7802
vti_filesize:IR|32
vti_backlinkinfo:VX|
vti_nexttolasttimemodified:TR|03 Jun 1999 23:13:40 -0000
vti_author:SR|IUSR_MYSERVER
vti_modifiedby:SR|IUSR_MYSERVER
vti_timecreated:TR|13 Nov 2004 19:58:25 -0000
vti_cacheddtm:TX|13 Nov 2004 19:58:25 -0000
vti_cachedlinkinfo:VX|
vti_cachedsvcrellinks:VX|
vti_cachedhasbots:BR|false
vti_cachedhastheme:BR|false
vti_cachedhasborder:BR|false

Any insight would be appreciated...