The other day we had a discussion on the virus and worms about whether a 0-byte file could hold malware, because of possible rootkit action, and whether empty system files should be left untouched (yes, because it may be necessary to place them back later, so you had better leave them). Then I found this very interesting link full of great info. The owner does not want us to give quotations of the material, just because it can be outdated as it is given, so I just give the source links here:
http://www.heysoft.de/en/information/registry-security.php
http://www.heysoft.de/en/information/ntfs-ads.php
http://www.heysoft.de/en/information/eventlog-1.php
http://www.heysoft.de/en/information/eventlog-2.php
pol