c:\$logfile & $mft & $bitmap


phishphreek
April 12th, 2003, 09:58 PM
I fired up filemon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) to see what was going on behind the scenes and I saw some interesting stuff... I tried to locate these files but can't find them. It will also not let me create them.

The files found, as depicted in the image I've attached, are:

c:\$LogFIle
c:\$BitMap
c:\$Mft

I've never seen file names start with $. I know that some rootkits use this technique, but they normally start with a _. Example: _hiddenfile.ext in a directory called _hiddendirectory.

These are in c:\

Does anyone know what or why these files are being accessed, but I can't find them?
They are running under system:4 privileges.

I've been searching for a bit now, and can't find anything on it.

I have up-to-date virus protection, a firewall, and I regularly capture traffic just to make sure that I don't have stuff accessing the web that shouldn't. I haven't noticed anything weird lately... by that I mean unexpected traffic, connections or logs going off. I have also run trojan cleaners and adware cleaners.

<edit> My OS is XP Pro with SP1 and all available updates and service patches </edit>

OK, I tried to see if it was happening on a 2k box. It is not. I have nothing in the filemon logs for Win2k referencing those... and I don't have another XP Pro box on hand to check out.

avdven
April 12th, 2003, 10:29 PM
The files in question are metadata files relating to the NTFS file system. If I remember right, there are more as well ($MFTMirr, $Volume, $AttrDef, $Boot, $BadClus, $Quota and $UpCase).

Actually, I just found a link I had with some information. Here is some information about them:

http://www.pcguide.com/ref/hdd/file/ntfs/archFiles-c.html
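
To make the distinction concrete, here is an added example that is not code from this thread: a Python parser for the NTFS boot sector that computes where $MFT sits on the volume and where the fixed records for $LogFile and $Bitmap live inside it. The 512-byte boot sector it parses is constructed inline so the script runs offline; the field offsets and the reserved record numbers are the documented NTFS layout. On a live box the same bytes would come from reading the first sector of the raw volume (\\.\C:) as Administrator. These files have no ordinary directory entry, which is why Explorer and dir cannot show them, yet the file system driver (running as System) touches them constantly.

```python
"""Parse an NTFS boot sector and locate the volume's metadata file records.

Added example for this thread, not code from the original post. It runs on
a constructed boot sector; on a real system feed it the first 512 bytes of
the raw volume, e.g. open(r"\\.\C:", "rb").read(512) as Administrator.
"""
import struct

# Well-known fixed record numbers in the Master File Table. The first
# 16 records are reserved for the file system's own metadata files.
RESERVED_RECORDS = {
    "$MFT": 0,
    "$MFTMirr": 1,
    "$LogFile": 2,
    "$Volume": 3,
    "$AttrDef": 4,
    ".": 5,          # root directory
    "$Bitmap": 6,
    "$Boot": 7,
    "$BadClus": 8,
    "$Secure": 9,
    "$UpCase": 10,
    "$Extend": 11,   # directory holding $Quota, $ObjId, $Reparse on NTFS 3.x
}


def _size_from_cluster_field(value, cluster_size):
    """Decode the 'clusters per record' byte at 0x40 / 0x44.

    A positive value counts clusters; a negative (two's complement) value n
    means the record is 2**(-n) bytes, used when a record is smaller than
    a cluster (0xF6 == -10 -> 1024-byte file records on a 4 KiB cluster).
    """
    signed = struct.unpack("<b", bytes([value]))[0]
    if signed < 0:
        return 1 << (-signed)
    return signed * cluster_size


def parse_boot_sector(sector):
    """Return the BPB fields needed to find $MFT and its siblings."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector (bad OEM ID)")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")

    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    sectors_per_cluster = sector[0x0D]
    total_sectors = struct.unpack_from("<Q", sector, 0x28)[0]
    mft_lcn = struct.unpack_from("<Q", sector, 0x30)[0]      # $MFT start cluster
    mftmirr_lcn = struct.unpack_from("<Q", sector, 0x38)[0]  # $MFTMirr start cluster
    cluster_size = bytes_per_sector * sectors_per_cluster

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mft_offset": mft_lcn * cluster_size,
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "mft_record_size": _size_from_cluster_field(sector[0x40], cluster_size),
        "index_record_size": _size_from_cluster_field(sector[0x44], cluster_size),
    }


def metadata_record_offset(info, name):
    """Byte offset on the volume of a reserved metadata file's MFT record.

    Assumes the reserved records lie in the first extent of $MFT, which is
    how NTFS lays them out; later records need $MFT's own data runs.
    """
    return info["mft_offset"] + RESERVED_RECORDS[name] * info["mft_record_size"]


def build_sample_boot_sector():
    """Constructed sample: a plausible 4 KiB-cluster NTFS volume (not real data)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                             # jump instruction
    bs[3:11] = b"NTFS    "                                 # OEM ID
    struct.pack_into("<H", bs, 0x0B, 512)                  # bytes per sector
    bs[0x0D] = 8                                           # sectors per cluster
    bs[0x15] = 0xF8                                        # media descriptor
    struct.pack_into("<H", bs, 0x18, 63)                   # sectors per track
    struct.pack_into("<H", bs, 0x1A, 255)                  # heads
    struct.pack_into("<I", bs, 0x1C, 2048)                 # hidden sectors
    struct.pack_into("<Q", bs, 0x28, 41940991)             # total sectors (~20 GiB)
    struct.pack_into("<Q", bs, 0x30, 786432)               # $MFT start cluster
    struct.pack_into("<Q", bs, 0x38, 2)                    # $MFTMirr start cluster
    bs[0x40] = 0xF6                                        # -10 -> 1024-byte records
    bs[0x44] = 1                                           # 1 cluster per index record
    struct.pack_into("<Q", bs, 0x48, 0x1C2E3F4A5B6C7D8E)   # volume serial number
    bs[0x1FE:0x200] = b"\x55\xAA"                          # boot signature
    return bytes(bs)


if __name__ == "__main__":
    info = parse_boot_sector(build_sample_boot_sector())
    print(f"cluster size {info['cluster_size']}, $MFT at offset {info['mft_offset']:#x}")
    for name in ("$MFT", "$LogFile", "$Bitmap"):
        off = metadata_record_offset(info, name)
        print(f"{name:10s} record {RESERVED_RECORDS[name]:2d} at {off:#x}")
```

The OEM ID and 0x55AA checks are there because a volume that is not NTFS (or a disk image offset to the wrong sector) would otherwise yield garbage offsets silently; a practitioner comparing a suspect volume against this layout wants the parser to refuse rather than guess. The record table also explains the thread's puzzle: $MFT, $LogFile and $Bitmap are entries 0, 2 and 6 of the MFT itself, not names in the root directory, so searching for them as files finds nothing.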

phishphreek
April 12th, 2003, 10:55 PM
Sweet! Thanks. I couldn't find anything on it.

I wonder why my 2k Pro box doesn't have that showing... it's NTFS...

oh well... off to do some reading!

Thanx again. I had never seen that before.