April 12th, 2003, 08:58 PM
c:\$logfile & $mft & $bitmap
I fired up filemon to see what was going on behind the scenes and I saw some interesting stuff... I tried to locate these files but can't find them. It will also not let me create them.
The files found as depicted in the image I've attached are:
I've never seen file names start with $. I know that some rootkits use this technique.. but normally start with a _. Example: _hiddenfile.ext in a directory with _hiddendirectory
These are in c:\
Does anyone know what or why these files are being accessed, but I can't find them?
They are running under system:4 privileges.
I've been searching for a bit now, and can't find anything on it.
I have up2date virus protection, a firewall, and regularly capture traffic just to make sure that I don't have stuff accessing the web that shouldn't. I haven't noticed anything weird lately... by that I mean, unexpected traffic, connections or logs going off. I have also run trojan cleaners and adware cleaners.
<edit> My OS is XPpro with SP1 and all available updates and service patches </edit>
Ok, I tried to see if it was happening on a 2k box. It is not. I have nothing in the filemon logs for win2k referencing those... and I don't have another XPpro box on hand to check out.
April 12th, 2003, 09:29 PM
The files in question are metadata files relating to the NTFS file system. If I remember right there are more as well ($MFTMirr, $Volume, $AttrDef, $Boot, $BadClus, $Quota and $UpCase).
Actually, I just found a link I had with some information. Here is some information about them:
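An added example (not part of the original post or the link it mentions) showing how these metadata files are tied to the volume: the NTFS boot sector gives the MFT location, and the metafiles named above occupy the reserved MFT entries 0 through 11, which is why the file system itself handles them and a user cannot create or delete them. The boot sector below is constructed for the demonstration, not a real dump.

```python
import struct

# Reserved MFT entry numbers for the NTFS metadata files (entries 0-15 are
# reserved; names as in the published NTFS on-disk format documentation).
RESERVED_MFT_ENTRIES = {
    "$MFT": 0, "$MFTMirr": 1, "$LogFile": 2, "$Volume": 3, "$AttrDef": 4,
    ".": 5, "$Bitmap": 6, "$Boot": 7, "$BadClus": 8, "$Secure": 9,
    "$UpCase": 10, "$Extend": 11,
}

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Extract the geometry needed to locate the MFT from an NTFS boot sector."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing boot sector signature")
    bytes_per_sector, = struct.unpack_from("<H", sector, 0x0B)
    sectors_per_cluster = sector[0x0D]
    mft_lcn, mftmirr_lcn = struct.unpack_from("<QQ", sector, 0x30)
    clusters_per_record = struct.unpack_from("<b", sector, 0x40)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster
    # Negative value: record size is 2**|value| bytes rather than a cluster count.
    if clusters_per_record < 0:
        record_size = 1 << -clusters_per_record
    else:
        record_size = clusters_per_record * cluster_size
    return {"cluster_size": cluster_size, "record_size": record_size,
            "mft_offset": mft_lcn * cluster_size,
            "mftmirr_offset": mftmirr_lcn * cluster_size}

def metafile_record_offset(geometry: dict, name: str) -> int:
    """Byte offset on the volume of the MFT entry that describes a metadata file."""
    return geometry["mft_offset"] + RESERVED_MFT_ENTRIES[name] * geometry["record_size"]

def build_sample_boot_sector() -> bytes:
    """Constructed boot sector: 512-byte sectors, 8 sectors per cluster,
    $MFT at LCN 786432, $MFTMirr at LCN 2, 1024-byte file records (-10 -> 2**10)."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<H", s, 0x0B, 512)
    s[0x0D] = 8
    struct.pack_into("<QQ", s, 0x30, 786432, 2)
    struct.pack_into("<b", s, 0x40, -10)
    s[510:512] = b"\x55\xAA"
    return bytes(s)

if __name__ == "__main__":
    geo = parse_ntfs_boot_sector(build_sample_boot_sector())
    for name in ("$MFT", "$LogFile", "$Bitmap"):
        print(f"{name:10s} MFT entry at byte offset {metafile_record_offset(geo, name)}")
```

On a live volume the same offsets are what a forensic tool reads the raw $MFT from; that raw access needs administrative rights, which matches the SYSTEM context seen in the filemon capture.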
April 12th, 2003, 09:55 PM
Sweet! Thanks. I couldn't find anything on it.
I wonder why my 2kpro box doesn't have that showing.. it's NTFS...
oh well... off to do some reading!
Thanx again. I had never seen that before.