I usually peek inside System Volume Information once in a while to see what's in there.
I have 8, yes 8, hard drives.
Today on the 7 after the "C" drive I found a folder called EFA DATA. Inside the folder I found a file called efadata.db.
Since I have never seen this file in all my days of computing I tried to delete it. What a surprise that I couldn't. I went to safe mode and could only delete it after I changed permissions.
Download Filemon.exe from Microsoft (was Sysinternals) and see if you can find out what process is using it. Then boot from a Linux live CD and see if you can delete it. If neither goes well, start breaking out the rootkit detection software.
__________________ He either fears his fate too much, or his deserts are small, that dares not put it to the touch, to gain or lose it all.
- James Graham
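As an added illustration of the "find out what is there first" approach (example code, not from the poster above): a PowerShell function that inventories the System Volume Information folder on every fixed drive, recording owner, timestamps and a SHA-256 hash for each file, so an unfamiliar file can be lined up against a known timeline such as a drive-letter change or a service pack install. It assumes Windows PowerShell 3 or later and an elevated prompt; the function name and output fields are my own choices.

```powershell
# Added example: inventory System Volume Information on every drive.
# Run elevated; the folder is ACL-restricted and non-admin runs will
# report access denied instead of file details. Hashes are computed
# via .NET directly so no Get-FileHash dependency is needed.

function Get-SviInventory {
    param(
        # Optional: restrict to these drive letters, e.g. 'C','D'
        [string[]]$Drives
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $roots = Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Root -match '^[A-Z]:\\$' }
    if ($Drives) { $roots = $roots | Where-Object { $Drives -contains $_.Name } }

    foreach ($d in $roots) {
        $svi = Join-Path $d.Root 'System Volume Information'
        if (-not (Test-Path -LiteralPath $svi)) { continue }
        try {
            $files = Get-ChildItem -LiteralPath $svi -Recurse -Force -ErrorAction Stop |
                Where-Object { -not $_.PSIsContainer }
        } catch {
            # Access denied or similar: record it and move to the next drive
            [pscustomobject]@{ Drive = $d.Name; Path = $svi; Error = $_.Exception.Message }
            continue
        }
        foreach ($f in $files) {
            $hash = $null
            try {
                # A file held open exclusively by another process will fail here,
                # which is itself a useful signal (compare with Filemon/handle output)
                $stream = $f.OpenRead()
                $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
                $stream.Close()
            } catch { $hash = 'LOCKED/ACCESS DENIED' }
            [pscustomobject]@{
                Drive     = $d.Name
                Path      = $f.FullName
                SizeBytes = $f.Length
                Created   = $f.CreationTime
                Modified  = $f.LastWriteTime
                Owner     = (Get-Acl -LiteralPath $f.FullName).Owner
                SHA256    = $hash
            }
        }
    }
}

# Usage: Get-SviInventory | Sort-Object Created | Format-Table -AutoSize
```

Sorting by creation time makes files that appeared right after a known change (a registry edit, a reformat, an update) stand out, and the hash gives you something to search for or compare across the other drives.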
As you say, I can't find any reference to efadata.db on the web. I have never seen them before or since. As I said, I deleted them in safe mode.
The only thing I have done this weekend that I have never done was to go into regedit and force a name change for one of my hard drives. Windows had for whatever reason picked the letter "J:" for the system drive. This led to numerous problems with Windows Update. So I forced the name change and ended up doing a reformat (again). I also elected to put Service Pack 3 on and all other high priority Windows updates.
I think either the name change or the Service Pack 3 had something to do with it.
I scan nightly with updated Spybot and Norton. I am also behind 3 software and 1 hardware firewalls. I also have Norton set to scan continuously for virus-like activities. For years now I have removed System Volume Information from the exceptions list. I do not think it was an infection. Probably some new thing from Microsoft.
Just a shot in the dark, but is it possible that it's tracking information for the drive letter change? (i.e. program X tries to access something on "j" drive, XP redirects it to "c" drive and writes a report for registry to automatically redirect the query).