Large temp files BIT????.tmp

I noticed that SVCHOST.EXE in my task manager is increasing in size and writing 32KB per second to the hard disk. On the other hand, I noticed there are files of the format BIT????.tmp in my "Local Settings\temp" folder. These files are exactly 18,453 KB in length. Only the last one cannot be deleted and these files are getting created only when connecting to the internet. I am using dial up so there is no way 32KB/s is being downloaded from the internet. It's mostly occurring when I am using MSN Messenger but I tried killing MSN Messenger, ZoneAlarm and NOD32 and the files are still being created and not getting deleted.

Any clues?

thanks,
Cyril
Asked by CaptainCyril (Founder, Software Engineer, Data Scientist)
 
and235100 commented:
Download Process Explorer (http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx)

and when you run it, have a look at each instance of svchost - and see what software is using it.

You may have a rogue svchost.

If so - do a full online scan here: http://www.trendmicro.com/hc_intro/default.asp

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
I am downloading it and will write back when I have time to check it thoroughly.

Thanks
Cyril

Mohammed Hamada (Senior IT Consultant) commented:
The svchost is a virus or "trojancopyself" ..... it keeps extracting these files from some hidden or unknown resource at your PC, and I suspect the " System Volume Information " folder has those files...

You first should download and run the following tools.
1- HijackThis from www.hijackthis.de: download, extract, scan and post the log file into the square at their website, and analyse.
2- Download Ewido scan, which is now AVG Anti-Spyware, update and scan.
3- Update your NOD32 definitions and run a full in-depth scan of all the drives.
4- If there are any SVCHost.exe files in the directory C:\windows, then you must delete them.

Now Goto Start --> run --> type Msconfig, and goto startup tab, untick all the checkmarks next to entries except Nod32 entry and AVG antispyware.

Restart..

In any case of the previous process, if you were unable to delete any files then I recommend that you start Windows in safe mode and delete the files manually. Also with AVG, once the scan is finished make sure that all the results are applied, and if not, record the report to your Desktop then delete the infected items manually.

Good luck

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
I downloaded Process Explorer and monitored the activity. It turns out there is SVCHOST.exe signed by Microsoft Corporation doing the writing at 32 KB/s even though the maximum internet bandwidth I get is 5 KB/s on dial up. It only writes when I am connected to the internet. Once I disconnect from the internet I am able to delete all the temp files.

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
I scanned my whole computer. SVCHOST.exe are found in my c:\windows\system32 folder. NOD32 was not able to scan the following files:

- two .sys files in c:\
- some log files in c:\windows\system32\config\*.log
- some temp files local settings\temp

Mohammed Hamada (Senior IT Consultant) commented:
As I mentioned, SVCHost extracts those files from certain places on your computer.

Have you noticed if svchost.exe is freezing your Computer?
Open TaskManager and check if any of the processes called svchost.exe is taking more than 15% of cpu.

And please follow the instructions above by doing the scanning for malware. Also download and run HijackThis, and post the log link after uploading it.

If you have noticed that svchost.exe is freezing your computer and using your CPU with more than 15%, then you must check which one of these Svchost.exe is doing it, and then find out what services are assigned to it.

Do this now and I'll keep you up with what you should do.

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
I have 5 sessions of SVCHOST.exe running. Some have few KBs and one has a few MBs. The one SVCHOST.exe has written 1 GB since the restart this morning. The computer has been on for 6 hours and connected to the internet for almost 2 hours.

All of them have 0 CPU ticks except the biggest one which is most of the time 0 and every 10 seconds shows 3% CPU.

I could not scan it online. I am having a hard time with internet today from the ISP. I will try it some other time.

and235100 commented:
Have a look here.
http://answers.yahoo.com/question/index?qid=20070216123034AAxj2Dr

Does this apply to you?

Mohammed Hamada (Senior IT Consultant) commented:
Alright, here is what you have to do, CaptainCyril.

After you have launched Task Manager, go to View --> Select Columns --> tick the PID and then you will be able to get the Process ID.

Let's start with the biggest one here (file), which I guess is the one that keeps writing those files.

On my pc the Biggest Svchost PID = 1204.

Now Goto Start --> Run and type CMD then Enter

Type

tasklist /svc      and Enter
This command will list all the services assigned to the SVChost.exe files as follows. You should recognize the 1204 file by its PID number, which will look like the following.

D:\Documents and Settings\Moh10ly>tasklist /svc

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     680 N/A
csrss.exe                    764 N/A
winlogon.exe              788 N/A
services.exe                832 Eventlog, PlugPlay
lsass.exe                    844 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                1028 DcomLaunch, TermService
svchost.exe                1072 RpcSs
svchost.exe                1204 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   dmserver, ERSvc, EventSystem,
                                   FastUserSwitchingCompatibility, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, RasMan, Schedule, seclogon, SENS,
                                   SharedAccess, ShellHWDetection, srservice,
                                   TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                   wscsvc, wuauserv, WZCSVC
StyleXPService.exe      1232 StyleXPService
svchost.exe                 1252 WudfSvc
svchost.exe                 1388 Dnscache
svchost.exe                 1480 LmHosts, RemoteRegistry, SSDPSRV, upnphost,
                                   WebClient
spoolsv.exe                 1612 Spooler
guard.exe                   1732 AVG Anti-Spyware Guard
mdm.exe                     1816 MDM
nvsvc32.exe                 1872 NVSvc
svchost.exe                 2012 stisvc
ibserver.exe                 564 InterBaseServer
alg.exe                      692 ALG
svchost.exe                 2004 HTTPFilter
explorer.exe                2088 N/A
soundman.exe                3056 N/A
daemon.exe                  3092 N/A
StyleXP.exe                 3172 N/A
ctfmon.exe                  3196 N/A
GoogleWebAccWarden.exe      2416 N/A
dslmon.exe                  2252 N/A
GoogleWebAccClient.exe      3856 N/A
iexplore.exe                3948 N/A
Skype.exe                   2764 N/A
skypePM.exe                 1564 N/A
nod32krn.exe                 436 NOD32krn
taskmgr.exe                 3076 N/A
wuauclt.exe                 1848 N/A
cmd.exe                     3024 N/A
wmiprvse.exe                1912 N/A
tasklist.exe                3464 N/A

So those are the services assigned to the 1028 svchost.exe process..
AudioSrv, BITS, Browser, CryptSvc, Dhcp, dmserver, ERSvc, EventSystem, FastUserSwitchingCompatibility, helpsvc, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, SharedAccess, HWDetection, srservice, TapiSrv, Themes, TrkWks, W32Time, winmgmt,  wscsvc, wuauserv, WZCSVC.

Now you can check each service and what it does by using Google, or by going to Microsoft Management Console (Services) and disabling these services one by one on each boot to see whether the problem persists or not.

Goto Start --> run --> Type services.msc and enter
Now you can view each service to stop or disable them.

Do These and I'll keep you updated on what to do
0
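Added example, not part of the original post: a small Python parser for `tasklist /svc` output that joins the wrapped service lines, so the services sharing one svchost.exe PID can be listed and then stopped one at a time in services.msc as described above. The sample output is constructed in the same layout, and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout `tasklist /svc` prints, including a
# service list that wraps over several indented continuation lines.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
services.exe                 832 Eventlog, PlugPlay
svchost.exe                 1028 DcomLaunch, TermService
svchost.exe                 1072 RpcSs
svchost.exe                 1204 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   lanmanserver, Schedule, wuauserv,
                                   WZCSVC
svchost.exe                 1388 Dnscache
explorer.exe                2088 N/A
"""

# A process row starts in column 0: image name (may contain spaces),
# then the numeric PID, then the first chunk of the service list.
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


@dataclass
class Proc:
    image: str
    pid: int
    services: list = field(default_factory=list)


def _split(chunk):
    """Split a comma-separated chunk, dropping blanks and the N/A marker."""
    names = (s.strip() for s in chunk.split(","))
    return [s for s in names if s and s != "N/A"]


def parse_tasklist_svc(text):
    """Return one Proc per process; indented lines extend the previous row."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line)
        if m:
            procs.append(Proc(m["image"], int(m["pid"]), _split(m["services"])))
        elif line[0].isspace() and procs:
            procs[-1].services.extend(_split(line))
        # header and ===== separator lines match neither case and are skipped
    return procs


def services_for_pid(procs, pid):
    """Services hosted by the process with this PID (empty list if none)."""
    return next((p.services for p in procs if p.pid == pid), [])


def hosts_of(procs, service):
    """PIDs of processes hosting the named service (case-insensitive)."""
    want = service.lower()
    return [p.pid for p in procs if want in (s.lower() for s in p.services)]


def shared_hosts(procs, image="svchost.exe"):
    """PID -> service count for host processes carrying more than one service."""
    return {p.pid: len(p.services) for p in procs
            if p.image.lower() == image and len(p.services) > 1}


if __name__ == "__main__":
    for name in services_for_pid(parse_tasklist_svc(SAMPLE), 1204):
        print(name)
```

On a live system the text can come from saving the command's output to a file and passing its contents to `parse_tasklist_svc`.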
 
CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
and235100,

yes it applies to me. What should I do in this case?

moh10ly,

I will check it this weekend after I get rid of this splitting headache from lack of sleep :-).

Thank you both for the great help!
Have a nice weekend!

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
and235100,

I have the same bit???.tmp or bit????.tmp but not bit1.tmp to bit4.tmp. I have MSN Messenger 8.1 Final.

I don't have any Google running on my PC. I have Google Desktop and Google Maps dormant.

Mohammed Hamada (Senior IT Consultant) commented:
it could be anything else like virus/trojan, check this link.
http://www.google.com.ly/search?hl=en&q=what+is+using+BIT4.tmp

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
I do not have BIT4.tmp.

It always has 2 to 4 hexadecimals after BIT.

BITAC.tmp
BIT2F3.tmp
BITA2B3.tmp

Mohammed Hamada (Senior IT Consultant) commented:
Same thing, a virus or trojan. Check this link below:
http://www.google.com.ly/search?hl=en&q=BITAC.tmp
Follow my recommendation above please.

Download hijackthis and post your log to www.hijackthis.de to analyse.
Download AVG Antispyware from www.ewido.com and do full system scan after updating it.

Download Regcure and scan for any errors...

and235100 commented:
These temp files could apply to Google Desktop...

Could you try uninstalling Google Desktop (and Maps if possible) - and see if the problem continues?

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 23:55:23, on 30/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\CaptainCyril\Desktop\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E-&mail Page - c:\windows\web\Mailto_URL.HTM
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.captain
O15 - Trusted Zone: http://dentsu.integration-online.net
O15 - Trusted Zone: http://mco.integration-online.net
O15 - Trusted Zone: http://mco1.integration-online.net
O15 - Trusted Zone: http://mco2.integration-online.net
O15 - Trusted Zone: http://nissan.integration-online.net
O15 - Trusted Zone: http://s2.integration-online.net
O15 - Trusted Zone: http://s3.integration-online.net
O15 - Trusted Zone: http://s4.integration-online.net
O15 - Trusted IP range: http://194.42.142.15
O15 - Trusted IP range: http://194.42.142.18
O15 - Trusted IP range: http://62.84.74.186
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C9E67DE-91F7-43AA-9E95-844F82B09169}: NameServer = 193.227.177.130 194.126.16.38
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
moh10ly,

here it is

SVCHOST.EXE                  884 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 ERSvc, EventSystem, helpsvc, HidServ, Iprip,
                                 lanmanserver, lanmanworkstation, Messenger,
                                 Netman, Nla, RasMan, Schedule, seclogon,
                                 SENS, SharedAccess, ShellHWDetection,
                                 TapiSrv, TermService, Themes, TrkWks,
                                 uploadmgr, W32Time, winmgmt, wuauserv, WZCSVC

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
Should I stop each service in services.msc and see which one is the culprit?

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
I installed Windows XP SP2 and by itself reinstalled MSN Messenger Live 8.1.0178 without me asking and it's working normally without creating these files.

Mohammed Hamada (Senior IT Consultant) commented:
So no more bit files? if so then it should be some windows system corruption.!

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
Yes no more bit files at all. The funny thing on the final boot when Windows XP SP2 was still upgrading, it somehow reinstalled MSN Messenger (reconfiguring) by itself.

I detect something cheesy here for users to upgrade. ;-)

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
I do have a whole bunch of temp files. They are mostly within 0 to 120 KB. Some are in the 700 range but all are access denied until I close the internet connection. Then they get deleted by themselves.

Mohammed Hamada (Senior IT Consultant) commented:
Hmm, This is probably some Add-ons installed on your Internet explorer, Maybe Google toolbar, Try to go to tools on IE then select internet options and goto Programs Tab --> Manage Add-ons, Disable the add-ons one by one and see if you can delete those temp files while the IE is open...
Good luck

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
I only had Yahoo! toolbar and it's disabled.
NAV toolbar was long gone.
MSN Toolbar I don't let install.

IE is virgin state like first install.

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
When I installed SP2 yesterday I had 750 MB free space go up to 1.61 GB.

There were no logs then. I deleted the BIT files before the install.

Today the free space went down to 300 MB. I noticed that ZoneAlarm was logging like crazy.

I deleted all the logs of ZoneAlarm and now I have 800 MB free space.

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
I still do not know why MSN was creating the files but after installing SP2 it never did it again. The funny thing is that installing SP2 forced the automatic reinstallation of MSN 8.1 Live.

Thanks for the help. I learned quite a bit from you two.

and235100 commented:
Glad I could help.

Thank you.

newgentechnologies commented:
So what exactly was the fix here? Looks like it was not ever explained fully.

CaptainCyril (Founder, Software Engineer, Data Scientist; author) commented:
I always had problems like that.

This particular one was solved by installing Windows XP SP2 and it re-installed MSN Messenger.

I had the same problem later with another format. So I got rid of Zone Alarm. Recently I switched from Outpost Security to Microsoft Security Essentials and I no longer have any of these problems.