
Figure out what is creating a file

Symantec keeps finding a BIT.tmp file in the software distribution folder on a couple of my PCs. I've run every virus scan known to man and come up empty. Symantec says it's a Trojan.Zbot.B!inf; however, I don't see any registry entries or any other files on the PC that would point to a virus. I'm 99% sure someone made a Bat file to run and it produces this BIT.TMP file. Just need to figure out what.

Location of file is always, C/windows/softwaredistribution/download/(bunch of numbers)
Asked:
FEDEXECA
davealford Commented:
Softwaredistribution folder is Windows Updates - do you have an update failing to install?
 
FEDEXECA (Author) Commented:
Not that I can tell. BIT.tmp seems to recreate upon login, if that helps at all.
 
Melannk24 Commented:
Since it's in the software distribution directory, which is directly related to Windows Updates, I would say that the client begins to download a package upon reconnection and it stalls, thus creating the BIT.tmp. On those PCs, do you have BITS running? At the command line, type tasklist /svc and look for BITS.
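Added example, not part of the thread: one way to see which BITS job owns each BIT*.tmp file under SoftwareDistribution\Download. It assumes Windows 7 / Server 2008 R2 or later (the BitsTransfer PowerShell module) and an elevated prompt, and relies on BITS keeping its BITxxxx.tmp working file in the job's destination folder.

```powershell
# Added example (not from the thread): match BIT*.tmp files to queued BITS jobs.
# Run elevated; -AllUsers needs administrator rights.
Import-Module BitsTransfer

$downloadRoot = Join-Path $env:windir 'SoftwareDistribution\Download'

# Flatten the queue: one row per file in every job, for every user (including SYSTEM).
$jobFiles = @(foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        New-Object PSObject -Property @{
            Job      = $job.DisplayName
            Owner    = $job.OwnerAccount
            State    = $job.JobState
            Remote   = $file.RemoteName
            LocalDir = Split-Path -Path $file.LocalName -Parent
        }
    }
})

# A temp file and the job that writes it share a directory. -Force includes hidden files.
$tmpFiles = @(Get-ChildItem -Path $downloadRoot -Recurse -Filter 'BIT*.tmp' -Force -ErrorAction SilentlyContinue)

$report = foreach ($tmp in $tmpFiles) {
    $hits = @($jobFiles | Where-Object { $_.LocalDir -eq $tmp.DirectoryName })
    if ($hits.Count -eq 0) {
        # No queued job writes here: a leftover from a finished or cancelled job, or not BITS at all.
        New-Object PSObject -Property @{ TempFile = $tmp.FullName; Job = '(no BITS job)'; Owner = ''; State = ''; Remote = '' }
    }
    foreach ($h in $hits) {
        New-Object PSObject -Property @{ TempFile = $tmp.FullName; Job = $h.Job; Owner = $h.Owner; State = $h.State; Remote = $h.Remote }
    }
}

$report | Sort-Object TempFile | Format-List TempFile, Job, Owner, State, Remote
```

The Remote column is the URL the job is downloading from, which is what to compare against the file the antivirus product flags.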
 
Melannk24 Commented:
Also, to check whether those PCs are having issues downloading updates, go to c:\windows\windowsupdate.log and see if there are any errors listed.
 
FEDEXECA (Author) Commented:
OK, I'll try stopping BITS just to see ("net stop bits"). I'll let you know how that one turns out. The problem seems to be on a Ghost image I have, so every time I reuse it, this comes back up! lol
 
FEDEXECA (Author) Commented:
Also, the file contains a lot of "* Update is not allowed to download due to regulation."
 
Melannk24 Commented:
There is a KB article about that. I'll do a quick summary here:

Recent updates are not downloaded or installed on the computer.
The Automatic Updates icon does not display the status of downloads that are in progress.
Additionally, the following entry may be logged in the Windowsupdate.log file:

Date Time 1304 fb0 DnldMgr * Update is not allowed to download due to regulation.

This issue does not affect updates that come from Windows Server Update Services.
During periods of heavy download traffic, the Automatic Updates service can reschedule download requests on a day-to-day basis. This rescheduling can occur over several days.
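Added example, not part of the thread: a scan of WindowsUpdate.log for the DnldMgr "regulation" entry quoted above, counted per day, alongside any WARNING/FATAL lines. The function name and the sample lines are constructed for illustration; it assumes the classic plain-text log with tab-separated date, time, PID, TID, component and text fields.

```powershell
# Added example (not from the thread). $sample holds constructed lines in the classic
# tab-separated WindowsUpdate.log layout: date, time, PID, TID, component, text.
$sample = @(
    "2012-03-05`t08:01:12:101`t1304`tfb0`tDnldMgr`t  * Update is not allowed to download due to regulation."
    "2012-03-05`t08:01:12:117`t1304`tfb0`tDnldMgr`t  * Update is not allowed to download due to regulation."
    "2012-03-05`t08:01:13:002`t1304`tfb0`tAU`tAU setting next detection timeout"
    "2012-03-06`t08:03:40:550`t1304`tfb0`tDnldMgr`t  * Update is not allowed to download due to regulation."
    "2012-03-06`t08:04:02:310`t1304`ta2c`tDnldMgr`tWARNING: constructed sample warning line"
    "2012-03-07`t08:02:19:884`t1304`tfb0`tDnldMgr`t  * Update is not allowed to download due to regulation."
)

function Get-WuLogFinding {
    param([string[]]$Line)
    $layout = '^(?<date>\d{4}-\d{2}-\d{2})\s+(?<time>[\d:]+)\s+\S+\s+\S+\s+(?<comp>\S+)\s+(?<text>.*)$'
    foreach ($l in $Line) {
        if ($l -match $layout) {
            # Copy the captures before any other match operation can overwrite $Matches.
            $date = $Matches['date']; $comp = $Matches['comp']; $text = $Matches['text'].Trim()
            $kind = $null
            if ($comp -eq 'DnldMgr' -and $text -like '*not allowed to download due to regulation*') {
                $kind = 'Regulation'
            } elseif ($text -like 'WARNING:*' -or $text -like 'FATAL:*') {
                $kind = 'Error'
            }
            if ($kind) {
                New-Object PSObject -Property @{ Date = $date; Component = $comp; Kind = $kind; Text = $text }
            }
        }
    }
}

# On a real machine: $findings = @(Get-WuLogFinding -Line (Get-Content "$env:windir\WindowsUpdate.log"))
$findings = @(Get-WuLogFinding -Line $sample)

# Deferred downloads per day; the same entry on several days in a row is the rescheduling described above.
$findings | Where-Object { $_.Kind -eq 'Regulation' } | Group-Object Date |
    Select-Object Name, Count | Format-Table -AutoSize

# Anything the update agent itself flagged as a warning or fatal error.
$findings | Where-Object { $_.Kind -eq 'Error' } | Format-Table Date, Component, Text -AutoSize
```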
 
Melannk24 Commented:
I would say that is why you are seeing the BIT temp files; it seems like those machines try to download the updates but cannot complete the download. I would try to manually go to the Windows Update website, windowsupdate.microsoft.com, choose Custom, and try to install the updates from there. If this is related to a Ghost image, maybe a corrupt Wups2.dll file?
 
FEDEXECA (Author) Commented:
Tried downloading most recent updates, BIT tmp files still appear. Checking into Wups2.dll file now.
 
Melannk24 Commented:
So, may I assume the updates failed then?  Were there ANY other errors in the update log?
 
Melannk24 Commented:
One thing to do when checking your .dll files is to try to register it.
At the command prompt, type the following command, and then press ENTER:
regsvr32 %windir%\system32\wups2.dll

If you do determine that it's a Win Update issue, you can always choose to reinstall the agent too: http://support.microsoft.com/kb/949104.

I hope this helps.
 
FEDEXECA (Author) Commented:
There aren't any more errors in the updated log, although the bits.tmp files are still being created. Reinstalled the agent. Still no luck. I'm going to try a few more things. I'll update when I isolate it more.
 
FEDEXECA (Author) Commented:
It's Internet Explorer updates specifically that cause the fake malware flag (BITC, BITA, etc.). If I go to the Microsoft updates and download just the Internet Explorer ones, instantly the Symantec malware alert for Trojan.Zbot.B!inf pops up, although it's not failing. Hopefully when I get all the updates downloaded it won't pop up again. Interesting problem.
 
FEDEXECA (Author) Commented:
Stuck again: new agent, downloaded the latest updates for Internet Explorer (which popped the BIT found up from Symantec). Going to figure out how to disable automatic updates just to see if it stops. Although, all the options are greyed out and in regedit the "DisableAuOptions" is not there. Not sure what's blocking me from turning them off. (I have admin logon.)
 
Melannk24 Commented:
What version of Internet Explorer are you using? I remember reading that there were issues with Symantec and IE 9.

Also, you may have to manually add the keys when wanting to use the registry to manipulate Windows Update options. This is something I refer to when I have issues:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Add any one of the following settings:

Value name: NoAutoUpdate
Value data: 0 or 1
  0: Automatic Updates is enabled (default).
  1: Automatic Updates is disabled.
Registry Value Type: Reg_DWORD

Value name: AUOptions
Value data: 1 to 4
  1: Keep my computer up to date has been disabled in Automatic Updates.
  2: Notify of download and installation.
  3: Automatically download and notify of installation.
  4: Automatically download and scheduled installation.
Registry Value Type: Reg_DWORD

Value name: ScheduledInstallDay
Value data: 0 to 7
  0: Every day.
  1 through 7: The days of the week from Sunday (1) to Saturday (7).
Registry Value Type: Reg_DWORD

Value name: ScheduledInstallTime
Value data: n, where n equals the time of day in a 24-hour format (0-23).
Registry Value Type: Reg_DWORD

Value name: UseWUServer
Value data: Set this value to 1 to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update.
Registry Value Type: Reg_DWORD

Value name: RescheduleWaitTime
Value data: m, where m equals the time to wait between the time Automatic Updates starts and the time it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60 (representing 1 minute to 60 minutes).
Registry Value Type: Reg_DWORD

Note: This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later.

Value name: NoAutoRebootWithLoggedOnUsers
Value data: Reg_DWORD: 0 (false) or 1 (true). If set to 1, Automatic Updates does not automatically restart a computer while users are logged on.
Registry Value Type: Reg_DWORD
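Added example, not part of the thread: a read-only check that lists which of the AU policy values above are actually present on a machine and decodes them using the meanings given in the list. The function name and the sample hashtable are constructed; the sample is used only when the policy key does not exist.

```powershell
# Added example (not from the thread): decode the Automatic Updates policy values
# listed above. $sample is constructed and is used only when the key is absent.
$auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$sample = @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }

$auOptionText = @{
    1 = 'Keep my computer up to date has been disabled in Automatic Updates'
    2 = 'Notify of download and installation'
    3 = 'Automatically download and notify of installation'
    4 = 'Automatically download and scheduled installation'
}
$dayText = 'Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'

function Get-AuValueMeaning {
    param([string]$Name, [int]$Value)
    $bad = 'unexpected value'
    switch ($Name) {
        'NoAutoUpdate' { if ($Value -eq 0) { 'Automatic Updates is enabled' } elseif ($Value -eq 1) { 'Automatic Updates is disabled' } else { $bad } }
        'AUOptions' { if ($auOptionText.ContainsKey($Value)) { $auOptionText[$Value] } else { $bad } }
        'ScheduledInstallDay' { if ($Value -ge 0 -and $Value -le 7) { $dayText[$Value] } else { $bad } }
        'ScheduledInstallTime' { if ($Value -ge 0 -and $Value -le 23) { '{0:00}:00' -f $Value } else { $bad } }
        'UseWUServer' { if ($Value -eq 1) { 'Uses a Software Update Services server' } else { 'Uses Windows Update' } }
        'RescheduleWaitTime' { if ($Value -ge 1 -and $Value -le 60) { "$Value minute(s)" } else { $bad } }
        'NoAutoRebootWithLoggedOnUsers' { if ($Value -eq 1) { 'No automatic restart while users are logged on' } else { 'Automatic restart allowed' } }
        default { 'not in the list above' }
    }
}

# Read whatever is actually set; Get-ItemProperty also returns PS* bookkeeping properties.
$values = @{}
if (Test-Path $auKey) {
    $props = Get-ItemProperty -Path $auKey
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
} else {
    $values = $sample
}

foreach ($name in @($values.Keys | Sort-Object)) {
    $v = $values[$name]
    $meaning = if ($v -is [int]) { Get-AuValueMeaning -Name $name -Value $v } else { 'non-DWORD value' }
    '{0,-30} = {1,-4} {2}' -f $name, $v, $meaning
}
```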
