Solved

Figure out what is creating a file

Posted on 2011-02-23
462 Views
Last Modified: 2013-12-06
Symantec keeps finding a BIT.tmp file in the software distribution folder on a couple of my PCs. I've run every virus scan known to man and come up empty. Symantec says it's a Trojan.Zbot.B!inf; however, I don't see any registry entries or any other files on the PC that would point to a virus. I'm 99% sure someone made a .bat file to run, and it produces this BIT.TMP file. I just need to figure out what.

The location of the file is always C:\Windows\SoftwareDistribution\Download\(bunch of numbers)
0
Question by:FEDEXECA
15 Comments
 
LVL 9

Expert Comment

by:davealford
ID: 34961402
The SoftwareDistribution folder is Windows Update's - do you have an update failing to install?
0
 

Author Comment

by:FEDEXECA
ID: 34961628
Not that I can tell. BIT.tmp seems to be recreated upon login, if that helps at all.
0
 
LVL 6

Expert Comment

by:Melannk24
ID: 34962816
Since it's in the SoftwareDistribution directory, which is directly related to Windows Update, I would say that the client begins to download a package upon reconnection and it stalls, thus creating the BIT.tmp. On those PCs, do you have BITS running? At the command line, type tasklist /svc and look for BITS.
0
 
LVL 6

Expert Comment

by:Melannk24
ID: 34962861
Also, to check whether you are having issues with those PCs downloading updates, look at c:\windows\windowsupdate.log and see if there are any errors listed.
0
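The two checks suggested above (is BITS running, and what is sitting in SoftwareDistribution\Download) can be done in one pass and tied together. The PowerShell script below is an added example and is not part of this thread. It assumes Windows 7 / Server 2008 R2 or later for the BitsTransfer module and falls back to bitsadmin.exe on older clients, and it has to run from an elevated prompt so that the SYSTEM-owned Windows Update jobs are visible. It reports the BITS service state, every BITS job with its owner, state and remote-to-local file mapping, and every BIT*.tmp under the download folder with owner, timestamp and SHA-256. A BIT*.tmp that belongs to a job fetching from a Microsoft update host is an in-progress download; a job owned by some other account, or pulling from somewhere else, deserves a closer look, because any local process can create a BITS job to fetch a file. The hash is also what you would submit to the AV vendor for a false-positive review and compare across the Ghost-imaged machines.

```powershell
# Added example (not from the thread): correlate BIT*.tmp files under
# SoftwareDistribution\Download with the BITS service and its jobs.
# Assumes Windows 7 / Server 2008 R2 or later for the BitsTransfer module;
# on older clients bitsadmin.exe is used instead. Run elevated so that the
# SYSTEM-owned Windows Update jobs are listed.

$downloadDir = Join-Path $env:windir 'SoftwareDistribution\Download'

function Get-Sha256Hex {
    param([string]$Path)
    # Uses .NET directly so it also works on PowerShell versions without Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Dispose() }
}

# 1. Is the BITS service present and running? (same question as tasklist /svc)
$bits = Get-Service -Name BITS -ErrorAction SilentlyContinue
if ($bits) { "BITS service: $($bits.Status)" } else { "BITS service: not installed" }

# 2. Which BITS jobs exist, who owns them, and what are they fetching?
#    A job sitting in Transferring / TransientError / Suspended is what leaves
#    a BIT*.tmp behind in the destination directory.
if (Get-Command Get-BitsTransfer -ErrorAction SilentlyContinue) {
    Import-Module BitsTransfer
    Get-BitsTransfer -AllUsers |
        Select-Object DisplayName, JobState, OwnerAccount, BytesTransferred, BytesTotal,
            @{ n = 'Files'; e = { ($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; ' } } |
        Format-List
} else {
    # Windows XP / Server 2003: no cmdlets, but bitsadmin.exe gives the same view.
    & "$env:windir\System32\bitsadmin.exe" /list /allusers /verbose
}

# 3. Inventory the temp files themselves: owner, timestamp and hash, so the
#    same file can be compared across machines and sent to the AV vendor.
Get-ChildItem -Path $downloadDir -Recurse -Filter 'BIT*.tmp' -ErrorAction SilentlyContinue |
    ForEach-Object {
        New-Object PSObject -Property @{
            Path          = $_.FullName
            SizeBytes     = $_.Length
            LastWriteTime = $_.LastWriteTime
            Owner         = (Get-Acl $_.FullName).Owner
            SHA256        = Get-Sha256Hex $_.FullName
        }
    } | Format-List
```

If the job list is empty while BIT*.tmp files keep appearing at logon, the files are not being written by a BITS job you can see, and a file-system monitor (Process Monitor filtered on the download path) is the next step to name the writing process.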
 

Author Comment

by:FEDEXECA
ID: 34963373
OK, I'll try stopping BITS just to see ("net stop bits"); I'll let you know how that one turns out. The problem seems to be on a Ghost image I have, so every time I reuse it, this comes back up! lol
0
 

Author Comment

by:FEDEXECA
ID: 34963415
Also, the file contains a lot of "* Update is not allowed to download due to regulation."
0
 
LVL 6

Expert Comment

by:Melannk24
ID: 34964549
There is a KB article about that. I'll do a quick summary here:

Recent updates are not downloaded or installed on the computer. The Automatic Updates icon does not display the status of downloads that are in progress. Additionally, the following entry may be logged in the Windowsupdate.log file:

Date Time 1304 fb0 DnldMgr * Update is not allowed to download due to regulation.

This issue does not affect updates that come from Windows Server Update Services. During periods of heavy download traffic, the Automatic Updates service can reschedule download requests on a day-to-day basis. This rescheduling can occur over several days.
0
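The log entry format quoted above (date, time, process id, thread id, component, message) is regular enough to parse, which makes it easy to separate regulation throttling from real failures. The PowerShell function below is an added example and is not from the KB article or the thread. It runs over constructed sample lines embedded in the script (not the poster's log) and reports the number of regulation-throttled download attempts per day, which is how the day-to-day rescheduling shows up, plus any WARNING:/FATAL: lines, which are the entries that point at an actual failure. The WARNING line and its error code in the sample are constructed for illustration.

```powershell
# Added example (not from the thread): summarise the legacy (pre-Windows 10)
# WindowsUpdate.log so that regulation throttling and real errors stand out.
# Assumed line format: <date> <time> <pid> <tid> <component> <message>, e.g.
# "2011-02-23 08:15:02:123 1304 fb0 DnldMgr * Update is not allowed to download due to regulation."

function Get-WindowsUpdateLogSummary {
    param([string[]]$Lines)

    $pattern = '^(?<date>\d{4}-\d{2}-\d{2})\s+(?<time>[\d:]+)\s+(?<pid>[0-9a-f]+)\s+(?<tid>[0-9a-f]+)\s+(?<comp>\S+)\s+(?<msg>.*)$'
    $regulated = @{}   # date -> number of "due to regulation" lines that day
    $errors    = @()   # WARNING:/FATAL: lines, i.e. the real failures
    $unparsed  = 0

    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { $unparsed++; continue }
        $m = $Matches
        if ($m.msg -like '*not allowed to download due to regulation*') {
            $regulated[$m.date] = 1 + [int]$regulated[$m.date]
        } elseif ($m.msg -match '^(WARNING|FATAL):') {
            $errors += "$($m.date) $($m.time) $($m.comp) $($m.msg)"
        }
    }
    New-Object PSObject -Property @{
        RegulatedPerDay = $regulated
        Errors          = $errors
        UnparsedLines   = $unparsed
    }
}

# Constructed sample input (tab-separated like the real log); not real log data.
$t = "`t"
$sample = @(
    "2011-02-22${t}23:58:11:020${t}1304${t}fb0${t}Agent${t}*************",
    "2011-02-22${t}23:58:11:020${t}1304${t}fb0${t}Agent${t}** START **  Agent: Finding updates [CallerId = AutomaticUpdates]",
    "2011-02-23${t}08:15:02:123${t}1304${t}fb0${t}DnldMgr${t}* Update is not allowed to download due to regulation.",
    "2011-02-23${t}08:15:02:140${t}1304${t}fb0${t}DnldMgr${t}* Update is not allowed to download due to regulation.",
    "2011-02-23${t}08:15:03:001${t}1304${t}fb0${t}Agent${t}WARNING: Failed to evaluate Installed rule, error = 0x80070002",
    "2011-02-24${t}08:15:02:555${t}1304${t}fb0${t}DnldMgr${t}* Update is not allowed to download due to regulation.",
    "this line is not in the expected format"
)

$summary = Get-WindowsUpdateLogSummary -Lines $sample
"Regulation-throttled download attempts per day:"
$summary.RegulatedPerDay.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Name): $($_.Value)" }
"Real errors:"
$summary.Errors | ForEach-Object { "  $_" }
"Unparsed lines: $($summary.UnparsedLines)"

# Against a real log instead of the constructed sample:
# Get-WindowsUpdateLogSummary -Lines (Get-Content "$env:windir\WindowsUpdate.log")
```

For the sample this reports two throttled attempts on 2011-02-23, one on 2011-02-24, one WARNING line and one unparsed line. A log that shows only regulation lines and no WARNING/FATAL entries matches the KB symptom exactly: the downloads are being deferred, not failing.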
 
LVL 6

Expert Comment

by:Melannk24
ID: 34964623
I would say that is why you are seeing the BIT temp files; it seems like those machines try to download the updates but cannot complete the download. I would try to manually go to the Windows Update website, windowsupdate.microsoft.com, choose Custom and try to install the updates from there. If this is related to a Ghost image, maybe a corrupt Wups2.dll file?
0
 

Author Comment

by:FEDEXECA
ID: 34979337
Tried downloading the most recent updates; BIT.tmp files still appear. Checking into the Wups2.dll file now.
0
 
LVL 6

Expert Comment

by:Melannk24
ID: 34981452
So, may I assume the updates failed then?  Were there ANY other errors in the update log?
0
 
LVL 6

Expert Comment

by:Melannk24
ID: 34981550
One thing to do when checking your .dll files is to try to register them. At the command prompt, type the following command, and then press ENTER:
regsvr32 %windir%\system32\wups2.dll

If you do determine that it's a Windows Update issue, you can always choose to reinstall the agent too: http://support.microsoft.com/kb/949104

I hope this helps.
0
 

Author Comment

by:FEDEXECA
ID: 34991944
There aren't any more errors in the update log, although the BIT.tmp files are still being created. I reinstalled the agent. Still no luck. I'm going to try a few more things. I'll update when I isolate it more.
0
 

Author Comment

by:FEDEXECA
ID: 34992094
It's the Internet Explorer updates specifically that cause the fake malware flag (BITC, BITA, etc.). If I go to Microsoft Update and download just the Internet Explorer ones, the Symantec malware alert for Trojan.Zbot.B!inf instantly pops up, although it's not failing. Hopefully when I get all the updates downloaded it won't pop up again. Interesting problem.
0
 

Author Comment

by:FEDEXECA
ID: 34997012
Stuck again: new agent, downloaded the latest updates for Internet Explorer (which popped the "BIT found" alert up from Symantec). Going to figure out how to disable automatic updates just to see if it stops. However, all the options are greyed out, and in regedit the "DisableAuOptions" value is not there. Not sure what's blocking me from turning them off. (I have an admin logon.)
0
 
LVL 6

Accepted Solution

by: Melannk24 (earned 500 total points)
ID: 34997780
What version of Internet Explorer are you using?  I remember reading that there were issues with Symantec and IE 9.  

Also, you may have to manually add the keys when you want to use the registry to manipulate the Windows Update options. This is something I refer to when I have issues:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Add any one of the following settings. All of them are REG_DWORD values.

Value name: NoAutoUpdate
Value data: 0 or 1
  0: Automatic Updates is enabled (default).
  1: Automatic Updates is disabled.

Value name: AUOptions
Value data: 1 to 4
  1: Keep my computer up to date has been disabled in Automatic Updates.
  2: Notify of download and installation.
  3: Automatically download and notify of installation.
  4: Automatically download and scheduled installation.

Value name: ScheduledInstallDay
Value data: 0 to 7
  0: Every day.
  1 through 7: The days of the week from Sunday (1) to Saturday (7).

Value name: ScheduledInstallTime
Value data: n, where n equals the time of day in 24-hour format (0-23).

Value name: UseWUServer
Value data: Set this value to 1 to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update.

Value name: RescheduleWaitTime
Value data: m, where m equals the time to wait between the time Automatic Updates starts and the time it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes.
Note: This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later.

Value name: NoAutoRebootWithLoggedOnUsers
Value data: 0 (false) or 1 (true). If set to 1, Automatic Updates does not automatically restart a computer while users are logged on.

0
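Creating the AU policy key by hand and typing the values in regedit is where mistakes happen, and the key often does not exist at all until a policy has been applied. The PowerShell script below is an added example and is not part of the accepted answer; it encodes the value names and ranges listed above, creates the policy key when it is missing, validates a value before writing it, and reads back what is currently enforced. Values present under this Policies key are what grey out the Automatic Updates control panel, so the read-back also answers the "why are the options greyed out" question. Two caveats: on a domain member, Group Policy rewrites these values at the next refresh, and NoAutoUpdate=1 should be set only for the duration of the test and reverted afterwards, since it leaves the machine unpatched.

```powershell
# Added example (not from the thread): read and set the Automatic Updates
# policy values from the accepted answer, creating the AU key when needed and
# validating each value against its documented range before writing. Run elevated.

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Value names and permitted ranges as listed in the answer (all REG_DWORD).
$auPolicy = @{
    NoAutoUpdate                  = @(0, 1)
    AUOptions                     = 1..4
    ScheduledInstallDay           = 0..7
    ScheduledInstallTime          = 0..23
    UseWUServer                   = @(0, 1)
    RescheduleWaitTime            = 1..60
    NoAutoRebootWithLoggedOnUsers = @(0, 1)
}

function Get-AUPolicy {
    # Returns only the documented values that are actually set. An empty
    # result with no key means no policy applies and the control panel
    # options should be editable; any value present explains greyed-out options.
    if (-not (Test-Path $auKey)) { return @{} }
    $item = Get-ItemProperty -Path $auKey
    $out  = @{}
    foreach ($name in $auPolicy.Keys) {
        $prop = $item.PSObject.Properties[$name]
        if ($prop) { $out[$name] = [int]$prop.Value }
    }
    $out
}

function Set-AUPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][int]$Value
    )
    if (-not $auPolicy.ContainsKey($Name)) {
        throw "Unknown Automatic Updates policy value: $Name"
    }
    if ($auPolicy[$Name] -notcontains $Value) {
        throw "$Name must be one of: $($auPolicy[$Name] -join ', ')"
    }
    if (-not (Test-Path $auKey)) {
        # This is the step the answer says you may have to do by hand;
        # -Force creates the missing parent keys as well.
        New-Item -Path $auKey -Force | Out-Null
    }
    New-ItemProperty -Path $auKey -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Usage: show what is currently enforced, then disable AU for the test the
# poster wants to run. Revert with Set-AUPolicy -Name NoAutoUpdate -Value 0.
"Before:"; Get-AUPolicy
Set-AUPolicy -Name NoAutoUpdate -Value 1
"After:";  Get-AUPolicy
```

Restart the Automatic Updates service (net stop wuauserv, then net start wuauserv) after changing a value so the new setting is picked up, and run Get-AUPolicy again afterwards on a domain machine to see whether Group Policy has already put the values back.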
