Solved

Figure out what is creating a file

Posted on 2011-02-23
Last Modified: 2013-12-06
Symantec keeps finding a BIT.tmp file in the software distribution folder on a couple of my PCs. I've run every virus scan known to man, and come up empty. Symantec says it's a Trojan.Zbot.B!inf, however I don't see any registry entries or any other files on the PC that would point to a virus. I'm 99% sure someone made a Bat file to run and it produces this BIT.TMP file. Just need to figure out what.

Location of file is always, C/windows/softwaredistribution/download/(bunch of numbers)
Question by:FEDEXECA
15 Comments
 
LVL 9

Expert Comment

by:davealford
ID: 34961402
Softwaredistribution folder is Windows Updates - do you have an update failing to install?
 

Author Comment

by:FEDEXECA
ID: 34961628
Not that I can tell, BIT.tmp seems to recreate upon log in if that helps at all.
 
LVL 6

Expert Comment

by:Melannk24
ID: 34962816
Since it's in the software distribution directory, which is directly related to Windows Updates, I would say that the client begins to download a package upon reconnection and it stalls, thus creating the BIT.tmp. On those PCs, do you have BITS running? At the command line, type tasklist /svc and look for BITS.
 
LVL 6

Expert Comment

by:Melannk24
ID: 34962861
Also, to check to see if you are having issues with those PCs downloading updates, go to c:\windows\windowsupdate.log and see if there are any errors listed.
 

Author Comment

by:FEDEXECA
ID: 34963373
OK, I'll try stopping BITS just to see ("net stop bits"). I'll let you know how that one turns out. Problem seems to be on a ghost image I have, so every time I reuse it, this comes back up! lol
 

Author Comment

by:FEDEXECA
ID: 34963415
Also, the file contains a lot of "* Update is not allowed to download due to regulation."
 
LVL 6

Expert Comment

by:Melannk24
ID: 34964549
There is a KB article about that. I'll do a quick summary here:

Recent updates are not downloaded or installed on the computer.
The Automatic Updates icon does not display the status of downloads that are in progress.
Additionally, the following entry may be logged in the Windowsupdate.log file:

Date Time 1304 fb0 DnldMgr
* Update is not allowed to download due to regulation.

This issue does not affect updates that come from Windows Server Update Services.
During periods of heavy download traffic, the Automatic Updates service can reschedule download requests on a day-to-day basis. This rescheduling can occur over several days.
 
LVL 6

Expert Comment

by:Melannk24
ID: 34964623
I would say that is why you are seeing the BIT temp files; it seems like those machines try to download the updates, but cannot complete the download. I would try to manually go to the Windows Update website, windowsupdate.microsoft.com, choose custom and try to install the updates from there. If this is related to a ghost image, maybe a corrupt Wups2.dll file??
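The checks suggested in the comments above (BITS service state, the update log, the BIT*.tmp files themselves) can be gathered in one pass, together with the BITS job list that shows which job is writing into a folder. This is an added example, not part of any poster's comment; it assumes PowerShell 4 or later with the BitsTransfer module, an elevated prompt, and the text-format WindowsUpdate.log at the path quoted in the thread.

```powershell
# Added example; paths follow the thread, everything else is illustrative.
$download = Join-Path $env:windir 'SoftwareDistribution\Download'
$wuLog    = Join-Path $env:windir 'WindowsUpdate.log'

# 1. Is BITS running? (the same question "tasklist /svc" answers)
Get-Service -Name BITS | Select-Object Name, Status

# 2. BITS temp files in the download cache. -Force is needed because BITS
#    marks its temp files hidden. The hash lets you compare copies across PCs.
$tmp = Get-ChildItem -Path $download -Recurse -Force -Filter 'BIT*.tmp' -ErrorAction SilentlyContinue
$tmp | ForEach-Object {
    $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        File    = $_.FullName
        Created = $_.CreationTime
        Bytes   = $_.Length
        SHA256  = if ($h) { $h.Hash } else { '(locked or removed)' }
    }
}

# 3. BITS jobs from every account, with the URL each one is fetching. BITS keeps
#    its temp file next to the destination file, so a job whose local file is in
#    the same folder as a BIT*.tmp is the likely writer.
Import-Module BitsTransfer
$tmpDirs = $tmp | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique
Get-BitsTransfer -AllUsers | ForEach-Object {
    $job = $_
    foreach ($f in $job.FileList) {
        [pscustomobject]@{
            Job       = $job.DisplayName
            Owner     = $job.OwnerAccount
            State     = $job.JobState
            Remote    = $f.RemoteName
            Local     = $f.LocalName
            HasBitTmp = $tmpDirs -contains (Split-Path $f.LocalName -Parent)
        }
    }
}

# 4. Count the throttling entry quoted in the thread, plus WARNING/FATAL lines.
if (Test-Path $wuLog) {
    Select-String -Path $wuLog -Pattern 'not allowed to download due to regulation', 'WARNING', 'FATAL' |
        Group-Object Pattern | Select-Object Count, Name
}
```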
 

Author Comment

by:FEDEXECA
ID: 34979337
Tried downloading most recent updates, BIT tmp files still appear. Checking into Wups2.dll file now.
 
LVL 6

Expert Comment

by:Melannk24
ID: 34981452
So, may I assume the updates failed then?  Were there ANY other errors in the update log?
 
LVL 6

Expert Comment

by:Melannk24
ID: 34981550
One thing to do when checking your .dll files: try to register it.
At the command prompt, type the following command, and then press ENTER:
regsvr32 %windir%\system32\wups2.dll

If you do determine that it's a Win Update issue, you can always choose to reinstall the agent too, http://support.microsoft.com/kb/949104.

I hope this helps.  
 

Author Comment

by:FEDEXECA
ID: 34991944
There aren't any more errors in the updated log although the bits.tmp are still creating, reinstalled the agent. Still no luck. I'm going to try a few more things. I'll update when I isolate it more.
 

Author Comment

by:FEDEXECA
ID: 34992094
It's Internet Explorer updates specifically that cause the fake malware flag (BITC, BITA, ... etc.). If I go to the Microsoft updates and download just the Internet Explorer ones, instantly the Symantec malware for Trojan.ZBot!iBinf pops up, although it's not failing. Hopefully when I get all the updates downloaded it won't pop up again. Interesting problem.
 

Author Comment

by:FEDEXECA
ID: 34997012
Stuck again, new agent, downloaded the latest updates for Internet Explorer (which popped the BIT found up from Symantec). Going to figure out how to disable automatic updates just to see if it stops. Although, all the options are greyed out and in regedit the "DisableAuOptions" is not there. Not sure what's blocking me from turning them off. (I have admin log on)
 
LVL 6

Accepted Solution

by:Melannk24 (earned 500 total points)
ID: 34997780
What version of Internet Explorer are you using?  I remember reading that there were issues with Symantec and IE 9.  

Also, you may have to manually add the keys when wanting to use the registry to manipulate Windows Update options. This is something I refer to when I have issues:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Add any one of the following settings:

Value name: NoAutoUpdate
Value data: 0 or 1
0: Automatic Updates is enabled (default).
1: Automatic Updates is disabled.
Registry Value Type: Reg_DWORD

Value name: AUOptions
Value data: 1 to 4
1: Keep my computer up to date has been disabled in Automatic Updates.
2: Notify of download and installation.
3: Automatically download and notify of installation.
4: Automatically download and scheduled installation.
Registry Value Type: Reg_DWORD

Value name: ScheduledInstallDay
Value data: 0 to 7
0: Every day.
1 through 7: The days of the week from Sunday (1) to Saturday (7).
Registry Value Type: Reg_DWORD

Value name: ScheduledInstallTime
Value data: n, where n equals the time of day in a 24-hour format (0-23).
Registry Value Type: Reg_DWORD

Value name: UseWUServer
Value data: Set this value to 1 to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update.
Registry Value Type: Reg_DWORD

Value name: RescheduleWaitTime
Value data: m, where m equals the time to wait between the time Automatic Updates starts and the time it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes.
Registry Value Type: Reg_DWORD
Note: This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later.

Value name: NoAutoRebootWithLoggedOnUsers
Value data: Reg_DWORD: 0 (false) or 1 (true). If set to 1, Automatic Updates does not automatically restart a computer while users are logged on.
Registry Value Type: Reg_DWORD
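
One way to apply the values listed in the accepted answer, as an added example that is not part of the original post: it creates the AU key when it is missing, rejects data outside the listed ranges, and reads the result back. The function names and the range table are illustrative, the 0..1 range for UseWUServer is an assumption (the answer only mentions 1), and it must run from an elevated PowerShell prompt.

```powershell
# Added example; Set-AuPolicyValue, Get-AuPolicy and $AuRanges are illustrative names.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Allowed data per value name, taken from the list in the answer above.
$AuRanges = @{
    NoAutoUpdate                  = 0..1
    AUOptions                     = 1..4
    ScheduledInstallDay           = 0..7
    ScheduledInstallTime          = 0..23
    UseWUServer                   = 0..1    # assumption: the answer only mentions 1
    RescheduleWaitTime            = 1..60
    NoAutoRebootWithLoggedOnUsers = 0..1
}

function Set-AuPolicyValue {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not $AuRanges.ContainsKey($Name)) { throw "Unknown AU value name: $Name" }
    if ($AuRanges[$Name] -notcontains $Value) { throw "$Name does not accept $Value" }
    # The key does not exist until a policy has been set, so create it on first use.
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    # Every value in the list is a REG_DWORD.
    New-ItemProperty -Path $AuKey -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-AuPolicy {
    if (-not (Test-Path $AuKey)) { return @() }
    $props = Get-ItemProperty -Path $AuKey
    foreach ($n in $AuRanges.Keys) {
        if ($null -ne $props.$n) { [pscustomobject]@{ Name = $n; Value = $props.$n } }
    }
}

# Show what is set before changing anything.
Get-AuPolicy

# Example: switch to "notify of download and installation" (AUOptions = 2),
# which stops background downloads without turning updates off.
Set-AuPolicyValue -Name AUOptions -Value 2
Get-AuPolicy
```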
