Solved

Figure out what is creating a file

Posted on 2011-02-23
Last Modified: 2013-12-06
Symantec keeps finding a BIT.tmp file in the SoftwareDistribution folder on a couple of my PCs. I've run every virus scan known to man and come up empty. Symantec says it's a Trojan.Zbot.B!inf; however, I don't see any registry entries or any other files on the PC that would point to a virus. I'm 99% sure someone made a .bat file to run and it produces this BIT.TMP file. Just need to figure out what.

Location of file is always C:\Windows\SoftwareDistribution\Download\(bunch of numbers)
Question by:FEDEXECA
15 Comments
 
LVL 9

Expert Comment

by:davealford
ID: 34961402
The SoftwareDistribution folder is Windows Update's - do you have an update failing to install?
 

Author Comment

by:FEDEXECA
ID: 34961628
Not that I can tell; BIT.tmp seems to recreate upon log-in, if that helps at all.
 
LVL 6

Expert Comment

by:Melannk24
ID: 34962816
Since it's in the SoftwareDistribution directory, which is directly related to Windows Updates, I would say that the client begins to download a package upon reconnection and it stalls, thus creating the BIT.tmp. On those PCs, do you have BITS running? At the command line, type tasklist /svc and look for BITS.
 
LVL 6

Expert Comment

by:Melannk24
ID: 34962861
Also, to check to see if you are having issues with those PCs downloading updates, go to c:\windows\windowsupdate.log and see if there are any errors listed.
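The two checks suggested above (is BITS running, and what does WindowsUpdate.log say) plus a look at the BIT*.tmp files themselves can be done in one pass. The PowerShell script below is an added example, not something posted in this thread; it assumes an elevated prompt on the affected client, PowerShell 2.0 or later (so it hashes with .NET instead of Get-FileHash), and the paths named in the thread (%windir%\SoftwareDistribution\Download and %windir%\WindowsUpdate.log). Hashing and timestamping the files lets you compare them across the machines built from the same ghost image and look the hash up, rather than relying on the AV detection name alone.

```powershell
# Added triage example (not from the thread). Run from an elevated PowerShell
# prompt on the client that Symantec is flagging.
# Assumed paths: those named in the thread.
$downloadDir = Join-Path $env:windir 'SoftwareDistribution\Download'
$updateLog   = Join-Path $env:windir 'WindowsUpdate.log'

# 1. BITS (Background Intelligent Transfer Service) state - the same question
#    'tasklist /svc' answers, asked via the service control manager.
$bits = Get-Service -Name BITS -ErrorAction SilentlyContinue
if ($bits) {
    $mode = (Get-WmiObject Win32_Service -Filter "Name='BITS'").StartMode
    "BITS service: {0} (start mode: {1})" -f $bits.Status, $mode
} else {
    "BITS service not found on this host"
}

# 2. Every BIT*.tmp under the download cache: size, timestamps and SHA-256.
#    Timestamps tell you whether the file is recreated at each logon as the
#    asker observed; the hash lets you compare copies across imaged machines.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
Get-ChildItem -Path $downloadDir -Recurse -Filter 'BIT*.tmp' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $hash  = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        New-Object PSObject -Property @{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            SHA256    = $hash
        }
    } |
    Select-Object Path, SizeBytes, Created, Modified, SHA256 |
    Format-Table -AutoSize

# 3. The log lines that explain a stalled download: the 'regulation' message
#    quoted in the thread, plus anything the agent marked WARNING or FATAL.
if (Test-Path $updateLog) {
    Select-String -Path $updateLog -Pattern 'not allowed to download due to regulation|WARNING|FATAL' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
} else {
    "No $updateLog found (on Windows 10 and later, Get-WindowsUpdateLog generates it)"
}
```

If the BIT*.tmp files carry the same hash on every machine built from the image and their creation time matches each logon, that supports the thread's conclusion that they are partial Windows Update downloads rather than dropped malware; a hash that differs per machine and per logon points back to the download stalling at different points.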
 

Author Comment

by:FEDEXECA
ID: 34963373
OK, I'll try stopping BITS just to see ("net stop bits"); I'll let you know how that one turns out. Problem seems to be on a ghost image I have, so every time I reuse it, this comes back up! lol
 

Author Comment

by:FEDEXECA
ID: 34963415
Also, the file contains a lot of "* Update is not allowed to download due to regulation."
 
LVL 6

Expert Comment

by:Melannk24
ID: 34964549
There is a KB article about that. I'll do a quick summary here:

Recent updates are not downloaded or installed on the computer.
The Automatic Updates icon does not display the status of downloads that are in progress.
Additionally, the following entry may be logged in the Windowsupdate.log file:

Date Time 1304 fb0 DnldMgr
* Update is not allowed to download due to regulation.

This issue does not affect updates that come from Windows Server Update Services.
During periods of heavy download traffic, the Automatic Updates service can reschedule download requests on a day-to-day basis. This rescheduling can occur over several days.
 
LVL 6

Expert Comment

by:Melannk24
ID: 34964623
I would say that is why you are seeing the BIT temp files, it seems like those machines try to download the updates, but cannot complete the download.  I would try to manually go to the Windows Update website, windowsupdate.microsoft.com, choose custom and try to install the updates from there.  If this is related to a ghost image, maybe a corrupt Wups2.dll file??  
 

Author Comment

by:FEDEXECA
ID: 34979337
Tried downloading most recent updates, BIT tmp files still appear. Checking into Wups2.dll file now.
 
LVL 6

Expert Comment

by:Melannk24
ID: 34981452
So, may I assume the updates failed then?  Were there ANY other errors in the update log?
 
LVL 6

Expert Comment

by:Melannk24
ID: 34981550
One thing to do when checking your .dll files: try to register it.
At the command prompt, type the following command, and then press ENTER:

regsvr32 %windir%\system32\wups2.dll

If you do determine that it's a Win Update issue, you can always choose to reinstall the agent too, http://support.microsoft.com/kb/949104.

I hope this helps.  
 

Author Comment

by:FEDEXECA
ID: 34991944
There aren't any more errors in the update log, although the bits.tmp files are still being created. Reinstalled the agent; still no luck. I'm going to try a few more things. I'll update when I isolate it more.
 

Author Comment

by:FEDEXECA
ID: 34992094
It's Internet Explorer updates specifically that cause the false malware flag (BITC, BITA, etc.). If I go to Microsoft Update and download just the Internet Explorer ones, the Symantec malware alert for Trojan.Zbot.B!inf instantly pops up, although it's not failing. Hopefully when I get all the updates downloaded it won't pop up again. Interesting problem.
 

Author Comment

by:FEDEXECA
ID: 34997012
Stuck again: new agent, downloaded the latest updates for Internet Explorer (which popped the BIT found alert up from Symantec). Going to figure out how to disable Automatic Updates just to see if it stops. Although, all the options are greyed out, and in regedit the "DisableAuOptions" is not there. Not sure what's blocking me from turning them off. (I have an admin logon.)
 
LVL 6

Accepted Solution

by:
Melannk24 earned 500 total points
ID: 34997780
What version of Internet Explorer are you using? I remember reading that there were issues with Symantec and IE 9.

Also, you may have to manually add the keys when wanting to use the registry to manipulate Windows Update options. This is something I refer to when I have issues:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Add any one of the following settings:

Value name: NoAutoUpdate
Value data: 0 or 1
  0: Automatic Updates is enabled (default).
  1: Automatic Updates is disabled.
Registry Value Type: REG_DWORD

Value name: AUOptions
Value data: 1 to 4
  1: Keep my computer up to date has been disabled in Automatic Updates.
  2: Notify of download and installation.
  3: Automatically download and notify of installation.
  4: Automatically download and scheduled installation.
Registry Value Type: REG_DWORD

Value name: ScheduledInstallDay
Value data: 0 to 7
  0: Every day.
  1 through 7: The days of the week from Sunday (1) to Saturday (7).
Registry Value Type: REG_DWORD

Value name: ScheduledInstallTime
Value data: n, where n equals the time of day in 24-hour format (0-23).
Registry Value Type: REG_DWORD

Value name: UseWUServer
Value data: Set this value to 1 to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update.
Registry Value Type: REG_DWORD

Value name: RescheduleWaitTime
Value data: m, where m equals the time to wait between the time Automatic Updates starts and the time it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes.
Registry Value Type: REG_DWORD
Note: This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later.

Value name: NoAutoRebootWithLoggedOnUsers
Value data: 0 (false) or 1 (true). If set to 1, Automatic Updates does not automatically restart a computer while users are logged on.
Registry Value Type: REG_DWORD

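The accepted answer lists the policy values but leaves the "manually add the keys" step to the reader, and the asker's problem was precisely that the key was absent so the GUI options were greyed out. The PowerShell below is an added example, not code from the thread: it reads the current values under the AU policy key, creates the key path if it does not exist, and writes the settings as REG_DWORD as the answer specifies. The value names and meanings are exactly those quoted above; the function names, parameter defaults (AUOptions 4, install at 03:00, no reboot with users logged on) and the choice of which values to write are this example's own assumptions. Run it elevated.

```powershell
# Added example (not from the thread): read and write the Automatic Updates
# policy values listed in the accepted answer. Run from an elevated prompt.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AUPolicy {
    # Report each documented value, or note that the policy key is absent
    # (in which case Automatic Updates runs on its defaults / Control Panel settings).
    if (-not (Test-Path $auKey)) {
        return "Policy key absent: $auKey"
    }
    $p = Get-ItemProperty -Path $auKey
    foreach ($name in 'NoAutoUpdate', 'AUOptions', 'ScheduledInstallDay', 'ScheduledInstallTime',
                      'UseWUServer', 'RescheduleWaitTime', 'NoAutoRebootWithLoggedOnUsers') {
        $v = $p.$name
        "{0,-32} {1}" -f $name, $(if ($null -eq $v) { '<not set>' } else { $v })
    }
}

function Set-AUPolicy {
    # Ranges come straight from the answer's table. Defaults here are this
    # example's assumptions, not anything the thread prescribes.
    param(
        [ValidateSet(0, 1)]    [int]$NoAutoUpdate                  = 0,
        [ValidateRange(1, 4)]  [int]$AUOptions                     = 4,
        [ValidateRange(0, 7)]  [int]$ScheduledInstallDay           = 0,
        [ValidateRange(0, 23)] [int]$ScheduledInstallTime          = 3,
        [ValidateSet(0, 1)]    [int]$NoAutoRebootWithLoggedOnUsers = 1
    )
    # The step the answer says is often needed: the ...\WindowsUpdate\AU path
    # does not exist until something creates it. -Force creates intermediate keys.
    if (-not (Test-Path $auKey)) {
        New-Item -Path $auKey -Force | Out-Null
    }
    $values = @{
        NoAutoUpdate                  = $NoAutoUpdate
        AUOptions                     = $AUOptions
        ScheduledInstallDay           = $ScheduledInstallDay
        ScheduledInstallTime          = $ScheduledInstallTime
        NoAutoRebootWithLoggedOnUsers = $NoAutoRebootWithLoggedOnUsers
    }
    # Every value in the table is REG_DWORD, so write them with -Type DWord.
    foreach ($pair in $values.GetEnumerator()) {
        Set-ItemProperty -Path $auKey -Name $pair.Key -Value $pair.Value -Type DWord
    }
    Get-AUPolicy
}

# Usage, for the test the asker wanted to run (turn AU off to see whether the
# BIT*.tmp files stop appearing), then restore it:
#   Set-AUPolicy -NoAutoUpdate 1
#   Set-AUPolicy -NoAutoUpdate 0 -AUOptions 4
```

The Automatic Updates service (wuauserv) reads these policy values itself, so after changing them restart that service (Restart-Service wuauserv) rather than waiting for its next poll; note also that on a domain-joined machine a Group Policy refresh will overwrite whatever you set here with the domain's WindowsUpdate policy.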