Bitsadmin pops up randomly and immediately disappears.


  1. Posts : 201
    Kernel 4.x.x
       #11

    tkrisz0403 said:
    Thanks for your reply Hydranix. Hopefully you're right and this malware didn't download the payload. Since my first thread, bitsadmin.exe has popped up at least 50 times, and I didn't notice any other issue, but I'm concerned that neither of my anti-virus programs found a relatively well-known malware.

    I'm looking forward to downloading your program and finding out whether my system is compromised or not.

    Sorry, I didn't have time to write it until just now. I made it simpler than originally planned. This program will just wait for bitsadmin and then print its parent process name to a file so we can see what starts it.

    Also, this may not be malware, I'm just always suspicious when it comes to things potentially accessing the internet without consent.

    Here's the program virus scan: Scan

    Here's the program: bitsadmin buster.zip


    To use it, unzip the exe somewhere. Wherever the exe is, that's where the text file with the parent's name will be created.
    Run the program and it will ask for admin access, which it requires. If you get a SmartScreen pop-up, hit the "More info" link and then allow it to run.


    Here's the source code, it's fairly basic.

    Code:
    #include <Windows.h>
    #include <TlHelp32.h>
    #include <chrono>
    #include <cwchar>    // _wcsicmp
    #include <fstream>
    #include <string>
    #include <thread>
    
    // Undocumented ntdll export: suspends every thread of the target process.
    typedef LONG(NTAPI *NtSuspendProcess)(IN HANDLE procHandle);
    
    void SuspendProcess(DWORD pid);
    bool GetProcInfo(const std::wstring &name, PROCESSENTRY32W &pe32);
    bool GetProcInfo(DWORD pid, PROCESSENTRY32W &pe32);
    
    int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
    {
      std::wstring name(L"bitsadmin.exe");
      PROCESSENTRY32W pe32;
      // Poll the process list until a bitsadmin.exe instance shows up.
      while (!GetProcInfo(name, pe32))
      {
        std::this_thread::sleep_for(std::chrono::milliseconds(25));
      }
      // Freeze it so it cannot exit before its parent is looked up.
      // Note: the process is left suspended; this program never resumes it.
      SuspendProcess(pe32.th32ProcessID);
      PROCESSENTRY32W p_pe32;
      if (GetProcInfo(pe32.th32ParentProcessID, p_pe32))
      {
        // Written to the current directory, i.e. next to the exe when double-clicked.
        std::wofstream file(L"bitsadmin_info.txt");
        if (file.is_open())
        {
          file << L"Parent Process Name: " << p_pe32.szExeFile;
          file.flush();
          file.close();
        }
      }
      else
      {
        // Parent not found: it already exited (and its PID may have been reused).
        return 1;
      }
      return 0;
    }
    
    void SuspendProcess(DWORD pid)
    {
      // NtSuspendProcess only needs PROCESS_SUSPEND_RESUME, not PROCESS_ALL_ACCESS.
      HANDLE hProc = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, pid);
      if (hProc)
      {
        HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
        NtSuspendProcess pNtSuspendProcess =
          ntdll ? (NtSuspendProcess)GetProcAddress(ntdll, "NtSuspendProcess") : nullptr;
        if (pNtSuspendProcess)
        {
          pNtSuspendProcess(hProc);
        }
        CloseHandle(hProc);
      }
    }
    
    bool GetProcInfo(const std::wstring &name, PROCESSENTRY32W &pe32)
    {
      bool found = false;
      pe32.dwSize = sizeof(PROCESSENTRY32W);
      // CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE (not NULL) on failure.
      HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if (hSnap != INVALID_HANDLE_VALUE)
      {
        if (Process32FirstW(hSnap, &pe32))
        {
          do
          {
            // Case-insensitive: image names are not case-normalised by the system.
            if (_wcsicmp(name.c_str(), pe32.szExeFile) == 0)
            {
              found = true;
              break;
            }
          } while (Process32NextW(hSnap, &pe32));
        }
        CloseHandle(hSnap);
      }
      return found;
    }
    
    bool GetProcInfo(DWORD pid, PROCESSENTRY32W &pe32)
    {
      bool found = false;
      pe32.dwSize = sizeof(PROCESSENTRY32W);
      HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if (hSnap != INVALID_HANDLE_VALUE)
      {
        if (Process32FirstW(hSnap, &pe32))
        {
          do
          {
            if (pid == pe32.th32ProcessID)
            {
              found = true;
              break;
            }
          } while (Process32NextW(hSnap, &pe32));
        }
        CloseHandle(hSnap);
      }
      return found;
    }
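An added example, not part of the thread or of Hydranix's tool, that answers the same question (what starts bitsadmin.exe) from an elevated PowerShell without polling or suspending anything: it subscribes to the WMI process-start trace and logs each bitsadmin.exe start with its parent's name and, while they can still be read, both command lines. The log file location is an assumption.

```powershell
# Added example, not code from the thread. Logs every bitsadmin.exe start with
# its parent process and command lines via a WMI process-start trace event.
# Needs an elevated PowerShell (Win32_ProcessStartTrace requires admin rights).
$logPath = Join-Path $PWD 'bitsadmin_starts.log'   # assumption: log in the current folder

# Extrinsic event raised by the kernel process trace, so even a bitsadmin.exe
# that exits within milliseconds is reported (polling the process list can miss it).
$query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'bitsadmin.exe'"

$action = {
    $e = $Event.SourceEventArgs.NewEvent      # ProcessID, ParentProcessID, ProcessName
    # Both lookups race with process exit: the child may already be gone, and a
    # parent PID that exited long ago could even have been reused, so record misses.
    $child  = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)" -ErrorAction SilentlyContinue
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)" -ErrorAction SilentlyContinue
    $line = '{0} bitsadmin pid={1} cmd=[{2}] parent={3} pid={4} parentcmd=[{5}]' -f `
        (Get-Date -Format o),
        $e.ProcessID,
        $(if ($child)  { $child.CommandLine }  else { '<exited>' }),
        $(if ($parent) { $parent.Name }        else { '<exited>' }),
        $e.ParentProcessID,
        $(if ($parent) { $parent.CommandLine } else { '' })
    Add-Content -Path $Event.MessageData -Value $line
}

Register-CimIndicationEvent -Query $query -SourceIdentifier 'BitsadminStart' `
    -Action $action -MessageData $logPath | Out-Null
Write-Host "Logging bitsadmin.exe starts to $logPath (Ctrl+C to stop)"
try     { while ($true) { Start-Sleep -Seconds 1 } }
finally { Unregister-Event -SourceIdentifier 'BitsadminStart' }
```

If the parent has usually exited by the time the lookup runs, process-creation auditing with command-line logging (Security event 4688) or Sysmon event 1 records the full chain at creation time instead.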


  2. Posts : 18
    Windows 10
    Thread Starter
       #12

    I created a new folder on the Desktop and downloaded the .zip file. After I extracted the file, I ran the bitsadmin buster.exe as an Administrator. I also found the program in Background processes. I waited until bitsadmin popped up, but I didn't get an info link or anything, just the cmd.exe running with some text (you can see the screenshot). Your program also created a bitsadmin_info.txt file with only one line: "Parent Process Name: cmd.exe". Can you advise me what to do next? Thanks
    Attached thumbnail: bitsadmin.jpg


  3. Posts : 3,453
       #13

    To see exactly what is downloading from where, use this:

    Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName

    eg: output

    Code:
    PS C:\windows\system32> Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName
    http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/crup/2013/11/osfclientintl-es-es_e4fd9148b340b88749168889b6c1d1622142cd1d.cab
    http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/crup/2016/03/filterpack-x-none_abcb4c38ba24d2604f41627e7239ffe874ed328b.cab
    http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/crup/2016/03/exppdf-x-none_d26ff402da11f90e52e2628622ae35aceeb1dfb3.cab
    http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/crup/2016/03/powerpoint-x-none_09f6f08b9fa32d45df0a3ea9aef138fb70c3d796.cab
    http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/crup/2016/03/riched20-x-none_bfbff3fbd92db33dbd6aaf6e40af803f35c366e6.cab
    http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/secu/2016/03/lync-x-none_efb7db8acecd7058aa59396646d40d7bfef8f415.cab
    http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/secu/2016/03/excel-x-none_048fcaebbf5ef27800c68d4231fe9d40f2190fc4.cab
    http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/crup/2016/04/vbe7-x-none_3870756cfe700509a4fb55f98499b0f7c2996b2d.cab
    If nothing is returned, BITS has nothing in its queue. If Bitsadmin is then displaying errors, some rogue app may be trying to transfer files... but that will require some HitmanPro troubleshooting.


  4. Posts : 18
    Windows 10
    Thread Starter
       #14

    Where should I use this line?

    "Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName"

    Enter it into cmd? Or where? Sorry, I'm a beginner.

    Thanks


  5. Posts : 16,325
    W10Prox64
       #15

    tkrisz0403 said:
    Where should I use this line?

    "Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName"

    Enter it into cmd? Or where? Sorry, I'm a beginner.

    Thanks

    I think you would right-click on the Start button and select Command Prompt (Admin). Then type in (or copy) this code:

    Code:
    Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName
    Then press ENTER.


  6. Posts : 18
    Windows 10
    Thread Starter
       #16

    Please find the attached screenshot: error.png


  7. Posts : 3,453
       #17

    tkrisz0403 said:
    Please find the attached screenshot: error.png

    Click Start, type powershell, right-click it and choose Run as administrator.

    Screenshot: capture.png


  8. Posts : 18
    Windows 10
    Thread Starter
       #18

    Screenshot: power.png


  9. Posts : 3,453
       #19

    Hmmm... looks like cloudfront.net is the issue... I'm not familiar with that, but see if this helps.
    http://answers.microsoft.com/en-us/p...3b6b4e2?auth=1

    Note: you can get rid of the (non-Windows Update) downloads by using:
    Get-BitsTransfer -AllUsers | Remove-BitsTransfer

    or this in command prompt:

    Code:
    @echo off
    rem Stop BITS so its queue files are not in use, then delete the queue
    rem database (qmgr0.dat / qmgr1.dat); BITS recreates an empty queue on start.
    net stop BITS
    ipconfig /flushdns
    del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr0.dat"
    del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr1.dat"
    net start BITS
    
    rem Restart Windows Update so it re-queues its own transfers cleanly.
    net stop wuauserv
    net start wuauserv
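An added example, not from the thread, that combines the checks in posts #13 and #19 from an elevated PowerShell: it lists every BITS job for all users with its owner, state and remote URLs, flags jobs whose remote host is not one of the expected update domains (a job pulling from cloudfront.net would be flagged), and previews removing only the flagged jobs with -WhatIf instead of clearing the whole queue. The list of expected hosts is an assumption to tune per environment.

```powershell
# Added example, not code from the thread. Triages the BITS queue for all users:
# lists each job with owner/state/remote URLs, flags jobs whose remote host is
# not an expected update domain, and previews removal of only those jobs.
# Run from an elevated PowerShell (needed to see and remove other users' jobs).
$expectedHosts = @('windowsupdate.com', 'microsoft.com', 'windows.com')  # assumption: tune per environment

function Test-ExpectedHost([string]$url) {
    $uri = $null
    if (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    foreach ($d in $expectedHosts) {
        # Match the domain itself or any subdomain (e.g. fg.v4.download.windowsupdate.com)
        if ($uri.Host -eq $d -or $uri.Host.EndsWith(".$d")) { return $true }
    }
    return $false
}

$jobs = @(Get-BitsTransfer -AllUsers)
if ($jobs.Count -eq 0) { Write-Host 'BITS queue is empty.'; return }

$rows = foreach ($job in $jobs) {
    $remotes = @($job.FileList | Select-Object -ExpandProperty RemoteName)
    [pscustomobject]@{
        Owner   = $job.OwnerAccount
        Name    = $job.DisplayName
        State   = $job.JobState
        Created = $job.CreationTime
        Flagged = @($remotes | Where-Object { -not (Test-ExpectedHost $_) }).Count -gt 0
        Remote  = ($remotes -join '; ')
        Job     = $job          # kept so the flagged job objects can be piped to Remove-BitsTransfer
    }
}
$rows | Select-Object Owner, Name, State, Created, Flagged, Remote | Format-Table -AutoSize -Wrap

# Remove only the flagged jobs. -WhatIf previews; drop it once the list has been reviewed.
$rows | Where-Object Flagged | ForEach-Object { $_.Job } | Remove-BitsTransfer -WhatIf
```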


  10. Posts : 18
    Windows 10
    Thread Starter
       #20

    CMD did something. Screenshot: cmd.png


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.