Page 2 of 13
  1.    31 May 2016 #11
    Join Date : Jul 2015
    California
    Posts : 203
    Kernel 4.x.x

    Quote Originally Posted by tkrisz0403 View Post
    Thanks for your reply Hydranix. Hopefully you're right and this malware didn't download the payload. Since my first thread, bitsadmin.exe has popped up at least 50 times, and I didn't notice any other issue, but I'm concerned that neither of my anti-virus programs found a relatively well-known malware.

    I'm looking forward to downloading your program and finding out whether my system is compromised or not.
    Sorry, I didn't have time to write it until just now. I made it simpler than originally planned. This program will just wait for bitsadmin and then print its parent process name to a file so we can see what starts it.

    Also, this may not be malware, I'm just always suspicious when it comes to things potentially accessing the internet without consent.

    Here's the program virus scan: Scan

    Here's the program: bitsadmin buster.zip


    To use it, unzip the exe somewhere. Wherever the exe is located is where the text file with the parent's name will be created.
    Run the program and it will ask for admin access, which it requires. If you get a SmartScreen pop-up, hit the "More info" link and then allow it to run.


    Here's the source code, it's fairly basic.

    Code:
    #include <Windows.h>
    #include <TlHelp32.h>
    #include <chrono>
    #include <fstream>
    #include <string>
    #include <thread>
    
    // NtSuspendProcess is not in the public headers; it is resolved from ntdll at run time.
    typedef LONG(NTAPI *NtSuspendProcess)(IN HANDLE procHandle);
    
    void SuspendProcess(DWORD pid);
    bool GetProcInfo(const std::wstring &name, PROCESSENTRY32W &pe32);
    bool GetProcInfo(DWORD pid, PROCESSENTRY32W &pe32);
    
    int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
    {
      std::wstring name(L"bitsadmin.exe");
      PROCESSENTRY32W pe32;
      // Poll the process list until an instance of bitsadmin.exe shows up.
      while (!GetProcInfo(name, pe32))
      {
        std::this_thread::sleep_for(std::chrono::milliseconds(25));
      }
      // Freeze bitsadmin so it does not finish before its parent is looked up.
      SuspendProcess(pe32.th32ProcessID);
      PROCESSENTRY32W p_pe32;
      if (GetProcInfo(pe32.th32ParentProcessID, p_pe32))
      {
        // Written next to the exe: the name of whatever launched bitsadmin.
        std::wofstream file(L"bitsadmin_info.txt");
        if (file.is_open())
        {
          file << L"Parent Process Name: " << p_pe32.szExeFile;
          file.flush();
          file.close();
        }
      }
      else
      {
        return GetLastError();
      }
      return 0;
    }
    
    void SuspendProcess(DWORD pid)
    {
      // PROCESS_SUSPEND_RESUME is all NtSuspendProcess needs; no reason to ask for ALL_ACCESS.
      HANDLE hProc = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, pid);
      if (hProc)
      {
        NtSuspendProcess pNtSuspendProcess =
          (NtSuspendProcess)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtSuspendProcess");
        if (pNtSuspendProcess)
        {
          pNtSuspendProcess(hProc);
        }
        CloseHandle(hProc);
      }
    }
    
    bool GetProcInfo(const std::wstring &name, PROCESSENTRY32W &pe32)
    {
      bool found = false;
      pe32.dwSize = sizeof(PROCESSENTRY32W);
      // CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE (not NULL) on failure.
      HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if (hSnap != INVALID_HANDLE_VALUE)
      {
        if (Process32FirstW(hSnap, &pe32))
        {
          do
          {
            if (name == pe32.szExeFile)
            {
              found = true;
              break;
            }
          } while (Process32NextW(hSnap, &pe32));
        }
        CloseHandle(hSnap);
      }
      return found;
    }
    
    bool GetProcInfo(DWORD pid, PROCESSENTRY32W &pe32)
    {
      bool found = false;
      pe32.dwSize = sizeof(PROCESSENTRY32W);
      HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if (hSnap != INVALID_HANDLE_VALUE)
      {
        if (Process32FirstW(hSnap, &pe32))
        {
          do
          {
            if (pid == pe32.th32ProcessID)
            {
              found = true;
              break;
            }
          } while (Process32NextW(hSnap, &pe32));
        }
        CloseHandle(hSnap);
      }
      return found;
    }
  2.    01 Jun 2016 #12
    Join Date : May 2016
    Posts : 18
    Windows 10
    Thread Starter

    I created a new folder on the Desktop and downloaded the .zip file. After I extracted the file, I ran bitsadmin buster.exe as an Administrator. I also found the program in Background processes. I waited until bitsadmin popped up, but I didn't get an info link or anything, just cmd.exe running with some text (you can see the screenshot). Your program also created a bitsadmin_info.txt file with only one line: "Parent Process Name: cmd.exe". Can you advise me what to do next? Thanks
    [Attached screenshot: bitsadmin.jpg]
  3.    01 Jun 2016 #13

    To see exactly what is downloading from where, use this:

    Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName

    e.g. output:

    Code:
    PS C:\windows\system32> Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName
    http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/crup/2013/11/osfclientintl-es-es_e4fd9148b340b88749168889b6c1d1622142cd1d.cab
    http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/crup/2016/03/filterpack-x-none_abcb4c38ba24d2604f41627e7239ffe874ed328b.cab
    http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/crup/2016/03/exppdf-x-none_d26ff402da11f90e52e2628622ae35aceeb1dfb3.cab
    http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/crup/2016/03/powerpoint-x-none_09f6f08b9fa32d45df0a3ea9aef138fb70c3d796.cab
    http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/crup/2016/03/riched20-x-none_bfbff3fbd92db33dbd6aaf6e40af803f35c366e6.cab
    http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/secu/2016/03/lync-x-none_efb7db8acecd7058aa59396646d40d7bfef8f415.cab
    http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/secu/2016/03/excel-x-none_048fcaebbf5ef27800c68d4231fe9d40f2190fc4.cab
    http://fg.v4.download.windowsupdate.com/c/msdownload/update/software/crup/2016/04/vbe7-x-none_3870756cfe700509a4fb55f98499b0f7c2996b2d.cab
    If nothing is returned, BITS has nothing in its queue. If BitsAdmin is then displaying errors, some rogue app may be trying to transfer files... but that will require some HitmanPro troubleshooting.
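As an added example (not code from the thread or from Microsoft), the following PowerShell script extends the one-liner above: it lists every BITS job with its owner, state, error text and file URLs, and marks any URL whose host is outside an assumed list of expected update domains, so an unexpected transfer stands out instead of being buried among Windows Update cabs. Run it from an elevated PowerShell prompt, since -AllUsers needs administrator rights.

```powershell
# Added example: triage all BITS jobs on the machine and flag unexpected hosts.
# Assumption: these suffixes cover normal Windows/Office update traffic here;
# adjust the list to what is usual on your own network.
$expectedHosts = @('windowsupdate.com', 'microsoft.com', 'windows.com')

function Test-ExpectedHost {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($d in $expectedHosts) {
        if ($h -eq $d -or $h.EndsWith(".$d")) { return $true }
    }
    return $false
}

$jobs = Get-BitsTransfer -AllUsers
if (-not $jobs) {
    Write-Host 'BITS queue is empty: nothing is being transferred.'
    return
}

foreach ($job in $jobs) {
    "`nJob '{0}'  state={1}  owner={2}  created={3}" -f `
        $job.DisplayName, $job.JobState, $job.OwnerAccount, $job.CreationTime
    if ($job.ErrorDescription) { "  error: $($job.ErrorDescription)" }
    foreach ($f in $job.FileList) {
        # '!!' marks a remote host that is not on the expected list.
        $tag = if (Test-ExpectedHost $f.RemoteName) { '   ' } else { '!! ' }
        "  {0}{1} -> {2}" -f $tag, $f.RemoteName, $f.LocalName
    }
}
"`nLines marked '!!' come from hosts outside the expected list; check which job and owner queued them."
```

The owner account and job name tell you which user context and which program queued the transfer, which is more useful than the bare URL list when the parent process only shows up as cmd.exe.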
  4.    01 Jun 2016 #14
    Join Date : May 2016
    Posts : 18
    Windows 10
    Thread Starter

    Where should I use this line?

    "Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName"

    Enter to cmd? or where? Sorry, I'm a beginner.

    Thanks
  5.    01 Jun 2016 #15
    Join Date : Apr 2015
    Posts : 12,942
    W10Prox64

    Quote Originally Posted by tkrisz0403 View Post
    Where should I use this line?

    "Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName"

    Enter to cmd? or where? Sorry, I'm a beginner.

    Thanks
    I think you would right-click on the Start button and select Command Prompt (Admin). Then type in (or copy) this code:

    Code:
    Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName
    Then press ENTER.
  6.    02 Jun 2016 #16
    Join Date : May 2016
    Posts : 18
    Windows 10
    Thread Starter

    Please find attached screenshot.
    [Attached image: error.png]
  7.    02 Jun 2016 #17

    Quote Originally Posted by tkrisz0403 View Post
    Please find attached screenshot.
    [Attached image: error.png]
    Click Start, type powershell, right-click it, and choose Run as administrator.

    [Attached image: Capture.PNG]
  8.    02 Jun 2016 #18
    Join Date : May 2016
    Posts : 18
    Windows 10
    Thread Starter

    [Attached image: power.png]
  9.    02 Jun 2016 #19

    Hmmm... looks like cloudfront.net is the issue. I'm not familiar with that, but see if this helps:
    http://answers.microsoft.com/en-us/p...3b6b4e2?auth=1

    Note: you can get rid of the (non-Windows Update) downloads by using:
    Get-BitsTransfer -AllUsers | Remove-BitsTransfer

    or this in command prompt:

    Code:
    @echo off
    net stop BITS
    ipconfig /flushdns
    del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr0.dat" 
    del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr1.dat" 
    net start BITS
    
    net stop wuauserv
    net start wuauserv
  10.    02 Jun 2016 #20
    Join Date : May 2016
    Posts : 18
    Windows 10
    Thread Starter

    CMD did something.
    [Attached image: cmd.png]