Bitsjobs cmd prompt random pop ups  

nicpo said:

I have also checked task scheduler and it doesn't register.

It happens every hour 04:02 05:02 etc.

Thanks

Hi nicpo and welcome to Tenforums.

We've got a few threads on this problem. Basically you need to see what, if anything it's downloading. Then if there are errors, we would need to troubleshoot for infection.

Here are the threads:
Solved Bitsadmin pops up randomly and immediately disappears. - Page 2 - Windows 10 Forums
(see post #17)

Bitsadmin pops up randomly and immediately disappears. - Windows 10 Forums

Bitsadmin pops up for just a second and vanishes. - Windows 10 Forums
@Superfly is the one to help with the BITS information. I can help with cleaning.

It would help to know if you identified exactly what infection you had on the system as well.

Yup, as @simrick suggested - check those threads out - one of the methods should rid you of the remnants of whatever infection was there.

I ran ADWcleaner this is the log

Code:

# AdwCleaner v5.201 - Logfile created 12/08/2016 at 17:15:03
# Updated 30/06/2016 by ToolsLib
# Database : 2016-08-12.1 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Alex - ALEX
# Running from : C:\Users\Alex\Downloads\adwcleaner_5.201.exe
# Option : Scan
# Support : ToolsLib - Forum: Ask for help or share your experience.


***** [ Services ] *****


Service Found : SMUpd


***** [ Folders ] *****


Folder Found : C:\Program Files (x86)\elansurfer
Folder Found : C:\Program Files (x86)\35444335-1470682019-4E35-5433-D0BF9C9BFD0A
Folder Found : C:\Users\Alex\AppData\Local\Temp\MPC
Folder Found : C:\Users\Alex\AppData\LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}
Folder Found : C:\Users\Alex\AppData\Roaming\MCorp
Folder Found : C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YSPackage
Folder Found : C:\Program Files\Common Files\Noobzo
Folder Found : C:\Users\Alex\AppData\Roaming\MCorp
Folder Found : C:\uninst
Folder Found : C:\Program Files (x86)\host


***** [ Files ] *****


File Found : C:\END
File Found : C:\Users\Alex\AppData\Local\Temp\zdengine.log
File Found : C:\Users\Alex\AppData\Local\Temp\ziengine.ini.log


***** [ DLL ] *****




***** [ WMI ] *****




***** [ Shortcuts ] *****




***** [ Scheduled tasks ] *****




***** [ Registry ] *****


Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Found : HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
Key Found : HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}
Key Found : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\zdwfp
Key Found : HKLM\SOFTWARE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9
Key Found : HKCU\Software\Google\Chrome\Extensions\jlcgehabolcakkjhgmgpkagpolbjlhfa
Key Found : HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
Key Found : HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
Key Found : HKLM\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{81CA8FCD-1420-4A07-B47D-B30F3DDA79E1}
Key Found : HKCU\Software\powerpack
Key Found : HKCU\Software\PRODUCTSETUP
Key Found : HKCU\Software\MICROSOFT\OTUT
Key Found : HKCU\Software\Wizzlabs
Key Found : HKCU\Software\MICROSOFT\IDSC
Key Found : HKCU\Software\INSTALLPATH\STATUS
Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKLM\SOFTWARE\SearchModule
Key Found : HKLM\SOFTWARE\OtherSearch
Key Found : [x64] HKLM\SOFTWARE\SearchModule
Key Found : HKU\S-1-5-21-3941189269-3556359273-2650678083-1001\Software\powerpack
Key Found : HKU\S-1-5-21-3941189269-3556359273-2650678083-1001\Software\PRODUCTSETUP
Key Found : HKU\S-1-5-21-3941189269-3556359273-2650678083-1001\Software\MICROSOFT\OTUT
Key Found : HKU\S-1-5-21-3941189269-3556359273-2650678083-1001\Software\Wizzlabs
Key Found : HKU\S-1-5-21-3941189269-3556359273-2650678083-1001\Software\MICROSOFT\IDSC
Key Found : HKU\S-1-5-21-3941189269-3556359273-2650678083-1001\Software\INSTALLPATH\STATUS
Key Found : HKU\S-1-5-21-3941189269-3556359273-2650678083-1001\Software\AppDataLow\Software\adawarebp
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Data Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Data Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKU\S-1-5-21-3941189269-3556359273-2650678083-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Data Found : HKU\S-1-5-21-3941189269-3556359273-2650678083-1001\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mpc.am
Key Found : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\search.mpc.am
Key Found : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mpc.am
Key Found : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\search.mpc.am


***** [ Web browsers ] *****


[C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Found : hxxp://www1.delta-search.com/?affID=120519&babsrc=HP_ss&mntrId=F82F5E95AE021070
[C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Found : hxxp://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN68053831623824720&UM=2
[C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Found : hxxps://uk.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_freaudedtr_16_09&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Dgb%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0D0AyD0D0EtB0C0D0AyB0F0D0E0A0CyCtN0D0Tzu0StCyDtBtDtN1L2XzutAtFtCzztFtCtFtCtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2StDtDyBtCtD0F0E0DtGtC0FzyyDtGyB0D0EtAtGyBzz0CtCtGyB0ByB0EyBtAyC0C0EyDyB0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0Azy0DtByE0C0BtGyDtCtD0AtGyEzyyBtCtGzz0FtDtBtGzy0DyEtBtAtBtAyE0FyBtCyD2QtN0A0LzuyE%26cr%3D784703646%26a%3Dwncy_freaudedtr_16_09%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
[C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : jlcgehabolcakkjhgmgpkagpolbjlhfa
[C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : khnpeclbnipcdacdkhejifenadikeghk
[C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : lfmhcpmkbdkbgbmkjoiopeeegenkdikp
[C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Homepage] Found : hxxp://www1.delta-search.com/?affID=120519&babsrc=HP_ss&mntrId=F82F5E95AE021070


*************************


C:\AdwCleaner\AdwCleaner[S1].txt - [7570 bytes] - [12/08/2016 17:15:03]


########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [7643 bytes] ##########

nicpo said:

I ran powershell with the command code listed. It does nothing, maybe i am trying it wrong as this is new to me sorry.

No, you are not doing anything wrong... it just means there is nothing being transferred via BITS and thus does not display anything. If you are still getting that error go to services and disable bits - if it goes away there is still malware trying download stuff on your PC.

nicpo said:

I do not see BITS listed within services, maybe it is listed as something else?

It's here...

Just looking at your ADWCleaner log:

adawarebp was removed
Ad-Aware Browsing Protection - adawarebp.exe - Program Information
That's your Lavasoft toolbar. I don't think I'd bother with that.

Lots of search redirectors/hijackers/spyware/adware-operated search functions like SearchScopes, Conduit, Wizzlabs (Hostify), delta-search, yahoo, etc.

You'll want to run the following as well, in this order:

RKILL
JRT
MBAR or TDSSKiller
Ccleaner Free - run on all browsers to clean all temp files, history, cache, etc., then run on registry.
(if you're not familiar with this program, let me know)
Flush DNS cache
Then run ADWCleaner one more time.

If at any point in time you need to reboot from one of the tools, please run RKILL again before proceeding, as everything RKILL does is undone by a reboot.

Posting the logs will help determine what was cleaned, what infections were present, and course of action necessary. I'm not seeing anything terribly alarming at this point.

Once finished, an online ESET scan will give the all-clear. Please see detailed instructions here:
BSOD after boot up, during login or right after, (bad spool header?) Solved - Page 3 - Windows 7 Help Forums

Thanks.