Beaker1024

____.tmp file in C:\Windows\SoftwareDistribution\Download\***********


So for some reason yesterday (after 9 months of paid version scanning daily) I had two "trojan" hits.  They are both the same type of file found in:

c:\Windows\SoftwareDistribution\Download\bunch_of_letters_and_numbers_folder

 

The files are both the same size looking like:
BIT61D1.tmp

 

When you open in Notepad they look like normal temp files from MS windows updates being applied.  I decided to upload one to "VirusTotal" and got a full clean (all green check marks) even from MalwareBytes.

 

So I believe they are both Temp files created when I "uninstalled" KB3035583 (didn't want the GWX on my one PC).

 

Since these are just Temp files I figured I'd let my local MalwareBytes go ahead and quarantine both of them just because I don't see it hurting anything.

 

I have a screen capture of VirusTotal saying the tmp file is all clean (0/54).

 

I am also uncertain if the Temp files had any personal data in them so I have requested VirusTotal to remove it when possible.  Like I said MalwareBytes found 2 of these exact same temp files that I believe were generated by the two times I had to uninstall the same KB Win7 update.


Hi,

 

Can you post the malwarebytes log where it shows these detections? That way we can figure out better what triggered this.

 

Thanks!


Here's a copy paste of the log.  Sorry it's in the XML format.  I did change the username, PC name & IP.  The rest I promise is untouched.

 

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2016/02/10 14:35:32 -0500</date>
<logfile>mbam-log-2016-02-10 (14-35-32).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.2.0.1024</version>
<malware-database>v2016.02.10.05</malware-database>
<rootkit-database>v2016.02.08.01</rootkit-database>
<license>premium</license>
<file-protection>enabled</file-protection>
<web-protection>enabled</web-protection>
<self-protection>enabled</self-protection>
</engine>
<system>
<hostname>PC</hostname>
<ip>192.168.1.xx</ip>
<osversion>Windows 7 Service Pack 1</osversion>
<arch>x64</arch>
<username>**Removed**</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>9654</objects>
<time>375</time>
<processes>0</processes>
<modules>0</modules>
<keys>0</keys>
<values>0</values>
<datas>0</datas>
<folders>0</folders>
<files>2</files>
<sectors>0</sectors>
</summary>
<options>
<memory>disabled</memory>
<startup>disabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<file><path>C:\Windows\SoftwareDistribution\Download\b4cfbeff3736ba2990142a0029960c9e\BIT7B5F.tmp</path><vendor>Trojan.Agent.Generic</vendor><action>success</action><hash>917cea75dabf6cca269594559071aa56</hash></file>
<file><path>C:\Windows\SoftwareDistribution\Download\d937e328b45ba30759f04fac28b32b5e\BIT61D1.tmp</path><vendor>Trojan.Agent.Generic</vendor><action>success</action><hash>40cdbba43267a4929d1ed7129a679769</hash></file>
</items>
</mbam-log>
 

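A log in the format posted above can be triaged with a short script; this is an added example, not part of the original thread and not Malwarebytes code. The sample log, its placeholder hashes, the function names and the label strings are constructed, and two things are assumptions: that the folder and file shape seen in the posted paths (32 hex digits, then BITxxxx.tmp) is typical of the update download cache, and that a vendor name ending in ".Generic" marks a generic detection.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample in the shape of the posted log; hashes are placeholders.
SAMPLE_LOG = (
    '<?xml version="1.0" encoding="UTF-16" ?>\n'
    "<mbam-log><summary><files>3</files></summary><items>\n"
    r"<file><path>C:\Windows\SoftwareDistribution\Download"
    r"\0123456789abcdef0123456789abcdef\BIT0001.tmp</path>"
    "<vendor>Trojan.Agent.Generic</vendor><hash>PLACEHOLDER-1</hash></file>\n"
    r"<file><path>C:\Windows\SoftwareDistribution\Download"
    r"\fedcba9876543210fedcba9876543210\BIT0002.tmp</path>"
    "<vendor>Trojan.Example.Family</vendor><hash>PLACEHOLDER-2</hash></file>\n"
    r"<file><path>C:\Users\example\AppData\Local\Temp\BIT0003.tmp</path>"
    "<vendor>Trojan.Agent.Generic</vendor><hash>PLACEHOLDER-3</hash></file>\n"
    "</items></mbam-log>"
)

WU_CACHE = ("c:\\", "windows", "softwaredistribution", "download")
# Assumed from the posted paths: <32 hex digits>\BITxxxx.tmp under the cache.
CACHE_DIR = re.compile(r"[0-9a-f]{32}")
BITS_TMP = re.compile(r"bit[0-9a-f]{1,4}\.tmp")


def in_update_cache(path):
    """True only for <cache>\\<32 hex>\\BITxxxx.tmp, compared case-insensitively."""
    parts = tuple(s.lower() for s in PureWindowsPath(path).parts)
    return (len(parts) == 6 and parts[:4] == WU_CACHE
            and CACHE_DIR.fullmatch(parts[4]) is not None
            and BITS_TMP.fullmatch(parts[5]) is not None)


def triage(log_bytes):
    """Return (rows, count_ok); a label is a review priority, not a verdict."""
    root = ET.fromstring(log_bytes)  # bytes, so the UTF-16 declaration is honoured
    rows = []
    for item in root.iter("file"):
        path = item.findtext("path", "")
        vendor = item.findtext("vendor", "")
        # Assumption: a name ending in ".Generic" is a generic detection.
        generic = vendor.lower().endswith(".generic")
        # Location alone proves nothing: anything can be written to that folder.
        label = ("possible-false-positive" if generic and in_update_cache(path)
                 else "investigate")
        rows.append((label, vendor, item.findtext("hash", ""), path))
    declared = int(root.findtext("summary/files", "0"))
    return rows, declared == len(rows)


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.encode("utf-16"))[0]:
        print(*row, sep="  ")
```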

miekiemoes - Thank you very much!  I'll give it a few days and restore the two files.  Do a custom scan over those folders and see what happens.

 

Thank you again!!
