
MachineLearning/Anomalous.100% - Unsure if this is a false positive?



My last scan came back with one item detected with the following details (also see attached log file):

Name: MachineLearning/Anomalous.100%

Type: File

Location: C:\USERS\[NAME]\APPDATA\LOCAL\TEMP\BIT4704.TMP

I've quarantined and deleted the file several times now but it keeps coming back after a while.

How can I tell if this is a legitimate concern or just a false positive? Also is there any way to determine which program is creating this .tmp file?

All help and advice is appreciated. Thanks!

Scan Results 02-12-21.txt


The file reappeared just after my last post and I tried to delete it again, but directly through File Explorer this time instead of using Malwarebytes. It gives the following message:

The action can't be completed because the file is open in Background Intelligent Transfer Service

I'm not familiar with this service. Again, advice is appreciated.


I've just noticed that there are also several other files with similar names (BITXXXX.tmp) in my Temp folder, but Malwarebytes is only detecting the one I mentioned above. All of the others appear to be older files created several weeks/months ago.

From what I'm reading online it seems that these files are a normal part of the windows BITS service for downloading updates, so the issue here is why only the most recent file is being flagged, and if it is a legitimate issue. I'm hoping that it's just a false positive, but want to be careful.

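Because Explorer reports the file as held open by Background Intelligent Transfer Service, one way to answer "which program is creating this .tmp file" is to list the BITS jobs on the machine and see which job and owner account is writing into that folder. The script below is an added example, not something posted by a participant in this thread; it assumes an elevated PowerShell prompt, and the default `$TargetDir` (the current user's Temp folder) is an assumption to adjust.

```powershell
# Added example: list BITS jobs (all users) that are writing into a given folder.
# Run from an elevated PowerShell prompt; -AllUsers requires administrator rights.
param(
    # Assumption: the folder named in the detection, for the current user profile.
    [string]$TargetDir = (Join-Path $env:LOCALAPPDATA 'Temp')
)

Import-Module BitsTransfer

# Normalise the folder path so it can be compared with each job's destination.
$target = [System.IO.Path]::GetFullPath($TargetDir).TrimEnd('\')

$jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop

$hits = foreach ($job in $jobs) {
    foreach ($file in $job.FileList) {
        if (-not $file.LocalName) { continue }
        $dir = [System.IO.Path]::GetDirectoryName($file.LocalName)
        if ($dir -and $dir.TrimEnd('\') -ieq $target) {
            # One row per file: who owns the job, where it downloads from and to.
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                RemoteName  = $file.RemoteName
                LocalName   = $file.LocalName
            }
        }
    }
}

if ($hits) {
    $hits | Sort-Object Created | Format-List | Out-String
} else {
    "No BITS job currently targets $target"
}

# BIT*.tmp files present in that folder right now, newest first, for comparison
# against the creation times of the jobs listed above.
Get-ChildItem -LiteralPath $target -Filter 'BIT*.tmp' -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize | Out-String
```

The `DisplayName`, `Owner` and `RemoteName` fields show which application queued the transfer and where it downloads from, which is the context needed to judge whether a detection on the temporary file is a false positive.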

Hello @Firstprime

My name is Maurice.

I would like a report set for review. This is a report only.

Please download the MALWAREBYTES MBST Support Tool.

Once you start it, click Advanced >>> then Gather Logs.

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach mbst-grab-results.zip to your reply, like displayed here.
  • To send (upload) attachments please click the "ADD Files" link. Then browse to where your file is located and select it and click the Open button.

 


The set of data from the report will provide much needed information.

Please always attach reports as we go along.

Cheers.

Edited by Maurice Naggar

I just want to take a moment & simply advise that these BIT**.tmp files are in no way related to Windows Update or the Windows BITS service (Background Intelligent Transfer Service).

That is because the folder involved is just not one that Windows Update uses. That said, the flagging of these files may well be a false positive due to an over-aggressive "artificial intelligence" detection component in Malwarebytes. There is no call for undue alarm. I doubt this is any actual "threat". I will guide you as we go along.

Thanks for the report file. I will review it and will have further advice.

 

 


I'd like to ensure your PC has the very latest release version of Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, accept it and let it proceed forward. Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

This is simply a first follow-up.


There was an update available and I have installed it. I ran another scan after the update and it was clean. It looks like the .tmp file in question hasn't re-appeared since the last time I manually deleted it, but I have a feeling it will be back.

I'll keep an eye on it and re-test when/if it does appear. If you can tell me anything else from the data you're reviewing it will be appreciated. Thanks for your help!


11 minutes ago, Maurice Naggar said:

Observation. The recent Malwarebytes scan for today, your 2021-12-02 at your local 15:44:52 reported no malware.

I am in the process of reviewing the rest of the data. More later.

I believe the most recent scan taken before that log file I sent you would have been after I had already deleted the .tmp file and then re-scanned. The detection in question would have appeared on previous scans.


Hi. I do not see any malware or infection on the reports collected and sent. What follows is in the nature of PC housekeeping & a couple of Windows system checks.

One guess on my part is that the BIT*.tmp files may have been some files from a Game, perhaps. Or perhaps some sort of instant-messenger app.

[  1   ]

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2    ]

We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for Firstprime only / for this machine only.

This custom script has some specific things, plus some general aspects to help the system overall.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run the Windows 10 DISM to check the system integrity.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents, and any apps you started yourself before starting this.

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Fixlist.txt


Start Windows Explorer and then go to the Downloads folder.


RIGHT click on FRSTENGLISH.exe and select RUN as Administrator to run the tool. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the More info line on that screen
and click the Run anyway button on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.


Please know this will do a Windows Restart. Just let it run and finish. I will look forward to getting the log.


  • 3 weeks later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
