anyone know what this file is?

Going through my documents and settings local settings temp folder I stumbled across a 7mb file called bitf8.tmp. Does anyone know what this file relates to or if it’s of any danger? (tried to scan it with av, didn’t appear to be a virus).

Since it is in the Temp folder and is a .tmp (temporary) file I see no problem with deleting it or clearing your temporary folders.
If it is greater than a day old, even less of a problem removing it. If it is in use (which I doubt), Windows won’t let you delete it and will tell you it is in use.

Well I know it’s used by my internet connection, whenever internet is on then I can’t delete it. When I log off then it’s okay to be removed. And then when I log on next then it’s back there.

If you can’t delete it when you are using the internet, then it is in use. There is a little program, WhoLockMe, that will tell you the program that is locking (using) it; from that you can see if it is legit.
http://www.dr-hoiby.com/WhoLockMe/index.php

Okay I dled it and then tried to run it but no window opens up whenever I try and use the wholockme option on bitf8.tmp. Any ideas what’s wrong?

Oh I forgot to mention, it’s also a hidden file.

If you can right click on the file, wholockme should still be able to check it, if no window comes up it is not locked so you should be able to delete it.

However, I have just done some checks on files that I thought would have a lock on them and nothing was displayed, so I’m confused too.

I think you need to delete that file.

Boot your computer in a Safe Mode (by pressing F8 before the Windows loading starts)

Then take the next step:
Open “My Computer”, go to “Tools” → “Folder Options”
After opening it, go to the “View” tab
Then find “Hidden files and folders” and switch the radio button to “Show hidden files and folders”

After all this, find that file and delete it.

Oh gosh, now they’re multiplying. A new file called bit3d.tmp was created, bout same size.

If you delete one and it is a legit program that is creating them, then it will obviously create another one.
Have you any other security programs that might be taking snapshots for roll back/recovery, etc.?
Because 7MB ish is a very large file with the ‘bit’ at the start of the file being the only common factor in the naming, is there any program that it might be, such as BitDefender, clutching at straws here but I’m running out of ideas. Google doesn’t return anything on either file name.
Is there anything in Task Manager that looks strange?

Did you run a boot time scanning?
Can you boot in SafeMode and scan from there?
Did you run antispyware cleaning (ad-aware, spybot, etc.)?

I am currently running Spybot, ad-aware, spywareblaster, avast, zone alarm, and recently micro trend anti spyware (the latter was installed today). I’ve run all these things to no avail, the files continue to spawn.

I haven’t tried boot time scanning yet and am quite unfamiliar with what it is.

I’ve yet to try scanning in safe mode.

Are you using Windows XP? If so, start avast antivirus, right click the skin and choose the ‘boot time scanning’.
Set it to scan archive files and to prompt on infections.
Boot.
If you could, post the name of the infected file here using another computer.
If you can’t use a second computer, just ‘move’ the file to a known folder.

and recently micro trend anti spyware (the latter was installed today)
I'm not sure if this may or may not conflict with avast, if it is a resident on-access style scanner then both avast and trend anti-spyware could be fighting over any infected file. This however wouldn't account for the 7mb temp file.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

Or post the contents of the log file here.

Well I just uninstalled anti spyware then did a scan on safe mode. Nothing showed up.

I’ve managed to stop the files from spawning by stopping the BIT service through administrative tools.

As for the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:28:24 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\hijack\y\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120702999156
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FFA7F00-559E-46AA-862B-2EFD4A49FF0F}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FFA7F00-559E-46AA-862B-2EFD4A49FF0F}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Did the boot scan and nothing showed.

I’ll really suggest an online scanning…

http://www.virustotal.com/flash/index_en.html or http://www.kaspersky.com/virusscanner
See either: http://www.mwti.net/antivirus/mwav.asp or http://www.security-ops.tk

Other: TrendMicro Housecall, Bit Defender, F-Secure (ActiveX required).

I have my Background Intelligent Transfer Service set to manual so if a program needs it like Windows Update it can be started. If the file is indeed created by the BITS service, then I doubt you have a problem.

The log looks ok, other than check:
The 017 entries are fine provided the IP address relates to your ISP or who you connect through.

OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US

ReferralServer: rwhois://rwhois.level3.net:4321

NetRange: 209.244.0.0 - 209.247.255.255
CIDR: 209.244.0.0/14
NetName: LEVEL3-CIDR
NetHandle: NET-209-244-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LEVEL3.NET
NameServer: NS2.LEVEL3.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1998-05-22
Updated: 2001-05-30
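
The O17 check described in the post above, as an added example that is not part of the original thread: it pulls the NameServer addresses out of HijackThis O17 lines and reports any that fall outside a list of network ranges the reader expects. The function names are hypothetical, the sample lines are copied from the log posted here, and the expected range used in the demo is simply the CIDR from the whois output above; which ranges really belong to your ISP is something you have to establish yourself.

```python
import ipaddress
import re

# Sample input: three lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FFA7F00-559E-46AA-862B-2EFD4A49FF0F}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FFA7F00-559E-46AA-862B-2EFD4A49FF0F}: NameServer = 209.244.0.3 209.244.0.4
"""

# "O17 - <registry key>: NameServer = <one or more addresses>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def o17_nameservers(log_text):
    """Return {registry key: [address, ...]} for every O17 NameServer line."""
    found = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # Addresses may be separated by spaces or commas.
            servers = re.split(r"[ ,]+", m.group("servers").strip())
            found[m.group("key")] = [s for s in servers if s]
    return found


def unexpected_nameservers(log_text, expected_cidrs):
    """List (key, address, reason) for DNS servers outside expected_cidrs."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    flagged = []
    for key, servers in o17_nameservers(log_text).items():
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                flagged.append((key, s, "not an IP address"))
                continue
            if not any(addr in n for n in nets):
                flagged.append((key, s, "outside expected ranges"))
    return flagged


if __name__ == "__main__":
    # Assumption: the reader has decided that this range (from the whois
    # output in the thread) is one their connection legitimately uses.
    for key, addr, reason in unexpected_nameservers(SAMPLE_LOG, ["209.244.0.0/14"]):
        print(f"{addr}: {reason} ({key})")
```

An empty result means every configured DNS server sits inside a range you listed; anything printed is an address to look up with whois before deciding whether the entry is legitimate.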

Uhhh… I know my ISP is based in NY and I’m in Arizona and those numbers don’t come anywhere near matching my IP address. I just called a couple of folks in tech support and they don’t know anything about it; they passed my number along to administrators. Going off topic, any cause for concern from this?

Well I tried to delete the two 017 files via hijack but they came back.