Windows 10: Bitsadmin pops up randomly and immediately disappears.

Bitsadmin window pops up in every hour/50 minutes and immediately disappear which is very annoying. I've run KasperskyTotal Security and Malwarebytes but they have not found the problem. I made a screenshot from the problem. Any help would be appreciated.





:)

 

maybe virus issues,also microsoft edge dissappeared,and unable to reset my pc.Help.

oh my god stressing here.i am hoping some kind being can guide me through as of the last few days I was having issues with two lap tops one I think has a virus as a pop up keeps showing BITSADMIN version 3.0 bitsadmin is depreciated etc and shows up every
hour,now am having issues with other lap top Microsoft edge has disappeared and i am unable to reset it or restore etc can anyone please help with all my problems???

 

Settings

I cannot run "Settings". The box pops up then disappears immediately. Can't even adjust my wallpaper... Any help?

 

Can anyone help me with this issue? Thanks in advance

 

Can anyone help me with this issue? Thanks in advance

 

Hi:

I can't provide specific help, but perhaps this recent thread has some advice?
Bitsadmin pops up randomly and immediately disappears. - Windows 10 Forums

HTH,
MM

 

Thanks, your help MoxieMomma. I've asked for help under that thread, but I was advised to open a new thread.

 

Oh, I see.
OOPS.
My bad.
Sorry -- I didn't read the entire thread or notice that you had posted there.
I merely mentioned it because the topic was the same.
Yes, it is best to start one's own topic for such matters.

I hope someone will be able to assist you.

Good luck,*Smile
MM

 

Hopefully @Superfly will pop in here to help. This is a bit greek to me. *Smile

 

It would be fantastic *Smile

 

Your system might be compromised.

For those that don't know, bitsadmin.exe is a part of the Windows operating system. It's used for downloading or uploading things from remote servers.

It's pretty much useless for and will never once be used directly by most users. It has in the past been a very popular target for a type of malware known as a "dropper". This malware is usually a very small executable which is designed first the evade anti-virus, and second to download the "payload" of malware which does the real damage.

Since bitsadmin.exe is a legitimate system executable, it can slip past the firewall, and not raise any alarms since the unsigned malware executable isn't actually downloading anything, bitsadmin.exe is.

This method is far less common today than it was 5 years ago, which makes me think that you might have a dropper on your machine but it's remote servers do not exists anymore and as such, it cannot download payload. (this is just a guess based on only the very limited information available in this thread.)


So for us to be sure, I'm writing a program which I will post here when I'm done. This program will actively monitor your system's processes until be finds bitsadmin.exe being executed, at which point it will freeze that process, determine the parent process, and if it is not a critical process, suspend that one too. Then it will gather up a bunch of info and dump it into a .txt file for you to post back here. Then at least we'll have a little more info and hopefully determine if you're compromised or not.

Just give me minute to finish writing it.

 

Thanks for your reply Hydranix. Hopefully, you're right, and this malware didn't download the payload. Since my first thread, bitsadmin.exe popped up at least 50 times, and I didn't notice any other issue but I'm concerned that neither of my anti-virus programs did not find a relatively well-known malware.

I'm looking forward to downloading your program and find out whether my system is compromised or not.

 

Sorry, I didn't have time to write it until just now. I made it simpler than originally planned. This program will just wait for bitsadmin and then print its parent process name to a file so we can see what starts it.

Also, this may not be malware, I'm just always suspicious when it comes to things potentially accessing the internet without consent.

Here's the program virus scan:Scan

Here's the program: bitsadmin buster.zip


To use it, unzip the exe somewhere. Where ever the exe is, is where the text file with parents name will be created.
Run the program and it will ask for admin access, which it requires. If you get a smartscreen pop up, hit more info link and then allow it to run.


Here's the source code, its fairly basic.

Code: #include <Windows.h> #include <TlHelp32.h> #include <fstream> #include <string> #include <thread> typedef LONG(NTAPI *NtSuspendProcess)(IN HANDLE procHandle); void SuspendProcess(DWORD pid); bool GetProcInfo(const std::wstring name, PROCESSENTRY32 &pe32); bool GetProcInfo(DWORD pid, PROCESSENTRY32 &pe32); int WINAPI WinMain(HINSTANCE, HINSTANCE, char*, int) { std::wstring name(L"bitsadmin.exe"); PROCESSENTRY32 pe32; while (!GetProcInfo(name, pe32)) { std::this_thread::sleep_for(std::chrono::milliseconds(25)); } SuspendProcess(pe32.th32ProcessID); PROCESSENTRY32 p_pe32; if (GetProcInfo(pe32.th32ParentProcessID, p_pe32)) { std::wofstream file(L"bitsadmin_info.txt"); if (file.is_open()) { file << L"Parent Process Name: " << p_pe32.szExeFile; file.flush(); file.close(); } } else { return GetLastError(); } return 0; } void SuspendProcess(DWORD pid) { HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); if (hProc) { NtSuspendProcess pNtSuspendProcess = (NtSuspendProcess)GetProcAddress(GetModuleHandle(L"ntdll"), "NtSuspendProcess"); pNtSuspendProcess(hProc); CloseHandle(hProc); } } bool GetProcInfo(const std::wstring name, PROCESSENTRY32 &pe32) { bool found = false; HANDLE hSnap; pe32.dwSize = sizeof(PROCESSENTRY32); hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSnap) { if (Process32First(hSnap, &pe32)) { do { if (name == pe32.szExeFile) { found = true; break; } } while (Process32NextW(hSnap, &pe32)); } CloseHandle(hSnap); } return found; } bool GetProcInfo(DWORD pid, PROCESSENTRY32 &pe32) { bool found = false; HANDLE hSnap; pe32.dwSize = sizeof(PROCESSENTRY32); hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSnap) { if (Process32First(hSnap, &pe32)) { do { if (pid == pe32.th32ProcessID) { found = true; break; } } while (Process32NextW(hSnap, &pe32)); } CloseHandle(hSnap); } return found; }[/quote]

 

I created a new folder on Desktop and downloaded the .zip file. After I extracted the file, I run the bitsdadmin buster.exe as an Administrator. I also found the program in Background processes. I waited until bitsadmin popped up but I didn't get an info link or anything just the cmd.exe running with some text.(You can see screenshot) Your program also created a bitsadmin_info.txt file with only one line "Parent Process Name: cmd.exe". Can you advise me what to do next? Thanks

 

to see exactly what is downloading from where, use this:

Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName

eg: output

Code: PS C:\windows\system32> Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName http://fg.v4.download.windowsupdate...entintl-es-es_e4fd9148b340b88749168889b6c1d16 22142cd1d.cab http://fg.v4.download.windowsupdate...pack-x-none_abcb4c38ba24d2604f41627e7239ffe87 4ed328b.cab http://fg.v4.download.windowsupdate...-x-none_d26ff402da11f90e52e2628622ae35aceeb1d fb3.cab http://fg.v4.download.windowsupdate...oint-x-none_09f6f08b9fa32d45df0a3ea9aef138fb7 0c3d796.cab http://fg.v4.download.windowsupdate...20-x-none_bfbff3fbd92db33dbd6aaf6e40af803f35c 366e6.cab http://fg.v4.download.windowsupdate...-none_efb7db8acecd7058aa59396646d40d7bfef8f41 5.cab http://fg.v4.download.windowsupdate...x-none_048fcaebbf5ef27800c68d4231fe9d40f2190f c4.cab http://fg.v4.download.windowsupdate...-none_3870756cfe700509a4fb55f98499b0f7c2996b2 d.cab[/quote] If nothing is returned, BITS has nothing in it's queue. If then BitAdmin is displaying errors, some rogue app may be trying to transfer files... but that will require some HitmanPro troubleshooting.