Not open for further replies.
1 - 2 of 2 Posts

2 Posts
Discussion Starter #1
Noticed that there are several files generated dynamically on the system with the name BIT*.tmp, each of size 20 to 30MB, and they keep increasing in number sequentially until the hard disk is filled. All but the most recent of them can be deleted. When trying to delete the most recent, it gives a message that it's in use, but occasionally it can be deleted. After a few minutes these files reappear, independent of having a net connection.

Please advise on the next course of action.

PASSMA was detected and cleaned by Stinger. I've run ewido, cwsweeper, Ad-Aware, Spybot and finally HKT log enclosed...
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at

***Security Programs Detected***

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\\Shared\mcappins.exe /v=3 /cleanup
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe


Logfile of HijackThis v1.99.1
Scan saved at 3:53:24 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
d:\antispyware\ewido\security suite\ewidoctrl.exe
d:\antispyware\ewido\security suite\ewidoguard.exe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
C:\Program Files\PLANEX\bRoad Lanner Wave\N11BCFG.exe
D:\Program Files\WordWeb\wweb32.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=;gopher=;http=;https=;socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.182.*;<local>
O1 - Hosts: '
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\antispyware\Spybot-Search&Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ ASaP] C:\WINDOWS\myCIO\Agent\myAgtTry.Exe
O4 - HKLM\..\Run: [ Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\\agent\mcregwiz.hwd /autorun
O4 - HKCU\..\Run: [RediffAlerter] C:\Program Files\\Alerter\alerter.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\antispyware\Spybot-Search&Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Planex GW-NS11X utility.lnk = C:\Program Files\PLANEX\bRoad Lanner Wave\N11BCFG.exe
O4 - Global Startup: WordWeb.lnk = D:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Download with &DAP - .\dapextie.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) -,0,0,90/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -,0,0,23/
O17 - HKLM\System\CCS\Services\Tcpip\..\{02E1A4A8-6076-4A5B-9ACB-4E95D190F2E9}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DF005C0-889A-43C6-924E-D7D3C15EA46E}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{B78AD143-C6AF-4362-8A32-5C46D75EB19F}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFDB818C-6F69-4D82-BDB1-48FE7F5E69E8}: NameServer =,,
O17 - HKLM\System\CS1\Services\Tcpip\..\{02E1A4A8-6076-4A5B-9ACB-4E95D190F2E9}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\..\{02E1A4A8-6076-4A5B-9ACB-4E95D190F2E9}: NameServer =,
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.7.1.248.dll
O23 - Service: ANTS Load distributed test service (ANTSLoad) - Unknown owner - D:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
O23 - Service: AXMail Server (AXMail) - Unknown owner - C:\Program Files\Axxonet Solutions\AxMail ver 1.0\bin\AXMail.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - d:\antispyware\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\antispyware\ewido\security suite\ewidoguard.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINDOWS\myCIO\VScan\McShield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\\Agent\mcupdmgr.exe (file missing)
O23 - Service: VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\\vso\mcvsrte.exe
O23 - Service: McAfee Agent (myAgtSvc) - Network Associates, Inc. - C:\WINDOWS\myCIO\Agent\myAgtSvc.Exe
O23 - Service: MySql - Unknown owner - C:/apache/mysql/bin/mysqld-nt.exe
O23 - Service: SVNService - Unknown owner - D:\Subversion\bin\SVNService.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Xdrive Service (XdriveService) - Unknown owner - C:\Program Files\XdriveNT\xdService.exe

End of KRC HijackThis Analyzer Log.

Premium Member
14,311 Posts
One of your programs might be creating those BIT*.tmp files. Can you upload one or two of them to and see what it reports back?