[9.0.2011] running bcdedit.exe at startup?

system · 2013-12-26T20:56:22.000Z

bruce_b post:5:

I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp … not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side affect of some update by Avast or not.

Thanks

It’s Avast. It just keeps messing with your OS. I’m going back to the previous version.

NON · 2013-12-26T23:39:24.000Z

Thank you for all your answers and advices.

I myself did not consider this is a malicious behavior, just wondering why this is needed.
Now I suppose this is related to GrimeFigher, as it is some kind of Linux system and might need a change of boot configuration.

magna86 post:3:

http://technet.microsoft.com/en-us/library/cc709667(v=ws.10).aspx
If Online Armor telling that avast wanna configure BCD, then we must assume that this action is legitimate. But such action can easily be malicious as well.

Do you wish to check that? FRST shall resolved the mystery. Or you/we can clean temp files. All files in %temp% should be safe to remove. This CMD commands shall attempt to clean files from %temp% folder:

CMD (aka command prompt) > type:
DEL %TEMP%\*.* /F /S /Q
Enter and then type …
CMD: RD /S /Q %TEMP%
Enter …

Thanks for the advice.
I deleted all TEMP files and rebooted the computer. Then, bcdedit.exe is created again.

Could you tell me how to use FRST tool?

ank91 post:4:

But i m sure it comes from avast’s “AvastEmUpdate.exe”.

Strange, Online Armor says it’s from AvastSvc.exe not AvastEmUpdate.exe…

bruce_b post:5:

I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp … not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side affect of some update by Avast or not.

I also don’t have any troubles about it.

I hope I have a clarification from avast! team about what this behavior is.
It is not my wish to make any criticism or rant towards avast!

magna86 · 2013-12-26T23:45:34.000Z

@ ank91
I did not say that BCDedit.exe is the malicious origin (although it could be if file isn’t where is supposed to be) but changes BCD (activity itself) may be malicious and legitimate origin.

@NON

Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

NON · 2013-12-27T00:08:52.000Z

Thanks magna64, much appreciated.

FRST.txt and Addition.txt are attached.

magna86 · 2013-12-27T00:41:40.000Z

@NON

May we please continue tomorow? I’m tired …

NON · 2013-12-27T04:14:25.000Z

magna86 post:10:

@NON

May we please continue tomorow? I’m tired …

Please take your time, this is not urgent

magna86 · 2013-12-27T12:51:43.000Z

Hey NON,

FRST doesn’t show active malware. Yes I see changes in BCD but in my opinion you do not need to pay attention on these changes, also as edit BCD may lead system in non-boot state.

There are no loaded files in %temp%, nor BCDEdit.exe in temp and that was the question right?

Unrelated to this case, you may use TFC to clean all your temp folders.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Also, download and run CCleaner if you will to clean some leftover registry keys.

You may delete FRST.exe (drag & drop FRST icon into recycle). C:\FRST <= folder you may delete or you may keep as \Hivs folder contains healthy registry hivs backup.

I hope I at least helped a little.

NON · 2013-12-27T14:51:10.000Z

Thank you for checking.
I’m glad my mobile machine seems clean

I blocked BCDEdit.exe in temp folder when OnlineArmor asked me to decide, so it could be the reason of the file not-loading / not-existing.

system · 2014-01-01T10:07:24.000Z

What is Avast doing with BCDEDIT?

How can I stop this? Avast should not mess up my boot-config.

And BCDEDIT in TEMP (6.1.7600.16385) is not the same as in WinSXS (6.1.7601.17514) - suspicious?

system · 2014-01-01T15:15:35.000Z

it is not suspicious.
actualy the bcdedit in your temp is old version.
it is from win 7 sp0.

do you have grime fighter installed?

system · 2014-01-01T18:33:06.000Z

Excuse me, but if something is running an older version of a system program that’s already been updated by a service pack from your TEMP folder the yes, it’s most certainly suspicious activity - unless you know for certain it’s supposed to work that way. That knowledge changes it from “suspicious” to “awfully rinky dink”, though. Is Avast really doing this?

FYI, I don’t have a BCDEdit.exe in my TEMP folder.

-Noel

system · 2014-01-01T20:28:10.000Z

It’s actually a good way to make changes to boot configurations for your software…

If you understand what BCDEdit does, and you know Avast is running it, it should not be a concern.

system · 2014-01-01T20:49:46.000Z

Of course there’s no problem with software using parts of the operating system to do its work.

The “suspicious” aspect would come in if something were to write a copy of an outdated operating system tool into the TEMP folder and execute it from there. Malware more often does stuff like that.

Not to mention that redistributing parts of Windows that way would likely be illegal.

Given what others have written above, it’s possible that it was just a coincidence that Avast0815User happened to have an older copy of BCDEdit.exe in the TEMP folder. Perhaps Avast sets its current folder to TEMP when it runs. I’ve not observed any Windows update / installation process that left a copy of BCDEdit.exe in the TEMP folder, though.

-Noel

system · 2014-01-01T21:52:22.000Z

aswAR.dll and aswEngin.dll reference BCDEdit.

Thanks to NirSoft’s SearchMyFiles utility…

system · 2014-01-01T23:11:16.000Z

NoelC post:16:

Excuse me, but if something is running an older version of a system program that’s already been updated by a service pack from your TEMP folder the yes, it’s most certainly suspicious activity

I agree, and if it were to be done intentionally by any brand product, then it would indicate very poor design concept indeed.

system · 2014-01-02T00:17:11.000Z

olddog post:20:

NoelC post:16:

Excuse me, but if something is running an older version of a system program that’s already been updated by a service pack from your TEMP folder the yes, it’s most certainly suspicious activity

I agree, and if it were to be done intentionally by any brand product, then it would indicate very poor design concept indeed.

It’s also possible that the “older” version is the only one fully compatible with all supported versions of Windows.

OndraP · 2014-01-02T08:14:46.000Z

Hi guys, bcdedit.exe is currently used by avast! GrimeFighter. We will get rid of it (bcdedit :)) in next program update.

Thanks

NON · 2014-01-02T09:54:31.000Z

alquist post:22:

Hi guys, bcdedit.exe is currently used by avast! GrimeFighter. We will get rid of it (bcdedit :)) in next program update.

Many thanks alquist for clarification. I’m glad avast! team is now taken part in my thread
Now we’re clear what it does and what it will be

system · 2014-01-02T13:20:15.000Z

alquist post:22:

Hi guys, bcdedit.exe is currently used by avast! GrimeFighter. We will get rid of it (bcdedit :)) in next program update.

Thanks for the explanation alquist

system · 2014-01-05T09:43:59.000Z

As someone mentioned GrimeFigher I checked the menu “tools”, but only rescue medium was listed as active.
Sandbox, firewall and safezone listed as optional items (showing plus symbol with green background when hovering over it).

Then I checked “programs and software” in control panel, clicked Avast and “deinstall/repair” and (surprise, surprise) GrimeFighter was checked!
Unchecked it, run setup, reboot and the revenant bcdedit.exe is gone!

Announcements