[9.0.2011] running bcdedit.exe at startup?

NON · 2013-12-26T11:40:32.000Z

After updating to 9.0.2011, Online Armor is repeatedly asking that AvastSvc.exe is trying to run bcdedit.exe from temporary directory.

What is this behavior?

Windows Vista SP2 32bit / avast! 2014 Free 9.0.2011 / Online Armor Free

system · 2013-12-26T11:48:04.000Z

yes, i can confirm that.
i m on win xp, and there is no reason to run Bcdedit.exe on xp.
and it avast 9.0.2011 free .

magna86 · 2013-12-26T12:38:58.000Z

http://technet.microsoft.com/en-us/library/cc709667(v=ws.10).aspx
If Online Armor telling that avast wanna configure BCD, then we must assume that this action is legitimate. But such action can easily be malicious as well.

Do you wish to check that? FRST shall resolved the mystery. Or you/we can clean temp files. All files in %temp% should be safe to remove. This CMD commands shall attempt to clean files from %temp% folder:

CMD (aka command prompt) > type:

DEL %TEMP%\*.* /F /S /Q

Enter and then type …

CMD: RD /S /Q %TEMP%

Enter …

system · 2013-12-26T14:24:15.000Z

@magna86

The file is NOT malicious, checked with online scanner.
But i m sure it comes from avast’s “AvastEmUpdate.exe”.

I use ccleaner frequently, and my TEMP folder seems to be clean always.

I m just curious why avast extract and running bcdedit.exe at logon.

I know about bcdedit ,it is command line to configure bcd database. It was introduced in vista and still being used in win8.1.

bruceb · 2013-12-26T19:23:22.000Z

I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp … not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side affect of some update by Avast or not.

Thanks

system · 2013-12-26T20:56:22.000Z

bruce_b post:5:

I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp … not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side affect of some update by Avast or not.

Thanks

It’s Avast. It just keeps messing with your OS. I’m going back to the previous version.

NON · 2013-12-26T23:39:24.000Z

Thank you for all your answers and advices.

I myself did not consider this is a malicious behavior, just wondering why this is needed.
Now I suppose this is related to GrimeFigher, as it is some kind of Linux system and might need a change of boot configuration.

magna86 post:3:

http://technet.microsoft.com/en-us/library/cc709667(v=ws.10).aspx
If Online Armor telling that avast wanna configure BCD, then we must assume that this action is legitimate. But such action can easily be malicious as well.

Do you wish to check that? FRST shall resolved the mystery. Or you/we can clean temp files. All files in %temp% should be safe to remove. This CMD commands shall attempt to clean files from %temp% folder:

CMD (aka command prompt) > type:
DEL %TEMP%\*.* /F /S /Q
Enter and then type …
CMD: RD /S /Q %TEMP%
Enter …

Thanks for the advice.
I deleted all TEMP files and rebooted the computer. Then, bcdedit.exe is created again.

Could you tell me how to use FRST tool?

ank91 post:4:

But i m sure it comes from avast’s “AvastEmUpdate.exe”.

Strange, Online Armor says it’s from AvastSvc.exe not AvastEmUpdate.exe…

bruce_b post:5:

I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp … not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side affect of some update by Avast or not.

I also don’t have any troubles about it.

I hope I have a clarification from avast! team about what this behavior is.
It is not my wish to make any criticism or rant towards avast!

magna86 · 2013-12-26T23:45:34.000Z

@ ank91
I did not say that BCDedit.exe is the malicious origin (although it could be if file isn’t where is supposed to be) but changes BCD (activity itself) may be malicious and legitimate origin.

@NON

Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

NON · 2013-12-27T00:08:52.000Z

Thanks magna64, much appreciated.

FRST.txt and Addition.txt are attached.

magna86 · 2013-12-27T00:41:40.000Z

@NON

May we please continue tomorow? I’m tired …

NON · 2013-12-27T04:14:25.000Z

magna86 post:10:

@NON

May we please continue tomorow? I’m tired …

Please take your time, this is not urgent

magna86 · 2013-12-27T12:51:43.000Z

Hey NON,

FRST doesn’t show active malware. Yes I see changes in BCD but in my opinion you do not need to pay attention on these changes, also as edit BCD may lead system in non-boot state.

There are no loaded files in %temp%, nor BCDEdit.exe in temp and that was the question right?

Unrelated to this case, you may use TFC to clean all your temp folders.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Also, download and run CCleaner if you will to clean some leftover registry keys.

You may delete FRST.exe (drag & drop FRST icon into recycle). C:\FRST <= folder you may delete or you may keep as \Hivs folder contains healthy registry hivs backup.

I hope I at least helped a little.

NON · 2013-12-27T14:51:10.000Z

Thank you for checking.
I’m glad my mobile machine seems clean

I blocked BCDEdit.exe in temp folder when OnlineArmor asked me to decide, so it could be the reason of the file not-loading / not-existing.

system · 2014-01-01T10:07:24.000Z

What is Avast doing with BCDEDIT?

How can I stop this? Avast should not mess up my boot-config.

And BCDEDIT in TEMP (6.1.7600.16385) is not the same as in WinSXS (6.1.7601.17514) - suspicious?

system · 2014-01-01T15:15:35.000Z

it is not suspicious.
actualy the bcdedit in your temp is old version.
it is from win 7 sp0.

do you have grime fighter installed?

system · 2014-01-01T18:33:06.000Z

Excuse me, but if something is running an older version of a system program that’s already been updated by a service pack from your TEMP folder the yes, it’s most certainly suspicious activity - unless you know for certain it’s supposed to work that way. That knowledge changes it from “suspicious” to “awfully rinky dink”, though. Is Avast really doing this?

FYI, I don’t have a BCDEdit.exe in my TEMP folder.

-Noel

system · 2014-01-01T20:28:10.000Z

It’s actually a good way to make changes to boot configurations for your software…

If you understand what BCDEdit does, and you know Avast is running it, it should not be a concern.

system · 2014-01-01T20:49:46.000Z

Of course there’s no problem with software using parts of the operating system to do its work.

The “suspicious” aspect would come in if something were to write a copy of an outdated operating system tool into the TEMP folder and execute it from there. Malware more often does stuff like that.

Not to mention that redistributing parts of Windows that way would likely be illegal.

Given what others have written above, it’s possible that it was just a coincidence that Avast0815User happened to have an older copy of BCDEdit.exe in the TEMP folder. Perhaps Avast sets its current folder to TEMP when it runs. I’ve not observed any Windows update / installation process that left a copy of BCDEdit.exe in the TEMP folder, though.

-Noel

system · 2014-01-01T21:52:22.000Z

aswAR.dll and aswEngin.dll reference BCDEdit.

Thanks to NirSoft’s SearchMyFiles utility…

system · 2014-01-01T23:11:16.000Z

NoelC post:16:

Excuse me, but if something is running an older version of a system program that’s already been updated by a service pack from your TEMP folder the yes, it’s most certainly suspicious activity

I agree, and if it were to be done intentionally by any brand product, then it would indicate very poor design concept indeed.

Announcements