Author Topic: [9.0.2011] running bcdedit.exe at startup?  (Read 10285 times)

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5496
  • Whatever will be, will be.
[9.0.2011] running bcdedit.exe at startup?
« on: December 26, 2013, 12:40:32 PM »
After updating to 9.0.2011, Online Armor is repeatedly asking that AvastSvc.exe is trying to run bcdedit.exe from temporary directory.

What is this behavior?


Windows Vista SP2 32bit / avast! 2014 Free 9.0.2011 / Online Armor Free
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

I explain Avast settings here. Please have a look if you like.

ank91

  • Guest
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #1 on: December 26, 2013, 12:48:04 PM »
Yes, I can confirm that.
I'm on Win XP, and there is no reason to run Bcdedit.exe on XP.
And it is avast 9.0.2011 Free.
« Last Edit: December 27, 2013, 06:45:02 AM by ank91 »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #2 on: December 26, 2013, 01:38:58 PM »
http://technet.microsoft.com/en-us/library/cc709667%28v=ws.10%29.aspx
If Online Armor is telling you that avast wants to configure BCD, then we must assume that this action is legitimate. But such an action can easily be malicious as well.

Do you wish to check that? FRST shall resolve the mystery. Or you/we can clean temp files. All files in %temp% should be safe to remove. These CMD commands shall attempt to clean files from the %temp% folder:

CMD (aka command prompt) > type:
Code:
DEL %TEMP%\*.* /F /S /Q
Enter and then type ...

Code:
RD /S /Q %TEMP%
Enter ...

ank91

  • Guest
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #3 on: December 26, 2013, 03:24:15 PM »
@magna86

The file is NOT malicious, checked with an online scanner.
But I'm sure it comes from avast's "AvastEmUpdate.exe".

I use CCleaner frequently, and my TEMP folder always seems to be clean.

I'm just curious why avast extracts and runs bcdedit.exe at logon.

I know about bcdedit; it is a command-line tool to configure the BCD database. It was introduced in Vista and is still being used in Win8.1.


Offline bruce_b

  • Sr. Member
  • ****
  • Posts: 333
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #4 on: December 26, 2013, 08:23:22 PM »
I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp ... not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side effect of some update by Avast or not.

Thanks
Dell Dimension 8200 P4 1.8Ghz Windows XP PRO SP3
Avast Free Antivirus 18.8.2356
Toshiba Satellite C855-S5347 Celeron B830 1.8Ghz
Windows 10 Home 64 Bit Version 1909 Build 18363.900
Avast Free Antivirus 20.4.2410 Build 20.4.5312.578

Tetsuo

  • Guest
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #5 on: December 26, 2013, 09:56:22 PM »
I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp ... not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side effect of some update by Avast or not.

Thanks

It's Avast. It just keeps messing with your OS. I'm going back to the previous version.

Offline NON

Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #6 on: December 27, 2013, 12:39:24 AM »
Thank you for all your answers and advice.

I myself did not consider this malicious behavior, I was just wondering why this is needed.
Now I suppose this is related to GrimeFighter, as it is some kind of Linux system and might need a change of boot configuration.

http://technet.microsoft.com/en-us/library/cc709667%28v=ws.10%29.aspx
If Online Armor is telling you that avast wants to configure BCD, then we must assume that this action is legitimate. But such an action can easily be malicious as well.

Do you wish to check that? FRST shall resolve the mystery. Or you/we can clean temp files. All files in %temp% should be safe to remove. These CMD commands shall attempt to clean files from the %temp% folder:

CMD (aka command prompt) > type:
Code:
DEL %TEMP%\*.* /F /S /Q
Enter and then type ...

Code:
RD /S /Q %TEMP%
Enter ...
Thanks for the advice.
I deleted all TEMP files and rebooted the computer. Then, bcdedit.exe is created again.

Could you tell me how to use FRST tool?

But I'm sure it comes from avast's "AvastEmUpdate.exe".
Strange, Online Armor says it's from AvastSvc.exe not AvastEmUpdate.exe...


I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp ... not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side effect of some update by Avast or not.
I also don't have any troubles about it.

I hope I have a clarification from avast! team about what this behavior is.
It is not my wish to make any criticism or rant towards avast!

Offline magna86

Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #7 on: December 27, 2013, 12:45:34 AM »
@ ank91
I did not say that BCDedit.exe is of malicious origin (although it could be if the file isn't where it is supposed to be), but changes to BCD (the activity itself) may be of malicious as well as legitimate origin.

@NON


Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
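
The reply above separates two questions: whether bcdedit.exe is running from where it is supposed to be, and whether the invocation actually changes the BCD. The sketch below is an added example, not part of the thread and not Avast's or FRST's code, that applies both checks to process-creation records. The record fields, the sample paths and command lines are constructed, the expected directory assumes a default C:\Windows install, and the list of write switches is a subset.

```python
import ntpath

# Assumption: default install, %SystemRoot% = C:\Windows.
EXPECTED_DIR = r"c:\windows\system32"
# bcdedit switches that write to the BCD store (subset; /enum only reads).
WRITE_SWITCHES = {"/set", "/deletevalue", "/create", "/delete", "/import",
                  "/default", "/displayorder", "/bootsequence", "/timeout"}


def triage(event):
    """Return the reasons a process-creation record deserves a closer look."""
    image = ntpath.normpath(event["image"]).lower()
    if ntpath.basename(image) != "bcdedit.exe":
        return []
    reasons = []
    # A system-tool name running from any other directory (e.g. a temp folder).
    if ntpath.dirname(image) != EXPECTED_DIR:
        reasons.append("unexpected-path")
    switches = {t.lower() for t in event["cmdline"].split() if t.startswith("/")}
    if switches & WRITE_SWITCHES:
        reasons.append("modifies-bcd")
    return reasons


# Constructed sample records; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"parent": "AvastSvc.exe", "image": r"C:\Windows\Temp\bcdedit.exe",
     "cmdline": "bcdedit.exe /enum all"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} nx OptIn"},
    {"parent": "cmd.exe", "image": r"C:\WINDOWS\system32\BCDEDIT.EXE",
     "cmdline": "bcdedit /enum"},
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def review(events):
    """Return (parent, image, reasons) for every record that was flagged."""
    return [(e["parent"], e["image"], r) for e in events if (r := triage(e))]


if __name__ == "__main__":
    for parent, image, reasons in review(SAMPLE_EVENTS):
        print(f"{parent} -> {image}: {', '.join(reasons)}")
```

A flag is a prompt to look at the parent process and the file itself, not a verdict.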

Offline NON

Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #8 on: December 27, 2013, 01:08:52 AM »
Thanks magna64, much appreciated.

FRST.txt and Addition.txt are attached.

Offline magna86

Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #9 on: December 27, 2013, 01:41:40 AM »
@NON

May we please continue tomorrow? I'm tired ...  :(

Offline NON

Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #10 on: December 27, 2013, 05:14:25 AM »
@NON

May we please continue tomorrow? I'm tired ...  :(
Please take your time, this is not urgent :)

Offline magna86

Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #11 on: December 27, 2013, 01:51:43 PM »
Hey NON,

FRST doesn't show active malware. Yes, I see changes in BCD, but in my opinion you do not need to pay attention to these changes, also as editing BCD may leave the system in a non-bootable state.

There are no loaded files in %temp%, nor BCDEdit.exe in temp, and that was the question, right?

Unrelated to this case, you may use TFC to clean all your temp folders.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Also, download and run CCleaner if you wish to clean some leftover registry keys.

You may delete FRST.exe (drag & drop the FRST icon into the Recycle Bin). C:\FRST <= this folder you may delete, or you may keep it, as the \Hivs folder contains a healthy registry hives backup.



I hope I at least helped a little.  :)

Offline NON

Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #12 on: December 27, 2013, 03:51:10 PM »
Thank you for checking.
I'm glad my mobile machine seems clean :)

I blocked BCDEdit.exe in temp folder when OnlineArmor asked me to decide, so it could be the reason of the file not-loading / not-existing.

Avast0815User

  • Guest
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #13 on: January 01, 2014, 11:07:24 AM »
What is Avast doing with BCDEDIT?

How can I stop this? Avast should not mess up my boot-config.


And BCDEDIT in TEMP (6.1.7600.16385) is not the same as in WinSXS (6.1.7601.17514) - suspicious?



ank91

  • Guest
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #14 on: January 01, 2014, 04:15:35 PM »
It is not suspicious.
Actually the bcdedit in your temp is an old version.
It is from Win 7 SP0.


Do you have Grime Fighter installed?