
C:\WINDOWS\Temp\bcdedit.exe


7 replies to this topic

#1 rocknock

rocknock

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:54 PM

Posted 28 December 2013 - 01:42 PM

Hi,

Thanks in advance for any help you may be able to provide.

I am running Windows XP SP3 (fully patched) on a PC and have lately noticed a copy of bcdedit.exe in folder C:\WINDOWS\Temp which has made me a little suspicious that I may have inadvertently picked up some malware. This file seems to be modified on every boot judging by the file's properties.

Until recently I used ZAISS for protection, with regular on-demand scans using MalwareBytes and SpyBot, and haven't had a virus for many years. I have recently changed to PrivateFirewall with Avast Free AV which seem to be working well together and I wonder whether the appearance of bcdedit.exe in the WINDOWS Temp folder may be linked to these installs.
 
I've searched online with no luck apart from a response in German (http://www.trojaner-board.de/146341-bcdedit-exe-c-windows-temp.html) which appears to indicate bcdedit's OK in C:\WINDOWS\Temp - but I'm not convinced. There's nothing on the Avast nor PrivateFirewall forums either.

I have run scans with Avast, TDSSKiller, ASWMBR, MalwareBytes and GMER but they've found nothing.

Anyhow, I've run DDS (as instructed) and can provide the log file. Could you please check whether there appears to be anything untoward with my machine?

Kind regards,

Rock
:)

Edit: Moved topic from Windows XP to the more appropriate forum with DDS log edited out of original topic. ~ Animal

Edited by Animal, 28 December 2013 - 02:32 PM.




#2 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,714 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:06:54 AM

Posted 28 December 2013 - 01:59 PM

I see you removed the DDS log. This type of log is not to be posted in the Windows forums; it should be posted in the Security forums.

 

If you think you may be infected I would suggest starting a topic in the Am I Infected? What Do I Do? forum.  This is a centralized place where advanced members and staff can provide initial assistance with malware removal. If your issues cannot be resolved there, then you will receive further instructions as to what you need to do.
 
Please be patient, I will have a Moderator move your topic to the appropriate forum.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 rocknock

rocknock
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:54 PM

Posted 28 December 2013 - 02:05 PM

Hi dc3,

 

Thanks very much. I'll await a response.

 

Best regards,

 

Rocky


Edited by rocknock, 28 December 2013 - 03:18 PM.


#4 rocknock

rocknock
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:54 PM

Posted 29 December 2013 - 07:31 AM

Hi,

 

I have gone a little farther into when bcdedit.exe was created in C:\WINDOWS\Temp which appears to have been 20/12/2013. This does not tie in to when I installed PrivateFirewall nor the date of Avast's last program update so it looks unlikely that these have created the file.

 

I understand that bcdedit.exe may be created during some software installation procedures, but it's usually safe to delete such instances afterwards. The worrying aspect of this particular copy of bcdedit.exe in C:\WINDOWS\Temp is that it is executed at every boot.

 

Can anyone help as to why this may be?

 

Kind regards,

 

Rock

:)



#5 druthers

druthers

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:54 AM

Posted 01 January 2014 - 12:35 PM

Here's what I know ... ( running Avast 9 updated to version 2014.9.0.2011 ) -

The file 'bcdedit.exe' that's located in C:\Windows\Temp\ is recreated and then run by AvastSvc.exe (unless you block that bcdedit.exe from running), at every Windows startup. So far, blocking bcdedit.exe has caused no noticeable problems.

For me (running Win 7 x64 Ultimate SP1) this all began on or about 2013-12-23, which is the file-date of these two Avast files:

...under: C:\Program Files\AVAST Software\Avast\Setup\ --

ais_cmp_grimefighter-7cd.vpx ... ( 6,524,121 bytes )

...under: C:\Program Files\AVAST Software\Avast\ --

aswJSScan.dll ... ( 6,523,888 bytes )

These two files are part of "avast! GrimeFighter" -- (and both have the same internal file name: aswJSScan.dll) -- and they're both directly involved with the file 'bcdedit.exe', judging by the large number of plain-text references they contain, as you'll see if you search inside them for 'bcdedit'.

I don't know why Avast needs to run bcdedit.exe -- but perhaps it's using bcdedit.exe to look for, block or remove "hidden boot partitions" that could perhaps be created and used by trojans or other malware?

I wonder "if" bcdedit.exe (and the avast! GrimeFighter in general) are normally being run now, on _all_ new Avast installations -- or, is there some reason for Avast to run bcdedit.exe on only some systems?

_______

Note: - There's another thread regarding this new "Avast + bcdedit.exe" issue, found here on the Avast forum:

http://forum.avast.com/index.php?topic=143486.0

 

 

HTH
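The search for 'bcdedit' references inside a binary, as described in the post above, shown as an added example that is not part of the original post. It looks for the string in both ASCII and UTF-16LE, since Windows binaries commonly store strings as UTF-16LE and a plain-text search misses those; the function names and the sample bytes are constructed for illustration.

```python
import re
import sys
from pathlib import Path

PRINTABLE = range(0x20, 0x7F)

def _expand(data, start, end, step, limit=80):
    """Grow [start, end) to the enclosing printable string.
    step=1 for ASCII, step=2 for UTF-16LE (printable byte followed by 0x00)."""
    def ok(i):
        return (i >= 0 and i + step <= len(data) and data[i] in PRINTABLE
                and (step == 1 or data[i + 1] == 0))
    lo, hi = start, end
    while start - lo < limit * step and ok(lo - step):
        lo -= step
    while hi - end < limit * step and ok(hi):
        hi += step
    return lo, hi

def find_references(data, needle="bcdedit"):
    """Return sorted (offset, encoding, surrounding_string) for each hit."""
    hits = []
    for enc, step in (("ascii", 1), ("utf-16-le", 2)):
        # Case-insensitive so 'BCDEdit.exe' and 'bcdedit.exe' both match.
        pat = re.compile(re.escape(needle.encode(enc)), re.IGNORECASE)
        for m in pat.finditer(data):
            lo, hi = _expand(data, m.start(), m.end(), step)
            hits.append((m.start(), enc, data[lo:hi].decode(enc)))
    return sorted(hits)

# Constructed sample bytes (not taken from any Avast file): one ASCII
# reference and one UTF-16LE reference that starts at an odd offset.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 4
          + b"run %s\\bcdedit.exe\x00" + b"\x01\x02"
          + "C:\\Windows\\Temp\\BCDEdit.exe".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    # Scan the files named on the command line, or the sample if none given.
    blobs = {p: Path(p).read_bytes() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for name, blob in blobs.items():
        for off, enc, text in find_references(blob):
            print(f"{name} 0x{off:08x} {enc:9} {text}")
```

Run against a file of interest, each output line gives the offset, the encoding of the hit and the full string around it, which shows whether a reference is a path, a command line or just a log message.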

 



#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:54 AM

Posted 01 January 2014 - 03:30 PM


http://technet.microsoft.com/en-us/library/cc709667(v=ws.10).aspx

Boot Configuration Data (BCD) files provide a store that is used to describe boot applications and boot application settings. The objects and elements in the store effectively replace Boot.ini.

BCDEdit is a command-line tool for managing BCD stores. It can be used for a variety of purposes, including creating new stores, modifying existing stores, adding boot menu options, and so on. BCDEdit serves essentially the same purpose as Bootcfg.exe on earlier versions of Windows, but with two major improvements:



It is not malware and can be cleared.


Empty your temp folders using TFC (Temporary File Cleaner)
  • Please download TFC by Old Timer and save it to your desktop.
    alternate download link
  • Save any unsaved work. (TFC will close ALL open programs including your browser!)
  • Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 druthers

druthers

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:54 AM

Posted 02 January 2014 - 12:15 PM

rocknock wrote:

I am running Windows XP SP3 (fully patched) on a PC and have lately noticed a copy of bcdedit.exe in folder C:\WINDOWS\Temp which has made me a little suspicious that I may have inadvertently picked up some malware. This file seems to be modified on every boot judging by the file's properties.

 

OK, this appears to be the reason that the file 'bcdedit.exe' reappears in folder 'C:\WINDOWS\Temp' after every reboot.

 

This unwanted file appears to be related to the new GrimeFighter (Beta) 'feature' of Avast, which is currently being installed as a hidden option in the latest (updated) Avast 9.0.2011. GrimeFighter (Beta) -- which is still under development -- can be uninstalled, and this should prevent the bcdedit.exe file from reappearing. See:

 

"How to Uninstall GrimeFighter from Avast?"

http://techdows.com/2013/12/uninstall-avast-grimefighter.html

 

( Be sure to delete the file 'bcdedit.exe' before you reboot; rebooting is required as the final step to remove Avast GrimeFighter. That way you'll know if bcdedit.exe has been stopped from reappearing.)

 

 

Let us know if this works for you.

 



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:54 AM

Posted 02 January 2014 - 12:34 PM

The file is discussed in this avast forum topic.

A member of the avast team advised today that they will get rid of it in the next program update...so I would leave the file alone and not worry about it.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
