Hello,
I’m using the latest free version of Avast!
When I run a quick scan or upon rebooting (I can’t tell which), Avast! automatically corrects an entry in the registry that I’ve changed deliberately. I haven’t gone through the logs, but I don’t think it even notifies me about this change. Does anyone know how I can force Avast! to ignore one particular registry modification?
(I’m using Windows XP)
I’ve modified my Explorer.exe with the software called ResHack. I’ve done this for my own use, and not to redistribute or violate any agreements - in fact, the only thing I changed was removing the text that says “start” from the start button because it looks good with the msstyle theme I made.
Rather than replace the original Explorer.exe in C:/Windows, I placed my modified version in C:/Windows/MyShell. Therefore, in LocalMachine/…/Winlogon, the registry entry for what shell Windows loads with needs to point to C:/Windows/MyShell. Avast! is somehow switching this back to C:/Windows without giving me a chance to place it on a whitelist.
Basically it’s a small inconvenience where I wrote a batch script that kills Explorer on logon, and loads C:/Windows/MyShell/Explorer instead, but I never had to do that before I got Avast!.
Thanks for your time.
Interesting…
Well, I can imagine that registry location may be modified if that modified shell executable was detected by mistake (was it?) and removed, but if there was no detection during the scan, it shouldn’t happen.
What exactly did you change the “Shell” registry value to? Was it really C:/Windows/MyShell/Explorer.exe? Or was it rather with backslashes, C:\Windows\MyShell\Explorer.exe? Or something like %SystemRoot%\MyShell.…?
It seems I was incorrect in believing that a Quick Scan in Avast! was auto-correcting the modified entry without informing me.
What I now assume is that running a scheduled boot-time scan was causing this change. I have previously run that type of scan before going to sleep, and as such, would select the option to Quarantine All, or Send All to Chest, whatever the option’s name is. I may have overlooked any indication Avast! gave that this entry had been changed as a result of that procedure. I’ll try to verify this later, but even if I can’t duplicate the issue, I’m more than content to let it go now that I know a Quick Scan won’t duplicate it.
Thanks a lot for your time and for getting me to reexamine my logic.
And for the curious, the original Shell entry was:
Explorer.exe
and my modified entry was:
myshell\Explorer.exe
given that Windows must know to prepend:
C:\Windows
to whatever’s in that entry.
I suppose that what you’re seeing is a result of some detection (unrelated to the explorer.exe file) that happened during the boot-time scan - and the subsequent attempt to fix the problems in critical registry entries (just in case the removed file was, for example, the one the Shell entry pointed to).
I believe the problem is the relative path you used… if you put the full path (C:\Windows\myshell\Explorer.exe) into the key, it shouldn’t happen anymore.
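An added example, not part of the original thread and not Avast! code: a Python helper that classifies the Shell value forms discussed above (bare default, relative, forward slashes, backslashes, %SystemRoot%) and produces the full-path form the last reply recommends. The function names and the C:\Windows location are assumptions, and resolving a relative entry under the Windows directory follows what the thread assumes.

```python
import ntpath
import re

DEFAULT_SHELL = "explorer.exe"
# Assumption for offline analysis: the Windows directory used in the thread.
ASSUMED_ENV = {"systemroot": r"C:\Windows"}


def expand_vars(value, env):
    """Expand %VAR% references case-insensitively; unknown names are left as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), value)


def classify_shell_value(value, env=ASSUMED_ENV):
    """Classify one Shell value and return (kind, normalized_path).

    kind is one of: default, absolute, relative, unresolved-variable.
    """
    raw = value.strip().strip('"')
    expanded = expand_vars(raw, env)
    normalized = ntpath.normpath(expanded)  # also turns '/' into '\'
    if raw.lower() == DEFAULT_SHELL:
        return "default", normalized
    if "%" in expanded:
        return "unresolved-variable", normalized
    if ntpath.isabs(normalized):
        return "absolute", normalized
    return "relative", normalized


def suggest_full_path(value, env=ASSUMED_ENV):
    """Return the full-path form to write instead of a relative value.

    Assumption taken from the thread: a relative entry is meant to resolve
    under the Windows directory. Absolute values are only normalized.
    """
    kind, normalized = classify_shell_value(value, env)
    if kind == "relative":
        return ntpath.join(env["systemroot"], normalized)
    return normalized


if __name__ == "__main__":
    # Constructed samples modelled on the forms discussed in the thread.
    for sample in ["Explorer.exe", r"myshell\Explorer.exe",
                   "C:/Windows/MyShell/Explorer.exe",
                   r"%SystemRoot%\MyShell\Explorer.exe", r"%NoSuchVar%\x.exe"]:
        print(f"{sample!r:45} {classify_shell_value(sample)[0]:20} -> {suggest_full_path(sample)}")
```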