I’d like to get some advice from those with more knowledge on the subject as I’ve been happily using Avast, but only for the past six months. Thankfully, I realized quickly what must have happened with the bad def file and had minimal fallout compared to some of what I’ve been reading here. I sincerely hope everyone’s gotten sorted or close to it by now.
Of the files I’d quarantined before recognizing the FP, almost all were Spybot related, so no problem there, it’s working as it should. However, two of the remaining four quarantined files came from c:\windows….a trz68.tmp (not sure what it is, but it scans clean) and RTHDCPL.exe that I believe is Realtek. I recall always seeing it in the processes in task manager, so I’m fairly certain it was loading at boot, and now I seem to have to launch it. That in itself is no problem, I haven’t actually used it and it does launch from control panel. Being logical (and a worrier by nature ;)), it does raise a question to me though; could there be things that were affected that I just haven’t stumbled across yet or can’t “see”? I clicked “no action” to a whole lot of files after the first bunch of FP’s. (It was flagging a new one as soon as I clicked!) I’m considering using system restore to go back to the previous day (12.1) to be certain things are as they were and would like some advice. This PC is only 3 months old and I’d prefer not to tamper with anything needlessly. (Perhaps that’s my answer
I’m running Avast, have SAS, MBAM and Spybot (the freeware versions; all up to date, clean scan earlier that day for all except a few cookies removed with SAS) on Windows XP Pro/SP3. I don’t use it for gaming or anything so for the most part just common software like Office Small Biz 2007, Acrobat Reader 9, Roxio, Power DVD etc. are loaded. All seem to be functioning properly as near as I can tell.
My questions then:
–Is my concern valid? Again, I’m fully aware my situation is minimal compared to what some have experienced. System seems quite stable; programs appear to be working properly so far…maybe wait a few more days to evaluate?
–If I choose to restore to 12.1.09, I presume I would then just have to go back and update the definitions for all of the programs….will Avast’s update automatically give me the correct version as though the bad one never existed? Does the update add to/edit existing or replace the whole file? I was up to date the morning (my time) of 12.2 before the bad file late that night. Am I opening myself to muddy things up again if I do this?
– A How-To question. During the event I figured out that turning off Standard Shield gave me access to Spybot, but for future reference is the “Stop On Access Protection” the equivalent of turning off Avast completely? Is there an easy, ie: “please don’t send me to the registry” (I don’t do registry ;D) way to stop Avast from starting at boot if necessary? I can’t seem to find its switch in the settings function in Simple User Interface…do I need to switch to Enhanced (and just how much trouble can I get into there)?
Sorry for the long post and TIA for any input you can provide. Still like the program in spite of the hiccup, no intention of switching. (And thanks to all the folks who posted in that first hour; I credit my damage control in part to the fact I was fortunate enough to get to the board to confirm FP and experienced users gave helpful advice.)
Regards-
Munz
Hi, Munz,
welcome to the forum. Well done for common sense (and a bit of good fortune/luck. Similar to my own experience. No damage done.)
I would not be inclined to use system restore. System restore will change settings, but cannot replace files that have been deleted. As you say, if it’s all working OK, leave it alone.
If files re-scan clean from within the chest, they can be restored, or manually extracted and moved to their original locations.
The file trz68.tmp appears to be to do with MS debugging tools. It probably isn’t essential, being a temp file, but you could extract it to your desktop, look at the properties, if it says something like this: “Microsoft Corporation; Windows Usermode Driver Debugger Extensions; 6.0.5308.17 (winmain_idx01.060217-2200)” it can be restored, but it probably is not needed.
The file RTHDCPL.exe can be restored. I think it is a Realtek file. It’s up to you if you have this running at start. (I don’t. I just set the equalizer, then prevented it starting, don’t need it.)
All the Spybot ones should be restored if you haven’t already.
If you need more info on how to restore from the chest, please ask. It’s pretty straightforward, with a right-click menu.
I’ve deleted nothing, learned that early on from an IT guy I worked with.
I’ve restored everything that I’d moved to the chest, but the difference in behavior raised the question in my mind. No real harm as far as I can tell though. I felt the same way about the .tmp, but was taking no chances, lol.
Another one for you (if you know): are restore and extract basically the same function? I used restore for all of the ones that offered that option, but there were 4 .zip files from Spybot I could only use the extract option on (presumably because it was a .zip) which meant manually replacing the file. Should I have used extract on all of them? Does it make a difference?
Also, I see some posts where the chest has reached capacity for some users. Is there a manner to tell how much of the chest has been used? I have the default set (256 MB), but don’t know how much (in megs) is in there from this…I don’t plan on removing them until I’m certain things are fine. It was empty before, which is good I guess.
Restore and extract are both similar functions; extract to be used where (1) the file is maybe suspicious, and you need access to it to do more research, (2) where “restore”, for whatever reason fails to work.
Do feel free to restore (or extract) any files that re-scan clean, particularly any that were added yesterday as a result of the problem, back to their original locations.
Is there any difference or problem in the way the computer is working now?
I’m not certain, but I am fairly sure that a way to find the occupied space in the chest is to navigate to this folder: “C:\Program Files\Alwil Software\Avast4\DATA\chest” and view the total size. (Mine is currently 2.88MB)
I think a lot of users probably ended up deleting a lot of files that should not have been deleted, once their chest filled up.
Fortunately, a lot of other users realized something was not right with all these detections, and did the right thing.
I had 179 deletions, due to the false positive problem.
I am awaiting a fix.
Fortunately, I pulled my backup drive off line.
I was using my XP Pro OS at the time.
But, my separate hard drive with Win 7 was accessed by Avast.
I have first tried to delete Spyware Doctor, and re-install it, but it will not un-install.
Just the Realtek blip I mentioned. It really doesn’t take much for me to worry.
Oh, my. If you’re correct (I’d think you’re right) there are some good sized files in there (all from 12.2 except the files Avast itself creates). I’m at 125mb, guess I need to increase capacity or delete some I know for certain are okay to go. (I see one is the download of Spybot I installed from, should have deleted it anyway.)
Thanks for the clarification on extract/restore. Makes sense why one wouldn’t want to just restore a suspect file.
I truly feel bad for those who deleted important files. I think it’s the natural inclination unless you’ve been told differently or experienced something similar in the past. Some indicated it was their only option, don’t know what I’d have done in that case knowing it’s not a good idea.
Munz,
The chest size can be increased to unlimited, by right clicking the Avast tray icon>program settings>chest and entering the number you would like. (zero means unlimited).
Except in rare cases like this, it is not normally necessary, of course. But I would suggest some housecleaning. 125Mb is a huge load of malware (or FP’s) in the chest.
I feel bad for those that deleted important files, too. Especially those that allowed the boot scan to remove files.
Would have been nice to be able to access the forum when it was going on, be more help. My access was limited (as many) by server overload. Plus it took me an hour or so to realize bad things were afoot. I got very few false detections at first, and by the time I did, already had a bit of a handle on it.
debitka
Did you quarantine any files, or simply delete them? What circumstances were at play when they were deleted? (Boot scan/regular scan/random detection+response?)
Are either of those systems bootable? I am guessing by your post that XP is, but 7 isn’t?
We need to try and find the file that will allow the removal or repair of SpywareDoctor, alternatively (if the file cannot be found in the chest) a tool such as the Windows uninstaller cleanup utility (direct download) or Revo Uninstaller (from here) might be used.
There is no specific SD removal tool that I am aware of.
Anyone else with previously un-posted issues, I wonder if you would be better served by starting a new topic, as it is possibly more likely to be read and responded to.
When a lot of users post to one thread about an issue - even if it is the same/similar issue, the focus of help can become diluted or confused, IMO.
Everyone seems to have a similar problem. Each user/computer, however, is unique, and I think it is better to have your own threads.
[edited] removed incorrect example.