Re: Messed up editing registry, need previous values

Richard, thank you so much for this very comprehensive reply. Unfortunately,
because I needed to get this resolved quickly, I made a decision to follow
the recommendations of others on this thread and reformat/reinstall. I did
this also because even my backup registry file had been compromised by a
trojan, so I was backing up with (possibly) bad data. Starting over seemed
like the best shot at getting a cleaned-up system.

"Richard" wrote:

(snipped)

What trojan? What version of Internet Explorer? It should be possible to
reverse what was done, but you need to go back to that article and make sure
you know exactly what it is telling you to do, before proceeding further
with corrections.

The trojan was called Fakeavalert, the IE version is 7. The Symantec writeup
is here:
http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99&tabid=3

Where I made my error was this line:
"Restore the following registry entries to their previous values, if
required:"

This was followed by a long list of registry keys, and I proceeded thinking
that the values shown were the *correct* values. After I finished checking
the section relating to Internet Zones, I realized that this wasn't the case.
These were the values that might be assigned by the trojan. I confirmed by
comparing it to a list of possible registry changes in the Technical Details
part of the article. Both lists were the same. Of course, by this time I
didn't know what the original values had been, so I went to my backup.

I had made a backup of the registry before doing any editing, but when I
tried to import it, I got the message that it could not be imported
because some keys were in use. ("All data was not written.")

You were probably trying to import the entire registry, and all the data was
written except to a few keys that were in use, which would not be any of the
keys you had been trying to edit, and you probably do not need to be
concerned about that. It might help us to better advise you, if you post a
copy of the Symantec instructions here, or point us to a web page where we
can see what all Symantec thinks you should do. Were you viewing the
Symantec instructions in Internet Explorer, while connected to the internet,
while making registry changes? It is best to close all applications and any
open windows before doing so. NotePad is an exception. You could copy the
information from the page and paste it into a NotePad text document, which
can be open while editing the registry and doing other things.

Since the backup was created using a tool on Symantec's site, IE was open
during the backup. And it was open during the import as well. Common sense
should have told me to close programs during the import, but better to know
late than never.

Thanks, again, for all the helpful suggestions in this post. I'm keeping a
copy of it, although it will be a long time (if ever) before I use regedit
again. However, it's good to know a better way to perform a registry backup,
or to backup certain sections.

Now if only I knew where the trojan came from.

Peggy

My questions:
1. What did the original error message I got when importing the backup
registry file mean? That the backup wasn't good, or that it just couldn't
be restored because programs were running?

The backup was good, and probably undid your changes, so you need to
continue with the Symantec guidance, after addressing the other things
mentioned above.

2. Would other parts of the registry have been affected/corrupted by my
attempting to import a file unsuccessfully?

Probably not. See above.

3. Is there any other way to correct these keys such as through Internet
Settings?

After you complete the Symantec guidance, and if things are not completely
back to normal, report your results back here. (It is a good idea to write
down everything you have done and are doing, in case you need to back track
again, and for future reference if another alien invasion descends upon your
computer.) The "zone.reg" that "Nass" suggested is a further thing that
could be tried, but before using that, you may need to splice lines that got
split into 2 lines by the newsreader software. Sections beginning and ending
with square brackets are a single line. When rejoining split lines within
brackets, there should be no spaces where you join them. (Make sure NotePad
word wrap is off.)

I would suggest that before trying the zone.reg thing, you first go to
Control Panel> Internet Options, and on the Security tab, click on each one
of the zones near the top of that dialog and click the Default level button
to reset your zones. You can then check to see what that changed in the
registry, and maybe compare that with the Symantec guidance.

4. Is there anything else I can do? Is there a way to diagnose what other
problems I might have caused?

Malwarebytes has already been suggested as an additional step. Report your
progress back here. You have already shown wisdom in hesitating to resort to
extreme measures. It never hurts to seek a 2nd opinion if you have the
slightest uncertainty what to do.

The method I used to create a registry backup was to run a tool on
Symantec's site, linked in their writeup.

That is one way. To make your own backup, simply go to Registry Editor, click
on "My Computer" at the top of the folder tree in the left panel. On the
menu bar, click File, and then Export. A normal Save As-type dialog box will
appear for you to type a filename. Note that the bottom section of the
dialog is "Export Range" and the "All" item is selected. I usually use the
current date/time for a file name, for example, "200906230715.reg" in
yyyymmddhhmm form. I also keep a separate "changes.txt" text file in the
same folder as the regs, describing what was done before, during and after
the .reg file was made. In your case, if you were only making changes to the
"zones" branch, you could have selected the first item of that branch on the
folder tree, then click File and click Export, and when the dialog appears,
the "Export Range" at the bottom of the dialog would have the "Selected
Branch" already chosen for you, with the path information in the bottom box.
I would name that exported file "ie_zones.reg", rather than a date/time,
since it is not the complete registry. To undo any changes to zones, you
could then simply right-click "ie_zones.reg" and choose Merge, and click Yes
when the message asks, "Are you sure"? ("To boldly go..." Where? :)

If your computer is set up for more than one user, each account has separate
user data, and only the currently logged on user's data appears in the
Current User section of the Registry. During the time that the trojan was
active on your computer, if more than one user account was active, then you
would need to logon with each user account, and verify that the affected
registry sections have the correct values.

I really appreciate any help.

(Got "Valued Data" backed up? :)

I'm hopefully looking forward to the resolution of your problem.
FWIW. --Richard
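Two of Richard's suggestions above, splicing the wrapped lines of a posted .reg file back together, and comparing what the Default level reset actually changed in the registry against the Symantec list, can both be done mechanically rather than by eye. The script below is an added example for this thread, not code from the thread, from Symantec or from Microsoft. It rejoins wrapped [key] lines with no space at the seam, as Richard describes, parses Version 5.00 .reg text, and diffs a backup export against a later export of the same branch. The .reg text inside it is constructed for illustration; the only real identifier it relies on is the HKCU ...\Internet Settings\Zones path, and "1001"/"1004" are just sample IE zone action value names.

```python
"""Repair a newsreader-wrapped .reg file, parse it, and diff two exports of a
branch. Added example for this thread, not a Symantec or Microsoft tool; the
.reg text below is constructed. Real regedit exports are UTF-16 LE, so open
them with encoding="utf-16" before passing the text to parse_reg()."""
import re
from typing import Dict, List, Optional, Tuple

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name -> raw data}
Change = Tuple[str, str, Optional[str], Optional[str]]
HEADER = "Windows Registry Editor Version 5.00"
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def rejoin_wrapped_lines(text: str) -> List[str]:
    """A [key] line is one line in the format: a line that opens with '[' but
    does not end in ']' is joined to the following line(s) with no space."""
    out: List[str] = []
    pending: Optional[str] = None
    for line in text.splitlines():
        if pending is not None:
            pending += line.strip()
            if pending.endswith("]"):
                out.append(pending)
                pending = None
        elif line.startswith("[") and not line.rstrip().endswith("]"):
            pending = line.rstrip()
        else:
            out.append(line)
    if pending is not None:
        out.append(pending)  # unterminated key line; parse_reg() rejects it
    return out

def parse_reg(text: str) -> RegTree:
    """Parse Version 5.00 .reg text; data stays raw ('dword:00000003', ...)."""
    lines = rejoin_wrapped_lines(text)
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a 'Windows Registry Editor Version 5.00' file")
    tree: RegTree = {}
    current, i = None, 1
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.strip() or line.startswith(";"):
            continue
        if line.startswith("["):
            if not line.endswith("]"):
                raise ValueError(f"malformed key line: {line!r}")
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or m is None:
            raise ValueError(f"malformed value line: {line!r}")
        data = m.group(3).strip()
        while data.endswith("\\") and i < len(lines):  # hex data continued
            data, i = data[:-1] + lines[i].strip(), i + 1
        tree[current]["@" if m.group(2) else m.group(1)] = data
    return tree

def dword(data: str) -> int:
    """'dword:00000003' -> 3 (IE zone actions: 0 enable, 1 prompt, 3 disable)."""
    if not data.lower().startswith("dword:"):
        raise ValueError(f"not a dword: {data!r}")
    return int(data[6:], 16)

def keys_outside(tree: RegTree, branch: str) -> List[str]:
    """Keys not under `branch`: likely mis-spliced paths; merging one creates a new key."""
    b = branch.lower()
    return [k for k in tree if k.lower() != b and not k.lower().startswith(b + "\\")]

def diff_reg(before: RegTree, after: RegTree, branch: str = "") -> List[Change]:
    """(key, name, before, after) per differing value under `branch`; None = absent."""
    b, changes = branch.lower(), []
    for key in sorted(set(before) | set(after), key=str.lower):
        if key.lower().startswith(b):
            bv, av = before.get(key, {}), after.get(key, {})
            changes += [(key, n, bv.get(n), av.get(n))
                        for n in sorted(set(bv) | set(av)) if bv.get(n) != av.get(n)]
    return changes

ZONES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# Constructed: a pre-edit export of zone 3 (Internet) as a newsreader might
# post it: key line hard-wrapped mid-word, a hex value continued on a 2nd line.
BACKUP_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Current
Version\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"Description"=hex(2):49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,\
  00,00
"""
# Constructed: the same branch exported again (key line intact) after the edit.
EDITED_REG = "\n".join(rejoin_wrapped_lines(BACKUP_REG)).replace(
    '"1001"=dword:00000001', '"1001"=dword:00000003')
# Constructed: wrapped at the space in "Internet Settings"; a no-space rejoin
# yields a wrong path, which keys_outside() flags before anything is merged.
SPACE_WRAPPED_REG = BACKUP_REG.replace(
    "Current\nVersion\\Internet Settings", "CurrentVersion\\Internet\nSettings")

if __name__ == "__main__":
    before, after = parse_reg(BACKUP_REG), parse_reg(EDITED_REG)
    for key, name, old, new in diff_reg(before, after, ZONES):
        print(f"{key}\n    {name}: {old} -> {new}")
    print("mis-spliced:", keys_outside(parse_reg(SPACE_WRAPPED_REG), ZONES))
```

To use it on a real machine, export the branch from a command prompt with reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" ie_zones.reg before the Default level reset and again afterwards (different file names), open both files with encoding="utf-16", and pass the two texts to diff_reg(); each line of output is one value the reset changed, which is what to hold up against the Symantec list. The keys_outside() check is the caveat that goes with the no-space splice rule: if the newsreader wrapped a key line at a real space, such as the one in "Internet Settings", a no-space rejoin produces a path that does not exist, and merging that file would quietly create a new key instead of repairing the intended one, so run the check before the Merge.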
