Messed up editing registry, need previous values


peg2009

I'm running WinXP Pro, SP2. I messed up while trying to remove a trojan with
instructions in an article from Symantec. Article said to remove changes in a
list of registry keys, if required. Some of the keys in my registry had the
same value as on the list in Symantec's article, some did not. I started
changing the ones that differed from the values in the Symantec article. Then
I realized the article must be showing the "bad" values that might have been
assigned by the trojan. So I was changing to the wrong values.

I had made a backup of the registry before doing any editing, but when I
tried to import it, I got the message that it could not be imported because
some keys were in use. ("All data was not written.")

I had changed maybe 8 keys, all in
HK_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
I went back after trying to import the registry backup file and checked
these keys against the values in the Symantec article. Some do appear to have
gone back to a previous value, but I can't be sure now if all of them are
changed back. Also, most of them had the same value as the potentially "bad"
value in the Symantec writeup. In short, now I don't know what would be the
right values for any of these registry keys.

Of course, the first thing I did was to disable System Restore per the
Symantec instructions, so I can't go to a restore point.

My questions:
1. What did the original error message I got when importing the backup
registry file mean? That the backup wasn't good, or that it just couldn't be
restored because programs were running?
2. Would other parts of the registry have been affected/corrupted by my
attempting to import a file unsuccessfully?
3. Is there any other way to correct these keys such as through Internet
Settings?
4. Is there anything else I can do? Is there a way to diagnose what other
problems I might have caused?

The method I used to create a registry backup was to run a tool on
Symantec's site, linked in their writeup.

I really appreciate any help.
 

Richard in AZ

| I'm running WinXP Pro, SP2. I messed up while trying to remove a trojan with
| instructions in an article from Symantec. Article said to remove changes in a
| list of registry keys, if required. Some of the keys in my registry had the
| same value as on the list in Symantec's article, some did not. I started
| changing the ones that differed from the values in the Symantec article. Then
| I realized the article must be showing the "bad" values that might have been
| assigned by the trojan. So I was changing to the wrong values.
|
| I had made a backup of the registry before doing any editing, but when I
| tried to import it, I got the message that it could not be imported because
| some keys were in use. ("All data was not written.")
|
| I had changed maybe 8 keys, all in
| HK_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
| I went back after trying to import the registry backup file and checked
| these keys against the values in the Symantec article. Some do appear to have
| gone back to a previous value, but I can't be sure now if all of them are
| changed back. Also, most of them had the same value as the potentially "bad"
| value in the Symantec writeup. In short, now I don't know what would be the
| right values for any of these registry keys.
|
| Of course, the first thing I did was to disable System Restore per the
| Symantec instructions, so I can't go to a restore point.
|
| My questions:
| 1. What did the original error message I got when importing the backup
| registry file mean? That the backup wasn't good, or that it just couldn't be
| restored because programs were running?
| 2. Would other parts of the registry have been affected/corrupted by my
| attempting to import a file unsuccessfully?
| 3. Is there any other way to correct these keys such as through Internet
| Settings?
| 4. Is there anything else I can do? Is there a way to diagnose what other
| problems I might have caused?
|
| The method I used to create a registry backup was to run a tool on
| Symantec's site, linked in their writeup.
|
| I really appreciate any help.

Do a "System Restore" to a date before your editing.
Then you may have to redo the Symantec instructions again.
BUT, I would use malwarebytes (www.malwarebytes.org) to get rid of the Trojan rather than manual
registry editing.
 

peg2009

Richard in AZ said:
Do a "System Restore" to a date before your editing.
Then you may have to redo the Symantec instructions again.
BUT, I would use malwarebytes (www.malwarebytes.org) to get rid of the Trojan rather than manual
registry editing.

Unfortunately, I can't do a system restore, as the first step in removing
the trojan was to disable System Restore because restore points might have
been infected. I'll check into getting malwarebytes. It will be a long time
before I ever open the registry again (once I get this problem fixed.)
 

Jose

Unfortunately, I can't do a system restore, as the first step in removing
the trojan was to disable System Restore because restore points might have
been infected. I'll check into getting malwarebytes. It will be a long time
before I ever open the registry again (once I get this problem fixed.)

You may try to boot in Safe Mode with minimal (no) options - just as
basic as you can and try the import then.

If you are sure of the location in the registry where you were making
the changes, there are tools to read the exported file and just export
out the key you changed and then try importing just that section.

Try the Safe Mode first.

Reboot and before XP has a chance to load, start tapping the F8 key to
bring up a menu. Choose Safe Mode with no options. Things will look
different, but will be functional for what you need.
 

peg2009

Thanks for this information. I'm not sure I should do this because it says
not to use this method with an OEM-installed operating system, which is what I
have. Also, do I want to restore this far? What will it do to any programs I
have installed, that are registered? I'm very leery of making this problem
even worse. I do appreciate your help, was just hoping to hear that the minor
changes I made could be more easily corrected. Windows does boot up, but I
haven't had a chance to run the computer to see what problems there might be.

Thanks for your input.
 

Peter Foldes

Then the only choice is to reformat and reinstall after saving all Data that is
needed
 

Gerry

Peg

I agree with Peter.

What is your computer make and model?


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 

nass

Hi,
Please Open a Notepad and copy and paste the following into it, then save as
Zones.reg on your Desktop.
Right click on the Zones.reg and select Merge from the list to merge to your
registry.

====/* copy code below this line*/=====
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1206"=dword:00000000
"1806"=dword:00000000
@=""
"DisplayName"="Computer"
"Description"="Your computer"
"Icon"="explorer.exe#0100"
"CurrentLevel"=dword:00000000
"Flags"=dword:00000021
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000000
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000000
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000000
"1805"=dword:00000000
"1A00"=dword:00000000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000000
"1A05"=dword:00000000
"1A06"=dword:00000000
"1A10"=dword:00000000
"1C00"=dword:00020000
"1E05"=dword:00030000
"1207"=dword:00000000
"1807"=dword:00000000
"1808"=dword:00000000
"2000"=dword:00000000
"2100"=dword:00000000
"2101"=dword:00000003
"2102"=dword:00000000
"2200"=dword:00000000
"2201"=dword:00000000
"2300"=dword:00000001
"1809"=dword:00000003
"1208"=dword:00000000
"1209"=dword:00000000
"120A"=dword:00000000
"1408"=dword:00000000
"160A"=dword:00000000
"180A"=dword:00000000
"180C"=dword:00000000
"180D"=dword:00000000
"2103"=dword:00000000
"2104"=dword:00000000
"2105"=dword:00000000
"2301"=dword:00000003
"2400"=dword:00000000
"2401"=dword:00000000
"2402"=dword:00000000
"2500"=dword:00000003
"2600"=dword:00000000
"LowIcon"="inetcpl.cpl#005422"
"PMDisplayName"="Computer [Protected Mode]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1206"=dword:00000000
"1806"=dword:00000000
@=""
"DisplayName"="Local intranet"
"Description"="This zone is for all websites that are found on your intranet."
"Icon"="shell32.dll#0018"
"CurrentLevel"=dword:00010500
"MinLevel"=dword:00010000
"RecommendedLevel"=dword:00010500
"Flags"=dword:00000143
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000001
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000001
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000001
"1805"=dword:00000000
"1A00"=dword:00020000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000000
"1A05"=dword:00000000
"1A06"=dword:00000000
"1A10"=dword:00000000
"1C00"=dword:00020000
"1E05"=dword:00020000
"1207"=dword:00000000
"1807"=dword:00000000
"1808"=dword:00000000
"2000"=dword:00000000
"2100"=dword:00000000
"2101"=dword:00000000
"2102"=dword:00000000
"2200"=dword:00000000
"2201"=dword:00000000
"2300"=dword:00000001
"1809"=dword:00000003
"1208"=dword:00000000
"1209"=dword:00000000
"120A"=dword:00000003
"1408"=dword:00000000
"160A"=dword:00000000
"180A"=dword:00000000
"180C"=dword:00000003
"180D"=dword:00000000
"2103"=dword:00000000
"2104"=dword:00000000
"2105"=dword:00000000
"2301"=dword:00000003
"2400"=dword:00000000
"2401"=dword:00000000
"2402"=dword:00000000
"2500"=dword:00000000
"2600"=dword:00000000
"LowIcon"="inetcpl.cpl#005423"
"PMDisplayName"="Local intranet [Protected Mode]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1206"=dword:00000003
"1806"=dword:00000001
@=""
"DisplayName"="Trusted sites"
"Description"="This zone contains web sites that you trust not to damage your computer or your files"
"Icon"="inetcpl.cpl#00004480"
"CurrentLevel"=dword:00011000
"MinLevel"=dword:00010000
"RecommendedLevel"=dword:00011000
"Flags"=dword:00000047
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000003
"1407"=dword:00000001
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000003
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000001
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000001
"1805"=dword:00000001
"1A00"=dword:00020000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000003
"1A05"=dword:00000001
"1A06"=dword:00000000
"1A10"=dword:00000001
"1C00"=dword:00010000
"1E05"=dword:00020000
"1207"=dword:00000000
"1807"=dword:00000001
"1808"=dword:00000000
"2000"=dword:00000000
"2100"=dword:00000000
"2101"=dword:00000000
"2102"=dword:00000003
"2200"=dword:00000003
"2201"=dword:00000003
"2300"=dword:00000001
"1809"=dword:00000000
"1208"=dword:00000000
"1209"=dword:00000003
"120A"=dword:00000003
"1408"=dword:00000000
"160A"=dword:00000000
"180A"=dword:00000003
"180C"=dword:00000003
"180D"=dword:00000000
"2103"=dword:00000000
"2104"=dword:00000000
"2105"=dword:00000000
"2301"=dword:00000000
"2400"=dword:00000000
"2401"=dword:00000000
"2402"=dword:00000000
"2500"=dword:00000003
"2600"=dword:00000000
"LowIcon"="inetcpl.cpl#005424"
"PMDisplayName"="Trusted sites [Protected Mode]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1206"=dword:00000003
"1806"=dword:00000001
@=""
"DisplayName"="Internet"
"Description"="This zone is for Internet websites, except those listed in trusted and restricted zones."
"Icon"="inetcpl.cpl#001313"
"CurrentLevel"=dword:00011500
"MinLevel"=dword:00011000
"RecommendedLevel"=dword:00011500
"Flags"=dword:00000001
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000003
"1407"=dword:00000001
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000003
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000001
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000001
"1805"=dword:00000001
"1A00"=dword:00020000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000003
"1A05"=dword:00000001
"1A06"=dword:00000000
"1A10"=dword:00000001
"1C00"=dword:00010000
"1E05"=dword:00020000
"1207"=dword:00000003
"1807"=dword:00000001
"1808"=dword:00000000
"2000"=dword:00000000
"2100"=dword:00000000
"2101"=dword:00000000
"2102"=dword:00000003
"2200"=dword:00000003
"2201"=dword:00000003
"2300"=dword:00000001
"1809"=dword:00000000
"1208"=dword:00000003
"1209"=dword:00000003
"120A"=dword:00000003
"1408"=dword:00000003
"160A"=dword:00000000
"180A"=dword:00000003
"180C"=dword:00000003
"180D"=dword:00000001
"2103"=dword:00000003
"2104"=dword:00000003
"2105"=dword:00000003
"2301"=dword:00000000
"2400"=dword:00000000
"2401"=dword:00000000
"2402"=dword:00000000
"2500"=dword:00000000
"2600"=dword:00000000
"LowIcon"="inetcpl.cpl#005425"
"PMDisplayName"="Internet [Protected Mode]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1206"=dword:00000003
"1806"=dword:00000003
@=""
"DisplayName"="Restricted sites"
"Description"="This zone is for websites that might damage your computer or your files."
"Icon"="inetcpl.cpl#00004481"
"CurrentLevel"=dword:00012000
"MinLevel"=dword:00012000
"RecommendedLevel"=dword:00012000
"Flags"=dword:00000003
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000003
"1405"=dword:00000003
"1406"=dword:00000003
"1407"=dword:00000003
"1601"=dword:00000001
"1604"=dword:00000003
"1605"=dword:00000000
"1606"=dword:00000003
"1607"=dword:00000003
"1608"=dword:00000003
"1609"=dword:00000001
"1800"=dword:00000003
"1802"=dword:00000001
"1803"=dword:00000003
"1804"=dword:00000003
"1805"=dword:00000001
"1A00"=dword:00010000
"1A02"=dword:00000003
"1A03"=dword:00000003
"1A04"=dword:00000003
"1A05"=dword:00000003
"1A06"=dword:00000003
"1A10"=dword:00000003
"1C00"=dword:00000000
"1E05"=dword:00010000
"1207"=dword:00000003
"180B"=dword:00000001
"1807"=dword:00000001
"1808"=dword:00000000
"2000"=dword:00000003
"2100"=dword:00000003
"2101"=dword:00000003
"2102"=dword:00000003
"2200"=dword:00000003
"2201"=dword:00000003
"2300"=dword:00000003
"1809"=dword:00000000
"1208"=dword:00000003
"1209"=dword:00000003
"120A"=dword:00000003
"1408"=dword:00000003
"160A"=dword:00000003
"180A"=dword:00000003
"180C"=dword:00000003
"180d"=dword:00000001
"2103"=dword:00000003
"2104"=dword:00000003
"2105"=dword:00000003
"2301"=dword:00000000
"2400"=dword:00000003
"2401"=dword:00000003
"2402"=dword:00000003
"2500"=dword:00000000
"2600"=dword:00000003
"LowIcon"="inetcpl.cpl#005426"
"PMDisplayName"="Restricted sites [Protected Mode]"

===/* End Of Code*/============================

Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah

HTH,
nass
 

Jose

Thanks for this information. I'm not sure I should do this because it says
not to use this method with an OEM-installed operating system, which is what I
have. Also, do I want to restore this far? What will it do to any programs I
have installed, that are registered? I'm very leery of making this problem
even worse. I do appreciate your help, was just hoping to hear that the minor
changes I made could be more easily corrected. Windows does boot up, but I
haven't had a chance to run the computer to see what problems there might be.

Thanks for your input.

Whatever - it's up to you of course.

I see 3 logical choices:

1. Use your original exported registry file and chop out the section
into a small .reg file and just import that section containing the
original values (which may still contain your issue).

2. You can make a .reg file as suggested by nass which was generated
from some other machine and hope it works on your machine.

3. You can do nothing and address any problems that might come up as
they occur.

Easy!
 

peg2009

Thanks, Gerry and Peter. The PC is an HPD 325UT. I am considering what Nass
suggested in a post this morning, as a last ditch effort before starting
over.
 

peg2009

Thanks very much for this. My question is whether I caused a more widespread
problem with the backup and import methods I used, such that it's not going
to be enough to fix this section of the registry. Also, do these settings
correspond to a certain level of internet security settings? The PC had a
custom level of IE security settings. Sorry if these are dumb questions.

Thanks again.

 

nass

peg2009 said:
Thanks very much for this. My question is whether I caused a more widespread
problem with the backup and import methods I used, such that it's not going
to be enough to fix this section of the registry. Also, do these settings
correspond to a certain level of internet security settings? The PC had a
custom level of IE security settings. Sorry if these are dumb questions.

Thanks again.

Hi,
This is the standard Registry Key and it doesn't have special or different
entries than the default Registry Key can have.

At this stage you don't need to worry about a certain level of Internet
Security Settings. It is infected, what more compromise in security than this
do you want!

This Reg will put your registry back to where it was, a default key without
any certain security level, and then after cleaning the system you can set up
the level you want.

Download the Hijackthis and send the report to one of
many forums for analysis and troubleshooting or you can send it to me on my
email provided at the bottom:
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)

Can you please send me a copy at (e-mail address removed) ,
remove the obvious to email me, note ( _ it is underscore not - ).
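Jose's option 1 above (cut the Zones section out of the full backup export and merge only that) and the later question of whether the posted Zones values are the defaults both come down to reading a regedit export. The script below is an added example, not code from this thread, from Symantec or from Microsoft: it parses a "Windows Registry Editor Version 5.00" export, keeps only the Internet Settings\Zones subtree, prints that as a small .reg, and lists every value that differs from a reference .reg such as nass's. The export and reference texts are constructed samples (four of the Zones\3 values are copied from nass's post; the Run key, the changed "1200" value and the "ConstructedBinary" entry are made up to exercise the parser). Key paths and value names are compared case-insensitively because the registry itself treats them that way.

```python
# Added example (not code from this thread, Symantec or Microsoft): read a
# regedit "Version 5.00" export, keep one subtree, emit it as a small .reg
# and diff it against a reference .reg.
import re
from collections import OrderedDict

HEADER = "Windows Registry Editor Version 5.00"
ZONES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# Constructed sample of a full export.  The Run key, the non-default "1200"
# value and the "ConstructedBinary" entry (split over two lines, as regedit
# does with hex data) are made up; the other Zones\3 values are the defaults
# posted in this thread.
FULL_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
@=""
"DisplayName"="Internet"
"CurrentLevel"=dword:00011500
"1004"=dword:00000003
"1200"=dword:00000003
"ConstructedBinary"=hex:01,00,\
  02,00
"""

# Constructed reference: the same four Zones\3 values as posted above.
REFERENCE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
@=""
"DisplayName"="Internet"
"CurrentLevel"=dword:00011500
"1004"=dword:00000003
"1200"=dword:00000000
"""

VALUE_LINE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')  # "name"=data or @=data


def parse_reg(text):
    """Return OrderedDict {key path: OrderedDict {value name: raw data}}."""
    keys, current = OrderedDict(), None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):  # hex data continued on next line
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(";") or line == HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):  # "[-key]" deletes a key; nothing to record
                current = None
            else:
                keys.setdefault(current, OrderedDict())
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def extract_subtree(keys, root):
    """Keep the root key and everything below it (case-insensitive)."""
    root_l = root.lower().rstrip("\\")
    return OrderedDict((k, v) for k, v in keys.items()
                       if k.lower() == root_l or k.lower().startswith(root_l + "\\"))


def to_reg(keys):
    """Serialise back to .reg text that regedit can merge."""
    out = [HEADER, ""]
    for key, values in keys.items():
        out.append("[%s]" % key)
        out.extend("%s=%s" % (n, v) for n, v in values.items())
        out.append("")
    return "\r\n".join(out)


def _norm(value):
    """dword/hex data is hexadecimal, so compare it case-insensitively."""
    if value is None:
        return None
    return value.lower() if value.lower().startswith(("dword:", "hex")) else value


def diff_reg(mine, reference):
    """(key, value name, my data, reference data) for every value that differs;
    a value present on only one side is reported with None on the other."""
    def fold(keys):
        return {k.lower(): {n.lower(): v for n, v in vals.items()}
                for k, vals in keys.items()}
    m, r = fold(mine), fold(reference)
    diffs = []
    for key in sorted(set(m) | set(r)):
        mv, rv = m.get(key, {}), r.get(key, {})
        for name in sorted(set(mv) | set(rv)):
            if _norm(mv.get(name)) != _norm(rv.get(name)):
                diffs.append((key, name, mv.get(name), rv.get(name)))
    return diffs


if __name__ == "__main__":
    zones = extract_subtree(parse_reg(FULL_EXPORT), ZONES)
    print(to_reg(zones))  # save as Zones-from-backup.reg and merge it instead of the whole backup
    for key, name, mine, ref in diff_reg(zones, parse_reg(REFERENCE)):
        print("%s  %s: backup=%s reference=%s" % (key, name, mine, ref))
```

To run it against the real backup, replace FULL_EXPORT with the file's contents (regedit writes Version 5.00 exports as UTF-16, so open the file with encoding="utf-16"). Merging a .reg only writes the values it lists and never deletes unlisted ones, so the diff shows exactly what the small file would change, and the "keys in use" error from importing the whole backup does not arise for a file that touches only the Zones subtree.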
 

Richard

Hi "peg2009",

First a reminder that if you do not yet have complete backup copies of all
your Valued Data, then as soon as possible you need to do that. (Notice I
said "copies" plural. :)

Also, you should read every topic in the Registry Editor HELP file, and in
particular, note this paragraph that is repeated in 26 out of 29 topics:

[begin quote:]
Caution - Incorrectly editing the registry may severely damage your system.
Before making changes to the registry, you should back up any valued data on
your computer.
[:end quote]

| I'm running WinXP Pro, SP2. I messed up while trying to remove a trojan
| with instructions in an article from Symantec. Article said to remove
| changes in a list of registry keys, if required. Some of the keys in my
| registry had the same value as on the list in Symantec's article, some
| did not. I started changing the ones that differed from the values in the
| Symantec article. Then I realized the article must be showing the "bad"
| values that might have been assigned by the trojan. So I was changing to
| the wrong values.

What trojan? What version of Internet Explorer? It should be possible to
reverse what was done, but you need to go back to that article and make sure
you know exactly what it is telling you to do, before proceeding further
with corrections.
I had made a backup of the registry before doing any editing, but when I
tried to import it, I got the message that it could not be imported
because some keys were in use. ("All data was not written.")

You were probably trying to import the entire registry, and all the data was
written except to a few keys that were in use, which would not be any of the
keys you had been trying to edit, and you probably do not need to be
concerned about that. It might help us to better advise you, if you post a
copy of the Symantec instructions here, or point us to a web page where we
can see what all Symantec thinks you should do. Were you viewing the
Symantec instructions in Internet Explorer, while connected to the internet,
while making registry changes? It is best to close all applications and any
open windows before such. NotePad is an exception. You could copy the
information from the page and paste it into a NotePad text document, which
can be open while editing the registry and doing other things.
I had changed maybe 8 keys, all in
HK_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\

OK, if you want to verify that the registry got changed back to the way it
was before you modified it, you need to look at three things. 1. The
Symantec article instructions. 2. The registry branch you indicated above in
the previous paragraph. 3. The backup copy of the registry, which you can
open with NotePad to view, (Right click and Edit,) and then search for
"HK_Local_Machine\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\"
(without the quotes,) to find the branch where the changes were attempted.
(Note that the words in quotes are all a single line, that may have been
split in newsgroup messages.)
I went back after trying to import the registry backup file and checked
these keys against the values in the Symantec article. Some do appear to
have gone back to a previous value, but I can't be sure now if all of
them are changed back. Also, most of them had the same value as the
potentially "bad" value in the Symantec writeup. In short, now I don't
know what would be the right values for any of these registry keys.

Again, your backup reg file will have the pre-change values for that branch,
and make sure you know what Symantec is saying you should do to fix things.
(It "sounds" like things got changed back to the previous reg version.)
Of course, the first thing I did was to disable System Restore per the
Symantec instructions, so I can't go to a restore point.

No sweat. (Close the barn door after the horse returns. :)
My questions:
1. What did the original error message I got when importing the backup
registry file mean? That the backup wasn't good, or that it just couldn't
be restored because programs were running?

The backup was good, and probably undid your changes, so you need to
continue with the Symantec guidance, after addressing the other things
mentioned above.
2. Would other parts of the registry have been affected/corrupted by my
attempting to import a file unsuccessfully?

Probably not. See above.
3. Is there any other way to correct these keys such as through Internet
Settings?

After you complete the Symantec guidance, and if things are not completely
back to normal, report your results back here. (It is a good idea to write
down everything you have done and are doing, in case you need to back track
again, and for future reference if another alien invasion descends upon your
computer.) The "zone.reg" that "Nass" suggested is a further thing that
could be tried, but before using that, you may need to splice lines that got
split into 2 lines by the newsreader software. Sections beginning and ending
with square brackets are a single line. When rejoining split lines within
brackets, there should be no spaces where you join them. (Make sure NotePad
word wrap is off.)

I would suggest that before trying the zone.reg thing, you first go to
Control Panel> Internet Options, and on the Security tab, click on each one
of the zones near the top of that dialog and click the Default level button
to reset your zones. You can then check to see what that changed in the
registry, and maybe compare that with the Symantec guidance.
4. Is there anything else I can do? Is there a way to diagnose what other
problems I might have caused?

Malwarebytes has already been suggested as an additional step. Report your
progress back here. You have already shown wisdom in hesitating to resort to
extreme measures. It never hurts to seek a 2nd opinion if you have the
slightest uncertainty what to do.
The method I used to create a registry backup was to run a tool on
Symantec's site, linked in their writeup.

That is one way. To make your own backup, simply goto Registry Editor, click
on "My Computer" at the top of the folder tree in the left panel. On the
menu bar, click File, and then Export. A normal SaveAs type dialog box will
appear for you to type a filename. Note that the bottom section of the
dialog is "Export Range" and the "All" item is selected. I usually use the
current date/time for a file name, for example, "200906230715.reg" in
yyyymmddhhmm form. I also keep a separate "changes.txt" text file in the
same folder as the regs, describing what was done before, during and after
the .reg file was made. In your case, if you were only making changes to the
"zones" branch, you could have selected the first item of that branch on the
folder tree, then click File and click Export, and when the dialog appears,
the "Export Range" at the bottom of the dialog would have the "Selected
Branch" already chosen for you, with the path information in the bottom box.
I would name that exported file "ie_zones.reg", rather than a date/time,
since it is not the complete registry. To undo any changes to zones, you
could then simply right-click "ie_zones.reg" and choose Merge, and click Yes
when the message asks, "Are you sure"? ("To boldly go..." Where? :)

If your computer is set up for more than one user, each account has separate
user data, and only the currently logged on user's data appears in the
Current User section of the Registry. During the time that the trojan was
active on your computer, if more than one user account was active, then you
would need to logon with each user account, and verify that the affected
registry sections have the correct values.
I really appreciate any help.

(Got "Valued Data" backed up? :)

I'm hopefully looking forward to the resolution of your problem.
FWIW. --Richard
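Richard's advice boils down to comparing the backup .reg export with the current state of the Zones branch, value by value. The script below is an added example (not code from this thread or from Symantec) that does that comparison offline: it parses two Registry Editor exports, keeps only the keys under the Zones branch, and lists every value whose data differs or that exists in one export but not the other. The two exports embedded in it are constructed samples that reuse the value names from the zone.reg posted earlier; the differing values in them are invented for the demonstration and say nothing about what any particular trojan changes.

```python
"""Diff one registry branch between two Registry Editor (.reg) exports.

Added example for this thread. The BACKUP_REG / CURRENT_REG texts are
constructed samples, not real exports from the poster's machine.
"""
import re
from collections import OrderedDict

# Branch discussed in the thread (the real key name has a space in "Internet Settings").
ZONES_BRANCH = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
                r"\Internet Settings\Zones")

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")            # [key] or [-key]
_VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')  # "name"=data or @=data


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text.

    Skips the header, blank lines and ';' comments; joins hex values that
    regedit continues onto the next line with a trailing backslash; a
    "[-key]" deletion entry is stored as None.
    """
    keys = OrderedDict()
    current = None
    pending = None  # (value name, partial data) while a hex value is continued
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, data = pending
            data += line.rstrip("\\").strip()
            if line.endswith("\\"):
                pending = (name, data)
            else:
                keys[current][name] = data
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT")):
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1) == "-":
                keys[m.group(2)] = None
                current = None
            else:
                current = m.group(2)
                keys.setdefault(current, OrderedDict())
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1).strip('"')
            data = m.group(2).strip()
            if data.endswith("\\"):
                pending = (name, data.rstrip("\\").strip())
            else:
                keys[current][name] = data
    return keys


def branch_values(parsed, branch):
    """Keep only keys at or below `branch` (registry paths are case-insensitive)."""
    prefix = branch.lower().rstrip("\\")
    return OrderedDict((k, v) for k, v in parsed.items()
                       if k.lower() == prefix or k.lower().startswith(prefix + "\\"))


def diff_branch(backup_text, current_text, branch=ZONES_BRANCH):
    """Return [(key, value_name, backup_data, current_data)] for every difference.

    A value missing from one side is reported as None, so values that were
    added since the backup and values that disappeared both show up.
    """
    before = branch_values(parse_reg(backup_text), branch)
    after = branch_values(parse_reg(current_text), branch)
    diffs = []
    for key in sorted(set(before) | set(after), key=str.lower):
        b, a = before.get(key) or {}, after.get(key) or {}
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                diffs.append((key, name, b.get(name), a.get(name)))
    return diffs


# Constructed sample exports (zone 3 is the Internet zone). The "Example" key is
# outside the branch and must not appear in the report.
BACKUP_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Example]
"Note"="before"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1405"=dword:00000000
"1406"=dword:00000003
"1407"=dword:00000001
"1601"=dword:00000000
"1604"=dword:00000000
"Icon"=hex(2):61,00,62,00,\
  63,00,00,00
"""

CURRENT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Example]
"Note"="after"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1405"=dword:00000000
"1406"=dword:00000000
"1407"=dword:00000001
"1601"=dword:00000000
"1604"=dword:00000000
"2000"=dword:00000003
"Icon"=hex(2):61,00,62,00,\
  63,00,00,00
"""


def format_report(diffs):
    """Human-readable listing of diff_branch() output."""
    lines = ["%s\n  %s: backup=%s  current=%s" % d[:1] + d[1:] if False else
             "%s\n  %s: backup=%s  current=%s" % d for d in diffs]
    return "\n".join(lines) if lines else "No differences in branch."


if __name__ == "__main__":
    print(format_report(diff_branch(BACKUP_REG, CURRENT_REG)))
```

To use it on real files, export the branch from Registry Editor as Richard describes (File > Export with "Selected branch") before and after, and read each file with `open(path, encoding="utf-16")`, since regedit on XP writes version 5.00 exports as UTF-16 with a byte-order mark. The parser only joins the backslash continuations regedit itself writes; lines that a newsreader has wrapped still have to be rejoined by hand first, as the post above notes.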
 

peg2009

nass said:
Hi,
This is the standard Registry Key and it doesn't have special or different
entries than the default Registry Key can have.

At this stage you don't need to worry about a certain level of Internet
Security Settings. It is infected; what more compromise of security than this
do you want!

This Reg will put your registry back to where it was, a default key without
any certain security level, and then after cleaning the system you can set up
the level you want.

Download HijackThis and send the report to one of
many forums for analysis and troubleshooting or you can send it to me on my
email provided at the bottom:
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)

Can you please send me a copy at (e-mail address removed) ,
remove the obvious to email me, note ( _ it is underscore not - ).

I ended up not using this method because I had additional registry keys in
these zones and wasn't sure if this would be advisable. Thanks for your help.
 

peg2009

Richard, thank you so much for this very comprehensive reply. Unfortunately,
because I needed to get this resolved quickly, I made a decision to follow
the recommendations of others on this thread and reformat/reinstall. I did
this also because even my backup registry file had been compromised by a
trojan, so I was backing up with (possibly) bad data. Starting over seemed
like the best shot at getting a cleaned-up system.

Richard said:

(snipped)
What trojan? What version of Internet Explorer? It should be possible to
reverse what was done, but you need to go back to that article and make sure
you know exactly what it is telling you to do, before proceeding further
with corrections.

The trojan was called Fakeavalert, the IE version is 7. The Symantec writeup
is here:
http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99&tabid=3

Where I made my error was this line:
"Restore the following registry entries to their previous values, if
required:"

This was followed by a long list of registry keys, and I proceeded thinking
that the values shown were the *correct* values. After I finished checking
the section relating to Internet Zones, I realized that this wasn't the case.
These were the values that might be assigned by the trojan. I confirmed by
comparing it to a list of possible registry changes in the Technical Details
part of the article. Both lists were the same. Of course, by this time I
didn't know what the original values had been, so I went to my backup.
You were probably trying to import the entire registry, and all the data was
written except to a few keys that were in use, which would not be any of the
keys you had been trying to edit, and you probably do not need to be
concerned about that. It might help us to better advise you, if you post a
copy of the Symantec instructions here, or point us to a web page where we
can see what all Symantec thinks you should do. Were you viewing the
Symantec instructions in Internet Explorer, while connected to the internet,
while making registry changes? It is best to close all applications and any
open windows before such. NotePad is an exception. You could copy the
information from the page and paste it into a NotePad text document, which
can be open while editing the registry and doing other things.

Since the backup was created using a tool on Symantec's site, IE was open
during the backup. And it was open during the import as well. Common sense
should have told me to close programs during the import, but better to know
late than never.

Thanks, again, for all the helpful suggestions in this post. I'm keeping a
copy of it, although it will be a long time (if ever) before I use regedit
again. However, it's good to know a better way to perform a registry backup,
or to backup certain sections.

Now if only I knew where the trojan came from.

Peggy
 

Gerry

Peg

Has it worked? Is your computer now working properly?


--


Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 

nass

peg2009 said:
I ended up not using this method because I had additional registry keys in
these zones and wasn't sure if this would be advisable. Thanks for your help.
It would not hurt if you tried. But I read your reply to Richard and hope
your clean installation is working okay.
Don't forget to install the latest drivers for your Motherboard from the
motherboard manufacturer website.
Good luck
 

peg2009

To the best of my knowledge and belief, everything is working OK. The person
who uses it regularly hasn't reported any more problems. Thanks to all for
your help.

Peggy
 

Gerry

You're welcome.


--


Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 