
Thread: New advertising malware?

  1. #111
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    I reckon it was a ghost file?..but I am so glad it's gone. (I danced a little jig, if you're from the south you'll know what that means)

    but want to say, it's been a pleasure.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  2. #112
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    Quote Originally Posted by Juliet View Post
    I reckon it was a ghost file?..but I am so glad it's gone. (I danced a little jig, if you're from the south you'll know what that means)

    but want to say, it's been a pleasure.
    I know what dancing a jig is all about!

    Just out of curiosity, I have something going on now (not related to the original problem!). One of the registry keys seems to have been... corrupted? System restore is not working due to a known problem put out by Microsoft. Somewhere along the line, a registry backup was done. I still have those files where the program put them. How can I restore the registry?

    I know that's going to put back entries that we removed, but, I still have the scripts available in this thread, so I can remove them again.

  3. #113
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Early on, did you download and use Tweaking registry backup?

    2015-02-28 18:21 - 2015-02-28 18:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
    2015-02-28 18:21 - 2015-02-28 18:21 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
    2015-02-21 11:06 - 2015-02-21 11:06 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-ELSERVICE13-Windows-7-Professional-(64-bit).dat
    2015-02-21 11:06 - 2015-02-21 11:06 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-ELSERVICE13-Windows-7-Professional-(64-bit).dat
    C:\Windows\tweaking.com-regbackup-ELSERVICE13-Windows-7-Professional-(64-bit).dat

    http://forums.spybot.info/showthread...nce%29-Updated
    did you follow requirements here on post #2?

    There will now be a folder at the root of the Hard-Drive named C:\RegBackup


    Can you give me info on what registry key is messing up?
    Last edited by Juliet; 2015-03-15 at 22:02.

  4. #114
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    Quote Originally Posted by Juliet View Post
    Early on, did you download and use Tweaking registry backup?

    2015-02-28 18:21 - 2015-02-28 18:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
    2015-02-28 18:21 - 2015-02-28 18:21 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
    2015-02-21 11:06 - 2015-02-21 11:06 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-ELSERVICE13-Windows-7-Professional-(64-bit).dat
    2015-02-21 11:06 - 2015-02-21 11:06 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-ELSERVICE13-Windows-7-Professional-(64-bit).dat
    C:\Windows\tweaking.com-regbackup-ELSERVICE13-Windows-7-Professional-(64-bit).dat

    http://forums.spybot.info/showthread...nce%29-Updated
    did you follow requirements here on post #2?

    There will now be a folder at the root of the Hard-Drive named C:\RegBackup


    Can you give me info on what registry key is messing up?

    Yes, I did, and I have the backups still available. I thought I had posted this already, but I figured out how to do the registry restore, and all is working well again. The registry key that was 'not quite right' is in the attached screen capture.

    Before I did the restore, I exported the entire registry into a separate folder. Now, I'm going to export it again into another folder, and then do a file compare to see what changed. If you've ever heard of TotalCommand, it's absolutely outstanding for that. Highlight one file in the left window, highlight another file in the right window, and have it compare by content. It will highlight all the differences. Once I find the difference with that class ID, I'll let you know.
    Attached Images

  5. #115
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    OK... the following is the results of comparing the two registry files. The section "Reg2" is the registry that I was having the problem with. The section "Reg3" is the restored registry that works. Note that there are 5 entries in the problem registry, and 10 entries in the working registry.


    Missing ClassID

    Reg2

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
    @="Task Bar Communication"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]
    @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
    00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,00,78,00,\
    70,00,6c,00,6f,00,72,00,65,00,72,00,66,00,72,00,61,00,6d,00,65,00,2e,00,64,\
    00,6c,00,6c,00,00,00
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
    @="Task Bar Communication"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
    @="Task Bar Communication"

    "LastKey"="Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Classes\\CLSID\\{56FDF344-FD6D-11d0-958A-006097C9A090}"

    Reg3

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
    @="Task Bar Communication"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]
    @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
    00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,00,78,00,\
    70,00,6c,00,6f,00,72,00,65,00,72,00,66,00,72,00,61,00,6d,00,65,00,2e,00,64,\
    00,6c,00,6c,00,00,00
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
    @="Task Bar Communication"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]
    @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
    00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,00,78,00,\
    70,00,6c,00,6f,00,72,00,65,00,72,00,66,00,72,00,61,00,6d,00,65,00,2e,00,64,\
    00,6c,00,6c,00,00,00
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
    @="Task Bar Communication"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]
    @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
    00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,00,78,00,\
    70,00,6c,00,6f,00,72,00,65,00,72,00,66,00,72,00,61,00,6d,00,65,00,2e,00,64,\
    00,6c,00,6c,00,00,00
    "ThreadingModel"="Apartment"

    [HKEY_USERS\S-1-5-21-1310488628-551009281-1505269296-1000\Software\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
    @="Task Bar Communication"

    [HKEY_USERS\S-1-5-21-1310488628-551009281-1505269296-1000\Software\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]
    @="C:\\Users\\Henry\\AppData\\Roaming\\xaeojhej\\colers.dll"
    "ThreadingModel"="Apartment"

    [HKEY_USERS\S-1-5-21-1310488628-551009281-1505269296-1000_Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
    @="Task Bar Communication"

    [HKEY_USERS\S-1-5-21-1310488628-551009281-1505269296-1000_Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]
    @="C:\\Users\\Henry\\AppData\\Roaming\\xaeojhej\\colers.dll"
    "ThreadingModel"="Apartment"
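    The comparison in post #115 shows the pattern worth catching automatically rather than by eye. The machine-wide registration for CLSID {56FDF344-FD6D-11d0-958A-006097C9A090} ("Task Bar Communication") points at %SystemRoot%\system32\explorerframe.dll, while a per-user key under HKEY_USERS\<SID>\Software\Classes\...\InProcServer32 points at a DLL in the user's AppData\Roaming folder. For a non-elevated process COM consults HKCU\Software\Classes before HKLM, so the per-user entry wins and any program that instantiates that class loads the attacker's DLL: a COM hijack, which is why the rogue processes came back as long as the folder existed. The script below is an added example, not code from this thread or from FRST or Tweaking.com. It parses two regedit exports the way the "compare by content" step did, handling hex(2) REG_EXPAND_SZ values and backslash-continued lines, diffs them, and flags per-user InProcServer32 entries that shadow a machine-wide registration or live in a user-writable path. The sample exports are constructed from the keys quoted above; the function names and the REG_BEFORE/REG_AFTER inputs are my own.

```python
import re

# Constructed sample: a cut-down .reg export modelled on the keys quoted in
# this thread (the SID and the DLL path are the ones shown in post #115).
REG_AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}]
@="Task Bar Communication"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,00,78,00,\
  70,00,6c,00,6f,00,72,00,65,00,72,00,66,00,72,00,61,00,6d,00,65,00,2e,00,64,\
  00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_USERS\S-1-5-21-1310488628-551009281-1505269296-1000\Software\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32]
@="C:\\Users\\Henry\\AppData\\Roaming\\xaeojhej\\colers.dll"
"ThreadingModel"="Apartment"
'''
# Constructed "before" export: the same machine-wide keys, no per-user override.
REG_BEFORE = REG_AFTER.split("[HKEY_USERS")[0]

HEX_RE = re.compile(r"hex(?:\((\d+)\))?:(.*)")
SERVER_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.I)
USER_WRITABLE_RE = re.compile(r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%|[A-Z]:\\Users\\)", re.I)


def decode_value(data):
    """Decode one .reg value body: quoted REG_SZ or hex(2)/hex(7) UTF-16LE strings."""
    if data.startswith('"') and data.endswith('"'):
        # regedit escapes backslash and double quote with a backslash
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = HEX_RE.match(data)
    if m and m.group(1) in ("2", "7"):
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data  # dword, binary and other types: keep the raw text


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a regedit export."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\"):            # backslash-continued hex data
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        keys[current][name if name == "@" else name.strip('"')] = decode_value(data)
    return keys


def diff_reg(before, after):
    """Values that differ between two parsed exports, as (key, name, old, new)."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                changes.append((key, name, old.get(name), new.get(name)))
    return changes


def suspicious_hijacks(keys):
    """Per-user InProcServer32 entries that shadow a machine-wide class or
    point into a user-writable location. Returns (clsid, dll_path, reasons)."""
    servers = []
    for key, values in keys.items():
        m = SERVER_RE.search(key)
        if m and "@" in values:
            hive = key.split("\\", 1)[0].upper()
            per_user = hive in ("HKEY_USERS", "HKEY_CURRENT_USER")
            servers.append((m.group(1).upper(), per_user, values["@"]))
    machine_wide = {clsid for clsid, per_user, _ in servers if not per_user}
    findings = []
    for clsid, per_user, dll in servers:
        if not per_user:
            continue
        reasons = []
        if clsid in machine_wide:
            reasons.append("per-user entry shadows the machine-wide registration")
        if USER_WRITABLE_RE.match(dll):
            reasons.append("server DLL lives in a user-writable profile path")
        if reasons:
            findings.append((clsid, dll, reasons))
    return findings


if __name__ == "__main__":
    for key, name, old, new in diff_reg(parse_reg(REG_BEFORE), parse_reg(REG_AFTER)):
        print(f"changed: [{key}] {name}: {old!r} -> {new!r}")
    for clsid, dll, reasons in suspicious_hijacks(parse_reg(REG_AFTER)):
        print(f"HIJACK? {clsid} -> {dll}: {'; '.join(reasons)}")
```

    Run it against two full exports (regedit /e, or the .dat files a registry backup tool wrote) by reading them into REG_BEFORE and REG_AFTER; regedit writes UTF-16LE with a BOM, so open those files with encoding="utf-16". The diff answers "what changed", and the second function answers the question that matters for cleanup: which per-user class registration will be loaded in place of the legitimate one, so that deleting the DLL folder is followed by removing the key that still points at it.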

  6. #116
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    I figured out how to do the registry restore, and all is working well again
    yes!

    In Reg3, all those items were restored?

    I see the bad folder and the bad file?

  7. #117
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    Quote Originally Posted by Juliet View Post
    yes!

    In Reg3, all those items were restored?

    I see the bad folder and the bad file?

    The entire registry was restored - the whole shootin' match. Like I had mentioned in one of my last posts, this will restore all the 'bad' stuff too... but we know what was removed. The fixlist entries are still in the messages here. Even though it will be 'been there, done that', at least we're not shooting in the dark looking for the problem. And on that subject, the original problem did *not* return with the registry restore. The registry entries were restored, not the folder or the files. When the folder with the files was deleted, the problem went away. Those files are still gone.

    The restored registry now references non-existent files, but I can fix that. I can go back through the message thread, get all the FRST fixlist files, and re-run them.

  8. #118
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    the original problem did *not* return with the registry restore. The registry entries were restored, not the folder or the files. When the folder with the files was deleted, the problem went away. Those files are still gone.

    The restored registry now references non-existent files, but I can fix that. I can go back through the message thread, get all the FRST fixlist files, and re-run them.
    Was thinking I was getting ready to shoot you!, then read it over again and see it's better than expected.

    goodness gracious, ok, the computer still in good shape?

  9. #119
    Member
    Join Date
    Feb 2015
    Posts
    73

    Default

    Quote Originally Posted by Juliet View Post
    Was thinking I was getting ready to shoot you!, then read it over again and see it's better than expected.

    goodness gracious, ok, the computer still in good shape?

    I was wearing my bulletproof vest... I had thought about the possibility of bringing the original problem back, then remembered that the folder was deleted, so the offending DLLs are no longer available. If they're not on the system, they can't be executed. I'm going to locate the fixlist where the coler.dll entries were removed, and run that one only, since that DLL was the problem. At least the references to it will be gone also.

    And so far, so good. I haven't seen the rogue processes yet. I'll be keeping an eye on it for a few days again, but I'm confident that I won't see the problem.

  10. #120
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    I was wearing my bulletproof vest
    LOL!
    You know, if it ain't broke?
