No sound problem in XP after trojan (corrupted driver32 registry key)


I recently repaired an XP computer with a nasty bootkit trojan. None of the usual programs would touch it. ComboFix came up with nothing and TDSSKiller wouldn't even start. I finally fixed it with the Kaspersky Rescue Disk. But that was only the beginning of my problem.

This article was written with an experienced computer tech in mind, so if it reads like Greek, you should probably seek help elsewhere.

I brought back the PC, plugged it in and fired it up. There was silence. The normal Windows event sounds like click, chime, and tada would not work. I could not get the volume icon to show up in the system tray. Sound would work, however, in iTunes and Windows Media Player. I could not adjust anything in Sounds and Audio Devices. I reset the sound theme. The PLAY triangle next to each Windows sound was grayed out. The sound card showed up as the playback device, but I could not adjust it.

Naturally I uninstalled the sound driver and reinstalled it (from Dell's website). It installed fine but still no sounds. I tried a system restore but was unable to go back. I thought maybe the audio codecs were messed up, so I ran some script that I found to restore them. No luck.

Finally I decided to download the K-Lite Codec Pack and install it. To my surprise I got an error message about having no permission to write to a registry key. The key was HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32. I went into regedit and tried to access it; sure enough, no access to Drivers32 at all. I rebooted into safe mode and logged on as the Administrator. Still I could not access that key. I could not take ownership. I could not change permissions. I booted with my BartPE disk and loaded up the Software hive, and I still had no access and couldn't take ownership. I concluded that the bootkit had corrupted my registry.

I managed to fix this stubborn problem. I started by going into the System Volume Information folder on the C drive (I was still in BartPE), found a backup copy of my Software hive from before the infection, and copied it back to the C:\Windows\System32\Config folder. Here are some directions on how to manually restore registry files from the system restore folder: http://www.overclock.net/faqs/126252-how-manually-restore-system-registry-windows.html. I usually do it from my BartPE disk, but SystemRescueCD works fine too. I restarted, crossed my fingers, and I've never heard such sweet music.
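The hive swap above is done by hand in the article. As an added example (not the article's own script, and not from any of the tools it mentions), the following shell script does the same thing from a Linux rescue environment such as SystemRescueCD, and generalizes it slightly: it picks the newest System Restore snapshot that still contains a SOFTWARE hive copy, optionally capped at a restore-point number you trust (one from before the infection), and keeps a `.bak` of the live hive so the step can be undone. It assumes the XP volume is already mounted read-write (for example with ntfs-3g at `/mnt/xp`), that XP's snapshot layout is `System Volume Information/_restore{GUID}/RP<n>/snapshot/_REGISTRY_MACHINE_SOFTWARE`, and that the live hive is `WINDOWS/system32/config/software` under the mount point; adjust the case of those names if your volume differs.

```shell
#!/bin/sh
# Added example: restore the XP SOFTWARE registry hive from a System Restore
# snapshot, the way the article does by hand from BartPE/SystemRescueCD.
# Assumptions (not taken from the article): the XP volume is mounted read-write
# at the path given as $1, and the snapshot/live hive paths follow XP's usual layout.

# Print the path of the SOFTWARE hive copy in the highest-numbered RP<n> snapshot.
# Optional $2 is the highest restore-point number to consider (a point you trust,
# i.e. one taken before the infection). Returns 1 if no usable snapshot exists.
latest_software_backup() {
    vol="$1"; max="${2:-}"; best=""; best_n=-1
    for hive in "$vol"/System\ Volume\ Information/_restore*/RP*/snapshot/_REGISTRY_MACHINE_SOFTWARE; do
        [ -f "$hive" ] || continue                      # unmatched glob or stray file
        n=$(basename "$(dirname "$(dirname "$hive")")") # e.g. "RP42"
        n=${n#RP}
        case "$n" in ''|*[!0-9]*) continue ;; esac      # skip anything not RP<digits>
        if [ -n "$max" ] && [ "$n" -gt "$max" ]; then continue; fi
        if [ "$n" -gt "$best_n" ]; then best_n=$n; best="$hive"; fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Keep a copy of the live (corrupted) hive as software.bak, then overwrite the
# live hive with the chosen snapshot copy. Prints the snapshot path that was used.
restore_software_hive() {
    vol="$1"
    src=$(latest_software_backup "$vol" "${2:-}") || {
        echo "no snapshot with a SOFTWARE hive copy found under $vol" >&2; return 1; }
    live="$vol/WINDOWS/system32/config/software"
    [ -f "$live" ] || { echo "live hive not found at $live" >&2; return 1; }
    cp -p "$live" "$live.bak"   # undo path: cp -p "$live.bak" "$live"
    cp -p "$src" "$live"
    printf '%s\n' "$src"
}

# Usage: sh restore_software_hive.sh /mnt/xp [max_rp]
if [ "$#" -ge 1 ]; then
    restore_software_hive "$@"
fi
```

Run `latest_software_backup /mnt/xp` first to see which snapshot would be used; if that restore point is newer than the infection, pass a lower RP number as the second argument. The snapshot hive is a point-in-time copy, so anything installed after that restore point (drivers, codec packs) will need to be reinstalled once Windows boots.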