W32/Trats!inf gone from bad to worse

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

FLSHBCK

Thread Starter
Joined
Feb 6, 2008
Messages
38
Hi, I was wrestling with an infection of W32.trats!inf on a laptop - Windows XP home.

Norton Antivirus keeps finding it and has been unable to get rid of it, so I was attempting to remove it manually.

vtstr.dll is in the Windows/system32 folder, along with various registry entries related to it.

I just tried to boot into safe mode, and it now will not log in and says "Unable to log you on because of an account restriction" in both safe and normal boot modes.

Any suggestions?

Thanks!
 

Cookiegal

Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,519
First Name
Karen
Hi and welcome to TSG,

Can you boot the computer to the Last Known Good Configuration?
 

FLSHBCK

Thread Starter
Joined
Feb 6, 2008
Messages
38
I can, but it's the same result - "Unable to log you on because of an account restriction"
 

Cookiegal

Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,519
First Name
Karen
Can you boot to Safe Mode with Command Prompt? If so, enter this command:

%systemroot%\system32\restore\rstrui.exe

This will start the system restore wizard and then you can try to restore to an earlier date before this happened.
 

FLSHBCK

Thread Starter
Joined
Feb 6, 2008
Messages
38
I get the same thing for any of the Safe Modes... "Unable to log you on because of an account restriction"
 

Cookiegal

Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,519
First Name
Karen
Are you trying to log in as administrator? How many other accounts are there?
 

FLSHBCK

Thread Starter
Joined
Feb 6, 2008
Messages
38
In safe mode, just Administrator and USER

Not in safe mode just USER

I get the same error no matter which account I try to log into in any mode.
 

Cookiegal

Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,519
First Name
Karen
Is this XP Pro or Home?

What program(s) had you run just before and/or what registry entries were deleted?
 

Cookiegal

Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,519
First Name
Karen
Also, if you just click OK when you get that message does it not continue on?
 

FLSHBCK

Thread Starter
Joined
Feb 6, 2008
Messages
38
XP Home

Unfortunately I don't recall what I did right before that happened. I've found other information on the web that leads me to believe perhaps the problem might be helped by changing HKEY_LOCAL_MACHINE/System/CurrentControlSet/Lsa/limitblankpassworduse to 0, but I have no idea how to do that from outside the system.

I have a boot CD that will let me explore the affected drive from outside the system.

If I click OK, it goes on to the logon screen where I can click on the USER account (or in Safe Mode either Administrator or USER). It pops up a password box (machine had no password previously). If I hit enter there, I get the same message.
 

Cookiegal

Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,519
First Name
Karen
I'm sure I know what's happened. You probably deleted this key:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_SZ msv1_0

Because it had malware loading there but by doing so it's preventing the logon process.

Do you remember the name of the file that might have been inserted there beside msv1_0? You mentioned vtstr.dll, could that be it?


Do you have the installation CD so that we can install the recovery console?
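
As an added example (not part of the original posts): a Python check that reads a regedit-style export of the Lsa key and reports whether Authentication Packages is missing or lists anything besides msv1_0. The sample export is constructed, the `vtstr` entry mirrors the file name guessed in the post above, and the `hex(7)` multi-string form is how regedit exports this value.

```python
import re

EXPECTED = {"msv1_0"}  # assumption: baseline for a standalone XP Home install

# Constructed sample export; "vtstr" mirrors the file name guessed in the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,76,\
  00,74,00,73,00,74,00,72,00,00,00,00,00
"LimitBlankPasswordUse"=dword:00000001
'''

def parse_multi_sz(hex_body):
    """Decode a hex(7) body (UTF-16LE, NUL-separated strings) into a list."""
    raw = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", hex_body))
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def authentication_packages(reg_text):
    """Return the Authentication Packages entries, or None if the value is absent."""
    text = reg_text.replace("\r\n", "\n").replace("\\\n", "")  # join continuations
    in_lsa = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_lsa = line.lower().endswith("\\control\\lsa]")
        elif in_lsa and line.lower().startswith('"authentication packages"='):
            value = line.split("=", 1)[1]
            if value.lower().startswith("hex(7):"):
                return parse_multi_sz(value[len("hex(7):"):])
            return [value.strip('"')]  # plain string form
    return None

def audit(reg_text):
    """List findings: value missing, msv1_0 missing, or unexpected extra entries."""
    pkgs = authentication_packages(reg_text)
    if pkgs is None:
        return ["MISSING: Authentication Packages value is absent"]
    findings = []
    if "msv1_0" not in {p.lower() for p in pkgs}:
        findings.append("MISSING: msv1_0 is not listed")
    findings += [f"UNEXPECTED: {p}" for p in pkgs if p.lower() not in EXPECTED]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["OK: only msv1_0 is listed"]:
        print(finding)
```

An empty result means only msv1_0 is listed; a MISSING finding corresponds to the deleted-value situation described in the post above.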
 

FLSHBCK

Thread Starter
Joined
Feb 6, 2008
Messages
38
That's quite possible. Yes I have the installation CD and can get the recovery console.
 

Cookiegal

Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,519
First Name
Karen
Do you know how to install the recovery console?
 

FLSHBCK

Thread Starter
Joined
Feb 6, 2008
Messages
38
If it's booting to the install CD, then pressing R, then yes. I have no idea what to do when I get there however.
 

Cookiegal

Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
116,519
First Name
Karen
This is meant to copy the valid MSV1_0.DLL to replace the file that "may" be there so you can be authenticated. It's a long shot, especially since we're not sure of the file name, but at worst, it just won't work.

If your path is not C:\Windows\System32 then change it in the command line accordingly please.

When typing the line below at the command prompt, be careful to type it exactly.

Important notes:
There's a space between copy and C:\windows
There's a space between MSV1_0.DLL and C:\windows

MSV1_0.DLL - the 1 after MSV is the digit 1 and the 0 is the digit 0 (not the letter O)


Insert the CD into the CD-ROM and boot the machine from CD-ROM
Follow the instructions from the following pictures:

At the command prompt (c:\Windows>) type the following line followed by ENTER

copy C:\windows\system32\MSV1_0.DLL C:\windows\system32\vtstr.dll

Type EXIT at the prompt to exit the recovery console.

Remove the CD.

See if the machine will reboot to Windows normally.
 