"restrictanonymous" setting problem.....

I tried to connect to a WinXP machine on my network that is in the same
domain as my other 2 XP PCs and has folders shared for use by everyone.

But, when I tried to connect to that PC to view the shared folders, I got a
message that said "XXXXXXX is not accessible. You might not have permission
to use this network resource. Access is denied."

When I searched for a solution, I found a KB article at Microsoft
(http://support.microsoft.com/kb/913628) that explained that the problem
could be due to the
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous"
setting being set to "1". The article said to set this to "0" to allow
anonymous file sharing on the local network.

So, I set the "restrictanonymous" setting to "0" and rebooted as the KB
article said. But, when my PC rebooted, I still had the same problem and the
"restrictanonymous" setting was back at "1".

I tried to change it several more times - each time I got the same result.

Finally (thinking that something may be changing it before logging off) I
reset "restrictanonymous" to "0" and did a hard reboot by hitting my
system's restart button. But, again, the "restrictanonymous" setting was
back to "1".

I even tried disabling the XP firewall (no reboot) and got the same error.

I am running NOD32 antivirus (www.eset.com) and Windows XP Firewall.  No
other security applications are running (AFAIK).

I even disabled the firewall, uninstalled NOD32 and retried changing the
"restrictanonymous" setting with the same result.  (I re-installed NOD32 and
re-enabled the firewall afterwards.)

PC is running slower than normal and NOD32 was picking up a lot of threats
last week (mostly in the temp files - which I deleted).

I have worked with a lot of XP PCs, but I have never seen this before.

What could be resetting my
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous"
setting to "1"?

squishy




...it gets worse.....


I thought I'd use ProcessMonitor
(http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx)
to monitor which file was changing my registry setting.  Strangely enough, I
cannot download the exe from the website.  I just keep timing out.

Now, normally, I am not a paranoid-type person....but I am starting to
wonder.

squishy



Re: ...it gets worse.....


Now I have found "avp.exe" running in my processes.  Some report this as a
Kaspersky antivirus file.  Only problem with that is that I have never loaded
Kaspersky on my PC.

There are also 2 "McAfee Online Virus Scanner" entries in my startup
(according to TuneUp Utilities 2007) and I have never (and would never) run
anything from McAfee.  They suck.

I have disabled them from TuneUp Utilities 2007 only to have them re-enabled
when I restart the PC.

There is no uninstall for the McAfee stuff.  They don't show in IE's add-on
manager and there is no McAfee folder in my Program Files directory.

The McAfee stuff was pointing to the avp.exe file so I deleted it.

In msconfig/Services I see an entry named
"##Id_String1.6844F930_1682_4223_B5CC_5BB94B879762##".  I don't know what the
hell that is, so I disabled it.

I also found "C:\WINDOWS\retadpu173.exe
61A847B5BBF728133598284503996897C881250221C8670836AC4FA7C8833201749139" in
HKLM\software\microsoft\windows\currentversion\run.  I don't know what the
hell that is - so I disabled it.

Looks like I may be in for another fucking re-install!

Well, I guess my days of trusting NOD32 are now officially over.

squishy



Re: ...it gets worse.....



Found this at http://eset.com/threat-center/blog/?feed=rss2&p=62

"I don't know where to post this, but I find out that the Time
C:\WINDOWS\retadpu173.exe Win32/TrojanDownloader.Agent.NKY trojan
Also modifies this entry on the windows registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"restrictanonymous"=dword:00000000

It changes "restrictanonymous" to 1
Also there are other registry keys that I found different from the default
values.."

NOD32 has not cleaned this in 4 deep system scans.

squishy
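An added example, not from the thread or from ESET/Microsoft, that audits the two places this thread turns on: the Lsa "restrictanonymous" value the trojan keeps rewriting, and the Run key where "C:\WINDOWS\retadpu173.exe" plus its long hex string was found. It assumes an elevated PowerShell prompt on the affected machine and treats the KB article's value of 0 as the expected one; the "suspicious" heuristics (an .exe sitting directly in the Windows folder, or a 40+ character hex blob in the command) are this example's own and only flag entries for review.

```powershell
# Added audit script (not part of the original thread). Assumes an elevated prompt.
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$expected = 0   # value the KB article says allows anonymous access on the LAN (assumption)

function Get-RestrictAnonymous {
    # Returns the current DWORD, or $null if the value does not exist
    (Get-ItemProperty -Path $lsaPath -Name 'restrictanonymous' -ErrorAction SilentlyContinue).restrictanonymous
}

function Get-RunEntries {
    # Lists every autostart command under the Run keys; PS* properties are key metadata, not entries
    foreach ($path in $runPaths) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {
                [pscustomobject]@{ Key = $path; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

function Test-SuspiciousRunCommand([string]$cmd) {
    # Heuristic from the thread: an .exe directly in the Windows folder, or a long hex blob on the command line
    ($cmd -match '^"?[A-Z]:\\WINDOWS\\[^\\]+\.exe') -or ($cmd -match '\b[0-9A-Fa-f]{40,}\b')
}

# 1. Report drift from the expected restrictanonymous value
$current = Get-RestrictAnonymous
if ($current -ne $expected) {
    Write-Warning "restrictanonymous is $current (expected $expected); something may be rewriting it"
} else {
    Write-Host "restrictanonymous = $current (as expected)"
}

# 2. List Run entries, tagging the ones that match the pattern seen in the thread
foreach ($entry in Get-RunEntries) {
    $tag = if (Test-SuspiciousRunCommand $entry.Command) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1} : {2} = {3}' -f $tag, $entry.Key, $entry.Name, $entry.Command
}
```

Running it every few minutes (for example from a scheduled task that appends the output to a log) records when the value flips back to 1, which narrows down which process to watch in Process Monitor.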


