"restrictanonymous" setting problem.....

squishy

I tried to connect to a WinXP machine on my network that is in the same
domain as my other 2 XP PCs and has folders shared for use by everyone.

But, when I tried to connect to that PC to view the shared folders, I got a
message that said "XXXXXXX is not accessible. You might not have permission
to use this network resource. Access is denied."

When I searched for a solution, I found a KB article at Microsoft
(http://support.microsoft.com/kb/913628) that explained that the problem
could be due to the
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous"
setting being set to "1". The article said to set this to "0" to allow
anonymous file sharing on the local network.

So, I set the "restrictanonymous" setting to "0" and rebooted as the KB
article said. But, when my PC rebooted, I still had the same problem and the
"restrictanonymous" setting was back at "1".

I tried to change it several more times - each time I got the same result.

Finally (thinking that something may be changing it before logging off) I
reset "restrictanonymous" to "0" and did a hard reboot by hitting my
system's restart button. But, again, the "restrictanonymous" setting was
back to "1".

I even tried disabling the XP firewall (no reboot) and got the same error.

I am running NOD32 antivirus (www.eset.com) and Windows XP Firewall. No
other security applications are running (AFAIK).

I even disabled the firewall, uninstalled NOD32 and retried changing the
"restrictanonymous" setting with the same result. (I re-installed NOD32 and
re-enabled the firewall afterwards.)

PC is running slower than normal and NOD32 was picking up a lot of threats
last week (mostly in the temp files - which I deleted).

I have worked with a lot of XP PCs, but I have never seen this before.

What could be resetting my
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous"
setting to "1"?

squishy
 
squishy

I thought I'd use ProcessMonitor
(http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx)
to monitor which file was changing my registry setting. Strangely enough, I
cannot download the exe from the website. I just keep timing out.

Now, normally, I am not a paranoid-type person....but I am starting to
wonder.

squishy
 
squishy

Now I have found "avp.exe" running in my processes. Some report this as a
Kaspersky antivirus file. Only problem with that is that I have never loaded
Kaspersky on my PC.

There are also 2 "McAfee Online Virus Scannner" entries in my startup
(according to TuneUp Utilities 2007) and I have never (and would never) run
anything from McAfee. They suck.

I have disabled them from TuneUp Utilities 2007 only to have them re-enabled
when I restart the PC.

There is no uninstall for the McAfee stuff. They don't show in IE's add-on
manager and there is no McAfee folder in my Program Files directory.

The McAfee stuff was pointing to the avp.exe file so I deleted it.

In msconfig/Services I see an entry named
"##Id_String1.6844F930_1682_4223_B5CC_5BB94B879762##". I don't know what the
hell that is, so I disabled it.

I also found "C:\WINDOWS\retadpu173.exe
61A847B5BBF728133598284503996897C881250221C8670836AC4FA7C8833201749139" in
HKLM\software\microsoft\windows\currentversion\run. I don't know what the
hell that is - so I disabled it.

Looks like I may be in for another ****ing re-install!

Well, I guess my days of trusting NOD32 are now officially over.

squishy
 
squishy

Found this at http://eset.com/threat-center/blog/?feed=rss2&p=62

"I don't know where to post this, but I find out that the Time
C:\WINDOWS\retadpu173.exe Win32/TrojanDownloader.Agent.NKY trojan
Also modifies this entry on the windows registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"restrictanonymous"=dword:00000000

It changes "restrictanonymous" to 1
Also there are other registry keys that I find out different to the default
values.."

NOD32 has not cleaned this in 4 deep system scans.

squishy
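
The manual check described in this thread (reading the Lsa "restrictanonymous" value and looking through the Run key for entries nobody installed) can be repeated offline against a regedit export. The following is an added example, not part of the original posts: the sample export, the Run value names and the hex argument are constructed, and the two triage heuristics are assumptions of this example that mark entries for review, not a malware verdict.

```python
import re
# Constructed sample in regedit export (.reg) form. Only retadpu173.exe and the
# Lsa value come from the thread; Run value names and the hex argument are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\WINDOWS\\retadpu173.exe 0123456789ABCDEF0123456789ABCDEF"
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /min"
'''
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: value}} from .reg export text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg escaping
    return keys

def triage_run(keys):
    """Flag Run entries worth a closer look (heuristics, not a malware verdict)."""
    findings = []
    for name, cmd in keys.get(RUN, {}).items():
        m = re.match(r'(?:"([^"]*)"|(\S*))\s*(.*)$', str(cmd))
        image, args = m.group(1) or m.group(2) or "", m.group(3)
        reasons = []
        if re.fullmatch(r"(?i)[a-z]:\\windows\\[^\\]+\.exe", image):
            reasons.append("image sits directly in the Windows directory")
        if re.search(r"\b[0-9A-Fa-f]{32,}\b", args):
            reasons.append("long hex string passed as argument")
        if reasons:
            findings.append((name, image, reasons))
    return findings

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print(parsed[LSA], triage_run(parsed))
```

Running the same parse on exports taken before and after a reboot shows whether the Lsa value was rewritten in between.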
 