Posted by squishy on May 27, 2007, 5:25 pm
>>>I tried to connect to a WinXP machine on my network that is in the same
>>> domain as my other 2 XP PCs and has folders shared for use by everyone.
>>>
>>> But, when I tried to connect to that PC to view the shared folders, I
>>> got a message that said "XXXXXXX is not accessible. You might not have
>>> permission to use this network resource. Access is denied."
>>>
>>> When I searched for a solution, I found a KB article at Microsoft
>>> (http://support.microsoft.com/kb/913628) that explained that the problem
>>> could be due to the
>>> "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous"
>>> setting being set to "1". The article said to set this to "0" to allow
>>> anonymous file sharing on the local network.
>>>
>>> So, I set the "restrictanonymous" setting to "0" and rebooted as the KB
>>> article said. But, when my PC rebooted, I still had the same problem and
>>> the "restrictanonymous" setting was back at "1".
>>>
>>> I tried to change it several more times - each time I got the same
>>> result.
>>>
>>> Finally (thinking that something may be changing it before logging off)
>>> I reset "restrictanonymous" to "0" and did a hard reboot by hitting my
>>> system's restart button. But, again, the "restrictanonymous" setting was
>>> back to "1".
>>>
>>> I even tried disabling the XP firewall (no reboot) and got the same
>>> error.
>>>
>>> I am running NOD32 antivirus (www.eset.com) and Windows XP Firewall. No
>>> other security applications are running (AFAIK).
>>>
>>> I even disabled the firewall, uninstalled NOD32 and retried changing the
>>> "restrictanonymous" setting with the same result. (I re-installed NOD32
>>> and re-enabled the firewall afterwards.)
>>>
>>> PC is running slower than normal and NOD32 was picking up a lot of
>>> threats last week (mostly in the temp files - which I deleted).
>>>
>>> I have worked with a lot of XP PCs, but I have never seen this before.
>>>
>>> What could be resetting my
>>> "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous"
>>> setting to "1"?
>>>
>>> squishy
>>
>> I thought I'd use ProcessMonitor
>> (http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx)
>> to monitor which file was changing my registry setting. Strangely
>> enough, I cannot download the exe from the website. I just keep timing
>> out.
>>
>> Now, normally, I am not a paranoid-type person....but I am starting to
>> wonder.
>>
>> squishy
>
> Now I have found "avp.exe" running in my processes. Some report this as a
> Kaspersky antivirus file. Only problem with that is that I have never
> loaded Kaspersky on my PC.
>
> There are also 2 "McAfee Online Virus Scanner" entries in my startup
> (according to TuneUp Utilities 2007) and I have never (and would never)
> run anything from McAfee. They suck.
>
> I have disabled them from TuneUp Utilities 2007 only to have them
> re-enabled when I restart the PC.
>
> There is no uninstall for the McAfee stuff. They don't show in IE's
> add-on manager and there is no McAfee folder in my Program Files
> directory.
>
> The McAfee stuff was pointing to the avp.exe file so I deleted it.
>
> In msconfig/Services I see an entry named
> "##Id_String1.6844F930_1682_4223_B5CC_5BB94B879762##". I don't know what
> the hell that is, so I disabled it.
>
> I also found "C:\WINDOWS\retadpu173.exe
> 61A847B5BBF728133598284503996897C881250221C8670836AC4FA7C8833201749139" in
> HKLM\software\microsoft\windows\currentversion\run. I don't know what the
> hell that is - so I disabled it.
>
> Looks like I may be in for another fucking re-install!
>
> Well, I guess my days of trusting NOD32 are now officially over.
>
> squishy
Found this at http://eset.com/threat-center/blog/?feed=rss2&p=62
"I don't know where to post this, but I find out that the Time
C:\WINDOWS\retadpu173.exe Win32/TrojanDownloader.Agent.NKY trojan
Also modifies this entry on the windows registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"restrictanonymous"=dword:00000000
It changes "restrictanonymous" to 1
Also there are other registry keys that I found different from the default
values.."
NOD32 has not cleaned this in 4 deep system scans.
squishy
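A defender-side audit for the symptoms described in this thread, added here as an example (not code from the original post or from ESET): it reads the current restrictanonymous value, lists Run-key entries whose executable sits directly in the Windows directory (as C:\WINDOWS\retadpu173.exe did), and lists services whose registry name contains "##". It assumes PowerShell on a Windows host with rights to read HKLM; the paths are the ones named in the thread.

```powershell
# Added audit script, not part of the original thread.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RestrictAnonymous {
    # Current DWORD under Lsa, or $null if the value is absent.
    (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).restrictanonymous
}

function Get-WinDirAutoruns {
    # Run-key entries whose command points at an .exe directly under %WINDIR%
    # (not System32); legitimate software rarely installs itself there.
    $winDir = [regex]::Escape($env:WINDIR)
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            if ("$($p.Value)" -match "^`"?$winDir\\[^\\]+\.exe") {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Get-OddServiceNames {
    # Services whose key name contains '##', like the msconfig entry above.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { $_.PSChildName -like '*##*' } |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.PSChildName; ImagePath = $_.GetValue('ImagePath') }
        }
}

# Snapshot the value twice across a pause: a flip from 0 back to 1 with no
# reboot means something running now is rewriting it, so go to Process Monitor.
$first = Get-RestrictAnonymous
Write-Host "restrictanonymous = $first"
Get-WinDirAutoruns  | Format-Table -AutoSize
Get-OddServiceNames | Format-Table -AutoSize
Start-Sleep -Seconds 60
$second = Get-RestrictAnonymous
if ($first -ne $second) { Write-Warning "restrictanonymous changed from $first to $second" }
```

Run it from an elevated prompt so HKLM reads are not blocked, and compare the listed autoruns against what you actually installed.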