Sign in with
Sign up | Sign in
Your question

What is the event Viewer telling me?

Tags:
  • Event Viewer
  • Computers
  • Microsoft
  • Windows XP
Last response: in Windows XP
Share
Anonymous
September 8, 2004 2:54:01 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

I just found the event viewer in the program menu under admin tools. When I
click the Security tab it lists what looks like a series of network events.
User is shown as me, system, network services, local service or guest most
of the time. Guest appears to be when another computer on my network (2
other family members) accesses my disk. Event numbers are usually 528 or
576 or 850 or 849 or 680 plus a few others.

My concern is that every few hours there is an entry of event 540 with user
Anonymous Logon ! Properties says logon type = 3 and windows help says that
is somebody on the network logging in, but this is happening when only me is
using the computer and nothing else on the network is switched on.

I have not noticed anything going on that is suspicious but this entry in
the event viewer certainly does look suspicious.

Have I been hacked or is there an innocent explanation?

More about : event viewer telling

Anonymous
September 8, 2004 2:54:02 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Please try your question on the windowsxp.network_web newsgroup.

--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/

"Lorne" <Lorne_Anderson@hotmail.com> wrote in message
news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
>I just found the event viewer in the program menu under admin tools. When
>I click the Security tab it lists what looks like a series of network
>events. User is shown as me, system, network services, local service or
>guest most of the time. Guest appears to be when another computer on my
>network (2 other family members) accesses my disk. Event numbers are
>usually 528 or 576 or 850 or 849 or 680 plus a few others.
>
> My concern is that every few hours there is an entry of event 540 with
> user Anonymous Logon ! Properties says logon type = 3 and windows help
> says that is somebody on the network logging in, but this is happening
> when only me is using the computer and nothing else on the network is
> switched on.
>
> I have not noticed anything going on that is suspicious but this entry in
> the event viewer certainly does look suspicious.
>
> Have I been hacked or is there an innocent explanation?
>
>
Anonymous
September 8, 2004 3:06:59 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Just one more thing. I have now seen that in the application tab WMDM PMSP
Service is starting 2 seconds before every anonymous login. There is an
article about a security hole related to Media Player & this service but I
do have all the critical updates installed as far as I know.


"Lorne" <Lorne_Anderson@hotmail.com> wrote in message
news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
>I just found the event viewer in the program menu under admin tools. When
>I click the Security tab it lists what looks like a series of network
>events. User is shown as me, system, network services, local service or
>guest most of the time. Guest appears to be when another computer on my
>network (2 other family members) accesses my disk. Event numbers are
>usually 528 or 576 or 850 or 849 or 680 plus a few others.
>
> My concern is that every few hours there is an entry of event 540 with
> user Anonymous Logon ! Properties says logon type = 3 and windows help
> says that is somebody on the network logging in, but this is happening
> when only me is using the computer and nothing else on the network is
> switched on.
>
> I have not noticed anything going on that is suspicious but this entry in
> the event viewer certainly does look suspicious.
>
> Have I been hacked or is there an innocent explanation?
>
>
Related resources
Anonymous
September 8, 2004 3:07:00 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Media Player does check the web periodically though usually it needs to be
invoked to do so. Was it open when this happened?

You might also want to check the following Knowledge Base Article:
http://support.microsoft.com/?kbid=321677

--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/

"Lorne" <Lorne_Anderson@hotmail.com> wrote in message
news:o 7hT2bSlEHA.3876@TK2MSFTNGP15.phx.gbl...
> Just one more thing. I have now seen that in the application tab WMDM
> PMSP Service is starting 2 seconds before every anonymous login. There is
> an article about a security hole related to Media Player & this service
> but I do have all the critical updates installed as far as I know.
>
>
> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
> news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
>>I just found the event viewer in the program menu under admin tools. When
>>I click the Security tab it lists what looks like a series of network
>>events. User is shown as me, system, network services, local service or
>>guest most of the time. Guest appears to be when another computer on my
>>network (2 other family members) accesses my disk. Event numbers are
>>usually 528 or 576 or 850 or 849 or 680 plus a few others.
>>
>> My concern is that every few hours there is an entry of event 540 with
>> user Anonymous Logon ! Properties says logon type = 3 and windows help
>> says that is somebody on the network logging in, but this is happening
>> when only me is using the computer and nothing else on the network is
>> switched on.
>>
>> I have not noticed anything going on that is suspicious but this entry in
>> the event viewer certainly does look suspicious.
>>
>> Have I been hacked or is there an innocent explanation?
>>
>>
>
>
Anonymous
September 8, 2004 3:40:46 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Its not Media Player - I got another anonymous logon 10 minutes ago when it
was not playing. Also I just started it and invoked a request for album
information but got no entry in the event log.

The KB article was the one I read myself, but as far as I can tell I have
installed the relevant update. I tried posting this to the network group as
you suggested so maybe one of them can help but if you can suggest how I can
find out what is invoking this I would be grateful. I am connected to the
web 24/7 so a hacker may have an opportunity but then I have firewall in my
router as well as McAfee & Spy Sweeper running so the lack of any other
signs suggest it is innocent, but never the less a bit concerning.

Lorne


"Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
message news:u39sVmSlEHA.596@TK2MSFTNGP11.phx.gbl...
> Media Player does check the web periodically though usually it needs to be
> invoked to do so. Was it open when this happened?
>
> You might also want to check the following Knowledge Base Article:
> http://support.microsoft.com/?kbid=321677
>
> --
> Michael Solomon MS-MVP
> Windows Shell/User
> Backup is a PC User's Best Friend
> DTS-L.Org: http://www.dts-l.org/
>
> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
> news:o 7hT2bSlEHA.3876@TK2MSFTNGP15.phx.gbl...
>> Just one more thing. I have now seen that in the application tab WMDM
>> PMSP Service is starting 2 seconds before every anonymous login. There
>> is an article about a security hole related to Media Player & this
>> service but I do have all the critical updates installed as far as I
>> know.
>>
>>
>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
>> news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
>>>I just found the event viewer in the program menu under admin tools.
>>>When I click the Security tab it lists what looks like a series of
>>>network events. User is shown as me, system, network services, local
>>>service or guest most of the time. Guest appears to be when another
>>>computer on my network (2 other family members) accesses my disk. Event
>>>numbers are usually 528 or 576 or 850 or 849 or 680 plus a few others.
>>>
>>> My concern is that every few hours there is an entry of event 540 with
>>> user Anonymous Logon ! Properties says logon type = 3 and windows help
>>> says that is somebody on the network logging in, but this is happening
>>> when only me is using the computer and nothing else on the network is
>>> switched on.
>>>
>>> I have not noticed anything going on that is suspicious but this entry
>>> in the event viewer certainly does look suspicious.
>>>
>>> Have I been hacked or is there an innocent explanation?
>>>
>>>
>>
>>
>
>
Anonymous
September 8, 2004 3:40:47 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

The firewall in your router won't tell you if anything is trying to phone
home and what that application is. You need a software firewall as well.
XP's built in firewall doesn't handle outgoing requests but there are
several free firewalls with this capability:
www.agnitum.com
www.zonelabs.com
www.sygate.com
http://www.tinysoftware.com/home/tiny2?la=EN
http://www.kerio.com/kerio.html

Also check for any malware on your system, download, install and run Ad
Aware:
www.lavasoftusa.com.

Also check your applications for options that automatically check for
updates as this could be the issue as well.


--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/

"Lorne" <Lorne_Anderson@hotmail.com> wrote in message
news:uXUluuSlEHA.1652@TK2MSFTNGP09.phx.gbl...
> Its not Media Player - I got another anonymous logon 10 minutes ago when
> it was not playing. Also I just started it and invoked a request for
> album information but got no entry in the event log.
>
> The KB article was the one I read myself, but as far as I can tell I have
> installed the relevant update. I tried posting this to the network group
> as you suggested so maybe one of them can help but if you can suggest how
> I can find out what is invoking this I would be grateful. I am connected
> to the web 24/7 so a hacker may have an opportunity but then I have
> firewall in my router as well as McAfee & Spy Sweeper running so the lack
> of any other signs suggest it is innocent, but never the less a bit
> concerning.
>
> Lorne
>
>
> "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
> message news:u39sVmSlEHA.596@TK2MSFTNGP11.phx.gbl...
>> Media Player does check the web periodically though usually it needs to
>> be invoked to do so. Was it open when this happened?
>>
>> You might also want to check the following Knowledge Base Article:
>> http://support.microsoft.com/?kbid=321677
>>
>> --
>> Michael Solomon MS-MVP
>> Windows Shell/User
>> Backup is a PC User's Best Friend
>> DTS-L.Org: http://www.dts-l.org/
>>
>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
>> news:o 7hT2bSlEHA.3876@TK2MSFTNGP15.phx.gbl...
>>> Just one more thing. I have now seen that in the application tab WMDM
>>> PMSP Service is starting 2 seconds before every anonymous login. There
>>> is an article about a security hole related to Media Player & this
>>> service but I do have all the critical updates installed as far as I
>>> know.
>>>
>>>
>>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
>>> news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
>>>>I just found the event viewer in the program menu under admin tools.
>>>>When I click the Security tab it lists what looks like a series of
>>>>network events. User is shown as me, system, network services, local
>>>>service or guest most of the time. Guest appears to be when another
>>>>computer on my network (2 other family members) accesses my disk. Event
>>>>numbers are usually 528 or 576 or 850 or 849 or 680 plus a few others.
>>>>
>>>> My concern is that every few hours there is an entry of event 540 with
>>>> user Anonymous Logon ! Properties says logon type = 3 and windows help
>>>> says that is somebody on the network logging in, but this is happening
>>>> when only me is using the computer and nothing else on the network is
>>>> switched on.
>>>>
>>>> I have not noticed anything going on that is suspicious but this entry
>>>> in the event viewer certainly does look suspicious.
>>>>
>>>> Have I been hacked or is there an innocent explanation?
>>>>
>>>>
>>>
>>>
>>
>>
>
>
Anonymous
September 9, 2004 5:49:01 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

In case you are interested I have now traced it - it seems to be mapped
drives on other computers on my home network.


"Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
message news:%232nxO6UlEHA.3432@TK2MSFTNGP14.phx.gbl...
> The firewall in your router won't tell you if anything is trying to phone
> home and what that application is. You need a software firewall as well.
> XP's built in firewall doesn't handle outgoing requests but there are
> several free firewalls with this capability:
> www.agnitum.com
> www.zonelabs.com
> www.sygate.com
> http://www.tinysoftware.com/home/tiny2?la=EN
> http://www.kerio.com/kerio.html
>
> Also check for any malware on your system, download, install and run Ad
> Aware:
> www.lavasoftusa.com.
>
> Also check your applications for options that automatically check for
> updates as this could be the issue as well.
>
>
> --
> Michael Solomon MS-MVP
> Windows Shell/User
> Backup is a PC User's Best Friend
> DTS-L.Org: http://www.dts-l.org/
>
> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
> news:uXUluuSlEHA.1652@TK2MSFTNGP09.phx.gbl...
>> Its not Media Player - I got another anonymous logon 10 minutes ago when
>> it was not playing. Also I just started it and invoked a request for
>> album information but got no entry in the event log.
>>
>> The KB article was the one I read myself, but as far as I can tell I have
>> installed the relevant update. I tried posting this to the network group
>> as you suggested so maybe one of them can help but if you can suggest how
>> I can find out what is invoking this I would be grateful. I am connected
>> to the web 24/7 so a hacker may have an opportunity but then I have
>> firewall in my router as well as McAfee & Spy Sweeper running so the lack
>> of any other signs suggest it is innocent, but never the less a bit
>> concerning.
>>
>> Lorne
>>
>>
>> "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
>> message news:u39sVmSlEHA.596@TK2MSFTNGP11.phx.gbl...
>>> Media Player does check the web periodically though usually it needs to
>>> be invoked to do so. Was it open when this happened?
>>>
>>> You might also want to check the following Knowledge Base Article:
>>> http://support.microsoft.com/?kbid=321677
>>>
>>> --
>>> Michael Solomon MS-MVP
>>> Windows Shell/User
>>> Backup is a PC User's Best Friend
>>> DTS-L.Org: http://www.dts-l.org/
>>>
>>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
>>> news:o 7hT2bSlEHA.3876@TK2MSFTNGP15.phx.gbl...
>>>> Just one more thing. I have now seen that in the application tab WMDM
>>>> PMSP Service is starting 2 seconds before every anonymous login. There
>>>> is an article about a security hole related to Media Player & this
>>>> service but I do have all the critical updates installed as far as I
>>>> know.
>>>>
>>>>
>>>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
>>>> news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
>>>>>I just found the event viewer in the program menu under admin tools.
>>>>>When I click the Security tab it lists what looks like a series of
>>>>>network events. User is shown as me, system, network services, local
>>>>>service or guest most of the time. Guest appears to be when another
>>>>>computer on my network (2 other family members) accesses my disk.
>>>>>Event numbers are usually 528 or 576 or 850 or 849 or 680 plus a few
>>>>>others.
>>>>>
>>>>> My concern is that every few hours there is an entry of event 540 with
>>>>> user Anonymous Logon ! Properties says logon type = 3 and windows
>>>>> help says that is somebody on the network logging in, but this is
>>>>> happening when only me is using the computer and nothing else on the
>>>>> network is switched on.
>>>>>
>>>>> I have not noticed anything going on that is suspicious but this entry
>>>>> in the event viewer certainly does look suspicious.
>>>>>
>>>>> Have I been hacked or is there an innocent explanation?
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
Anonymous
September 9, 2004 5:49:02 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Thanks for the information, glad you got it sorted out.

--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/

"Lorne" <Lorne_Anderson@hotmail.com> wrote in message
news:uXGgTtmlEHA.1244@TK2MSFTNGP15.phx.gbl...
> In case you are interested I have now traced it - it seems to be mapped
> drives on other computers on my home network.
>
>
> "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
> message news:%232nxO6UlEHA.3432@TK2MSFTNGP14.phx.gbl...
>> The firewall in your router won't tell you if anything is trying to phone
>> home and what that application is. You need a software firewall as well.
>> XP's built in firewall doesn't handle outgoing requests but there are
>> several free firewalls with this capability:
>> www.agnitum.com
>> www.zonelabs.com
>> www.sygate.com
>> http://www.tinysoftware.com/home/tiny2?la=EN
>> http://www.kerio.com/kerio.html
>>
>> Also check for any malware on your system, download, install and run Ad
>> Aware:
>> www.lavasoftusa.com.
>>
>> Also check your applications for options that automatically check for
>> updates as this could be the issue as well.
>>
>>
>> --
>> Michael Solomon MS-MVP
>> Windows Shell/User
>> Backup is a PC User's Best Friend
>> DTS-L.Org: http://www.dts-l.org/
>>
>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
>> news:uXUluuSlEHA.1652@TK2MSFTNGP09.phx.gbl...
>>> Its not Media Player - I got another anonymous logon 10 minutes ago when
>>> it was not playing. Also I just started it and invoked a request for
>>> album information but got no entry in the event log.
>>>
>>> The KB article was the one I read myself, but as far as I can tell I
>>> have installed the relevant update. I tried posting this to the network
>>> group as you suggested so maybe one of them can help but if you can
>>> suggest how I can find out what is invoking this I would be grateful. I
>>> am connected to the web 24/7 so a hacker may have an opportunity but
>>> then I have firewall in my router as well as McAfee & Spy Sweeper
>>> running so the lack of any other signs suggest it is innocent, but never
>>> the less a bit concerning.
>>>
>>> Lorne
>>>
>>>
>>> "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
>>> message news:u39sVmSlEHA.596@TK2MSFTNGP11.phx.gbl...
>>>> Media Player does check the web periodically though usually it needs to
>>>> be invoked to do so. Was it open when this happened?
>>>>
>>>> You might also want to check the following Knowledge Base Article:
>>>> http://support.microsoft.com/?kbid=321677
>>>>
>>>> --
>>>> Michael Solomon MS-MVP
>>>> Windows Shell/User
>>>> Backup is a PC User's Best Friend
>>>> DTS-L.Org: http://www.dts-l.org/
>>>>
>>>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
>>>> news:o 7hT2bSlEHA.3876@TK2MSFTNGP15.phx.gbl...
>>>>> Just one more thing. I have now seen that in the application tab WMDM
>>>>> PMSP Service is starting 2 seconds before every anonymous login.
>>>>> There is an article about a security hole related to Media Player &
>>>>> this service but I do have all the critical updates installed as far
>>>>> as I know.
>>>>>
>>>>>
>>>>> "Lorne" <Lorne_Anderson@hotmail.com> wrote in message
>>>>> news:u%23GlmUSlEHA.2340@TK2MSFTNGP11.phx.gbl...
>>>>>>I just found the event viewer in the program menu under admin tools.
>>>>>>When I click the Security tab it lists what looks like a series of
>>>>>>network events. User is shown as me, system, network services, local
>>>>>>service or guest most of the time. Guest appears to be when another
>>>>>>computer on my network (2 other family members) accesses my disk.
>>>>>>Event numbers are usually 528 or 576 or 850 or 849 or 680 plus a few
>>>>>>others.
>>>>>>
>>>>>> My concern is that every few hours there is an entry of event 540
>>>>>> with user Anonymous Logon ! Properties says logon type = 3 and
>>>>>> windows help says that is somebody on the network logging in, but
>>>>>> this is happening when only me is using the computer and nothing else
>>>>>> on the network is switched on.
>>>>>>
>>>>>> I have not noticed anything going on that is suspicious but this
>>>>>> entry in the event viewer certainly does look suspicious.
>>>>>>
>>>>>> Have I been hacked or is there an innocent explanation?
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
!