Bizarre/misleading event viewer message or something more insidious?

Discussion in 'malware problems & news' started by tonton, Apr 2, 2009.

Thread Status:
Not open for further replies.
  1. tonton

    tonton Registered Member

    Apr 2, 2009
    I've tentatively concluded that the following is probably nothing.

    I'm running Windows XP SP2, by the way.

    But since about an hour of googling hasn't yielded anything definitive, and I'm still anxious about it, I wanted to seek the opinions of others.

    I decided to go browsing through my event logs, and I noticed this entry:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 4/2/2009
    Time: 5:06:31 AM
    Computer: (removed)*
    Successful Network Logon:
    User Name:
    Logon ID: ( 0x0,0x1DCF8 )
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name:
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    For more information, see Help and Support Center at

    *I have no idea if any harm can result from posting a computer's "name," so I chose to omit it.

    As the "anonymous logon" part was troubling to me, I found this entry worrisome and decided to do some digging.

    Apparently, "Logon Type: 3" is a network logon. Which made it seem even more troubling.

    At this point I figured I might have something funny going on.

    Now mind you, beyond that one entry, I have no reason whatsoever to expect I have any sort of malware.

    No funny behavior, no weird programs/processess running, etc.

    Netstat -a also didn't show any unexpected/bizarre connections.

    So I updated and ran MalwareBytes' Antimalware (full scan), rootkit revealer, rootalyzer (quick scan), and Hijack This.

    None of the scans found anything, and my Hijack This log didn't contain anything unusual or suspicious.

    I would've ran Avast, Spybot, Asquared, etc as well, but I figured I was probably just being paranoid and this computer's pretty ancient so it would've taken forever. Plus I scanned it more thoroughly pretty recently and everything came back clean.

    After that, I decided to reboot my computer and check the system log again.

    And I found that the anonymous logon entry occurs everytime I turn on my computer, and there isn't another, seperate logon/logoff entry.

    Also, I should say that I'm not running a server (knowingly).

    Furthermore, I had my internet connection disabled (by going into network connections and disabling my network adapter) when I rebooted my computer, so it's not like someone's dialing in/a trojan's successfully dialing out the minute my system goes live.

    My current theory based on something my googling about this turned up (that I can't remember now) is that the logon/logoff entry is showing up as anonymous because while the administrator account and guest account are both password protected, the user account (of which there is only one) we use is not. Or some combination of that and having it set to bypass the welcome screen and go straight to the desktop when we turn the computer on, so we don't actually select a user name.

    I know, I know. The fact that it isn't password protected is beyond my control, as it isn't my computer and that was a real sticking point with people. All I can do is try to make it as secure as I know how in ways that they're willing to tolerate.

    Or perhaps it's due to some weird bug resulting from having certain services disabled, or a registry tweak?

    I don't recall everything I've done to the registry at this point. Just a few performance tweaks (make the computer shut down faster, etc.)

    I also checked the event log on another computer here with basically the same services disabled/registry tweaks applied that's also running Windows XP SP 2 with no password on the user account, and it has the exact same entry, though I don't know if it coincides with logging on/logging off.

    I'd check, but it's stupid late and I just wanted to fire this off before I got to bed.

    So what do you think?

    Is this just a whole lot of nothing to worry about, or is there cause for concern here?

    And if there is cause for concern, does anyone have any recommendations about how to investigate further beyond just running scans?

    Frankly, there are a lot of things in the event logs that are simply beyond my ken.

    So thanks in advance for any help you might offer.

    Oh, and I didn't know if this subforum was the right place for this post, or if this forum in general would be the best for this question. So feel free to move the post/refer me to a place better suited for the question.

    But I've learned a lot from browsing these forums in the past, and people here seem very knowledgable, so I thought I'd take a shot.

  2. stapp

    stapp Global Moderator

    Jan 12, 2006
  3. Joeythedude

    Joeythedude Registered Member

    Apr 19, 2007
    Is your other PC the same as regards as password for admin and a password for guest.

    My guess is that its too do with your user ac with no password and nothing funny.

    As your network access was off and it still happened then i'd be even more sure its ok.
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    May 9, 2005
    Do you have other machines in your network?
    Did you disable the IPC share? Did you play with the RPC service?

    I guess you're seeing some sort of a null session from another host on the network, possibly with crippled RPC service... Do you use WWDC?

  5. tonton

    tonton Registered Member

    Apr 2, 2009
    We have about 4 computers on the same subnet behind a router, but none of them are set up to share files/printers/etc with each other.

    I actually did not disable the IPC$ share.

    Would that be a good idea, and would doing so be likely to break anything?

    The RPC Locator service is disabled, the RPC service is enabled.

    I do/did use WWDC. I decided to pull it up again to see what it said, and it reports everything as disabled except for the third button (close 137:139), which is odd because "disable netBIOS over TCP/IP" is selected in advanced TCP/IP settings, and netstat reports that those ports are closed.

    I decided to shut down all the other computers in the house, reboot the computer experiencing the anonymous logon entry, and check the event log again.

    And the "anonymous logon" entry still shows up.

    These entries only seem to appear when I turn on the computer, and the time of the entries always coincide with when the computer was turned on.

    Since I get these entries even with my network connection disabled on the machine in question, and with all other computers in the house off (which I guess wouldn't matter if the connection on this computer was off anyway), it's seeming more and more like this must be benign.

    But I'm not an expert, so I can't say for sure.

    Thanks for all the helpful replies, and I welcome any further input anyone may have.
Thread Status:
Not open for further replies.