Kitz ADSL Broadband Information
Author Topic: Event viewer in XP  (Read 7346 times)

sheddyian

  • Kitizen
  • ****
  • Posts: 1159
    • My Shed Blog
Event viewer in XP
« on: August 15, 2012, 06:24:55 PM »


What could have caused my event logs to be cleared at 01:15 last night, other than me going into Event Viewer and clearing them?  (Which I didn't do.)

Background :

I've an old Pentium 3 machine running XP Pro that acts as an occasional FTP server, using IIS.  Most of the time it's not even switched on, but when it is, there is a rule in my NAT-enabled router that gives the internet access to it on port 21 only.

I access it on the local network via Remote Desktop.

I'd left it switched on yesterday as, after having applied the latest Microsoft patches, I thought I'd run CHKDSK, ccleaner and then defrag it.  I left it defragging.

Today I went to look at the event log, where the boot-time CHKDSK will record anything interesting about what it found, only to discover that at 01:15, all the event logs had been cleared!  I cannot say for certain if I was logged into the machine at 01:15 or not (you know how time flies when you're fiddling with computers!) and it may be that I'd run ccleaner about that time, though I would have guessed it was a fair bit earlier than that.

I don't think ccleaner resets the event viewer.  It doesn't on other computers I've run it on.  And I'm certain I didn't clear the event logs using Event Viewer.

Could it have been hacked and the event log cleared to cover tracks?

A virus scan hasn't picked anything up, and so far I've not noticed anything else different, other than some temporary folders getting created, also at 01:15.  This makes me more suspicious!

Thoughts?

Ian

Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33881
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Event viewer in XP
« Reply #1 on: August 16, 2012, 09:38:09 AM »

I may be wrong because it's a while since I last used ccleaner and don't have it installed on this PC to check... but I'm pretty sure that Windows sys and event logs are one of the things that ccleaner will delete.  There's some checkbox settings where you should be able to check what it does and doesn't clean up.
IIRC ccleaner also creates some temp files when you run it as it does a backup of the registry before deleting certain types of files.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sheddyian

  • Kitizen
  • ****
  • Posts: 1159
    • My Shed Blog
Re: Event viewer in XP
« Reply #2 on: August 16, 2012, 10:27:17 AM »

Thanks for reply  :)

The obvious way to check was to run ccleaner again and see if the event log was reset once more, but I didn't want to do that until I'd checked around a bit to see if there was anything wrong/hacked/infected.

I ran 4 different malware/antivirus programs (3 online ones & MSE), had a brief bit of excitement when one said it had found something, but it turned out to be a tracking cookie!

Couldn't see anything obviously missing or wrong, so I re-ran ccleaner on the machine... and it didn't reset the event log.  The entry from the night before, telling me that the log had been reset, was still there.

So there is a mystery - how did it get cleared?  All the event logs were reset at the same time - in Event Viewer you have to click each one in turn to reset it, and there's a confirmation dialogue to click each time as well - this wasn't an accidental slip of the mouse on my part.  All very odd, or at least curious.

Ian
Logged

sheddyian

  • Kitizen
  • ****
  • Posts: 1159
    • My Shed Blog
Re: Event viewer in XP
« Reply #3 on: August 16, 2012, 10:57:44 AM »

I've solved a bit of the puzzle, and can make some conclusions from that.

The strange temporary folders that appeared, and were timed and dated at exactly the same time that the event log was cleared, are created by ccleaner, as kitz suspected.  They get left behind, although there's nothing in them, if you de-select the delete temporary files option.  (I assume this option is temporary files as a whole, not just those created by ccleaner!)

I've attached a picture of some temp folders that ccleaner left behind when I ran it just now.  These are the same format as those I was suspicious of yesterday.  So, it doesn't look malicious.

What's odd though is why the event log got reset at the exact time I ran ccleaner previously, since I can't get it to do it again, and from what I've read, it doesn't reset the event log.  There doesn't appear to be an option to let you even do this in ccleaner.

Maybe some disk corruption, and the event logger had to reset it? I'm still puzzled, but happier that it doesn't look like it was anything malicious.  Having the event log reset and strangely named temp folders appear with the same date/timestamp as the event log makes you a bit paranoid!

Ian
Logged
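The triage the posts above do by hand (find the "log cleared" entries, check whether every log was cleared in one go, and see what else was created on disk at that moment) can be written down as a small script. This is an added example, not code from the thread or from ccleaner; the event rows and folder timestamps are constructed sample data, and the event IDs are the standard Windows ones (517 is XP/2003's "The audit log was cleared" in the Security log; 1102 and 104 are the Vista-and-later equivalents for the Security and other logs).

```python
from datetime import datetime, timedelta

# Event IDs that record a log being cleared: 517 on XP/2003 (Security log),
# 1102 (Security) and 104 (System/Application) on Vista and later.
LOG_CLEARED_IDS = {517, 1102, 104}
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not taken from the thread): exported event-log rows
# as (timestamp, log name, event id) and folder creation times as (path, created).
SAMPLE_EVENTS = [
    ("2012-08-15 00:58:10", "Application", 1001),
    ("2012-08-15 01:15:02", "Security", 517),
    ("2012-08-15 01:15:03", "System", 104),
    ("2012-08-15 01:15:03", "Application", 104),
    ("2012-08-15 01:15:40", "System", 7036),
]
SAMPLE_FOLDERS = [
    (r"C:\Documents and Settings\ian\Local Settings\Temp\_tmp1234", "2012-08-15 01:15:01"),
    (r"C:\WINDOWS\Temp\setup_old", "2012-08-14 22:03:11"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def find_clears(events):
    """Return (timestamp, log name) for every log-cleared event, oldest first."""
    return sorted((parse(ts), log) for ts, log, eid in events if eid in LOG_CLEARED_IDS)

def mass_clear(clears, window=timedelta(seconds=30)):
    """True when several logs were cleared inside one short window.  Clearing
    each log by hand in Event Viewer needs a separate click and confirmation,
    so near-simultaneous clears point at a tool or script, not a mouse slip."""
    return len(clears) > 1 and clears[-1][0] - clears[0][0] <= window

def folders_near(clears, folders, window=timedelta(seconds=60)):
    """Folders whose creation time is within `window` of any clear event."""
    return [path for path, created in folders
            if any(abs(parse(created) - ct) <= window for ct, _ in clears)]

def triage(events, folders):
    clears = find_clears(events)
    return {
        "logs_cleared": [log for _, log in clears],
        "mass_clear": mass_clear(clears),
        "folders_created_nearby": folders_near(clears, folders),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_FOLDERS))
```

A match between the clear events and the folder timestamps is what lets you attribute the clearing to whatever created those folders; a mass clear with nothing else created nearby is the case that deserves a closer look.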

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33881
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Event viewer in XP
« Reply #4 on: August 17, 2012, 12:20:05 AM »

I'm glad you found out what the temp files are at least :)

>> since I can't get it to do it again, and from what I've read, it doesn't reset the event log.  There doesn't appear to be an option to let you even do this in ccleaner.

Sorry if I've sent you up a blind alley on that one, it is a while since I used it, but I really did seem to recall seeing some checkboxes in the settings that allowed you to configure whether it should delete Windows log files.  Perhaps it's not in the latest version?

-----------
Edited to add.

Or maybe it does...  I've just found this....

Quote
Memory Dumps - When Windows crashes, it stores small memory dumps so that technical users can debug their systems. CCleaner will delete these files.

Chkdsk File Fragments - These are clusters and chains that are left over after you run CHKDSK. CCleaner will delete them.

Windows Log Files - Windows logs many events and activities, such as access, policy changes, Internet use, tasks, and so on. As a result, the dozens of logs it creates are scattered across the system. They will all be deleted by CCleaner.

Windows Error Reporting - (Vista only) Whenever a program crashes, Windows saves details of the crash to report back to Microsoft. This option will clean all the error reports from your system.

From that page there's tons more stuff listed that it will delete if you go into Advanced options.
As prev mentioned I don't have it installed on here to double check, but it certainly may be worth another look.



« Last Edit: August 17, 2012, 12:27:54 AM by kitz »
Logged

sheddyian

  • Kitizen
  • ****
  • Posts: 1159
    • My Shed Blog
Re: Event viewer in XP
« Reply #5 on: August 17, 2012, 10:09:08 AM »

>> since I can't get it to do it again, and from what I've read, it doesn't reset the event log.  There doesn't appear to be an option to let you even do this in ccleaner.
>>
>> Sorry if I've sent you up a blind alley on that one, it is a while since I used it, but I really did seem to recall seeing some checkboxes in the settings that allowed you to configure whether it should delete Windows log files.  Perhaps it's not in the latest version?
>>
>> Or maybe it does...  I've just found this....
>>
>> From that page there's tons more stuff listed that it will delete if you go into Advanced options.
>> As prev mentioned I don't have it installed on here to double check, but it certainly may be worth another look.

Thanks for the suggestions, I didn't ever think it was a blind alley, it's all worth looking at, if only to rule it out.

Having re-run ccleaner several times on the machine, it hasn't reset the event log.  Indeed, on other machines I also use it on from time to time, it's left the event log alone as well.

I'll have another tinker with it later, see if I can make it reset the log, though the options are all set as they were when the log got reset, and it's not resetting now!

I like ccleaner - I found that on a sluggish machine, particularly running XP, if you run it with the options set to clear the windows size/location cache amongst others, the machine seems noticeably more responsive after a reboot.  (Although any preferred settings like showing detailed file views in explorer are reset to default, but they can quickly be put back without appearing to slow everything down again).

Ian

« Last Edit: August 17, 2012, 04:58:10 PM by sheddyian »
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33881
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Event viewer in XP
« Reply #6 on: August 17, 2012, 12:25:25 PM »

I think the main thing is that since the logs were cleared at about the same time that the temp files were created, and you've now ascertained that the temp files were from ccleaner, it's at least looking like it wasn't any nasties that have done this and you can breathe a sigh of relief that the machine is clean :)


>> I like ccleaner - I found that on a sluggish machine,

I agree it's a very good tool, and I've used it a lot in the past - particularly in the days when I used to spend a lot of time cleaning up others' machines.
Logged

sheddyian

  • Kitizen
  • ****
  • Posts: 1159
    • My Shed Blog
Re: Event viewer in XP
« Reply #7 on: August 17, 2012, 05:02:41 PM »

>> I think the main thing is that since the logs were cleared at about the same time that the temp files were created, and you've now ascertained that the temp files were from ccleaner, it's at least looking like it wasn't any nasties that have done this and you can breathe a sigh of relief that the machine is clean :)

Indeed.  It does seem that ccleaner had something to do with it, even though I can't now get it to do it again to prove it >:(  But, yes, I'm a lot happier that it wasn't something malicious being done to the machine!  Thanks  :)

Ian
Logged