FWIW, that USER32 entry is identical to one in my system log after automatic updates were installed. But immediately before that there are several events from Windows Update Agent and NtServicePack that I assume you would've noticed.
Is it possible that no events have happened since then that are ones your system is configured to write to the system log? Since you know it was at least logging restarts prior to this, have you tried rebooting then looking for that in the log?
Just looking at the information it looks to me like a fairly standard reboot after an update. The activity after you see after the message seems to be normal. To verify that just reboot the machine manually and you should get the same lists of events.
What will make a differance as to weather this is a normal shut-down or an attack are the messages before the shut-down warning in the log. If it was a standard update of windows or your antivirus it should show up in the system log and maybe in the application log.
If you want to check for connection attempts you can check you security event log. That is if auditing is enabled. To activate auditing on an xp machine you open the control panel, go to administration tools then open the local security policy. Open the local policy and then audit policy's. I would advise you to only activate the audit policys that interest you as too much auditing is as bad as no auditing. One thing to remeber is if the machine is in a domain and there is already a domain wide audit policy in place for the workstations then it will be applied and not the local security policy.
Dont forget that there is also the possiability that windows just decided to reboot itself. :D That is to say that some proccess run into a problem and forced the reboot. It happens a lot less with windows XP that other versions of windows but may happen depending on the other applications that are running on the workstation at the time.
In regards to the 10 connection limit, there is a hack for it. Its a hex setting in a file. I can't remember the exact name of the hack, but i know the people at Shareaza.com had/have it figured out. The hack came out about a week or 2 after SP2 fully deployed, and you could set the limit to pretty much anything, running the default set you to 50. Now, I heard a month or two ago, one of the updates restored this setting back to the original, and i'm not sure if there is a new hack for it, or if the old one still works. Here's a link to the thread if anyone wants it:
There is a link at the bottom for after April 05, there wasn't a significant change, so the old hack still works. Here's a link to the creator of the patch (its a mirror, his real site went down)
the old site was lvllord.com i think. something to that effect.
Just saw someone mention that, so i figured i'd post the patch, sorry if its redundant and this info is sitting in another thread. i didn't have time to search.