Virus?

smarshall007
I've cleaned this computer with Trend OfficeScan, but the security log continues to fill up within a few days. The most common log entry looks like:

Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\WINDOWS\Tasks\User_Feed_Synchronization-{5AD0929F-8FF9-4B91-A3F6-44506094E207}.job
       Handle ID:      3096
       Operation ID:      {0,29132298}
       Process ID:      836
       Image File Name:      C:\WINDOWS\system32\svchost.exe
       Primary User Name:      *computername*$
       Primary Domain:      *domain*
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:            READ_CONTROL
                  SYNCHRONIZE
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges:            -
       Restricted Sid Count: 0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Is there a virus remaining?
I'm a MS Certified Engineer
Look, personally I wouldn't recommend software like that; something like BitDefender or Norton Internet Security is much faster and better.
By the way, your log looks like there is looping svchost activity on a scheduled job, something normally unexpected, but it is referred to as user feed sync, which means that there is something using the process to sync files or information.
Be sure to filter your connection with a good firewall such as Microsoft products or Norton Internet Security 2009.

Warm regards,

Author

Commented:
Thanks for the advice, but the anti-virus product isn't my call.

How should I identify the offending job?

This computer is behind a firewall appliance.

Thanks again for the help.
No worries,

Well, you should check your schedule manager to verify whether you have any kind of job that could run permanently, according to the times that you see in the log. That way you can identify the process.
If not, the best way would be to talk with your IT department and analyze the job cron; either way, just remove it.

Warm Regards.
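The procedure above (match the object and process in each "Object Open" event against the scheduled tasks on the box) can be scripted for a log that has many thousands of these entries. The following is an added example, not code from the original thread or from either poster: a Python parser for a text export of the Windows XP / Server 2003 security log that groups event 560 "Object Open" records by .job file, keeps only those opened with a write-type access, and splits the task name and GUID out of the filename so they can be compared with what `dir /a C:\WINDOWS\Tasks` (which lists hidden .job files that the Scheduled Tasks folder view hides) and `schtasks /query /v` report on the host. The three sample records are constructed for the example and follow the field layout of the event quoted in the question; process IDs, the host name and the third object are made up.

```python
import re

# Constructed sample (not from the original post): three Windows XP / Server 2003
# "Object Open" (event ID 560) security-log records laid out like the one in the
# question. Records 2 and 3 omit fields the analysis does not use.
SAMPLE_LOG = r"""Object Open:
       Object Type:      File
       Object Name:      C:\WINDOWS\Tasks\User_Feed_Synchronization-{5AD0929F-8FF9-4B91-A3F6-44506094E207}.job
       Process ID:      836
       Image File Name:      C:\WINDOWS\system32\svchost.exe
       Primary User Name:      HOST1$
       Primary Logon ID:      (0x0,0x3E7)
       Accesses:            READ_CONTROL
                  SYNCHRONIZE
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  WriteEA
                  ReadAttributes
                  WriteAttributes

       Privileges:            -

Object Open:
       Object Type:      File
       Object Name:      C:\WINDOWS\Tasks\User_Feed_Synchronization-{5AD0929F-8FF9-4B91-A3F6-44506094E207}.job
       Process ID:      836
       Image File Name:      C:\WINDOWS\system32\svchost.exe
       Accesses:            SYNCHRONIZE
                  WriteData (or AddFile)
                  WriteAttributes
       Privileges:            -

Object Open:
       Object Type:      File
       Object Name:      C:\WINDOWS\system32\drivers\etc\hosts
       Process ID:      1204
       Image File Name:      C:\WINDOWS\system32\svchost.exe
       Accesses:            READ_CONTROL
                  ReadData (or ListDirectory)
       Privileges:            -
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Access rights that modify the file; read-only opens of a .job are not interesting.
WRITE_ACCESSES = {"WriteData (or AddFile)", "WriteEA", "WriteAttributes", "DELETE",
                  "AppendData (or AddSubdirectory or CreatePipeInstance)", "WRITE_DAC", "WRITE_OWNER"}


def parse_events(text):
    """One dict per 'Object Open:' record; 'Accesses' is a list because it spans lines."""
    events, current, last_key = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line == "Object Open:":
            current, last_key = {}, None
            events.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:  # "Key:   value" line
            key, value = m.group(1), m.group(2).strip()
            current[key] = [value] if key == "Accesses" else value
            last_key = key
        elif last_key == "Accesses":  # continuation line of the access list
            current["Accesses"].append(line)
    return events


def is_task_file(path):  # a .job under the scheduler folder (C:\WINDOWS\Tasks on XP / 2003)
    return "\\tasks\\" in path.lower() and path.lower().endswith(".job")


def task_write_summary(events):
    """{job path: {'writes': n, 'images': {...}}} for each .job opened with write access."""
    summary = {}
    for ev in events:
        name = ev.get("Object Name", "")
        if ev.get("Object Type") != "File" or not is_task_file(name):
            continue
        if not WRITE_ACCESSES.intersection(ev.get("Accesses", [])):
            continue
        entry = summary.setdefault(name, {"writes": 0, "images": set()})
        entry["writes"] += 1
        entry["images"].add(ev.get("Image File Name", "?"))
    return summary


def task_name_and_guid(path):
    r"""'..\Name-{GUID}.job' -> ('Name', '{GUID}'); the GUID is None when absent."""
    stem = path.rsplit("\\", 1)[-1]
    if stem.lower().endswith(".job"):
        stem = stem[:-4]
    m = GUID_RE.search(stem)
    return (stem, None) if not m else (stem[:m.start()].rstrip("-"), m.group(0))


if __name__ == "__main__":
    for path, info in task_write_summary(parse_events(SAMPLE_LOG)).items():
        print(info["writes"], "write-opens of", task_name_and_guid(path), "by", sorted(info["images"]))
```

Run against a real export, the write count per .job and the image that performed the writes are what to line up with the task list: a task whose .job file is rewritten every few minutes by svchost.exe, and which reappears after deletion, is the one the thread ends up removing.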

Author

Commented:
The task named in the event was hidden in Scheduled Tasks. Tasks were removed, and the events stopped flooding.

Thanks for pointing me in the right direction.
You are welcome, any time, I'm here.
I'm glad to know that you found and solved the problem.

Author

Commented:
It did turn out to be malware. Six hours after accepting the solution, the logs and a scheduled task were back. Nine hours after that, I found a trojan with Adaware and cleaned it manually. Scheduled tasks and excessive logging have not come back since then.
