Hi,

We have an issue whereby some files have been deleted by a local user account with (according to the watch logs) Source: 254.128.0.0 [254.128.0.0]

I expected to see an internal or external IP address if it was a real user.

Have searched for the IP and seen reference to UDP 254.128.0.0:50046 : 2192 svchost.exe

Am I looking at a virus/trojan?

Thanks
Pete

asked 30 Jul '13, 05:41 ghost123

Hi Pete -- It's really hard to say. It could be. I'd look really hard at that process ID. See if you can find the full path to the svchost.exe that is being referenced. In Task Manager you can go to the Services tab and see what service that process maps to if it's legit.

answered 30 Jul '13, 10:30 admin ♦♦
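
The check suggested in this answer, as an added PowerShell example that is not part of the original thread: it resolves a PID to its image path, signature status, parent process, hosted services and UDP endpoints. The function name `Get-SvchostTriage` is hypothetical, and 2192 is the PID quoted in the question; run it from an elevated prompt.

```powershell
# Added example (not from the thread): triage the process behind a PID that
# netstat or a log reports as svchost.exe.
function Get-SvchostTriage {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) { throw "No running process with PID $ProcessId" }

    # A genuine svchost.exe image lives in System32 (SysWOW64 for 32-bit hosts).
    $expected = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )

    # ExecutablePath can be empty when the session is not elevated.
    $path = $proc.ExecutablePath
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    # Services hosted in this process (what Task Manager's Services tab shows).
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId"

    # svchost.exe is normally started by services.exe.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    # UDP endpoints owned by the process (cmdlet needs Windows 8 / Server 2012+).
    $udp = Get-NetUDPEndpoint -OwningProcess $ProcessId -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ProcessId      = $ProcessId
        Name           = $proc.Name
        Path           = $path
        PathIsExpected = [bool]($path -and ($expected -contains $path))
        CommandLine    = $proc.CommandLine
        ParentName     = if ($parent) { $parent.Name } else { '<exited>' }
        # Older PowerShell versions can report catalog-signed system files as NotSigned.
        Signature      = if ($sig) { $sig.Status } else { 'Unknown' }
        Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Services       = @($services | ForEach-Object { "$($_.Name) ($($_.State))" })
        UdpEndpoints   = @($udp | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" })
    }
}

# 2192 is the PID quoted in the question; substitute the PID from your own output.
Get-SvchostTriage -ProcessId 2192 | Format-List
```

A path outside System32, a parent other than services.exe, or an empty Services list for a process named svchost.exe are the results that warrant a closer look.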

Hi,

Thanks for the reply. Just guessing at svchost. The log only shows:

29 Jul 2013 11:56:15 PM, "Computer: servername", "Monitor Title: Watch C: watch", "Description: The following activities have occurred: Op: Deleted File: C: watch filename.doc User: domainname username Source: 254.128.0.0 [254.128.0.0] App: System or Network "

User says she was tucked up in bed, so I have forced a password reset and virus scan on all accounts/PCs.

Thanks

answered 30 Jul '13, 10:38 ghost123