Channel: Security forum

Malware on server?


Hi,

On Friday our antivirus software (Symantec Endpoint Protection) detected malware on a client computer.
We use roaming profiles and Windows Server 2008 R2.

Some of the suspicious files were located in "Application Data" directory. In the meantime I had a look at previous versions (VSC) of this directory on server.
These files were already saved in the latest snapshot. As I was checking the file details Symantec tells me the object is infected.

I didn't care about it but later I found 6 "Microsoft-Windows-RestartManager" entries in the Event Log Application.
Who started these events, maybe the malware? There was no restart and I was sure that I didn't double-click the file.

I have scanned the server using Symantec Endpoint Protection, TDSSKiller, Malwarebytes Anti-Rootkit and McAfee Labs Stinger.
No malware was found. I also checked Administrator and Windows Temp directories, startup and run entries, Services and Task Manager Processes and everything seems okay. But I haven't restarted the server.

What should I do?

Have a look at the Event Log entries:

1.) The known virus alert
The virus couldn't be deleted because of VSC read only
Log Name: Application
Source:        Symantec AntiVirus
Log Name: Application
Source:        Microsoft-Windows-RestartManager
Logged:         15.03.2013 09:40:46
Event-ID:   10000
Task Category:None
Level:         Information
Keywords:
User:      XXX\Administrator
Computer:      XXX
Description:
Security Risk Found!Trojan.Gen.2 in File: \Device\HarddiskVolumeShadowCopy47\XXX\UserData\XXX\Anwendungsdaten\KB00205287.exe by: Auto-Protect scan.  Action: Clean failed : Quarantine failed : Access denied.  Action Description: The file was left unchanged.

2.)
Log Name: Application
Source:        Microsoft-Windows-RestartManager
Logged:         15.03.2013 09:40:46
Event-ID:   10000
Task Category:None
Level:         Information
Keywords:
User:      XXX\Administrator
Computer:      XXX
Description:
session will be started: 2 - 2013-03-15T08:40:46.897695300Z.

3.)
Log Name: Application
Source:        Microsoft-Windows-RestartManager
Logged:         15.03.2013 09:40:46
Event-ID:   10005
Task Category:None
Level:         Information
Keywords:
User:      XXX\Administrator
Computer:      XXX
Description:
You need to restart your computer.

4.)
Log Name: Application
Source:        Microsoft-Windows-RestartManager
Logged:         15.03.2013 09:40:46
Event-ID:   10001
Task Category:None
Level:         Information
Keywords:
User:      XXX\Administrator
Computer:      XXX
Description:
Session will be terminated: 2. - 2013-03-15T08:40:46.897695300Z will be started

5.)
Log Name: Application
Source:        Microsoft-Windows-RestartManager
Logged:         15.03.2013 09:41:50
Event-ID:   10000
Task Category:None
Level:         Information
Keywords:
User:      XXX\Administrator
Computer:      XXX
Description:
session will be started: 2 - 2013-03-15T08:41:50.086171900Z.

6.)
Log Name: Application
Source:        Microsoft-Windows-RestartManager
Logged:         15.03.2013 09:41:50
Event-ID:   10005
Task Category:None
Level:         Information
Keywords:
User:      XXX\Administrator
Computer:      XXX
Description:
You need to restart your computer.

7.)
Log Name: Application
Source:        Microsoft-Windows-RestartManager
Logged:         15.03.2013 09:41:50
Event-ID:   10001
Task Category:None
Level:         Information
Keywords:
User:      XXX\Administrator
Computer:      XXX
Description:
Session will be terminated: 2. - 2013-03-15T08:41:50.086171900Z will be started

I have translated the entries from German.
Thanks in advance for your input.

Regards,
Lionel
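
A check that helps answer "who started these sessions": the script below (an added example, not part of the original post) correlates the RestartManager session events with everything else the Application log recorded in the seconds around them, so the component that was active when each session opened stands out. It assumes an elevated PowerShell on the server; the $Start/$End window and $WindowSeconds are assumed values derived from the timestamps in the post.

```powershell
# Added example, not from the original post. Correlate RestartManager session
# events in the Application log with whatever else was logged around them so
# the active component (AV update, installer, Windows Update, ...) is visible.
# Assumptions: run elevated on the server; $Start/$End bracket the post's
# timestamps and should be adjusted to your own incident window.
param(
    [datetime]$Start = '2013-03-15 09:30:00',
    [datetime]$End   = '2013-03-15 09:50:00',
    [int]$WindowSeconds = 60
)

# Session lifecycle IDs seen in the post: 10000 = session started,
# 10001 = session terminated, 10005 = restart required.
$rmIds = 10000, 10001, 10005

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    StartTime = $Start
    EndTime   = $End
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$rm = $events | Where-Object {
    $_.ProviderName -eq 'Microsoft-Windows-RestartManager' -and $rmIds -contains $_.Id
}
if (-not $rm) { Write-Host "No RestartManager events between $Start and $End"; return }

foreach ($e in $rm) {
    $first = ($e.Message -split "`r?`n")[0]
    Write-Host ("`n[{0:yyyy-MM-dd HH:mm:ss}] RestartManager {1}: {2}" -f $e.TimeCreated, $e.Id, $first)

    # Neighbours: every non-RestartManager event within +/- $WindowSeconds,
    # grouped by provider so the component that was active stands out.
    $lo = $e.TimeCreated.AddSeconds(-$WindowSeconds)
    $hi = $e.TimeCreated.AddSeconds($WindowSeconds)
    $events |
        Where-Object { $_.ProviderName -ne 'Microsoft-Windows-RestartManager' -and
                       $_.TimeCreated -ge $lo -and $_.TimeCreated -le $hi } |
        Group-Object ProviderName |
        ForEach-Object {
            $ids = ($_.Group | Select-Object -ExpandProperty Id | Sort-Object -Unique) -join ','
            Write-Host ("  {0,-40} {1,3} event(s); ids: {2}" -f $_.Name, $_.Count, $ids)
        }
}

# A session with no neighbouring installer or AV-product events deserves a
# closer look: compare its timestamp against the Security log (process creation
# auditing, if enabled) and the server's update and installation history.
```

Save it as a .ps1 and run it on the server; the output lists, for each RestartManager event, which other providers wrote to the Application log in the same minute.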

