Learning my own logs. Input please.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Pvt. Stash, Jan 24, 2006.

  1. Pvt. Stash

    Pvt. Stash Private E-2

    Hey all.

    I came across Download.Trojan earlier today, and my Norton picked it up right away. Since then all of my scans have come up clean so I'm fairly confident that it's taken care of.

    I've gotten pretty good with HJT and many other standard security applications. I am, however, still learning to read and understand my own logs a little better and this Norton log is confusing me. By scrolling down the log on date 1/23 there are two entries for the attack and an identical filename for each: eciinq8u.wmf. Web searches came up with nothing for the file name, but all sorts of hits for the actual virus name. The path name is not of my making.

    So my questions are:

    1. Is the infected file eciinq8u.wmf the name of the file I got the virus from (like the WMF exploit I've been researching) or is it something placed in a temp folder or the like? Is there any way to tell?

    2. As I mentioned before the directory containing the file was not created by me. I looked through it in safe mode with all files visible but nothing was there, so I deleted it. It was similar to another path on my system. Does Norton quarantine files in this fashion? Is it possible that the virus itself created this path on its own?

    3. By looking at the log there are two almost identical entries at the exact same second. One says access to the file is denied, and the other says unable to repair the file. The log reads top to bottom oldest to newest, so considering a clean scan is the last entry in the log, Norton should have taken care of the thing on its own, correct? In other words, I didn't need to run a million other scans in the first place?

    As I said before, everything else I did came up clean. I'm just looking for a little help understanding why the log is written the way it is so I can maybe save some time in the future. Perhaps someone knows of a good tutorial database they can link?

    Thank you for any and all help. ^^b
     
  2. Pvt. Stash

    Pvt. Stash Private E-2

    Sorry. Had some trouble getting the blasted thing to upload. :mad: 5:30am here and I'm getting really sleepy lol. :rolleyes:
     

    Attached Files:

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes that would be the WMF exploit.

    Norton shows that it attempted to repair the file, and access was denied. That's not unusual for Norton. What the log doesn't say is what Norton did with the file; quarantined it or deleted it. The subsequent scan shows no viruses found.

    If all other scans show the system is clean, and a visual inspection shows that the file doesn't exist, in all likelihood your system is clean.
     
