ZA Pro finds Win32.Trojan.Peflog.30?

ZA Pro's Anti-spwyare scan found and quarantined:

Win32.Trojan.Peflog.30

I can't find find much when Googling, although there are listings for Peflog.30.

The registry keys listed below it in the ZAlog are:

2007/02/21,12:36:18 -5:00 GMT,Win32.Trojan.Peflog.30,Trojan,Auto
RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis
RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.
RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis
RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HijackThis.exe


Is this a false positive? Does anyone have more info on this trojan or keylogger so I can search for other files and registry strings so I can check if it's a false positive or not?

 

Looks like a trojan

http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Peflog.30&threatid=75590

 

What looks like a trojan? It hasn't even found a file that could be a trojan!

All it's found are some Reg entries relating to HijackThis, so unless you've never had HJT on your system (or have had it but cleaned out its Reg entries) then this is a rather obvious fp.

All those Reg entries will be created by HJT if you use it on your system.

 

I was only referring to Trojan.Peflog.30 as by the description from the web site.
Whether he has that trojan or not I have no idea.

 

Over on the Zone Alarm forums they say this is a false positive. I've filed a report with Zone Alarm and if I hear from them, I'll post the results here.

In regard to TopperID, yes, I use Hijackthis to check the registry about once a week.

I ran a new download of it this afternoon after ZA alerted me to the trojan, and I did notice this was added:


O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\winnt\system32\zonelabs\srescan.dll,DoSpecialAction

CastleCops has this explanation:

http://www.castlecops.com/s12837-srePostpone.html

They say it's related to Zone Alarm but classify it as unknown.

Somebody posted to download.com that it's related to the 180searchassist.

http://www.download.com/ZoneAlarm-Internet-Security-Suite/3640-10435_4-10546032.html?sb=1&v=1

I'm not sure if that's true or not. I just found this explanation which seems to indicate it's a ZA process:

http://amazingtechs.com/index.php?showtopic=26898

A logical explanation is that it runs once when ZA finds what it thinks is a trojan (my thinking).


It's amazing what a trojan find can do to one's time. Regardless of whether it's a false positive, you feel that you have to use your tools to start scanning and that takes time. It also takes plenty of time to research the strings.

I've just loaded AVG Anti-spyware as extra prevention in addition to my A-squared, Ad-Aware, and SuperAntispyware. I may just load Spyware Terminator, too.

 

srescan.dll is a Zone Alarm file. What you found with HJT was a Reg entry to activate Rundll32.exe in order to run srescan.dll at a reboot. The Reg Key itself is a runonce key which means it will be deleted as soon as it has run.

These kinds of operation are carried out when a file needs to be treated in some way but cannot because it is in use by the system at the time; thus the operation will be postponed until the system is shut down and the object file released by the system.

I really don't know what operation srescan.dll was about to carry out (perhaps it was to scan a 'locked' file), but I can say that the finding by HJT is quite normal and will have gone by the time you reboot.

 

A day late and a dollar short, as usual.......but, I got the same thing on my machine today. ZAPro alerted me to the Trojan Peflog.30. I found little on the pest, however, since it was found in the Hijack This! entry, I figured it was a false positive.

I would be very interested in seeing the reply from ZA, Clay.......please post it when you get it. Until then, I have set mine to 'ignore.'

Heirloom, old and hate FP's