ZA Pro finds Win32.Trojan.Peflog.30?

Discussion in 'other anti-malware software' started by Clay Aichin, Feb 21, 2007.

Thread Status:
Not open for further replies.
  1. Clay Aichin

    Clay Aichin Registered Member

    Joined:
    Feb 21, 2007
    Posts:
    3
    ZA Pro's Anti-spyware scan found and quarantined:

    Win32.Trojan.Peflog.30

    I can't find much when Googling, although there are listings for Peflog.30.

    The registry keys listed below it in the ZAlog are:

    2007/02/21,12:36:18 -5:00 GMT,Win32.Trojan.Peflog.30,Trojan,Auto
    RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis
    RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.
    RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis
    RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HijackThis.exe


    Is this a false positive? Does anyone have more info on this trojan or keylogger so I can search for other files and registry strings so I can check if it's a false positive or not?
     
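A defender-side triage of a ZAlog entry like the one above, added here as an example and not part of the original post: it parses the header line and the artifact lines that follow it, and flags a detection that names no file and whose registry keys all belong to a known installed tool's footprint (here HijackThis, using the keys quoted in the post) as a likely false positive to confirm and report to the vendor. The log layout and the `Detection` class are assumptions based on the excerpt in the post.

```python
import re
from dataclasses import dataclass, field

# Registry footprint HijackThis leaves when installed: the keys ZA listed above.
HJT_FOOTPRINT = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HijackThis.exe",
}

# Constructed sample, shaped like the ZAlog excerpt quoted in the post.
ZALOG = r"""
2007/02/21,12:36:18 -5:00 GMT,Win32.Trojan.Peflog.30,Trojan,Auto
RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis
RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.
RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis
RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HijackThis.exe
"""

HEADER_RE = re.compile(r"^\d{4}/\d{2}/\d{2},")  # a detection header starts with the date


@dataclass
class Detection:
    date: str
    time: str
    signature: str
    category: str
    action: str
    artifacts: list = field(default_factory=list)  # (kind, path) pairs, e.g. ("RegistryKey", ...)


def parse_zalog(text):
    """Group each date-stamped header with the 'Kind-Path' artifact lines under it."""
    detections = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if HEADER_RE.match(line):
            detections.append(Detection(*line.split(",", 4)))
        elif detections and "-" in line:
            kind, path = line.split("-", 1)  # split only once: key paths contain no leading '-'
            detections[-1].artifacts.append((kind, path))
    return detections


def triage(det, known_footprint=HJT_FOOTPRINT):
    """Decide what to do with a detection from its artifacts alone."""
    if not det.artifacts:
        return "no_artifacts"
    if {kind for kind, _ in det.artifacts} != {"RegistryKey"}:
        return "needs_file_analysis"  # a file was named: analyse the file, not the keys
    known = {k.lower() for k in known_footprint}
    if all(path.lower() in known for _, path in det.artifacts):
        return "likely_false_positive"  # confirm the tool is installed, then report to the vendor
    return "unknown_registry_only"
```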
  2. Texcritter

    Texcritter Registered Member

    Joined:
    May 6, 2005
    Posts:
    1,985
    Location:
    Teesside, North East England
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    What looks like a trojan? It hasn't even found a file that could be a trojan!

    All it's found are some Reg entries relating to HijackThis, so unless you've never had HJT on your system (or have had it but cleaned out its Reg entries) then this is a rather obvious fp.

    All those Reg entries will be created by HJT if you use it on your system.
     
  4. Texcritter

    Texcritter Registered Member

    Joined:
    May 6, 2005
    Posts:
    1,985
    Location:
    Teesside, North East England
    I was only referring to Trojan.Peflog.30 as by the description from the web site.
    Whether he has that trojan or not I have no idea.
     
  5. Clay Aichin

    Clay Aichin Registered Member

    Joined:
    Feb 21, 2007
    Posts:
    3
    Over on the Zone Alarm forums they say this is a false positive. I've filed a report with Zone Alarm and if I hear from them, I'll post the results here.

    In regard to TopperID, yes, I use Hijackthis to check the registry about once a week.

    I ran a new download of it this afternoon after ZA alerted me to the trojan, and I did notice this was added:


    O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\winnt\system32\zonelabs\srescan.dll,DoSpecialAction

    CastleCops has this explanation:

    http://www.castlecops.com/s12837-srePostpone.html

    They say it's related to Zone Alarm but classify it as unknown.

    Somebody posted to download.com that it's related to the 180searchassist.

    http://www.download.com/ZoneAlarm-Internet-Security-Suite/3640-10435_4-10546032.html?sb=1&v=1

    I'm not sure if that's true or not. I just found this explanation which seems to indicate it's a ZA process:

    http://amazingtechs.com/index.php?showtopic=26898

    A logical explanation is that it runs once when ZA finds what it thinks is a trojan (my thinking).


    It's amazing what a trojan find can do to one's time. Regardless of whether it's a false positive, you feel that you have to use your tools to start scanning and that takes time. It also takes plenty of time to research the strings.

    I've just loaded AVG Anti-spyware as extra prevention in addition to my A-squared, Ad-Aware, and SuperAntispyware. I may just load Spyware Terminator, too.
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    srescan.dll is a Zone Alarm file. What you found with HJT was a Reg entry to activate Rundll32.exe in order to run srescan.dll at a reboot. The Reg Key itself is a runonce key which means it will be deleted as soon as it has run.

    These kinds of operations are carried out when a file needs to be treated in some way but cannot because it is in use by the system at the time; thus the operation will be postponed until the system is shut down and the object file released by the system.

    I really don't know what operation srescan.dll was about to carry out (perhaps it was to scan a 'locked' file), but I can say that the finding by HJT is quite normal and will have gone by the time you reboot.
     
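To make the point in the reply above checkable, here is an added example (not code from the thread) that parses the HJT O4 line quoted earlier into hive, key, value name and command, pulls the DLL and entry point out of a rundll32 command, and records whether the key is a one-shot RunOnce entry (deleted after it runs) or a persistent Run entry. The regular expressions and the result fields are this example's own assumptions about the HJT line format.

```python
import re

# Constructed sample: the O4 line quoted earlier in this thread.
O4_LINE = r"O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\winnt\system32\zonelabs\srescan.dll,DoSpecialAction"

# HJT prints the hive, then '\..\' for the CurrentVersion path, then the Run* key name.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once|Services|ServicesOnce)?): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
# rundll32 takes '<dll path>,<exported function>'; the DLL is what actually runs.
RUNDLL_RE = re.compile(r"(?i)^rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<export>\S+)$")


def parse_o4(line):
    """Return a dict describing an HJT O4 autorun entry, or None if it is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["one_shot"] = entry["key"].endswith("Once")  # RunOnce keys are removed once executed
    r = RUNDLL_RE.match(entry["command"])
    if r:
        entry["dll"] = r.group("dll")
        entry["export"] = r.group("export")
        entry["dll_dir"] = entry["dll"].rsplit("\\", 1)[0].lower()
    return entry
```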
  7. Heirloom

    Heirloom Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    34
    A day late and a dollar short, as usual.......but, I got the same thing on my machine today. ZAPro alerted me to the Trojan Peflog.30. I found little on the pest, however, since it was found in the Hijack This! entry, I figured it was a false positive.

    I would be very interested in seeing the reply from ZA, Clay.......please post it when you get it. Until then, I have set mine to 'ignore.'

    Heirloom, old and hate FP's
     