Troj/SCLog-B

Please follow the instructions for removing Trojans.

Troj/SCLog-B is a Trojan for the Windows platform.

When first run Troj/SCLog-B displays a fake error message that reads:

"Not Valid Win32 Application !"

The Trojan then copies itself to the Windows system folder as EXPLORER.EXE and drops a file named EXPLORER.DLL. The Trojan sets the following registry entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\
DllName
"EXPLORER.dll"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\
Asynchronous
dword:00000000

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\Impersonate
dword:00000000

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\Lock
"WLEvtLock"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\
Logoff
"WLEvtLogoff"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\
Logon
"WLEvtLogon"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\
Shutdown
"WLEvtShutdown"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\
StartScreenSaver
"WLEvtStartScreenSaver"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\
Startup
"WLEvtStartup"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\
StopScreenSaver
"WLEvtStopScreenSaver"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
EXPLORER\
Unlock
"WLEvtUnlock"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
EXPLORER
"<Windows system folder>\EXPLORER.exe"

Troj/SCLog-B logs keypresses and system activities to temporary files named rerolpxe.dat and rerolpxe.le are also located in the Windows system folder. The Trojan periodically creates a ZIP file of the collected information and sends it to a remote user via email.