Hello.

For one or two of our Windows XP Home Edition profiles (too many kids), but not all profiles, we've been getting a Windows Defender Warning stating WD has "detected programs that might compromise privacy or damage our computer." It names "TrojanDownloader:Win32/Renos.DZ." Paired with this is a 'b.exe' message stating b.exe 'has encountered a problem and needs to close". And, once in a while, we get a "CiceroUIWndFrame: b.exe - Application Error" stating 'the exception unknown software exception (0xe06d7363) occurred in the application at location 0x7c812afb' and/or a "b.exe Application Error" stating the 'instruction at 0x7c910cbd referenced memory at 0x69766f6d. The memory could not be 'read'.'

Our internet (Mozilla) is very slow.

Reading a few threads, I've downloaded MBAM and HJT, scanned, removed threats, and attached logs. Note: when I rebooted after running MBAM (to complete threat removal), the warning and error messages popped-up as if I'd done nothing.

Any help would be appreciated.

Thanks.

First of all, it would seem you have a Trojan virus. It would also seem that it is re-running itself at startup. Whatever anti-virus you are using is not getting rid of it. When your anti-virus finds it, it should include a path. Attempt to navigate to that path and delete the program manually. This b.exe is part of the Trojan virus; the fact that there is an error may mean that the one who coded the virus was not a very good coder -.-
But anyway, try deleting the file manually / ending the process via Task Manager (can be opened with Ctrl+Shift+Escape or Ctrl+Alt+Delete -> Open Task Manager). If you don't know how to do that, go to the Processes tab and look for b.exe, select it and press End Task (as well as Trojan.exe if you find it).
I hope that helps.

This line in the logs you provided:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c153f40 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
may mean that you have the "deadly" Trojan Vundo, which is extremely hard to get rid of.

Please download VundoFix.exe to your Desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* It will make a log in C:\vundofix.txt, I need you to post that in your next reply.
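The two replies above both turn on the same two clues in the scan log: an entry under a `CurrentVersion\Run` key (something re-launching at startup) and an executable living in a temp folder. The following script is an added example, not code from this thread or from any of the tools named in it: it parses log lines in the `<object> (<detection>) -> <action>` shape of the MBAM line quoted above and tags the ones that point at autorun persistence, temp-folder executables, or removals that did not actually complete. Only the first sample line is from the thread; the other two are constructed, and the path, detection and action strings in them are made up for illustration.

```python
"""Triage antimalware log lines for the patterns discussed in this thread:
autorun (Run key) persistence, executables in temp folders, and removals
that were deferred or failed.  Added example; sample data is constructed."""
import re
from dataclasses import dataclass

# Constructed sample: line 1 is the entry quoted in the thread, lines 2 and 3
# are made up in the same "<object> (<detection>) -> <action>" shape.
SAMPLE_LINES = [
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c153f40 (Trojan.Vundo.H) -> Quarantined and deleted successfully.",
    r"C:\Documents and Settings\email\Local Settings\Temp\b.exe (TrojanDownloader:Win32/Renos.DZ) -> Delete on reboot.",
    r"C:\Program Files\ExampleVendor\updater.exe (PUP.Optional.Example) -> No action taken.",
]

# "<object> (<detection>) -> <action>" with an optional trailing period.
ENTRY_RE = re.compile(r"^(?P<object>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Per-user or per-machine Run / RunOnce autostart keys.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Executable-type file sitting directly inside a folder named Temp.
TEMP_EXE_RE = re.compile(r"\\Temp\\[^\\]+\.(exe|dll|scr)$", re.IGNORECASE)


@dataclass
class Finding:
    obj: str        # registry value or file path the scanner reported
    detection: str  # scanner's detection name
    action: str     # what the scanner says it did
    tags: tuple = ()


def parse_entry(line):
    """Return a Finding for one log line, or None if it is not a detection entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Finding(m["object"], m["detection"], m["action"])


def tag_finding(f):
    """Attach triage tags: why this entry deserves a second look."""
    tags = []
    if RUN_KEY_RE.search(f.obj):
        # Something under a Run key re-launches at every logon, which is how
        # the infection keeps coming back after a reboot.
        tags.append("autorun-persistence")
    if TEMP_EXE_RE.search(f.obj):
        # Legitimate software rarely runs out of a Temp folder.
        tags.append("temp-executable")
    action = f.action.lower()
    if "reboot" in action:
        # Removal deferred: the file is still on disk until the next restart.
        tags.append("needs-reboot")
    elif "no action" in action or "failed" in action:
        tags.append("not-removed")
    return Finding(f.obj, f.detection, f.action, tuple(tags))


def triage(lines):
    """Parse and tag every detection entry in an iterable of log lines."""
    findings = []
    for line in lines:
        f = parse_entry(line)
        if f is not None:
            findings.append(tag_finding(f))
    return findings


def summarize(findings):
    """Count how many findings carry each tag."""
    counts = {}
    for f in findings:
        for t in f.tags:
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{', '.join(f.tags) or 'ok':35} {f.detection:35} {f.obj}")
    print(summarize(triage(SAMPLE_LINES)))
```

On a real log, the entries tagged `autorun-persistence` are the ones to re-check after the next reboot: if the same Run value reappears, the dropper that writes it is still present somewhere else and the cleanup is not finished.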

Hi.

I downloaded VundoFix and ran it on our Administrator profile and again in the profile that has the most problems (just in case it mattered), and it found no infections either time. I've attached the log per your request.

Today, we have not yet seen the b.exe application error message, but we still have the TrojanDownloader:Win32/Renos.DZ warning.

I can't find the path that u8sand recommends because the file associated with the TrojanDownloader warning, which is C:\Documents and Settings\email\Local Settings\temp\b.exe->(UPX), did not exist. Of course, I looked only after asking Windows Defender to fix the problem, but we've done that many many times already.

How can we be sure we don't have the Vundo virus?

How can we make sure the b.exe TrojanDownloader problem goes away and stays away?

Thanks.

Please do not attach any logs; copy the content and paste it in your post.

Considering the infections are from the temp folders, as a preliminary measure do the following:

Download CCleaner, install it, open it.
Under the 'Cleaner' section select all in the 'Windows' and 'Applications' tabs, then click on 'Analyze' and then 'Run Cleaner'.
Do the same in the 'Registry' tab, i.e. 'Scan For Issues' and 'Fix Selected Issues'. It will ask you to make a backup, DO IT. Then click on 'Fix All'. Now reboot the PC.

Now

Please download ComboFix by sUBs.
* You must download it to and run it from your Desktop.
* Physically disconnect from the internet.
* Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
* Double click combofix.exe & follow the prompts.
* When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
* Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Upload the ComboFix log and a new HijackThis log (reboot and then run a HijackThis scan).

What do I do if my computer doesn't allow use of the internet, cannot open antivirus, cannot e-mail, cannot recognize the printer, etc., to get rid of the trojan above?