BleepingComputer.com: Devcon.exe

Devcon.exe Can I delete it?

#1 User is offline   JannEd 

  • Member
  • Group: Members
  • Posts: 141
  • Joined: 27-April 11
  • Gender:Female
  • Location:Lake of the Ozarks, MO

Posted 08 May 2011 - 10:10 PM

Nut Shell: Granddaughter clicked on a Like in Facebook just to see what it was. WHAM!!! fakealert fakealert REP. Ran Malwarebytes, FixNCR.reg, Stinger. A lot was cleaned out and fixed. I still have two instances left and they were detected in C:\Windows\devcon.exe. I know what that does. So, can I download the devcon package from M$, delete it then put the new one in the same place as the infected one? Thought I had this one! Darn!!! Her laptop runs Vista Home.

Thanks!!

Jann

#2 User is offline   Computerproblem101 

  • Member
  • Group: Members
  • Posts: 140
  • Joined: 22-April 11

Posted 08 May 2011 - 10:15 PM

Maybe one last scan will remove it.

Http://www.superantispyware.com

Download, Update, full scan. Good luck!

#3 User is offline   JannEd 

Posted 08 May 2011 - 10:31 PM

Computerproblem101, on 08 May 2011 - 10:15 PM, said:

Maybe one last scan will remove it.

Http://www.superantispyware.com

Download, Update, full scan. Good luck!

That is one of the programs I use, it didn't find it the first scan. And it is updated. Stinger found them. I just scanned for a report, not to fix. Some No even HouseDoctor found it. Stinger takes so terribly long, I had it configured to HIGH and scan all files. Will let it run overnight and have it fix the problem. Then I will put up a sign that says: STOP CLICKING!!!

Thanks

#4 User is offline   Computerproblem101 

Posted 08 May 2011 - 10:36 PM

Let's run Spybot Search And Destroy

http://www.safer-networking.org/en/spybotsd/index.html


Download>Right Click>Run As Administrator>Update>Scan>Remove Infections>Reboot

Let me know how it went.

#5 User is offline   cryptodan 

  • Bleepin Madman
  • Group: BC Advisor
  • Posts: 18,386
  • Joined: 08-September 08
  • Gender:Male
  • Location:Catonsville, Md

Posted 08 May 2011 - 10:59 PM

Can you post the logs from the scans that you ran so we can tell what was detected? Also, Spy Bot Search and Destroy is not that good of a program, and can slow a computer down.

I recommend Malwarebytes Anti-Malware and Super Anti-Spyware.

My work schedule is as follows: Mon and Tues 1800 to 0600, Friday - Sunday 1800EST to 0600, and Wednesday to Thursday 1800est to 0600. So if I do not respond right away I am at work.
----------------
If I am helping you, then Please Send Me a Message! with your thread link in it. This is only if I haven't replied back to you within 24 to 48 hours.
----------------
My Main Site || My Backup Site || steam://friends/add/cryptodan Add me to your Steam Friends.

#6 User is offline   Computerproblem101 

Posted 08 May 2011 - 11:10 PM

Spybot has a high detection rate for some of the newer rootkits, effective removal as well. Slows down and doesn't detect the common things though yes, I like the immunization feature.

#7 User is offline   JannEd 

Posted 08 May 2011 - 11:13 PM

cryptodan, on 08 May 2011 - 10:59 PM, said:

Can you post the logs from the scans that you ran so we can tell what was detected? Also, Spy Bot Search and Destroy is not that good of a program, and can slow a computer down.

I recommend Malwarebytes Anti-Malware and Super Anti-Spyware.


I will post the log from Stinger. I use those programs. Stinger takes so long, I am going to let it go all night. Or I could run HJT and look there to see if it picks it up.

Jann

#8 User is offline   cryptodan 

Posted 08 May 2011 - 11:16 PM

Don't run hjt until we see what is detected. Please post all logs from the previous scans.

#9 User is offline   JannEd 

Posted 09 May 2011 - 10:30 AM

cryptodan said:

Don't run hjt until we see what is detected. Please post all logs from the previous scans

Ok. How do I put my log in here? I use Screen Shoot-it to capture the screen so copy and paste doesn't work.

Here is the log from Stinger I ran this morning. I took it shortly after the virus was found and fixed. The scan is still running but I wanted to post this now. What my issue is now is did it delete devcon.exe totally and if it did, should I download it from MS?

Jann also wondering if my Granddaughter can get any infections on her Wii? The lass discovered last night that she could do her Facebook and YouTube.

#10 User is offline   boopme 

  • To Insanity and Beyond
  • Group: Global Moderator
  • Posts: 48,761
  • Joined: 10-September 04
  • Gender:Male
  • Location:NJ USA

Posted 09 May 2011 - 11:50 AM

C:\Windows\devcon.exe... this may be the first time this is infected, so I would like to see the full path in the log before you delete and replace it.

Copy/paste the MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#11 User is offline   JannEd 

Posted 09 May 2011 - 02:47 PM

boopme, on 09 May 2011 - 11:50 AM, said:

C:\Windows\devcon.exe... this may be the first time this is infected, so I would like to see the full path in the log before you delete and replace it.

Copy/paste the MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


The only program that found it was Stinger. The path was this: C:\Windows\devcon.exe is infected with fakealert!fakealert-REP virus !!! The directory at the top of that program was C:\Windows when it hit on it.

I ran updated MBAM, SuperAntiSpyware, Avira Antivir, (not at the same time) and none of them picked it up. Forgot to mention HouseCall. The log for Stinger I can't find anywhere. Before I left this morning, I ran everything again and Stinger was still the only one to pick it up, and I had it fix it. Now, since all is A-Okay I am thinking it was a false positive. Sooooooo I will run it again here in a minute and if it finds it again, I will have to take a screen shot and attach it to you or in here, if that is possible. Hang on for a bit.......







#12 User is offline   boopme 

Posted 09 May 2011 - 06:29 PM

Can you do a search of the PC and find C:\Windows\devcon.exe?
Everywhere I look this is a safe file, but one says it can be Trojan-Dropper.Delf.


This is possibly a False positive. We should double check it before we take action.

Let's upload this file, devcon.exe, for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.
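
A local check that complements the search and second-opinion upload described in the post above, as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later; `Get-FlaggedFileTriage` is a hypothetical helper name, and the search root `C:\` is an assumption.

```powershell
# Added example: collect basic facts about every copy of a flagged file
# before anything is deleted or replaced. Not from the original thread.
function Get-FlaggedFileTriage {
    param(
        [string]$FileName   = 'devcon.exe',
        [string]$SearchRoot = 'C:\'     # assumed system drive
    )
    # -Force includes hidden and system files, the same reason the post asks
    # for hidden files to be made visible before browsing to the sample.
    $hits = Get-ChildItem -Path $SearchRoot -Filter $FileName -File -Recurse `
                          -Force -ErrorAction SilentlyContinue

    if (-not $hits) {
        # The scanner may already have removed or quarantined the file.
        Write-Warning "No copy of $FileName found under $SearchRoot"
        return
    }

    foreach ($f in $hits) {
        $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
        $ver = $f.VersionInfo
        [pscustomobject]@{
            Path             = $f.FullName
            SizeBytes        = $f.Length
            CreatedUtc       = $f.CreationTimeUtc
            ModifiedUtc      = $f.LastWriteTimeUtc
            Attributes       = $f.Attributes
            SHA256           = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            # The version resource can be set to anything; treat it as a hint only.
            OriginalFilename = $ver.OriginalFilename
            CompanyName      = $ver.CompanyName
            FileVersion      = $ver.FileVersion
            # 'Valid' means the signature verified. 'NotSigned' alone proves
            # nothing either way; it only means this check cannot help.
            SignatureStatus  = $sig.Status
            Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# List every copy so the path in the scanner's report can be compared
# with what is actually on disk.
Get-FlaggedFileTriage -FileName 'devcon.exe' -SearchRoot 'C:\' | Format-List
```

The SHA256 value can be searched on VirusTotal to see existing results for that exact file, and it gives helpers something to compare when only a screenshot of the scanner output is available.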

#13 User is offline   JannEd 

Posted 09 May 2011 - 09:08 PM

This is the darnedest thing I have come across in years. The virus is gone. Stinger fixed it. When I very first saw that devcon.exe file as a red line in Stinger, I did a little research. I also looked on the Windows 7 machine I have been working on and fixed woo hoo, and did a system search in there to see where the file was. I didn't write it down, guess that is something I am going to regret, but I don't remember where it was, but it was there in Windows 7. AND when I first looked for it on this Vista Machine, before fixing it, it was in that path, I looked to MS to tell me what I was dealing with as far as what the file does, I actually could edit or whatever if I knew what I was doing. This said:

I did both Jotti and virustotal. Nothing. Somehow I was under the impression that Devcon.exe was part of Windows installation and needed to be in there to control program drivers. I don't know why I thought that, maybe from the MS site. The only proof I have of it existing on this machine is the screen shot I took. Since Stinger is a McAfee free tool, I should submit it to them.

I will do a little more research to see IF that file belongs in Vista. I am at a total loss. My brain hurts. If you want to give me your email addy, I can attach this screen shot so you can see.

Jann

#14 User is offline   cryptodan 

Posted 09 May 2011 - 09:15 PM

Can you please post the logs from all the scans you have done minus the HiJackthis?

#15 User is offline   boopme 

Posted 09 May 2011 - 09:19 PM

Hello, Trend Micro has been known to ignore submissions from users not running their products. However, in informal tests, selecting HouseCall (their online, free scanner) got a detection added, although in most cases no notification of the detection was received, and in some cases the submission was simply ignored.

Since it was Stinger they may look. I believe you saw it.
I would add, be pleased it is gone.

These are what I found.
http://support.microsoft.com/kb/311272
http://social.technet.microsoft.com/wiki/contents/articles/how-to-obtain-the-current-version-of-device-console-utility-devcon-exe.aspx
http://blogs.technet.com/b/deploymentguys/archive/2009/12/16/where-to-find-devcon-exe.aspx