
Devcon.exe


22 replies to this topic

#1 JannEd

JannEd

  • Members
  • 153 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Lake of the Ozarks, MO
  • Local time:08:54 PM

Posted 08 May 2011 - 10:10 PM

Nut Shell: Granddaughter clicked on a Like in Facebook just to see what it was. WHAM!!! fakealert fakealert REP. Ran Malwarebytes, FixNCR.reg, Stinger. A lot was cleaned out and fixed. I still have two instances left and they were detected in C:\Windows\devcon.exe. I know what that does. So, can I download the devcon package from M$, delete it, then put the new one in the same place as the infected one? Thought I had this one! Darn!!! Her laptop runs Vista Home.

Thanks!!

Jann



#2 Computerproblem101

Computerproblem101

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:09:54 PM

Posted 08 May 2011 - 10:15 PM

Maybe one last scan will remove it.

Http://www.superantispyware.com

Download, Update, full scan. Good luck!

#3 JannEd

JannEd
  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Lake of the Ozarks, MO
  • Local time:08:54 PM

Posted 08 May 2011 - 10:31 PM

[quote name='Computerproblem101']
Maybe one last scan will remove it.

Http://www.superantispyware.com

Download, Update, full scan. Good luck!
[/quote]

That is one of the programs I use, it didn't find it the first scan. And it is updated. Stinger found them. I just scanned for a report, not to fix. Some No even HouseDoctor found it. Stinger takes so terribly long, I had it configured to HIGH and scan all files. Will let it run overnight and have it fix the problem. Then I will put up a sign that says: STOP CLICKING!!!

Thanks

#4 Computerproblem101

Computerproblem101

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:09:54 PM

Posted 08 May 2011 - 10:36 PM

Let's run Spybot Search And Destroy

http://www.safer-networking.org/en/spybotsd/index.html


Download>Right Click>Run As Administrator>Update>Scan>Remove Infections>Reboot

Let me know how it went.

#5 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:54 AM

Posted 08 May 2011 - 10:59 PM

Can you post the logs from the scans that you ran so we can tell what was detected? Also, Spy Bot Search and Destroy is not that good of a program, and can slow a computer down.

I recommend Malwarebytes Anti-Malware and Super Anti-Spyware.

#6 Computerproblem101

Computerproblem101

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:09:54 PM

Posted 08 May 2011 - 11:10 PM

Spybot has a high detection rate for some of the newer rootkits, effective removal as well. Slows down and doesn't detect the common things though yes, I like the immunization feature.

#7 JannEd

JannEd
  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Lake of the Ozarks, MO
  • Local time:08:54 PM

Posted 08 May 2011 - 11:13 PM

[quote name='cryptodan']
Can you post the logs from the scans that you ran so we can tell what was detected? Also, Spy Bot Search and Destroy is not that good of a program, and can slow a computer down.

I recommend Malwarebytes Anti-Malware and Super Anti-Spyware.
[/quote]


I will post the log from Stinger. I use those programs. Stinger takes so long, I am going to let it go all night. Or I could run HJT and look there to see if it picks it up.

Jann

#8 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:54 AM

Posted 08 May 2011 - 11:16 PM

Don't run hjt until we see what is detected. Please post all logs from the previous scans.

#9 JannEd

JannEd
  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Lake of the Ozarks, MO
  • Local time:08:54 PM

Posted 09 May 2011 - 10:30 AM

[quote name='cryptodan' timestamp='1304914613' post='2239691']
Don't run hjt until we see what is detected. Please post all logs from the previous scans
[/quote]

OK. How do I put my log in here? I use Screen Shoot-it to capture the screen so copy and paste doesn't work.

Here is the log from Stinger I ran this morning. I took it shortly after the virus was found and fixed. The scan is still running but I wanted to post this now. What my issue is now is did it delete devcon.exe totally and if it did, should I download it from MS?

Jann also wondering if my Granddaughter can get any infections on her Wii? The lass discovered last night that she could do her facebook and youtube.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:54 PM

Posted 09 May 2011 - 11:50 AM

C:\Windows\devcon.exe... this may be the first time this is infected, so I would like to see the full path in the log before you delete and replace it.

Copy/paste the MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 JannEd

JannEd
  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Lake of the Ozarks, MO
  • Local time:08:54 PM

Posted 09 May 2011 - 02:47 PM

[quote name='boopme']
C:\Windows\devcon.exe... this may be the first time this is infected, so I would like to see the full path in the log before you delete and replace it.

Copy/paste the MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
[/quote]


The only program that found it was Stinger. The path was this: C:\Windows\devcon.exe is infected with fakealert!fakealert-REP virus !!! The directory at the top of that program was C:\Windows when it hit on it.

I ran updated MBAM, SuperAntiSpyware, Avira Antivir, (not at the same time) and none of them picked it up. Forgot to mention HouseCall. The log for Stinger I can't find anywhere. Before I left this morning, I ran everything again and Stinger was still the only one to pick it up, and I had it fix it. Now, since all is A-Okay I am thinking it was a false positive. Sooooooo I will run it again here in a minute and if it finds it again, I will have to take a screen shot and attach it to you or in here, if that is possible. Hang on for a bit.......







#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:54 PM

Posted 09 May 2011 - 06:29 PM

Can you do a search of the PC and find C:\Windows\devcon.exe?
Everywhere I look this is a safe file, but one says it can be Trojan-Dropper.Delf


This is possibly a False positive. We should double check it before we take action.

Let's upload this file, devcon.exe, for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.
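Added example, not part of the original thread or any poster's reply: a PowerShell sketch that finds every copy of devcon.exe on the system drive and records each copy's SHA-256 hash, Authenticode signature status and embedded version information, so the flagged file can be compared against a freshly downloaded copy before anything is deleted. The function name Get-FileTriage is made up for this example, and the script assumes Windows PowerShell 4.0 or later (needed for Get-FileHash).

```powershell
# Added example: local triage of a flagged file before deleting or replacing it.
# Get-FileTriage is a hypothetical helper name, not a built-in cmdlet.
function Get-FileTriage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # -Force lets Get-Item return hidden and system files as well.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $ver  = $item.VersionInfo

    [pscustomobject]@{
        Path             = $item.FullName
        SizeBytes        = $item.Length
        LastWriteTimeUtc = $item.LastWriteTimeUtc
        # The hash identifies this exact file; two copies with the same hash are identical.
        SHA256           = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        # Typical values: Valid, NotSigned, HashMismatch (file changed after signing).
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Version resource fields are set by whoever built the file and can be forged,
        # so treat them as a hint and rely on the hash and signature for comparison.
        CompanyName      = $ver.CompanyName
        OriginalFilename = $ver.OriginalFilename
        FileVersion      = $ver.FileVersion
    }
}

# Search the whole system drive so every copy of devcon.exe is listed side by side.
Get-ChildItem -Path "$env:SystemDrive\" -Filter devcon.exe -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-FileTriage -Path $_.FullName } |
    Format-List
```

Run it from an elevated PowerShell prompt so protected folders are included in the search; a status of NotSigned on its own does not show the file is malicious, which is why the hash comparison and the second-opinion scan still matter.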

#13 JannEd

JannEd
  • Topic Starter

  • Members
  • 153 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Lake of the Ozarks, MO
  • Local time:08:54 PM

Posted 09 May 2011 - 09:08 PM

This is the darnedest thing I have come across in years. The virus is gone. Stinger fixed it. When I very first saw that devcon.exe file as a red line in Stinger, I did a little research. I also looked on the Windows 7 machine I have been working on and fixed woo hoo, and did a system search in there to see where the file was. I didn't write it down, guess that is something I am going to regret, but I don't remember where it was, but it was there in Windows 7. AND when I first looked for it on this Vista Machine, before fixing it, it was in that path, I looked to MS to tell me what I was dealing with as far as what the file does, I actually could edit or whatever if I knew what I was doing. This said:

I did both Jotti and virustotal. Nothing. Somehow I was under the impression that Devcon.exe was part of Windows installation and needed to be in there to control program drivers. I don't know why I thought that, maybe from the MS site. The only proof I have of it existing on this machine is the screen shot I took. Since Stinger is a McAfee free tool, I should submit it to them.

I will do a little more research to see IF that file belongs in Vista. I am at a total loss. My brain hurts. If you want to give me your email addy, I can attach this screen shot so you can see.

Jann

























#14 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:54 AM

Posted 09 May 2011 - 09:15 PM

Can you please post the logs from all the scans you have done minus the HiJackthis?

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:54 PM

Posted 09 May 2011 - 09:19 PM

Hello, Trend Micro has been known to ignore submissions from users not running their products. However, in informal tests, selecting HouseCall (their online, free scanner) got a detection added, although in most cases no notification of the detection was received, and in some cases the submission was simply ignored.

Since it was Stinger they may look. I believe you saw it.
I would add be pleased it is gone.

These are what I found.
http://support.microsoft.com/kb/311272
http://social.technet.microsoft.com/wiki/contents/articles/how-to-obtain-the-current-version-of-device-console-utility-devcon-exe.aspx
http://blogs.technet.com/b/deploymentguys/archive/2009/12/16/where-to-find-devcon-exe.aspx



