Avast WEBforum

Other => Viruses and worms => Topic started by: Oliv.C on January 27, 2019, 04:13:28 PM

Title: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on January 27, 2019, 04:13:28 PM
Hello,
It's been many weeks now that I randomly have the following error message popping up:

IDP.HELU.MSEx4 - Fileless Malware
process : C:\Windows\System32\msiexec.exe
(see enclosed)

It tells me it's been moved to quarantine but when I open the quarantine it shows up empty...
Virus scans don't return anything, and I often use CCleaner / MBAM / Glary which don't help in this case either.

Can anyone please help?
Thanks a lot!
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Pondus on January 27, 2019, 04:18:41 PM
Upload and scan file (C:\Windows\System32\msiexec.exe) at > https://www.virustotal.com/

Post link to scan result here


Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: polonus on January 27, 2019, 04:31:41 PM
An attack using this could lead to LokiBOT,
also read: https://malwaretips.com/threads/how-to-remove-msiexec-exe-trojan-horse-virus-removal-guide.2599/

polonus
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on January 27, 2019, 04:32:06 PM
Hello Pondus, thanks for your time
here is the link you asked
https://www.virustotal.com/#/file/d88e2d981610ea24ee22b83cc284d6c616f3674e8f1f5d3794c9fcd569e8dadd/behavior

thanks,
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Pondus on January 27, 2019, 04:39:31 PM
When you scan files or URLs at VT always check > Last analysis 2019-01-06 06:04:14 UTC

So a cached result, then you click the blue button at top right and select rescan ....

and voila, you have a fresh result > Last analysis 2019-01-27 15:38:06 UTC
https://www.virustotal.com/#/file/d88e2d981610ea24ee22b83cc284d6c616f3674e8f1f5d3794c9fcd569e8dadd/detection



=========================================================
Signature Info
Signature Verification
This file is not signed
File Version Information
Copyright   © Microsoft Corporation. All rights reserved.
Product   Windows Installer - Unicode
Description   Windows® installer
Original Name   msiexec.exe
Internal Name   msiexec
File Version   5.0.9600.19082 (winblue_ltsb.180619-0600)

==========================================================


Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Pondus on January 27, 2019, 04:41:17 PM
Report possible False Positive to avast lab

How to report  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438


Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on January 27, 2019, 05:12:46 PM

Thank you as well Polonus for the info.
MBAM didn't return anything as usual, neither did Emsisoft, but Hitman returned 1 malware and 1 trojan that I got rid of (see enclosed).

Thank you both, I will see if this happens again and if it does I will report a possible false positive to the lab.

I will update this topic when i know more.
Thanks again!


Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: polonus on January 27, 2019, 10:17:12 PM
Hi Oliv.C,

Well, you are welcome. Also thank you for reporting this to the community.
That is the right attitude, credits for that are yours.
This reporting will make all of us here more secure.

polonus
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on February 28, 2019, 02:29:33 PM
Hello,

After a few days I wanted to let you know that the message came back, so I reported it as a false positive and I got the answer today that they whitelisted the file.

Thanks again for your help  ;)
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on July 09, 2019, 04:50:17 PM
Hello again,
Sorry to come back on this topic, but it seems that despite Avast telling me that they whitelisted the .exe file, I still have the exact same message...
So I started all over again, and checked VirusTotal, used Malwarebytes / Emsisoft / HitmanPro, and none of them found anything...

I'm worried about this warning from Avast that keeps coming back.  :-\
What am I missing?
Thanks in advance.
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on July 11, 2019, 08:12:47 PM
Hi,
I enclose the screenshot I managed to get from my task manager just before avast gives me the warning message.
What can I do?
Thanks in advance for your help.
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Pondus on July 11, 2019, 09:53:35 PM
Quote
What can I do?
Report it to avast lab again .......



Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: PDI on July 12, 2019, 08:20:08 AM
Hi Oliv.C,

the detection is connected to the msiexec process instance which is on your screenshot. The Behavioral shield is not trying to remove the msiexec file.

Please download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns, run it and try to look for the place where the msiexec with the command line is stored. The execution can be stored in the LNK file as well.

If you cannot find it you can store the content and share it with me via PM and I can look at it later.

What version of Avast are you using?

Regards,
PDI
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Mohamed249 on July 20, 2019, 05:41:16 AM
I have the same problem  :-\
We need anyone to help us, please.
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 19, 2019, 02:15:49 PM
Well hello hello again guys...
Sorry to bother again on this topic, but it seems this message keeps coming back, and now it is a little different:
it is now IDP.HELU.MSEx5, still linked to C:\Windows\System32\msiexec.exe
I am using Avast 19.7.2388 (version 19.7.4674.531), that I bought.
Here is the scan result from VirusTotal
https://www.virustotal.com/gui/file/d88e2d981610ea24ee22b83cc284d6c616f3674e8f1f5d3794c9fcd569e8dadd/community
Sorry PDI, I'm only seeing your reply now, so I executed Autoruns and I enclosed the only entry I found on msiexec.exe. Is there anything more I can do?
Thanks
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Michael (alan1998) on October 19, 2019, 11:47:56 PM
Hello Oliv,

Unless I'm misreading your Autoruns attachment, that's msiserver, not msiexec.

Please also follow the instructions found here >> https://forum.avast.com/index.php?topic=194892.0

Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 20, 2019, 06:10:56 PM
Hello Michael,
Yes you're right, it's msiserver, but it is the only entry that mentions msiexec.exe in the image path.
Thank you for your advice, I enclosed the report from MBAM & Farbar.
I see Farbar shows a few entries with a warning...
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Sass Drake on October 23, 2019, 07:48:38 PM
Have you installed Ardamax keylogger?
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 24, 2019, 09:19:26 AM
Hello Sass Drake, yep, a while ago, but I uninstalled it since.
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Sass Drake on October 24, 2019, 06:51:19 PM
OK and thank you for sharing screenshot of Task Manager. Let's now generate new FRST.txt and Addition.txt but this time in FRST.exe under Whitelist section uncheck: Registry, Processes, Services, Internet and Drivers.
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 25, 2019, 10:48:40 AM
Hello, and thanks for your help.
Here are the new logs.
thanks!
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: PDI on October 25, 2019, 01:07:09 PM
Hi,

I dug into the way MSIExec is executed and it has to be part of some task.

Your FRST report shows "Task: {C7513494-BDD0-4427-8D9A-8C53723358EF} - \Thtise -> Pas de fichier <==== ATTENTION".
Could you check this record in the autoruns?

Regards,
PDI


Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 25, 2019, 03:12:22 PM
Hello PDI, thanks for helping :)
Unfortunately I did not find any trace in Autoruns related to some "Thtise" or "8C53723358EF" entry...
Maybe I can enclose the saved file from Autoruns if that helps.

I did find entries in regedit however:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache
under 2 different folders, "Tasks" and "Tree".
Not sure this helps... I have no idea what this file is.
Thanks
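As an added example (not code from the thread or from Avast), the following PowerShell looks up a scheduled-task GUID such as the one FRST flagged in the TaskCache keys named above, reports whether its task XML under System32\Tasks is still present ("Pas de fichier" means it is not), and lists every cached task whose action launches msiexec.exe. It assumes an elevated session; it is read-only.

```powershell
# Added example (not from the thread): resolve an FRST "Task: {GUID} -> Pas de fichier"
# line in the TaskCache registry keys, and list cached tasks that run msiexec.exe.
# Read-only; run from an elevated PowerShell so every TaskCache subkey is readable.
$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$TaskDir   = Join-Path $env:SystemRoot 'System32\Tasks'

function Get-TaskCacheEntry {
    param([Parameter(Mandatory)][string]$Id)   # e.g. '{C7513494-BDD0-4427-8D9A-8C53723358EF}'
    $key = Join-Path $TaskCache "Tasks\$Id"
    if (-not (Test-Path $key)) { return $null }
    $t = Get-ItemProperty -Path $key
    # TaskCache\Tasks\{GUID}\Path is the tree path; the task XML with the same
    # relative path lives under System32\Tasks. An orphaned key has no XML file.
    $rel     = [string]$t.Path
    $xmlFile = if ($rel) { Join-Path $TaskDir $rel.TrimStart('\') } else { $null }
    $present = [bool]($xmlFile -and (Test-Path -LiteralPath $xmlFile))
    $actions = @()
    if ($present) {
        [xml]$x  = Get-Content -LiteralPath $xmlFile -Raw
        $actions = foreach ($e in $x.Task.Actions.Exec) {
            "$($e.Command) $($e.Arguments)".Trim()
        }
    }
    [pscustomobject]@{
        Id      = $Id
        Path    = $rel
        Author  = $t.Author
        XmlFile = if ($present) { $xmlFile } else { '(missing: orphaned TaskCache entry)' }
        Actions = @($actions)
    }
}

# Walk every cached task and keep those whose action launches msiexec.exe.
function Find-MsiexecTasks {
    Get-ChildItem -Path (Join-Path $TaskCache 'Tasks') | ForEach-Object {
        $entry = Get-TaskCacheEntry -Id $_.PSChildName
        if ($entry -and ($entry.Actions -match 'msiexec')) { $entry }
    }
}

# The GUID below is the one quoted from the FRST report in this thread; substitute your own.
Get-TaskCacheEntry -Id '{C7513494-BDD0-4427-8D9A-8C53723358EF}' | Format-List
Find-MsiexecTasks | Format-List
```

A task whose XML is missing but whose TaskCache key remains is exactly the "no file" condition FRST reports; the Tree subkey holds the same task under its path name.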
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: PDI on October 25, 2019, 03:51:20 PM
Hi,

maybe you can try to create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

I'll look later on the result of it.

The content of the registry records can help too.

Regards,
PDI
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 25, 2019, 06:05:43 PM
Thanks,
so i did the support procedure.
The ID for my support file is WR90I
thank you
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Sass Drake on October 25, 2019, 07:50:22 PM
In meantime, please do this:

Code:
cmd: reg EXPORT "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver" reg EXPORT HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver "%userprofile%\Desktop\msiserver.txt"
cmd: type "%userprofile%\Desktop\msiserver.txt"
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 27, 2019, 01:18:33 PM
Hello,
here is the fixlog
thanks
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Sass Drake on October 27, 2019, 07:03:25 PM
I'm sorry. I made a mistake in the script. Please now do this:

Code:
cmd: reg EXPORT "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver" "%userprofile%\Desktop\msiserver.txt"
cmd: type "%userprofile%\Desktop\msiserver.txt"
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 27, 2019, 10:20:08 PM
okay no problem
I ran it and this time it generated a fixlog and another file, msiserver.txt
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Sass Drake on October 28, 2019, 07:14:13 PM
msiserver.txt hasn't provided us with useful clues. Let's now try this.

Code:
cmd: bitsadmin /list /verbose
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: PDI on October 31, 2019, 10:09:30 AM
Hi,

I checked the provided logs and I haven't found anything suspicious inside them.

Regards,
PDI
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 31, 2019, 10:35:34 AM
Hi, sorry for the delay, here is the Fixlog of BITSADMIN.
thanks for your help guys
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 31, 2019, 10:44:40 AM
Hello PDI,
So what to think then about this message?
thank you
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: PDI on October 31, 2019, 02:46:37 PM
Hi,

Do you have any other computer on the network when the detection occurs?

Maybe we are looking at the wrong computer.

PDI
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on October 31, 2019, 02:51:15 PM
Nope, it's just me connected to my box via wifi...
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: PDI on October 31, 2019, 03:46:29 PM
Hi Oliv.C,

last chance is WMI.

Can you download https://github.com/vinaypamnani/wmie2/releases and follow these steps?

1) press Connect button
2) navigate to the ROOT\subscription
3) for each subscription
    a) press right mouse button on it and run Enumerate Classes and navigate into the Classes subwindow
    b) select ActiveScriptEventConsumer, press right mouse button on it and run Enumerate Instances
    c) select CommandLineEventConsumer, press right mouse button on it and run Enumerate Instances
  if there are any records for instances in steps b) or c) please try to get of the instance and share it with us

Thanks,
PDI
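As an added example (not code from the thread, from PDI or from WMI Explorer), the following PowerShell performs the same check as steps 1 to 3 above from the command line: it enumerates the ActiveScriptEventConsumer and CommandLineEventConsumer instances in ROOT\subscription, resolves the filter query that would trigger each one, and marks consumers whose payload launches msiexec or a script host for review. It assumes an elevated session and makes no changes.

```powershell
# Added example (not from the thread): enumerate WMI permanent event subscriptions
# in ROOT\subscription, the same objects the WMI Explorer steps above inspect.
# Read-only; run from an elevated PowerShell so all instances are visible.
function Get-WmiPersistence {
    $opts = @{ Namespace = 'root\subscription'; ErrorAction = 'SilentlyContinue' }

    # Consumers are what actually runs: a script (ActiveScriptEventConsumer)
    # or a command line (CommandLineEventConsumer), the two classes asked about above.
    $consumers = @(
        Get-CimInstance @opts -ClassName ActiveScriptEventConsumer
        Get-CimInstance @opts -ClassName CommandLineEventConsumer
    )
    # Filters hold the trigger (a WQL query); bindings tie a filter to a consumer.
    $filters  = Get-CimInstance @opts -ClassName __EventFilter
    $bindings = Get-CimInstance @opts -ClassName __FilterToConsumerBinding

    foreach ($c in $consumers) {
        $class = $c.CimClass.CimClassName
        # The payload lives in a different property on each consumer class.
        $action = if ($class -eq 'CommandLineEventConsumer') {
            $c.CommandLineTemplate
        } else {
            $c.ScriptText
        }
        # Resolve which filter(s) would fire this consumer.
        $bound   = $bindings | Where-Object { $_.Consumer.Name -eq $c.Name }
        $trigger = foreach ($b in $bound) {
            ($filters | Where-Object { $_.Name -eq $b.Filter.Name }).Query
        }
        [pscustomobject]@{
            Consumer = $c.Name
            Class    = $class
            Action   = $action
            Trigger  = ($trigger -join '; ')
            # Payloads that launch msiexec or a script host deserve a closer look.
            Review   = [bool]($action -match 'msiexec|powershell|cmd\.exe|wscript|cscript|mshta|regsvr32')
        }
    }
}

$found = @(Get-WmiPersistence)
if ($found.Count -eq 0) {
    'No ActiveScript/CommandLine consumers found in root\subscription.'
} else {
    $found | Format-List
}
```

An empty result corresponds to the "none of them had any instance" outcome reported later in the thread; a consumer with Review set to True is worth sharing along with its Trigger query.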
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on November 01, 2019, 06:37:23 PM
Hello PDI,
So I ran WmiExplorer, and found a few classes that had ActiveScriptEventConsumer and CommandLineEventConsumer but none of them had any instance.
Thanks
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on November 12, 2019, 11:54:12 AM
Hello again, so does anybody have another idea please?
thanks a lot
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Michael (alan1998) on November 12, 2019, 05:40:32 PM
I have reached out to PDI for comment.
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: PDI on November 12, 2019, 08:26:24 PM
Hi,

Unfortunately, if there aren't instances in WMI then I cannot help you any more now. If I find something I'll let you know.

Regards,
PDI
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Sass Drake on November 12, 2019, 11:39:42 PM
Please post new FRST.txt and Addition.txt logs.
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on November 15, 2019, 03:57:08 PM
Hello, sorry for the delay, here are the newest files. Thanks
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Sass Drake on November 15, 2019, 05:59:37 PM
Logs look clean. Please scan PC with TDSSKiller.
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on November 16, 2019, 11:11:40 AM
Hello, TDSSKiller didn't return any threat...
Thank you
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on December 07, 2019, 06:25:54 PM
Hello guys, so does somebody have any more ideas?
I'm still getting this annoying message.
thanks
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Sass Drake on December 07, 2019, 07:24:50 PM
Try to scan PC with KVRT. I unfortunately have no more ideas.

http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on December 11, 2019, 06:14:31 PM
Hi,
Well, KVRT returned 1 trojan (see enclosed).
So I cured it and I hope that was it. I'm surprised the other tools didn't detect it before!
But anyway, I will let you know if the message keeps coming back. Thanks a lot!
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: AKT on February 03, 2020, 07:59:51 PM
Same IDP.HELU.MSEx5 annoying message, again and again... quite a few times every day.
Any solution ?
Thanks
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Michael (alan1998) on February 03, 2020, 08:13:53 PM
Quote
Same IDP.HELU.MSEx5 annoying message, again and again... quite a few times every day.
Any solution ?
Thanks

Hello AKT,

Please start your own thread and follow the instructions here: https://forum.avast.com/index.php?topic=194892.0
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Oliv.C on February 04, 2020, 09:26:37 AM
Hello AKT,
In my case, and thanks to the help of everyone, it worked. The last tool I tried (the KVRT tool) apparently removed it, because since then I don't have the msg anymore.

thx again
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: AKT on February 04, 2020, 12:41:53 PM
Hi all,
Used Malwarebytes without success.
Used KVRT. Found one threat - Trojan (sorry, don't have a screen capture) and cleared it.
Seems it worked..

Many thanks.   
Title: Re: IDP.HELU.MSEx4 - Fileless Malware
Post by: Michael (alan1998) on February 04, 2020, 03:14:22 PM
Quote
Hi all,
Used Malwarebytes without success.
Used KVRT. Found one threat - Trojan (sorry, don't have a screen capture) and cleared it.
Seems it worked..

Many thanks.

Hi,

Glad to hear it's solved. For future reference, please avoid using the tools deployed for other users. You can cause a lot of damage if followed incorrectly (and it's happened before).