Avast WEBforum

Other => Viruses and worms => Topic started by: moorhuhen on October 29, 2021, 10:26:28 AM

Title: powershell.exe repeatedly alerted as IDP.HELU.CMD.Generic12
Post by: moorhuhen on October 29, 2021, 10:26:28 AM
I have free Avast (version 21.9.2493, build 21.9.6675.698, with virus definitions version 211029-0) on my home PC under Win10 (latest updates).

I began to repeatedly get messages about my "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
Avast identifies it as IDP.HELU.CMD.Generic12 (before the last Windows update I also got a message about Script:SNH-gen[Trj] for the same powershell.exe).
PS: The Script:SNH-gen[Trj] message doesn't disappear.
See attachment.
Alert IDs:
925cf212d955/211029.1105+0300
0da9eff6b1c6/211029.1145+0300

(https://drive.google.com/file/d/1VHzUgiJ7J-Mp68ZmNNPQ0TocC6GpzSKC/view?usp=sharing)

History:
Some time ago a strange message began to appear about "1.vbs file not found" every 10 minutes.
I found that this script is called by a scheduled task WinNAT from the "\Microsoft\Windows\Maintenance\" path in the Task Scheduler library. But I couldn't find "1.vbs" anywhere on the HDD.
Also in this path I found WinSAT and WinDAT tasks (about the last name I'm not sure exactly - maybe WinDNS or something like this).
I deleted WinNAT and WinDAT. But they were created again and again. Until some point (I don't know exactly which one).
Then, thanks to Avast, I found this "1.vbs" file in the "C:\ProgramsData\Windows\Profile" folder. There were additional files in this folder (wasp.exe, dllhostn.exe, waspwing.exe, dlchosts.exe).
I deleted the whole "C:\ProgramsData\Windows\Profile" folder and now I get the messages described above. (It looks like all the files from this folder are now in Avast quarantine.)

PS: I opened the "1.vbs" script. There is code that creates and runs an ActiveX object. This object is initialized with "powershell", but not directly. Like this: Replace("powSYMBershSYMBell", "SYMB", "")
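The post above describes a VBScript loader that hides the string "powershell" behind Replace("powSYMBershSYMBell", "SYMB", ""). As an added illustration (not code from this thread, from the poster, or from Avast), here is a small Python triage helper for a defender looking at such a script: it statically folds constant Replace() calls and literal concatenations, handling nested calls as well as the single case shown in the post, and reports which interpreter or object names only appear after folding. Nothing in the script is executed. SAMPLE_VBS is a constructed sample modelled on the description, not the real 1.vbs, and the INDICATORS list is an assumption chosen for this example.

```python
import re

# Constructed sample in the style of the "1.vbs" described in the post (not the real file):
# the object name and the interpreter name are hidden by stripping a marker token,
# one value uses two nested Replace() calls, and one is built by concatenation.
SAMPLE_VBS = '''
Dim obj, cmd
Set obj = CreateObject(Replace("WScrSYMBipt.ShSYMBell", "SYMB", ""))
cmd = Replace(Replace("poXXwerYYshXXell", "XX", ""), "YY", "")
obj.Run cmd
obj.Run "pow" & "ershell"
'''

# Innermost Replace(<literal>, <literal>, <literal>) call; VBScript names are case-insensitive.
# Literals containing a doubled quote ("") are deliberately not matched and are left for manual review.
_REPLACE_RE = re.compile(
    r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.IGNORECASE)
# Two adjacent string literals joined with the VBScript concatenation operator.
_CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def fold_literals(source: str) -> str:
    """Evaluate constant Replace() calls and literal concatenations until none remain.

    Only calls whose three arguments are plain string literals are folded, so this is a
    purely static rewrite of the script text.
    """
    while True:
        m = _REPLACE_RE.search(source)
        if m:
            text, old, new = m.groups()
            # VBScript Replace() returns the input unchanged when the search string is empty.
            folded = text.replace(old, new) if old else text
            source = source[:m.start()] + '"' + folded + '"' + source[m.end():]
            continue
        m = _CONCAT_RE.search(source)
        if m:
            source = source[:m.start()] + '"' + m.group(1) + m.group(2) + '"' + source[m.end():]
            continue
        return source


# Assumed list of names worth a second look when they only surface after de-obfuscation.
INDICATORS = ("powershell", "wscript.shell", "cmd.exe")


def find_hidden_indicators(source: str) -> list:
    """Return (indicator, literal) pairs for literals that exist only after folding."""
    original_literals = set(re.findall(r'"([^"]*)"', source))
    folded = fold_literals(source)
    hits = []
    for lit in re.findall(r'"([^"]*)"', folded):
        if lit in original_literals:
            continue  # was already visible in the raw script
        low = lit.lower()
        for ind in INDICATORS:
            if ind in low:
                hits.append((ind, lit))
    return hits


if __name__ == "__main__":
    print(fold_literals(SAMPLE_VBS))
    for ind, lit in find_hidden_indicators(SAMPLE_VBS):
        print(f"{ind!r} was hidden in an obfuscated literal -> {lit!r}")
```

Run on the constructed sample, the folded text shows CreateObject("WScript.Shell") and "powershell" in plain form, which is the kind of evidence that explains why Avast flags powershell.exe launched from a script like this. The other thing the post points at is worth checking by hand: a task under \Microsoft\Windows\Maintenance\ whose action runs a .vbs file from a user-writable folder under C:\ProgramData (only WinSAT is a Windows task in that path).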
Title: Re: powershell.exe repeatedly alerted as IDP.HELU.CMD.Generic12
Post by: Asyn on October 29, 2021, 12:48:30 PM
-> https://forum.avast.com/index.php?topic=307104.msg1661776#msg1661776
Title: Re: powershell.exe repeatedly alerted as IDP.HELU.CMD.Generic12
Post by: moorhuhen on October 29, 2021, 12:56:44 PM
Thanks.
I'll move my message into that thread.