Author Topic: IDP.HELU.MSEx4 - Fileless Malware  (Read 2470 times)


Offline Oliv.C

  • Newbie
  • *
  • Posts: 7
IDP.HELU.MSEx4 - Fileless Malware
« on: January 27, 2019, 04:13:28 PM »
Hello,
It's been many weeks now that I randomly have the following error message popping up:

IDP.HELU.MSEx4 - Fileless Malware
process : C:\Windows\System32\msiexec.exe
(see enclosed)

It tells me it's been moved to quarantine, but when I open the quarantine it shows up empty...
Virus scans don't return anything, and I often use CCleaner / MBAM / Glary, which don't help in this case either.

Can anyone please help?
Thanks a lot!

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36147
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #1 on: January 27, 2019, 04:18:41 PM »
Upload and scan file  ( C:\Windows\System32\msiexec.exe ) at > https://www.virustotal.com/

post link to scan result here


“Ah beer. The cause of and the solution to all of life’s problems.”

"Operator! Give me the number for 911!"

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31765
  • malware fighter
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #2 on: January 27, 2019, 04:31:41 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Oliv.C

  • Newbie
  • *
  • Posts: 7
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #3 on: January 27, 2019, 04:32:06 PM »

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36147
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #4 on: January 27, 2019, 04:39:31 PM »
When you scan files or URLs at VT, always check > Last analysis 2019-01-06 06:04:14 UTC

So a cached result; then you click the blue button at top right and select rescan ....

and voila, you have a fresh result > Last analysis   2019-01-27 15:38:06 UTC
https://www.virustotal.com/#/file/d88e2d981610ea24ee22b83cc284d6c616f3674e8f1f5d3794c9fcd569e8dadd/detection



=========================================================
Signature Info
Signature Verification
This file is not signed
File Version Information
Copyright   © Microsoft Corporation. All rights reserved.
Product   Windows Installer - Unicode
Description   Windows® installer
Original Name   msiexec.exe
Internal Name   msiexec
File Version   5.0.9600.19082 (winblue_ltsb.180619-0600)

==========================================================


« Last Edit: January 27, 2019, 04:44:00 PM by Pondus »

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36147
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #5 on: January 27, 2019, 04:41:17 PM »
Report possible False Positive to avast lab

How to report  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438



Offline Oliv.C

  • Newbie
  • *
  • Posts: 7
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #6 on: January 27, 2019, 05:12:46 PM »

Thank you as well Polonus for the info.
MBAM didn't return anything as usual, neither did Emsisoft, but Hitman returned 1 malware and 1 trojan that I got rid of (see enclosed).

Thank you both, I will see if this happens again and if it does I will report a possible false positive to the lab.

I will update this topic when i know more.
Thanks again!



Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31765
  • malware fighter
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #7 on: January 27, 2019, 10:17:12 PM »
Hi Oliv.C,

Well, you are welcome. Also thank you for reporting this to the community.
That is the right attitude, credits for that are yours.
This reporting will make all of us here more secure.

polonus

Offline Oliv.C

  • Newbie
  • *
  • Posts: 7
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #8 on: February 28, 2019, 02:29:33 PM »
Hello,

After a few days I wanted to let you know that the message came back, so I reported it as a false positive and I got the answer today that they whitelisted the file.

Thanks again for your help  ;)

Offline Oliv.C

  • Newbie
  • *
  • Posts: 7
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #9 on: July 09, 2019, 04:50:17 PM »
Hello again,
Sorry to come back on this topic, but it seems that despite Avast telling me that they whitelisted the .exe file, I still have the exact same message...
So I started all over again, and checked VirusTotal, used Malwarebytes / Emsisoft / HitmanPro, and none of them found anything...

I'm worried about this warning from Avast that keeps coming back.  :-\
What am I missing?
Thanks in advance.

Offline Oliv.C

  • Newbie
  • *
  • Posts: 7
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #10 on: July 11, 2019, 08:12:47 PM »
Hi,
I enclose the screenshot I managed to get from my task manager just before Avast gives me the warning message.
What can I do?
Thanks in advance for your help.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36147
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #11 on: July 11, 2019, 09:53:35 PM »
Quote
What can I do?
Report it to avast lab again .......




Offline PDI

  • Avast team
  • Jr. Member
  • *
  • Posts: 91
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #12 on: July 12, 2019, 08:20:08 AM »
Hi Oliv.C,

The detection is connected to the msiexec process instance which is on your screenshot. The Behavioral shield is not trying to remove the msiexec file.

Please download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns, run it, and try to look for the place where the msiexec with the command line is stored. The execution can be stored in a LNK file as well.

If you cannot find it, you can store the content and share it with me via PM and I can look at it later.

What version of Avast are you using?

Regards,
PDI
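The PowerShell below is an added example, not code from this thread or from Avast, that automates the hunt PDI describes: it lists the common persistence locations Autoruns would show (Run/RunOnce keys, scheduled tasks, Startup-folder LNK shortcuts, WMI command-line event consumers) and flags any entry that launches msiexec with a command line, then lists currently running msiexec.exe instances with their command line and parent process, which is the information the task manager screenshot was meant to capture. The registry paths, folders and the `root\subscription` WMI class are standard Windows locations; the `msiexec` match pattern, the `$findings` output shape and the choice of locations are this example's own assumptions. Run it from an elevated PowerShell prompt so that machine-wide keys and tasks are readable.

```powershell
# Added example (not from the thread): look for where an msiexec command line is persisted.
$pattern  = 'msiexec(\.exe)?'     # assumption: any reference to msiexec counts as a hit
$findings = @()

function Add-Finding([string]$Source, [string]$Name, [string]$CommandLine) {
    $script:findings += [pscustomobject]@{ Source = $Source; Name = $Name; CommandLine = $CommandLine }
}

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties Get-ItemProperty adds to the object
        if ($p.Name -like 'PS*') { continue }
        if ($p.Value -is [string] -and $p.Value -match $pattern) {
            Add-Finding -Source $key -Name $p.Name -CommandLine $p.Value
        }
    }
}

# 2. Scheduled tasks whose action executes msiexec (or passes it as an argument)
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($cmd -match $pattern) {
            Add-Finding -Source "Task $($task.TaskPath)$($task.TaskName)" -Name $task.TaskName -CommandLine $cmd
        }
    }
}

# 3. LNK shortcuts in the per-user and all-users Startup folders
#    (PDI notes the execution can be stored in a LNK file)
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue) {
        $lnk = $shell.CreateShortcut($file.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        if ($cmd -match $pattern) {
            Add-Finding -Source $file.FullName -Name $file.Name -CommandLine $cmd
        }
    }
}

# 4. WMI permanent event consumers, a fileless persistence location Autoruns also lists
$consumers = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    if ($c.CommandLineTemplate -match $pattern) {
        Add-Finding -Source 'WMI CommandLineEventConsumer' -Name $c.Name -CommandLine $c.CommandLineTemplate
    }
}

# 5. msiexec instances running right now, with command line and parent process
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'msiexec.exe'"
foreach ($proc in $procs) {
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    Add-Finding -Source "Running PID $($proc.ProcessId) (parent: $($parent.Name) PID $($proc.ParentProcessId))" `
                -Name 'msiexec.exe' -CommandLine $proc.CommandLine
}

if ($findings.Count -eq 0) {
    'No persistence entries or running instances referencing msiexec were found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A plain `msiexec.exe /V` or a vendor package path in a scheduled task is normal; what merits a second look is a persisted command line that installs from a URL, from a temporary or user-writable folder, or with quiet switches, and anything under section 4, since legitimate software rarely registers a WMI command-line consumer. Whatever turns up can be exported (`$findings | Export-Csv`) and sent to the lab along with the false-positive report.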

Offline Mohamed249

  • Newbie
  • *
  • Posts: 1
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #13 on: July 20, 2019, 05:41:16 AM »
I have the same problem  :-\
We need anyone to help us, please.

Offline Oliv.C

  • Newbie
  • *
  • Posts: 7
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #14 on: Yesterday at 02:15:49 PM »
Well, hello hello again guys...
Sorry to bother again on this topic, but it seems this message keeps coming back, though now it is a little different:
it is now IDP.HELU.MSEx5, still linked to C:\Windows\System32\msiexec.exe
I am using Avast 19.7.2388 (version 19.7.4674.531), which I bought.
Here is the scan result from VirusTotal:
https://www.virustotal.com/gui/file/d88e2d981610ea24ee22b83cc284d6c616f3674e8f1f5d3794c9fcd569e8dadd/community
Sorry PDI, I'm only seeing your reply now, so I executed Autoruns and enclosed the only entry I found on msiexec.exe. Is there anything more I can do?
Thanks