Author Topic: IDP.HELU.MSEx4 - Fileless Malware

Offline Oliv.C

  • Newbie
  • Posts: 6
IDP.HELU.MSEx4 - Fileless Malware
« on: January 27, 2019, 04:13:28 PM »
Hello,
For many weeks now I have randomly had the following error message popping up:

IDP.HELU.MSEx4 - Fileless Malware
process : C:\Windows\System32\msiexec.exe
(see enclosed)

It tells me it's been moved to quarantine, but when I open the quarantine it shows up empty...
Virus scans don't return anything, and I often use CCleaner / MBAM / Glary, which don't help in this case either.

Can anyone please help?
Thanks a lot!

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 35857
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #1 on: January 27, 2019, 04:18:41 PM »
Upload and scan the file ( C:\Windows\System32\msiexec.exe ) at > https://www.virustotal.com/

Post the link to the scan result here.


Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • Posts: 31541
  • malware fighter
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #2 on: January 27, 2019, 04:31:41 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Oliv.C

  • Newbie
  • Posts: 6
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #3 on: January 27, 2019, 04:32:06 PM »

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 35857
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #4 on: January 27, 2019, 04:39:31 PM »
When you scan files or URLs at VT, always check > Last analysis 2019-01-06 06:04:14 UTC

So a cached result; then you click the blue button at top right and select rescan ....

And voilà, you have a fresh result > Last analysis   2019-01-27 15:38:06 UTC
https://www.virustotal.com/#/file/d88e2d981610ea24ee22b83cc284d6c616f3674e8f1f5d3794c9fcd569e8dadd/detection



=========================================================
Signature Info
Signature Verification
This file is not signed
File Version Information
Copyright   © Microsoft Corporation. All rights reserved.
Product   Windows Installer - Unicode
Description   Windows® installer
Original Name   msiexec.exe
Internal Name   msiexec
File Version   5.0.9600.19082 (winblue_ltsb.180619-0600)

==========================================================


« Last Edit: January 27, 2019, 04:44:00 PM by Pondus »
Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 35857
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #5 on: January 27, 2019, 04:41:17 PM »
Report a possible False Positive to the Avast lab.

How to report  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438


Offline Oliv.C

  • Newbie
  • Posts: 6
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #6 on: January 27, 2019, 05:12:46 PM »

Thank you as well Polonus for the info.
MBAM didn't return anything as usual, neither did Emsisoft, but HitmanPro returned 1 malware and 1 trojan that I got rid of (see enclosed).

Thank you both. I will see if this happens again, and if it does I will report a possible false positive to the lab.

I will update this topic when i know more.
Thanks again!



Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • Posts: 31541
  • malware fighter
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #7 on: January 27, 2019, 10:17:12 PM »
Hi Oliv.C,

Well, you are welcome. Also thank you for reporting this to the community.
That is the right attitude, credits for that are yours.
This reporting will make all of us here more secure.

polonus

Offline Oliv.C

  • Newbie
  • Posts: 6
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #8 on: February 28, 2019, 02:29:33 PM »
Hello,

After a few days I wanted to let you know that the message came back, so I reported it as a false positive and I got the answer today that they whitelisted the file.

Thanks again for your help  ;)

Offline Oliv.C

  • Newbie
  • Posts: 6
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #9 on: July 09, 2019, 04:50:17 PM »
Hello again,
Sorry to come back to this topic, but it seems that despite Avast telling me that they whitelisted the .exe file, I still have the exact same message...
So I started all over again, checked VirusTotal, used Malwarebytes / Emsisoft / HitmanPro, and none of them found anything...

I'm worried about this warning from Avast that keeps coming back.  :-\
What am I missing?
Thanks in advance.

Offline Oliv.C

  • Newbie
  • Posts: 6
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #10 on: July 11, 2019, 08:12:47 PM »
Hi,
I enclose the screenshot I managed to get from my Task Manager just before Avast gives me the warning message.
What can I do?
Thanks in advance for your help.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 35857
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #11 on: July 11, 2019, 09:53:35 PM »
Quote from Oliv.C: "What can I do?"
Report it to the Avast lab again .......



Offline PDI

  • Avast team
  • Jr. Member
  • Posts: 89
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #12 on: July 12, 2019, 08:20:08 AM »
Hi Oliv.C,

The detection is connected to the msiexec process instance which is on your screenshot. The Behavior Shield is not trying to remove the msiexec file.

Please download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns, run it, and try to look for the place where the msiexec with the command line is stored. The execution can be stored in an LNK file as well.

If you cannot find it, you can save the content and share it with me via PM and I can look at it later.

What version of Avast are you using?

Regards,
PDI
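As an added example, not part of the thread and not Avast's or Sysinternals' own tooling: a PowerShell script that reads the autostart locations Autoruns would show (Run/RunOnce keys, Startup-folder .lnk shortcuts, scheduled task actions) and lists any entry whose command line references msiexec.exe, so the launching entry behind a repeated Behavior Shield alert can be found. It assumes Windows 8.1 or later (for Get-ScheduledTask) and an elevated prompt; it only reports, it removes nothing.

```powershell
# Added example (not from the thread). Lists autostart entries that launch
# msiexec.exe. Review the output; nothing is changed on the system.
$pattern = 'msiexec'
$hits = @()

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # skip the PSPath/PSProvider metadata that Get-ItemProperty adds
        if ($p.Name -notmatch '^PS' -and "$($p.Value)" -match $pattern) {
            $hits += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Startup-folder shortcuts: resolve target and arguments of each .lnk
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Source = $_.FullName; Name = $_.Name; Command = $cmd }
        }
    }
}

# 3. Scheduled task actions (Execute + Arguments of each exec action)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            $src = "Task $($task.TaskPath)$($task.TaskName)"
            $hits += [pscustomobject]@{ Source = $src; Name = $task.TaskName; Command = $cmd }
        }
    }
}

$hits | Format-Table -AutoSize -Wrap
```

A legitimate installer repair entry will usually point at an MSI under Program Files or the Windows Installer cache; an entry that passes msiexec a remote URL or an unexpected package path is the one worth taking to the Avast lab together with the screenshot.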

Offline Mohamed249

  • Newbie
  • Posts: 1
Re: IDP.HELU.MSEx4 - Fileless Malware
« Reply #13 on: Today at 05:41:16 AM »
I have the same problem  :-\
We need anyone to help us, please.