Author Topic: powershell.exe repeatedly alerted as IDP.HELU.CMD.Generic12  (Read 1869 times)


Offline moorhuhen

  • Newbie
  • *
  • Posts: 5
powershell.exe repeatedly alerted as IDP.HELU.CMD.Generic12
« on: October 29, 2021, 10:26:28 AM »
I have free Avast (version 21.9.2493 (build 21.9.6675.698), virus definitions version 211029-0) on my home PC under Win10 (latest updates).

I began to repeatedly receive messages about my "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
Avast identifies it as IDP.HELU.CMD.Generic12 (before the last Windows update I also received a message about Script:SNH-gen[Trj] for the same powershell.exe).
PS: The Script:SNH-gen[Trj] message doesn't disappear.
See attachment.
AlertIDs:
925cf212d955/211029.1105+0300
0da9eff6b1c6/211029.1145+0300

History:
Some time ago a strange message about "1.vbs file not found" began to appear every 10 minutes.
I found that this script is called by a scheduled task named WinNAT in the "\Microsoft\Windows\Maintenance\" path of the Task Scheduler library. But I couldn't find "1.vbs" anywhere on the HDD.
Also in this path I found WinSAT and WinDAT tasks (I'm not sure exactly about the last name; maybe WinDNS or something like this).
I deleted WinNAT and WinDAT. But they were created again and again, up to some moment (I don't know exactly which one).
Then, thanks to Avast, I found this "1.vbs" file in the "C:\ProgramsData\Windows\Profile" folder. There were additional files in this folder (wasp.exe, dllhostn.exe, waspwing.exe, dlchosts.exe).
I deleted the whole "C:\ProgramsData\Windows\Profile" folder and now I get the messages described above. (It looks like all files from this folder are now in Avast quarantine.)

PS: I opened the "1.vbs" script. It contains code that creates and runs an ActiveX object. This object is initialised with "powershell", but not directly. Like this: Replace("powSYMBershSYMBell", "SYMB", "")
« Last Edit: October 29, 2021, 11:34:52 AM by moorhuhen »
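A defensive check for the persistence described in this post, added here as an example that is not part of the original thread. It audits the tasks under the reported Task Scheduler path for script-host actions whose script file is missing (the "1.vbs file not found" symptom) or whose VBS rebuilds the word "powershell" through a Replace() call. It assumes an elevated PowerShell 5.1+ session; the task names WinNAT/WinDAT are taken from the post, and the helper function name is mine.

```powershell
# Added example (not from the forum post): audit scheduled tasks under the
# \Microsoft\Windows\Maintenance\ path for actions that reference missing
# script files or VBS scripts that hide "powershell" behind Replace() calls.
# Run in an elevated PowerShell session. Task names below come from the post.

$TaskPath     = '\Microsoft\Windows\Maintenance\'
$SuspectNames = @('WinNAT', 'WinDAT')   # reported in the post; assumed, not a complete list
# The legitimate WinSAT task also lives here, so flag by behaviour, not only by name.

function Test-ObfuscatedPowerShell {
    param([string]$ScriptText)
    # Match Replace("fragment", "SYMB", "") and rebuild the string it produces.
    $pattern = 'Replace\("([^"]*)",\s*"([^"]+)",\s*""\)'
    foreach ($m in [regex]::Matches($ScriptText, $pattern)) {
        $rebuilt = $m.Groups[1].Value.Replace($m.Groups[2].Value, '')
        if ($rebuilt -match 'powershell') { return $true }
    }
    return $false
}

foreach ($task in Get-ScheduledTask -TaskPath $TaskPath) {
    foreach ($action in $task.Actions) {
        $exe      = $action.Execute
        $argList  = $action.Arguments
        $findings = @()
        if ($SuspectNames -contains $task.TaskName) { $findings += 'name matches reported task' }
        # Script-host actions: pull the .vbs path out of the arguments.
        if ($exe -match 'wscript|cscript' -and $argList -match '"?([^"\s]+\.vbs)"?') {
            $script = $Matches[1]
            if (-not (Test-Path $script)) {
                $findings += "script missing: $script"   # the '1.vbs file not found' symptom
            } elseif (Test-ObfuscatedPowerShell (Get-Content $script -Raw)) {
                $findings += "script rebuilds 'powershell' via Replace()"
            }
        }
        if ($findings) {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $TaskPath
            [pscustomobject]@{
                Task     = $task.TaskName
                Execute  = $exe
                Args     = $argList
                LastRun  = $info.LastRunTime
                Findings = ($findings -join '; ')
            }
        }
    }
}
```

A task that is flagged and keeps reappearing after deletion points to a second persistence mechanism that re-creates it, so the flagged action's parent process is the next thing to look at.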

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline moorhuhen

  • Newbie
  • *
  • Posts: 5
Re: powershell.exe repeatedly alerted as IDP.HELU.CMD.Generic12
« Reply #2 on: October 29, 2021, 12:56:44 PM »
Thanks.
I'll move my message into that thread.