Author Topic: powershell.exe repeatedly alerted as IDP.HELU.CMD.Generic12  (Read 577 times)


Offline moorhuhen

  • Newbie
  • *
  • Posts: 5
powershell.exe repeatedly alerted as IDP.HELU.CMD.Generic12
« on: October 29, 2021, 10:26:28 AM »
I have free Avast (version 21.9.2493 (build 21.9.6675.698), virus definitions version 211029-0) on my home PC under Win10 (latest updates).

I began to repeatedly get messages about my "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
Avast identifies it as IDP.HELU.CMD.Generic12 (before the last Windows update I also got a message about Script:SNH-gen[Trj] for the same powershell.exe).
PS: The Script:SNH-gen[Trj] message doesn't disappear.
See attachment.
AlertIDs:
925cf212d955/211029.1105+0300
0da9eff6b1c6/211029.1145+0300



History:
Some time ago a strange message began to appear about "1.vbs file not found" every 10 min.
I found that this script is called by a scheduled task WinNAT from the "\Microsoft\Windows\Maintenance\" path in the Task Scheduler library. But I couldn't find "1.vbs" anywhere on the HDD.
Also in this path I found WinSAT and WinDAT tasks (about the last name I'm not exactly sure - maybe WinDNS or something like that).
I deleted WinNAT and WinDAT. But they were created again and again. Until some point (I don't know exactly which one).
Then, thanks to Avast, I found this "1.vbs" file in the "C:\ProgramsData\Windows\Profile" folder. There were additional files in this folder (wasp.exe, dllhostn.exe, waspwing.exe, dlchosts.exe).
I deleted the whole "C:\ProgramsData\Windows\Profile" folder and now I get the messages described above. (Looks like all files from this folder are now in Avast quarantine.)

PS: I opened the "1.vbs" script. There is code that creates and runs an ActiveX object. This object is initialised with "powershell", but not directly. Like this: Replace("powSYMBershSYMBell", "SYMB", "")
« Last Edit: October 29, 2021, 11:34:52 AM by moorhuhen »
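The post above describes two things worth checking by hand on a machine like this: a scheduled task under \Microsoft\Windows\Maintenance whose action runs a script from a user-writable folder, and a VBScript that hides the string "powershell" behind Replace() so that plain string matching on the file misses it. The following Python triage script is an added example, not code from the post, from the poster, or from Avast. The task XML and the VBScript fragment inside it are constructed to mirror what the poster describes (the task folder, the 10-minute repetition, the 1.vbs path and the Replace("powSYMBershSYMBell", "SYMB", "") construction come from the post; the wscript.exe //B launcher, the .ps1 argument and the indicator list are assumptions).

```python
"""Triage helpers for scheduled-task + obfuscated-VBS persistence.
Added example, not from the post or from Avast. TASK_XML and VBS_SAMPLE
are constructed to mirror the poster's description; they are not real samples."""
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed task definition in the shape Windows stores under
# C:\Windows\System32\Tasks\<folder>\<name>. Real task files are UTF-16 with an
# XML declaration: read them as bytes (open(p, "rb").read()) so ET honours it.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2021-10-01T00:00:00</StartBoundary>
      <Repetition><Interval>PT10M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\ProgramData\Windows\Profile\1.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed VBScript fragment using the Replace() trick from the post;
# the ProgID split and the .ps1 argument are assumed.
VBS_SAMPLE = r'''
Set sh = CreateObject(Replace("WSSYMBcript.SSYMBhell", "SYMB", ""))
sh.Run Replace("powSYMBershSYMBell", "SYMB", "") & " -w hidden -ep bypass -f C:\ProgramData\Windows\Profile\x.ps1", 0, False
'''

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "cmd", "rundll32", "regsvr32"}
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\", "\\public\\")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|ps1|hta|bat|cmd)\b")


def suspicious_task_actions(task_xml):
    """Return the <Exec> actions that look like script-host persistence: a script
    host launched with a script argument or a path in a user-writable directory.
    Judging the action rather than the task name matters because the same folder
    also holds the stock WinSAT task."""
    root = ET.fromstring(task_xml)
    findings = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        line = f"{cmd} {args}".lower()
        host = ntpath.splitext(ntpath.basename(cmd))[0].lower()
        is_host = host in SCRIPT_HOSTS
        in_user_path = any(p in line for p in USER_WRITABLE)
        has_script = bool(SCRIPT_EXT.search(line))
        if is_host and (in_user_path or has_script):
            checks = (("script host", is_host), ("user-writable path", in_user_path),
                      ("script file argument", has_script))
            findings.append({"command": cmd, "arguments": args,
                             "reasons": [name for name, hit in checks if hit]})
    return findings


# Replace("lit", "lit", "lit") with three string-literal arguments, and "a" & "b".
# Literals containing a doubled quote ("") are not handled by this simple pattern.
REPLACE_CALL = re.compile(r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.IGNORECASE)
CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def _vb_replace(s, find, repl):
    # VBScript Replace() compares case-sensitively by default (vbBinaryCompare)
    # and returns the input unchanged when the search string is empty; Python's
    # str.replace("", x) would instead interleave x between every character.
    return s if find == "" else s.replace(find, repl)


def resolve_literals(vbs_text):
    """Fold literal-only Replace() calls and "a" & "b" concatenations, repeating
    until nothing changes so nested or chained constructions collapse into the
    plain string the script would build at run time."""
    text, prev = vbs_text, None
    while text != prev:
        prev = text
        text = REPLACE_CALL.sub(lambda m: '"%s"' % _vb_replace(m.group(1), m.group(2), m.group(3)), text)
        text = CONCAT.sub(lambda m: '"%s"' % (m.group(1) + m.group(2)), text)
    return text


INDICATORS = ("powershell", "wscript.shell", "-ep bypass", "-w hidden", "-enc ", "frombase64string")


def hidden_indicators(vbs_text):
    """Indicators that appear only after folding, i.e. the ones the script was
    hiding from plain substring scanning of the file on disk."""
    before = vbs_text.lower()
    after = resolve_literals(vbs_text).lower()
    return sorted(i for i in INDICATORS if i in after and i not in before)


if __name__ == "__main__":
    for f in suspicious_task_actions(TASK_XML):
        print("suspicious action:", f["command"], f["arguments"], f["reasons"])
    print("folded script:\n" + resolve_literals(VBS_SAMPLE).strip())
    print("hidden indicators:", hidden_indicators(VBS_SAMPLE))
```

On a real machine the task XML comes from the files under C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance or from `schtasks /query /xml /tn "\Microsoft\Windows\Maintenance\WinNAT"`, and the folded script is what should be compared against the quarantined 1.vbs. The task definition is also the thing to look at when a deleted task keeps coming back: whatever re-creates it (here, most likely the script run by the other task) has to be removed before the task itself, or it is recreated on the next run.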

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 73512
    • >>>  Avast Forum - German-language section  <<<
Win 8.1 [x64] - Avast PremSec 22.1.6886.IBC [UI.688] - EEK - Firefox ESR 91.5 [NS/uBO/PB] - TB 91.5.0
Avast-Tools: Secure Browser 97.1 - Cleanup 21.4 - SecureLine 5.15 - Driver Updater 21.4 - CCleaner 5.88
Avast worth knowing (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline moorhuhen

  • Newbie
  • *
  • Posts: 5
Re: powershell.exe repeatedly alerted as IDP.HELU.CMD.Generic12
« Reply #2 on: October 29, 2021, 12:56:44 PM »
Thanks.
I'll move my message into that thread.