Topic: Constant threat prompts of IDP.HELU.CMD.Generic12 and SNH-gen from powershell.exe


neloofthepresent:
Hey all!
As the title says: 3 days ago Avast started to constantly (around every 10-40 minutes) react to the same 2 threats:
- IDP.HELU.CMD.Generic12
- Script:SNH-gen [Trj]
Scans (from several AV tools other than Avast) detect nothing, and no file is being put in quarantine. In the case of Script:SNH-gen [Trj] there isn't even a name for the supposedly locked file (see screenshot). Reporting it as a false positive does nothing.
Any way to resolve this?


DavidR:
Are you actually running a PowerShell script?
It could be that something else is trying to run it and this activity is considered suspicious, given that it is the Behaviour Shield that is alerting (in your image).

That is the correct location, I have it there on my system too, and a normal (right-click) scan comes up clean. If you check that as well it may also come up clean. If so, it would tend to point to suspicious use by another application/script trying to run it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

neloofthepresent:
Quote
Are you actually running a PowerShell script?
It could be that something else is trying to run it and this activity is considered suspicious, given that it is the Behaviour Shield that is alerting (in your image).

As a matter of fact, I don't run a PowerShell script. But Avast isn't pointing to anything or anywhere that could be using PowerShell.
And any other AV with a behaviour shield that I periodically use, just in case, is not seeing anything either. So I would appreciate some practical advice.


DavidR:
I have never needed to run PowerShell scripts so I'm not familiar with the process, so I'm afraid someone more knowledgeable than I would have to give that. Note that I'm an Avast user just like yourself, not an Avast team member.

PowerShell.exe would normally sit dormant until a script/file to run PowerShell commands is executed by powershell.exe, and that script could be malicious. It is this act that I feel Avast's Behaviour Shield doesn't like. If you ran a manual scan on the powershell.exe file in the location given by the alert (as I did) you are likely to get the same result as I did: clean.

So it is just the actions it is trying to carry out which Avast considers suspect. More so if you (or a file/program, etc.) aren't knowingly running a PowerShell script; then that activity is more suspect. A PowerShell command file/script in itself may be considered nothing more than a text file with the commands inside it.

Following on from your first post and my reply, it is strange that nothing was quarantined.

DavidR:
Update, I have tried to draw some Avast Team attention to this topic.

Milos (Avast team):
Hello,
we detect a very nasty PowerShell script. It looks to be a clicker with a miner. It could be that we are not able to clean the system because of exceptions/exclusions. Do you remember adding some exceptions/exclusions in the Avast settings? Can you check the exceptions/exclusions and post here the list of the files/folders added in exceptions/exclusions, please?

Milos

DavidR:
Thanks for the input Milos.

moorhuhen:
Hi, guys.

I have the same problem. I made the same thread today, but I'll move it here.

I have free Avast (version 21.9.2493 (build 21.9.6675.698), virus definitions version 211029-0) on my home PC under Win10 (latest updates).

I began to repeatedly get messages about my "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
Avast identifies it as IDP.HELU.CMD.Generic12 and as Script:SNH-gen [Trj].
See attachment.
Alert IDs:
925cf212d955/211029.1105+0300
0da9eff6b1c6/211029.1145+0300

History:
Some time ago a strange message began to appear about "1.vbs file not found" every 10 min.
I found that this script is called by a scheduled task WinNAT from the "\Microsoft\Windows\Maintenance\" path in the Task Scheduler library. But I didn't find "1.vbs" anywhere on the HDD.
Also in this path I found WinSAT and WinDAT tasks (about the last name I'm not sure exactly, maybe WinDNS or something like that).
I deleted WinNAT and WinDAT. But they were created again and again, until some point (I don't know exactly which one).
Then, thanks to Avast, I found this "1.vbs" file in the "C:\ProgramsData\Windows\Profile" folder. There were additional files in this folder (wasp.exe, dllhostn.exe, waspwing.exe, dlchosts.exe).
I deleted the whole "C:\ProgramsData\Windows\Profile" folder and now I have the messages described above. (Looks like all files from this folder are now in Avast quarantine.)
I opened the "1.vbs" script. There is code with ActiveX object creation and running. This object is initialised with "powershell", but not directly. Like this: Replace("powSYMBershSYMBell", "SYMB", "")

Also see my Avast exceptions list in the attachment. I'll try to remove it and rescan the system.

PS: the scan didn't find "Browser threats" or "Viruses & malware". Just "Performance issues".
PPS: the messages still appear :(
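The Replace("powSYMBershSYMBell", "SYMB", "") construct moorhuhen found in 1.vbs is a common way of keeping the word "powershell" out of the script's bytes so that a plain string search (or a simple signature) never sees it. The Python below is an added example, not code from this thread or from Avast: it constant-folds literal-only Replace() calls, Chr()/ChrW() calls and "literal & literal" concatenations in a VBScript source, then checks the recovered strings against a small watchlist. The sample script, the watchlist and the paths inside it are constructed for the example, modelled on the pattern in the post rather than copied from the actual 1.vbs.

```python
import re

# Constructed VBScript sample, modelled on the trick moorhuhen describes (the word
# "powershell" assembled with Replace() so a plain string search never sees it).
# It is NOT the 1.vbs from the thread; the command line and path are made up.
SAMPLE_VBS = r'''
Set sh = CreateObject(Replace("WScSYMBript.ShSYMBell", "SYMB", ""))
cmd = Replace("powSYMBershSYMBell", "SYMB", "") & " -w hidden -ep bypass -f " & Chr(67) & ":\ProgramData\Windows\Profile\run.ps1"
sh.Run cmd, 0, False
'''

# A VBScript string literal: double quotes, "" as the escaped quote, no newlines.
LIT = r'"((?:[^"\n]|"")*)"'
STRING_LITERAL = re.compile(LIT)
# Replace(<literal>, <literal>, <literal>): all three arguments must be literals.
REPLACE_CALL = re.compile(r'Replace\(\s*' + LIT + r'\s*,\s*' + LIT + r'\s*,\s*' + LIT + r'\s*\)', re.IGNORECASE)
# Chr(n) / ChrW(n) with a numeric argument.
CHR_CALL = re.compile(r'ChrW?\(\s*(\d+)\s*\)', re.IGNORECASE)
# <literal> & <literal>: VBScript concatenation of two literals.
CONCAT = re.compile(LIT + r'\s*&\s*' + LIT)

# Constructed watchlist of strings a benign maintenance script has little reason to build at runtime.
WATCHLIST = ("powershell", "wscript.shell", "cmd.exe", "mshta", "rundll32", "regsvr32",
             "certutil", "bitsadmin", "-ep bypass", "-w hidden", "\\programdata\\")


def _unq(s):
    """Literal body -> actual string."""
    return s.replace('""', '"')


def _q(s):
    """Actual string -> quoted literal."""
    return '"' + s.replace('"', '""') + '"'


def _fold_chr(m):
    code = int(m.group(1))
    # Only fold printable ASCII; leave control/non-ASCII codes visible as Chr(n).
    return _q(chr(code)) if 32 <= code < 127 else m.group(0)


def _fold_replace(m):
    s, old, new = (_unq(g) for g in m.groups())
    # VBScript Replace() defaults to a binary (case-sensitive) compare, like str.replace;
    # an empty search string leaves the input unchanged.
    return _q(s.replace(old, new)) if old else _q(s)


def _fold_concat(m):
    return _q(_unq(m.group(1)) + _unq(m.group(2)))


def decode_vbs(script: str) -> str:
    """Fold Chr(), literal-only Replace() and literal & literal until nothing changes (handles nesting)."""
    prev = None
    while prev != script:
        prev = script
        script = CHR_CALL.sub(_fold_chr, script)
        script = REPLACE_CALL.sub(_fold_replace, script)
        script = CONCAT.sub(_fold_concat, script)
    return script


def flag_decoded_strings(script: str):
    """Return [(decoded literal, [matched watchlist terms])] for every literal worth a look."""
    hits = []
    for m in STRING_LITERAL.finditer(decode_vbs(script)):
        lit = _unq(m.group(1))
        matched = [w for w in WATCHLIST if w in lit.lower()]
        if matched:
            hits.append((lit, matched))
    return hits


if __name__ == "__main__":
    print(decode_vbs(SAMPLE_VBS))
    for lit, why in flag_decoded_strings(SAMPLE_VBS):
        print(f"{lit!r}  <- {', '.join(why)}")
```

The folding is deliberately limited to expressions made only of literals, so anything that depends on runtime state (a variable, a registry read, a downloaded blob) is left exactly as written and shows up unchanged in the output; that is the point at which to stop reading statically and move to a sandbox or to the quarantined sibling files.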


moorhuhen:
I have run a boot scan with default settings.

Looks like nothing was found on drive C. Maybe I need to scan other drives?
A couple of corrupted archives and a couple of decompression bombs (I'm not really sure what that is).
Here is the report with the username replaced:

10/30/2021 14:52
Scan of C:

Scan of *STARTUP

File C:\Microsoft\AndroidNDK64\android-ndk-r16b\prebuilt\windows-x86_64\lib\python2.7\test\test_zipfile.pyc|>afile Error 42125 {ZIP archive is corrupted.}
File C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.zip.aamdownload|>libcef.dll Error 42125 {ZIP archive is corrupted.}
File C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1049-7B44-AC0F074E4100}\AcroRdrDCUpd1900820071.msp|>PCW_CAB_RDR|>rdrservicesupdater.exe|>static\images\hi_contrast\core_icons_highcontrast_retina.png Error 42125 {ZIP archive is corrupted.}
File C:\ProgramData\Microsoft\VisualStudio\Packages\AndroidImage_ARM_API25,version=21.0.0.2\armeabi-v7a-25_r08.zip|>armeabi-v7a\userdata.img Error 42110 {The file is a decompression bomb.}
File C:\ProgramData\Microsoft\VisualStudio\Packages\AndroidImage_ARM_API25,version=21.0.0.2\armeabi-v7a-25_r08.zip|>armeabi-v7a\system.img Error 42110 {The file is a decompression bomb.}
File C:\ProgramData\Microsoft\VisualStudio\Packages\AndroidImage_x86_API25_Private,version=10.0.0.2\x86-25_r09.zip|>x86\userdata.img Error 42110 {The file is a decompression bomb.}
File C:\ProgramData\Microsoft\VisualStudio\Packages\AndroidImage_x86_API25_Private,version=10.0.0.2\x86-25_r09.zip|>x86\system.img Error 42110 {The file is a decompression bomb.}
File C:\ProgramData\Microsoft\VisualStudio\Packages\AndroidNDK_R16B,version=16.0,chip=x64\android-ndk-r16b-windows-x86_64.zip|>android-ndk-r16b\prebuilt\windows-x86_64\lib\python2.7\test\test_zipfile.pyc|>afile Error 42125 {ZIP archive is corrupted.}
File C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.VisualStudio.EntityFrameworkTools.Msi,version=16.0.62902.0\EF6Tools.cab|>lib\net40\EntityFramework.dll Error 42125 {ZIP archive is corrupted.}
File C:\Users\ReplacedUserName\AppData\Local\Android\Sdk\.downloadIntermediates\android-ndk-r21-windows-x86_64.zip.asdownload|>android-ndk-r21\platforms\android-24\arch-x86\usr\lib\libc.a Error 42125 {ZIP archive is corrupted.}
File C:\Users\ReplacedUserName\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\var\cache\apt\archives\ubuntu-mono_16.10+18.04.20181005-0ubuntu1_all.deb|>data.tar.xz|>data.tar Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\var\cache\apt\archives\ubuntu-mono_16.10+18.04.20181005-0ubuntu1_all.deb|>data.tar.xz Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\Autosave-317.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\Autosave-318.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\Autosave-319.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\Autosave-320.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\Autosave-321.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\fdf.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\hhfgh.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\Start.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\ав.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\ва.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\вкп.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\епркер.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\ппп.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Алуолтон\пркерке.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Денджмарш\Autosave-2.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Денджмарш\Autosave-3.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Денджмарш\Autosave-4.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Денджмарш\Autosave-5.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Денджмарш\Autosave-6.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Денджмарш\Start.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Нейнби\333.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Нейнби\5454.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Нейнби\6666.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Нейнби\Autosave-29.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Нейнби\Autosave-30.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Нейнби\Autosave-31.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Нейнби\Autosave-32.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Нейнби\Autosave-33.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\VillageSaves\Нейнби\Start.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Users\ReplacedUserName\AppData\LocalLow\Foxy Voxel\Going Medieval\_bug_reporter_saveZ-R.zip|>VillageSaves\bug_reporter_Алуолтон_2021-9-8_11-34\bug_reporter_save.sav|>Terrain.bin Error 42110 {The file is a decompression bomb.}
File C:\Windows\Installer\2d8329.msp|>PCW_CAB_RDR|>rdrservicesupdater.exe|>static\images\hi_contrast\core_icons_highcontrast_retina.png Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 274852
Number of tested files: 4150053
Number of infected files: 0

Pondus:
Quote
A couple of corrupted archives and a couple of decompression bombs (I'm not really sure what that is).

{ZIP archive is corrupted.} usually means that the Avast engine is not unpacking and scanning that archive for whatever reason; it can be password protected / encrypted by the program that uses it.

Decompression bombs = archives that unpack to a very large file, so the Avast engine does not unpack and scan them.

moorhuhen:
Pondus, thank you for the explanations.

I want to add a couple of words:
After my actions yesterday, the messages didn't stop appearing.
But then Avast automatically updated the virus definitions (from 211029-0 to 211030-0).
Looks like I haven't seen these messages again (yesterday and today).
Maybe everything is OK now.

I'll write here if I see these messages again.

Milos (Avast team):
Quote
[...]
I found that this script is called by a scheduled task WinNAT from the "\Microsoft\Windows\Maintenance\" path in the Task Scheduler library. But I didn't find "1.vbs" anywhere on the HDD.
Also in this path I found WinSAT and WinDAT tasks (about the last name I'm not sure exactly, maybe WinDNS or something like that).
I deleted WinNAT and WinDAT. But they were created again and again, until some point (I don't know exactly which one).
[...]
Also see my Avast exceptions list in the attachment. I'll try to remove it and rescan the system.

Hello,
remove all the exceptions and do a full scan, and remove the 2 mentioned scheduled tasks, if not done already.

Milos
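Milos's advice comes down to two things: drop the exclusions that stopped Avast cleaning the files, and remove the scheduled tasks that keep the chain alive. The Python below is an added example, not code from this thread or from Avast, that triages one scheduled task from its XML definition (the format `Export-ScheduledTask` and `schtasks /Query /XML` produce) and flags the combination moorhuhen described: a task named like a built-in Windows maintenance task, hidden, firing every 10 minutes, whose action is a script host pointed at a file under ProgramData. Both task definitions embedded in it are constructed for the example; the "WinSAT" one is a benign-looking stand-in, not the real task definition, and the indicator list and scoring threshold are the example's own choices.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definitions in Task Scheduler XML, modelled on what moorhuhen describes.
# Neither is a real export from the thread. Real exports carry an XML declaration and are
# UTF-16; pass those to triage_task_xml() as bytes so the parser honours the declaration.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Maintenance\WinNAT</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2021-10-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //Nologo "C:\ProgramData\Windows\Profile\1.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Benign-looking stand-in (NOT the real WinSAT definition; judge real tasks against a
# known-good machine, not against this sample).
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Maintenance\WinSAT</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2021-10-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\system32\WinSAT.exe</Command></Exec>
  </Actions>
</Task>"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\programdata\\|\\users\\[^\\]+\\appdata\\|\\users\\public\\"
                           r"|%(?:temp|tmp|appdata|localappdata|programdata)%", re.I)
SCRIPT_FILE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b", re.I)


def interval_seconds(iso):
    """PT10M -> 600 (ISO 8601 durations as Task Scheduler writes them); None if absent/unparsable."""
    if not iso:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso)
    if not m:
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def basename(cmd):
    return cmd.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_task_xml(xml_doc):
    """Score one Task Scheduler XML definition; returns uri, actions, indicators and a verdict."""
    root = ET.fromstring(xml_doc)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    uri = text("t:RegistrationInfo/t:URI")
    hidden = text("t:Settings/t:Hidden").lower() == "true"
    every = interval_seconds(text(".//t:Repetition/t:Interval"))
    indicators, actions = [], []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
        base = basename(cmd)
        if base in SCRIPT_HOSTS:
            indicators.append(f"action runs script host {base}")
            if uri.lower().startswith("\\microsoft\\windows\\"):
                indicators.append("task path mimics a built-in Windows task but launches a script host")
        if USER_WRITABLE.search(args) or USER_WRITABLE.search(cmd):
            indicators.append("command or arguments point into a user-writable location")
        if SCRIPT_FILE.search(args):
            indicators.append("arguments name a script file")
    if hidden:
        indicators.append("task is hidden")
    if every is not None and every <= 900:
        indicators.append(f"repeats every {every // 60} min")
    strong = any("script host" in i or "user-writable" in i for i in indicators)
    verdict = "suspicious" if strong and len(indicators) >= 2 else "benign-looking"
    return {"uri": uri, "actions": actions, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for doc in (SUSPICIOUS_TASK, BENIGN_TASK):
        r = triage_task_xml(doc)
        print(r["uri"], "->", r["verdict"])
        for i in r["indicators"]:
            print("   ", i)
```

On the affected machine, `Get-ScheduledTask -TaskPath '\Microsoft\Windows\Maintenance\'` lists the tasks in that folder and `Export-ScheduledTask -TaskPath '\Microsoft\Windows\Maintenance\' -TaskName WinNAT` returns the XML for one of them; `Unregister-ScheduledTask` removes a task once it is identified. The script only scores what the XML says, so the final call should still be made by comparing the task with the same path on a known-good system. A task that comes back after deletion, as moorhuhen saw, means something else is still running and re-registering it, which is why the exclusions have to go and the full scan has to run before the tasks are removed for the last time.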