IDP.HELU.MSEx2

Hi all

Several times a day I’m getting the following notice:

We’ve moved the threat msiexec.exe to your virus chest

Looking at details I get:

Threat Name: IDP.HELU.MSEx2 - Fileless malware
Process: [drive letter]Windows\System32

Status: Move to Virus Chest

Look in the Virus Chest and msiexec.exe is here.

This has been going on for 7 days now and I’ve run many antivirus, malware, and PUP checkers above and beyond Avast… and nothing, not a single one of them, finds a thing.

Can someone help me?

Attach your basic diagnostic logs. (MBAM and FRST)
Instructions: https://forum.avast.com/index.php?topic=194892

This is the AVAST report.
Attached are the .txt files from FRST and from MBAM.

Same problem with “IDP.HELU.MSEx2 - Fileless malware”, regularly notified by Avast.
Any idea?

If you want help, then follow the instructions in the sticky post at the top of this forum section.

Sorry, so here are my files.

Up?

@ g.dalonzo

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
```
HKLM\...\Run: [hola] => C:\Program Files\Hola\app\hola.exe [2190248 2018-09-09] (Hola Networks Ltd.) <==== ATTENTION
HKLM\...\Providers\ilhjoc0i: C:\Program Files (x86)\Shilidom Mapper\local64spl.dll [306688 2017-03-09] () <==== ATTENTION
ShellExecuteHooks: No Name - {BF96FB02-038E-11E7-B91B-64006A5CFC23} - C:\Users\giuseppe d'alonzo\AppData\Roaming\Mucedomtercegh\Ghersule.dll [145408 2017-03-09] () <==== ATTENTION
CHR HomePage: ChromeDefaultData -> hxxps://start-pagesearch.com/?s=acer&m=home&brw=ch
CHR StartupUrls: ChromeDefaultData -> "hxxps://start-pagesearch.com/?s=acer&m=start&brw=ch"
CHR DefaultSearchURL: ChromeDefaultData -> hxxps://secure.start-pagesearch.com/?partner=acer&src=omnibox&brw=ch&q={searchTerms}
CHR DefaultSearchKeyword: ChromeDefaultData -> start-pagesearch.com
CHR DefaultSuggestURL: ChromeDefaultData -> hxxps://secure-suggest.start-pagesearch.com/suggest?format=json&brw=ch&locale={language}&q={searchTerms}
Task: {86A878FA-12BC-4205-BC0C-4CE554497B54} - \Vasagohok -> No File <==== ATTENTION
Task: {8D857566-9BCC-498F-BE44-7860FAE3ED12} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe <==== ATTENTION
VirusTotal: C:\Program Files\Hola\app\hola.exe;C:\Program Files (x86)\Shilidom Mapper\local64spl.dll;C:\Users\giuseppe d'alonzo\AppData\Roaming\Mucedomtercegh\Ghersule.dll;C:\Program Files (x86)\MIO\MIO.exe
C:\Program Files\Hola
C:\Program Files (x86)\Shilidom Mapper
C:\Users\giuseppe d'alonzo\AppData\Roaming\Mucedomtercegh
C:\Program Files (x86)\MIO
IE trusted site: HKU\S-1-5-21-3745431335-3607709842-4274522421-1001\...\hola.org -> hxxp://hola.org
EmptyTemp:
```
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

@ patochefree

Can you post screenshot of Avast alert?

Thanks for your help.
I am trying it.
However, I didn’t keep the Avast alert screenshot…

@ Sass Drake

Thank you for your reply.
Attached here is the file fixlog.txt.

@both of you

What is system status now? Do you still get Avast notifications about blocked threat?

No more Avast notifications, and the installation program works again.
Thanks, it seems all OK! :slight_smile:

No more notifications.
Thank you :wink: