IDP.HELU.MSEx4 - Fileless Malware

Hello,
It’s been many weeks now that I randomly have the following error message popping up:

IDP.HELU.MSEx4 - Fileless Malware
process : C:\Windows\System32\msiexec.exe
(see enclosed)

It tells me it’s been moved to quarantine but when I open the quarantine it shows up empty…
Virus scans don’t return anything, and I often use CCleaner / MBAM / Glary, which don’t help in this case either.

Can anyone please help?
Thanks a lot!

Upload and scan file ( C:\Windows\System32\msiexec.exe ) at > https://www.virustotal.com/

post link to scan result here

An attack using this could lead to LokiBOT,
also read: https://malwaretips.com/threads/how-to-remove-msiexec-exe-trojan-horse-virus-removal-guide.2599/

polonus

Hello Pondus, thanks for your time
here is the link you asked
https://www.virustotal.com/#/file/d88e2d981610ea24ee22b83cc284d6c616f3674e8f1f5d3794c9fcd569e8dadd/behavior

thanks,

when you scan files or URLs at VT always check > Last analysis 2019-01-06 06:04:14 UTC

So a cached result; then you click the blue button at top right and select rescan …

and voila, you have a fresh result > Last analysis 2019-01-27 15:38:06 UTC
https://www.virustotal.com/#/file/d88e2d981610ea24ee22b83cc284d6c616f3674e8f1f5d3794c9fcd569e8dadd/detection

=========================================================
Signature Info
Signature Verification
This file is not signed
File Version Information
Copyright © Microsoft Corporation. All rights reserved.
Product Windows Installer - Unicode
Description Windows® installer
Original Name msiexec.exe
Internal Name msiexec
File Version 5.0.9600.19082 (winblue_ltsb.180619-0600)

==========================================================

Report possible False Positive to avast lab

How to report >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Thank you as well Polonus for the info.
MBAM didn’t return anything as usual, neither did Emsisoft, but Hitman returned 1 malware and 1 trojan that I got rid of (see enclosed).

Thank you both, I will see if this happens again and if it does I will report a possible false positive to the lab.

I will update this topic when i know more.
Thanks again!

Hi Oliv.C,

Well, you are welcome. Also thank you for reporting this to the community.
That is the right attitude, credits for that are yours.
This reporting will make all of us here more secure.

polonus

Hello,

After a few days I wanted to let you know that the message came back, so I reported it as a false positive and I got the answer today that they whitelisted the file.

Thanks again for your help :wink:

Hello again,
Sorry to come back on this topic, but it seems that despite Avast telling me that they whitelisted the .exe file, I still have the exact same message…
So I started all over again, and checked VirusTotal, used Malwarebytes / Emsisoft / HitmanPro, and none of them found anything…

I’m worried about this warning from Avast that keeps coming back. :-
What am I missing?
Thanks in advance.

Hi,
I enclose the screenshot I managed to get from my Task Manager just before Avast gives me the warning message.
What can I do?
Thanks in advance for your help.

What can I do?
Report it to Avast lab again .......

Hi Oliv.C,

The detection is connected to the msiexec process instance which is on your screenshot. The Behavioral Shield is not trying to remove the msiexec file.

Please download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and run it and try to look for the place where the msiexec with the command line is stored. The execution can be stored in the LNK file as well.

If you cannot find it you can store the content and share it with me via PM and I can look at it later.

What version of Avast are you using?

Regards,
PDI
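The search PDI describes, automated as an added PowerShell script (this is not code from the forum, from Avast or from Sysinternals): it records the command line and parent process of any running msiexec.exe instance, the detail the Task Manager screenshot was meant to capture, and then checks the common autostart registry keys, scheduled tasks and Startup-folder shortcuts for anything that references msiexec, the same locations Autoruns enumerates. Assumptions: an elevated Windows PowerShell 5.1 session on Windows 8.1 or later, and the report path is a placeholder you can change.

```powershell
# Added triage script (not from the Avast forum, Avast or Sysinternals).
# Assumption: run elevated in Windows PowerShell 5.1+; $report is a placeholder path.
$report = Join-Path $env:USERPROFILE 'Desktop\msiexec-triage.txt'
$lines  = @()

# 1. Live msiexec.exe instances: command line plus parent process name and PID.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'msiexec.exe'"
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $lines += "PROCESS pid=$($p.ProcessId) parent=$($parent.Name)($($p.ParentProcessId)) cmd=$($p.CommandLine)"
}

# 2. Autostart registry keys (Run / RunOnce for machine, user and 32-bit views).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PSPath/PSDrive/... bookkeeping properties that Get-ItemProperty adds.
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $value = [string]$prop.Value
        if ($value -match 'msiexec') { $lines += "REGISTRY $key\$($prop.Name) = $value" }
    }
}

# 3. Scheduled tasks whose action executes msiexec (or passes it as an argument).
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'msiexec') {
            $lines += "TASK $($task.TaskPath)$($task.TaskName) -> $cmd"
        }
    }
}

# 4. Shortcut (.lnk) files in the per-user and all-users Startup folders:
#    a launch can be hidden in a shortcut target or its arguments.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($target -match 'msiexec') { $lines += "LNK $($_.FullName) -> $target" }
    }
}

if ($lines.Count -eq 0) { $lines += 'No msiexec references found in the locations checked.' }
$lines | Set-Content -Path $report
Write-Host "Wrote $($lines.Count) line(s) to $report"
```

The resulting text file is the sort of content PDI asks for: it shows which parent started msiexec and with what arguments, and which persistence entry (if any) keeps re-launching it. A registry, task or shortcut hit is the item to inspect in Autoruns; an empty report means the launcher sits somewhere this script does not cover (for example a service, a WMI subscription or a browser extension), which Autoruns' other tabs list.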

I have the same problem :-
We need anyone to help us, please

Well, hello hello again guys…
Sorry to bother again on this topic, but it seems this message keeps coming back, but now it is a little different:
it is now IDP.HELU.MSEx5, still linked to C:\Windows\System32\msiexec.exe
I am using Avast 19.7.2388 (version 19.7.4674.531), that I bought.
Here is the scan result from VirusTotal
https://www.virustotal.com/gui/file/d88e2d981610ea24ee22b83cc284d6c616f3674e8f1f5d3794c9fcd569e8dadd/community
Sorry PDI, I’m only seeing your reply now, so I executed Autoruns and I enclosed the only entry I found on msiexec.exe. Is there anything more I can do?
Thanks

Hello Oliv,

Unless I’m misreading your Autoruns attachment, that’s msiserver, not msiexec.

Please also follow the instructions found here >> https://forum.avast.com/index.php?topic=194892.0

Hello Michael,
Yes, you’re right, it’s msiserver, but it is the only entry that mentions msiexec.exe in the image path.
Thank you for your advice, I enclosed the report from MBAM & Farbar.
I see Farbar shows a few entries with a warning…

Have you installed Ardamax keylogger?

Hello Sass Drake, yep, a while ago, but I uninstalled it since.

OK and thank you for sharing screenshot of Task Manager. Let’s now generate new FRST.txt and Addition.txt but this time in FRST.exe under Whitelist section uncheck: Registry, Processes, Services, Internet and Drivers.