I have free Avast (version 21.9.2493, build 21.9.6675.698, with virus definitions version 211029-0) on my home PC under Win10 (latest updates).
I began to repeatedly get messages about my "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
Avast identifies it as IDP.HELU.CMD.Generic12 (before the last Windows update I also got a message about Script:SNH-gen[Trj] for the same powershell.exe).
PS: The Script:SNH-gen[Trj] message doesn’t disappear.
See attachment.
Some time ago a strange message began to appear about “1.vbs file not found” every 10 min.
I found that this script is called by the scheduled task WinNAT from the "\Microsoft\Windows\Maintenance" path in the Task Scheduler library. But I didn’t find “1.vbs” anywhere on the HDD.
Also in this path I found WinSAT and WinDAT tasks (I’m not sure about the last name exactly - maybe WinDNS or something like this).
I deleted WinNAT and WinDAT. But they were created again and again. Until some moment (I don’t know exactly which one).
Then, thanks to Avast, I found this “1.vbs” file in the “C:\ProgramsData\Windows\Profile” folder. There were additional files in this folder (wasp.exe, dllhostn.exe, waspwing.exe, dlchosts.exe).
I deleted the whole “C:\ProgramsData\Windows\Profile” folder and now I have the messages described above. (It looks like all files from this folder are now in Avast quarantine.)
PS: I opened the “1.vbs” script. It contains code that creates and runs an ActiveX object. This object is initialized with “powershell”, but not directly. Like this: Replace("powSYMBershSYMBell", "SYMB", "")
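
Added example (not part of the original post, and not Avast's detection logic): a static check for the string-splitting trick described in the PS above. It resolves VBScript `Replace()` calls whose arguments are all literals and flags results that name a script host the raw text hides. The `WATCHED` list, the function names and the sample script are assumptions constructed for illustration.

```python
import re

# VBScript string literal: double-quoted, an embedded quote is written "".
_STR = r'"((?:[^"]|"")*)"'
# Replace(<literal>, <literal>, <literal>): only all-literal calls can be resolved statically.
_CALL = re.compile(
    r'\bReplace\s*\(\s*' + _STR + r'\s*,\s*' + _STR + r'\s*,\s*' + _STR + r'\s*\)',
    re.IGNORECASE)
# Assumed watch list of script hosts and launchers; extend as needed.
WATCHED = ("powershell", "cmd", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def resolve_replace_calls(source):
    """Return (line_no, call_text, original_literal, resolved) per all-literal Replace()."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in _CALL.finditer(line):
            text, find, repl = (g.replace('""', '"') for g in m.groups())
            # VBScript returns the input unchanged when the search string is empty.
            resolved = text.replace(find, repl) if find else text
            hits.append((line_no, m.group(0), text, resolved))
    return hits


def find_hidden_interpreters(source):
    """Flag calls whose result names a watched program that the raw literal does not."""
    findings = []
    for line_no, call, text, resolved in resolve_replace_calls(source):
        for name in WATCHED:
            if name in resolved.lower() and name not in text.lower():
                findings.append((line_no, name, call))
    return findings


# Constructed sample: only the Replace() expression on line 2 is quoted from the post.
SAMPLE_VBS = "\n".join([
    "' constructed sample script",
    'name = Replace("powSYMBershSYMBell", "SYMB", "")',
    'label = Replace("report_2021", "_", " ")',
    'path = Replace(userInput, "/", "-")',
])

if __name__ == "__main__":
    for line_no, name, call in find_hidden_interpreters(SAMPLE_VBS):
        print(f"line {line_no}: {call} resolves to a string containing '{name}'")
```

Calls with a variable argument, such as the last sample line, are skipped because they cannot be resolved without running the script.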