New Norton showing powershell.exe infected with IDP.Generic/IDP.HELU.PSS23 etc

Issue abstract: New Norton showing powershell.exe infected with IDP.Generic/IDP.HELU.PSS23 etc

Detailed description: Last night the new version of Norton was pushed to my computer. This morning I have had all sorts of issues, but the most troubling is that I’m constantly getting the popup “We’ve blocked powershell.exe because it was infected with IDP.HELU.PSS23 - Command line detection” (or IDP.Generic or other IDP.* named files). I was able to do one exclude, but now I can’t get rid of it at all.

Product & version number: Norton 360 Premium Version 24.10.9535 (build 24.10.9535.882)

OS details: Windows 23H2 (build 22631.4317)

What is the error message you are seeing?

“We’ve blocked powershell.exe because it was infected with IDP.HELU.PSS23 - Command line detection”

If you have any supporting screenshots, please add them:

I have a case opened with Norton which is supposedly with their escalations team. They called me Saturday evening while I was in the car. I arranged for a call back on Sunday at a specific time. They called me one hour early. Then chatted with them yesterday and arranged for a call back today. They never even called this time. I chatted again and was assured someone would contact me within 2 hours. Alas… 5 hours later…nothing. They claim they tried to call me yesterday which is total BS. Does anyone have any suggestions at all? This is absolutely unbelievable!!!

Did you submit false positive report with the Alert ID?

I’m curious to see → See details

Were it my machine and I wanted reassurance,
I’d ask the Malwarebytes Malware Removal Help Forums [here] to check my machine.

Steve. Run this tool to see if it detects anything: REMOVE that device from active internet and local network use.

SA

Additionally please read this article from Microsoft:
https://answers.microsoft.com/en-us/windows/forum/all/how-to-delete-powershell-virus/f1765bfb-48dc-4494-b10f-034c3527ee08

Autoruns by Microsoft:

SA

Thank you all for your responses! Neither Windows Defender nor Norton scans detect anything. I disconnected from the network, ran rkill and re-ran my scans, and still nothing is detected. All my scans are clean. The only suspicious software that I know of is something called Rippling, which my company was using for endpoint updates. We are getting rid of it and I had already removed it, but rkill found an autorun .exe running. It killed that, and I downloaded Autoruns and deleted that from system startup.

Literally as I’m typing this the popup occurred again. :frowning:

@bjm I did just submit a false positive report now. I know I probably should have done that first but it’s been so troubling because normal scanning, etc doesn’t show anything at all. And all very suspicious that I logged on one morning last week and discovered the update overnight and two of these things popped up.

Thank you to both of you!

For giggles, I ran MalwareBytes…nothing showing with it.

Rippling scheduled task?
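One way to answer that question, and to see what a "Command line detection" on powershell.exe is actually firing on, is to list every common persistence location that launches PowerShell together with its full command line. The script below is an added example for this thread; it is not code posted by any participant and is not from Norton, Rippling or Malwarebytes. The "suspicious argument" patterns it flags (encoded commands, hidden windows, execution-policy bypass, download-and-execute idioms) are widely used indicators, not a reproduction of Norton's IDP logic, and the function names are my own.

```powershell
# Added example (not from the thread, Norton, Rippling or Malwarebytes).
# Read-only: enumerates scheduled tasks, Run/RunOnce keys, services, WMI event
# subscriptions and running processes that invoke powershell.exe/pwsh.exe and prints
# their command lines. Run from an elevated prompt to see machine-wide entries.

function Test-PowerShellCommandLine {
    # Heuristic flags for a PowerShell command line; decodes -EncodedCommand if present.
    # These are common indicators, not Norton's detection rules (assumption for illustration).
    param([string]$CommandLine)
    $flags = @(); $decoded = ''
    if ($CommandLine -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        $flags += 'encoded command'
        try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { $decoded = '<undecodable base64>' }
    }
    if ($CommandLine -match '-(w|win|windowstyle)\s+hidden')  { $flags += 'hidden window' }
    if ($CommandLine -match '-(ep|executionpolicy)\s+bypass') { $flags += 'execution policy bypass' }
    if ($CommandLine -match '-(nop|noprofile)\b')             { $flags += 'no profile' }
    if ($CommandLine -match 'downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string') {
        $flags += 'download/IEX/decode'
    }
    [pscustomobject]@{ Flags = ($flags -join ', '); Decoded = $decoded }
}

$hits = New-Object 'System.Collections.Generic.List[object]'

function Add-Hit {
    param($Source, $Name, $Command)
    if ("$Command" -notmatch 'powershell|pwsh') { return }   # only PowerShell launchers
    $t = Test-PowerShellCommandLine "$Command"
    $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = "$Command"; Flags = $t.Flags; Decoded = $t.Decoded })
}

# 1. Scheduled tasks (the place a management agent such as the one mentioned above would usually live)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)" }
    }
}

# 2. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { Add-Hit 'RunKey' "$key\$($p.Name)" $p.Value }
    }
}

# 3. Services whose binary path invokes PowerShell
Get-CimInstance Win32_Service | ForEach-Object { Add-Hit 'Service' $_.Name $_.PathName }

# 4. Permanent WMI event subscriptions (a classic fileless persistence spot)
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'WMIConsumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'WMIScriptConsumer' $_.Name $_.ScriptText }

# 5. PowerShell processes running right now, with their parent process
Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
    Add-Hit 'RunningProcess' "PID $($_.ProcessId) (parent: $($parent.Name) PID $($_.ParentProcessId))" $_.CommandLine
}

$hits | Sort-Object Source, Name | Format-List Source, Name, Flags, Command, Decoded
```

Most machines will show a few hits with an empty Flags column; scheduled tasks from Windows itself, OEM utilities and endpoint-management agents routinely run PowerShell, so a hit alone is not evidence of infection. The useful comparison is between the command lines this prints and the one shown under "See details" for the Alert ID in Norton's notification: if an entry with "encoded command" or "download/IEX/decode" matches the blocked command line, that entry is what to investigate (or to hand to the malware-removal forum). Autoruns covers far more locations than these five, and the script changes nothing; removal decisions stay with you or the helpers checking the machine.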


Quick update…some Windows updates were applied during a reboot this morning and so far I’ve been about an hour or so without a popup. Not sure if that or my false positive report helped but so far so good. Keeping fingers crossed!! :slight_smile:

Thanks again to you both!


@Steven_Mohl Following up to see how your results are with the last posting.

SA

All is well! And someone from Norton actually called me last night!

No pop-ups all day so I think I’m good!


Awesome in both instances. Glad we could help in some way. Let us know if this resurrects itself so we can follow up again.

SA

You guys Rock! So much better than actual Norton support! So very much appreciated!

You’re most welcome!! Thanks for the kind words.

SA