Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on October 17, 2018, 04:27:17 PM

Title: IDP.HELU.PSWM6 - Fileless malware
Post by: REDACTED on October 17, 2018, 04:27:17 PM
I have one machine that continues to get a popup stating "Threat Secured. We've moved the threat powershell.exe to your Virus Chest."

More information
AV Threat Detected Alert :: Security - AntiVirus
Threat Name:         IDP.HELU.PSWM6 - Fileless malware
Virus Type:         Object is infected by malware
Threat Shield:         Behavior Shield
Virus Action:         Fix automatically - means try to Repair, if it fails, try to Move to Chest, and if even that fails, delete
Object Path:         C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Malwarebytes has been run and came back clean. I have attached the FRST logs.
Title: Re: IDP.HELU.PSWM6 - Fileless malware
Post by: Sass Drake on October 18, 2018, 06:04:43 PM
Code:
IFEO\osk.exe: [Debugger] cmd.exe
IFEO\sethc.exe: [Debugger] cmd.exe
Title: Re: IDP.HELU.PSWM6 - Fileless malware
Post by: REDACTED on October 18, 2018, 07:13:24 PM
Thank you! I have attached the fixlog.
Title: Re: IDP.HELU.PSWM6 - Fileless malware
Post by: Sass Drake on October 18, 2018, 08:49:30 PM
What is status now?
Title: Re: IDP.HELU.PSWM6 - Fileless malware
Post by: REDACTED on October 18, 2018, 09:35:43 PM
It is still popping up. I haven't restarted the machine though. Not sure if that would change anything.
Title: Re: IDP.HELU.PSWM6 - Fileless malware
Post by: Sass Drake on October 18, 2018, 10:46:59 PM
FRST logs don't show any traces of malware, so I can say it might be an Avast false positive. Restart it if you wish, but I don't think the problem will be solved by doing so.
Title: Re: IDP.HELU.PSWM6 - Fileless malware
Post by: PDI on October 19, 2018, 11:57:51 PM
Hi,

PowerShell is spawned via WMI.

Try to use Autoruns (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns) and its WMI page.

Or you can try to use https://gallery.technet.microsoft.com/scriptcenter/List-all-WMI-Permanent-73e04ab4 and share the output of the PowerShell cmdlet here. It'd be used this way: ". .\Get-WMIEventSubscription.ps1 | Format-List" to see it in readable form.

Regards,
PDI
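What PDI's suggested listing would reveal, as an added example that is neither the linked TechNet script nor anything posted in this thread: a PowerShell enumeration of the WMI permanent event subscriptions (filters, consumers and bindings in root\subscription) that can relaunch powershell.exe after every reboot. The helper Get-RefName and the Suspicious heuristic are my own assumptions, not part of any tool named above.

```powershell
# Added example: list WMI permanent event subscriptions, the "fileless"
# persistence mechanism that can spawn powershell.exe with no file on disk.
# Run from an elevated Windows PowerShell prompt; nothing is modified.
$ns = 'root\subscription'

# A subscription has three parts: a filter (WQL query = the trigger), a
# consumer (what runs) and a binding that ties filter to consumer.
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

function Get-RefName($ref) {
    # Hypothetical helper: reference properties come back as CimInstance
    # objects whose Name key identifies the filter/consumer; fall back to
    # the string form if that key is not exposed.
    if ($ref -and $ref.PSObject.Properties['Name']) { return $ref.Name }
    return [string]$ref
}

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
    if (-not $f -or -not $c) {
        Write-Warning "Dangling binding: $fName -> $cName"
        continue
    }

    # The payload depends on the consumer class: a command line, a script
    # body, or (for the benign built-in) an event log entry.
    $class   = $c.CimClass.CimClassName
    $payload = switch ($class) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { "(no command; consumer class is $class)" }
    }

    [PSCustomObject]@{
        Binding    = "$fName -> $cName"
        Trigger    = $f.Query
        Consumer   = $class
        Payload    = $payload
        # Heuristic only: a consumer that runs a shell or script host is the
        # kind of thing a Behavior Shield detection on powershell.exe points at.
        Suspicious = [bool]($payload -match 'powershell|cmd\.exe|wscript|cscript|mshta|-enc')
    }
}
```

A stock Windows install carries one benign binding, SCM Event Log Filter -> SCM Event Log Consumer (an NTEventLogEventConsumer); any other entry, especially a CommandLineEventConsumer, is what to post back in the thread for inspection.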