Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on October 17, 2018, 04:27:17 PM
-
I have one machine that continues to get a popup stating Threat Secured We've moved the threat powershell.exe to your Virus Chest.
More information
AV Threat Detected Alert :: Security - AntiVirus
Threat Name: IDP.HELU.PSWM6 - Fileless malware
Virus Type: Object is infected by malware
Threat Shield: Behavior Shield
Virus Action: Fix automatically - means try to Repair, if it fails, try to Move to Chest, and if even that fails, delete
Object Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Malwarebytes has been run and came back clean. I have attached the FRST logs.
-
- Open Notepad (click Start button -> type notepad.exe -> press Enter)
- Copy text from code block below and paste it into Notepad
IFEO\osk.exe: [Debugger] cmd.exe
IFEO\sethc.exe: [Debugger] cmd.exe
- Go to File -> Save As
- Make sure that UTF-8 is selected as Encoding (left side of Save button)
- Save it as fixlist.txt on Desktop
- Open again FRST and click on button Fix
- Wait until FRST finishes
- fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
-
Thank you! I have attached the fixlog.
-
What is status now?
-
It is still popping up. I haven't restarted the machine though. Not sure if that would change anything.
-
FRST logs don't show any traces of malware, so I can say it might be an Avast false positive. Restart it if you wish, but I don't think the problem will be solved by doing so.
-
Hi,
the PowerShell is spawned via WMI.
Try to use Autoruns https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and its WMI page.
Or you can try to use https://gallery.technet.microsoft.com/scriptcenter/List-all-WMI-Permanent-73e04ab4 and share the output of the PowerShell cmdlet here. It'd be used this way: ". .\Get-WMIEventSubscription.ps1 | Format-List" to see it in readable form.
Regards,
PDI
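Added example (not the gallery script linked above, nor anything posted in this thread): a short PowerShell enumeration of the WMI permanent event subscriptions in root/subscription, joining each filter-to-consumer binding with its filter query and the consumer's command or script text, and flagging consumers whose payload references powershell.exe. The keyword pattern in $pattern is an assumption chosen for this illustration; treat it as a starting point for review, not as a verdict.

```powershell
# Added example: list WMI permanent event subscriptions and flag powershell-launching consumers.
# Run from an elevated PowerShell prompt; root/subscription is where persistent bindings live.
$ns      = 'root/subscription'
$pattern = 'powershell|-enc|-nop|hidden|downloadstring|iex'   # assumed review keywords

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

# Binding references may come back as objects (CIM) or as path strings such as __EventFilter.Name="x"
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -split 'Name=')[-1].Trim('"') }
    return $ref.Name
}

foreach ($b in $bindings) {
    $filterName   = Get-RefName $b.Filter
    $consumerName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $filterName
    $c = $consumers | Where-Object Name -eq $consumerName

    # What actually runs when the filter fires depends on the consumer class
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }

    [pscustomobject]@{
        Filter     = $filterName
        Query      = $f.Query            # WQL trigger, e.g. a timer or process-start event
        Consumer   = $consumerName
        Type       = $c.CimClass.CimClassName
        Payload    = $payload
        Suspicious = [bool]($payload -match $pattern)
    }
}
```

Any row with Suspicious set to True is the binding to inspect first; on a clean machine with no third-party management software, this list is usually empty.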