IDP.HELU.PSWM6 - Fileless malware

[REDACTED]

I have one machine that continues to get a popup stating Threat Secured We've moved the threat powershell.exe to your Virus Chest.

More information
AV Threat Detected Alert :: Security - AntiVirus
Threat Name:         IDP.HELU.PSWM6 - Fileless malware
Virus Type:         Object is infected by malware
Threat Shield:         Behavior Shield
Virus Action:         Fix automatically - means try to Repair, if it fails, try to Move to Chest, and if even that fails, delete
Object Path:         C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Malwarebytes has been ran and came back clean. I have attached the FRST logs.

[Sass Drake]

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

IFEO\osk.exe: [Debugger] cmd.exe
IFEO\sethc.exe: [Debugger] cmd.exe

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

[REDACTED]

Thank you! I have attached the fixlog.

[Sass Drake]

What is status now?

[REDACTED]

It is still popping up. I haven't restarted the machine though. Not sure if that would change anything.

[Sass Drake]

FRST logs oesn't showany traces of malware so I can say it might be Avast false positive. Restart it if you wish but I don't think problem will be solved doing so.

[PDI]

Hi,

the powershell is spawned via WMI.

Try to use Autoruns https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and it's WMI page.

Or you can try to use https://gallery.technet.microsoft.com/scriptcenter/List-all-WMI-Permanent-73e04ab4 and share the output of the powershell cmdlet here. It'd be used this way ". .\Get-WMIEventSubscription.ps1 | Format-List" to see it in readable form.

Regards,
PDI