IDP.HELU.MSEx4 - Fileless Malware

[Michael (alan1998)]

Hello Oliv,

Unless I'm miss reading your autorun attachment, that's msiserver, not msiexec.

Please also follow the instructions found here >> https://forum.avast.com/index.php?topic=194892.0

[Oliv.C]

Hello Michael,
Yes you're right it's msiserver but it is the only entry that mentions msiexec.exe in the image path.
Thank you for your advice, i enclosed the report from MBAM & Farbar.
i see Farbar shows a few entries with a warning...

[Sass Drake]

Have you installed Ardamax keylogger?

[Oliv.C]

Hello Sass Drake, yep a while ago, but i uninstalled it since

[Sass Drake]

OK and thank you for sharing screenshot of Task Manager. Let's now generate new FRST.txt and Addition.txt but this time in FRST.exe under Whitelist section uncheck: Registry, Processes, Services, Internet and Drivers.

[Oliv.C]

Hello, and thanks for your help.
Here are the new logs.
thanks!

[PDI]

Hi,

I dug into the way how the MSIExec is executed and it have to be part of some task.

Your FIRST report shows "Task: {C7513494-BDD0-4427-8D9A-8C53723358EF} - \Thtise -> Pas de fichier <==== ATTENTION".
Could you check this record in the autoruns?

Regards,
PDI

[Oliv.C]

Hello PDI, thanks for helping
Unfortunately i did not find any trace in Autoruns related to some "Thtise" or "8C53723358EF" entry...
maybe i can enclose the saved file from Autoruns if that helps.

I did find entries in regedit however
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache
under 2 different folders "Tasks", "Tree"
Not sure this helps... i have no idea what this file is
Thanks

[PDI]

Hi,

maybe you can try to create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

I'll look later on the result of it.

The content of the registry records can help too.

Regards,
PDI

[Oliv.C]

Thanks,
so i did the support procedure.
The ID for my support file is WR90I
thank you

[Sass Drake]

In meantime, please do this:

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

cmd: reg EXPORT "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver" reg EXPORT HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver "%userprofile%\Desktop\msiserver.txt"
cmd: type "%userprofile%\Desktop\msiserver.txt"

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

[Oliv.C]

Hello,
here is the fixlog
thanks

[Sass Drake]

I'm sorry. I made a mistake in script. Please now do this:

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

cmd: reg EXPORT "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver" "%userprofile%\Desktop\msiserver.txt"
cmd: type "%userprofile%\Desktop\msiserver.txt"

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

[Oliv.C]

okay no problem
i ran it and this time it generated a fixlog and another file msiserver.txt

[Sass Drake]

msiserver.txt hasn't provides us with useful clues. Let's now try this.

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

cmd: bitsadmin /list /verbose

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.