IDP.HELU.PSWM6 - Fileless malware

I have one machine that continues to get a popup stating Threat Secured We’ve moved the threat powershell.exe to your Virus Chest.

More information
AV Threat Detected Alert :: Security - AntiVirus
Threat Name: IDP.HELU.PSWM6 - Fileless malware
Virus Type: Object is infected by malware
Threat Shield: Behavior Shield
Virus Action: Fix automatically - means try to Repair, if it fails, try to Move to Chest, and if even that fails, delete
Object Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Malwarebytes has been run and came back clean. I have attached the FRST logs.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad

    IFEO\osk.exe: [Debugger] cmd.exe
    IFEO\sethc.exe: [Debugger] cmd.exe

  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Thank you! I have attached the fixlog.

What is status now?

It is still popping up. I haven’t restarted the machine though. Not sure if that would change anything.

FRST logs don't show any traces of malware, so I can say it might be an Avast false positive. Restart it if you wish, but I don't think the problem will be solved by doing so.

Hi,

The PowerShell is spawned via WMI.

Try to use Autoruns https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and its WMI page.

Or you can try to use https://gallery.technet.microsoft.com/scriptcenter/List-all-WMI-Permanent-73e04ab4 and share the output of the PowerShell cmdlet here. It'd be used this way “. .\Get-WMIEventSubscription.ps1 | Format-List” to see it in a readable form.

Regards,
PDI
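For readers who want to see what the WMI check above looks for, here is an added example (not the TechNet gallery script and not from anyone in this thread) that enumerates the permanent event subscriptions in root\subscription and flags consumers whose payload references PowerShell. It assumes it is run locally from an elevated PowerShell prompt; the "Suspicious" column is a heuristic to review, not a verdict.

```powershell
# Added example: list WMI permanent event subscriptions (filter -> consumer
# bindings) and flag consumers that would launch powershell.exe.
$ns = 'root\subscription'
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Binding.Filter / Binding.Consumer are relative WMI paths such as
# __EventFilter.Name="Foo"; extract Name so we can join with the instances.
function Get-NameFromPath([string]$Path) {
    if ($Path -match 'Name="([^"]*)"') { return $Matches[1] }
    return $Path
}

$report = foreach ($b in $bindings) {
    $fName = Get-NameFromPath $b.Filter
    $cName = Get-NameFromPath $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

    # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer
    # runs VBScript/JScript. Log/SMTP consumers carry no executable payload.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               else                        { '' }

    [pscustomobject]@{
        Filter        = $fName
        Query         = $f.Query          # WQL trigger, e.g. a timer or logon event
        Consumer      = $cName
        ConsumerClass = $c.__CLASS
        Payload       = $payload
        # Heuristic only: PowerShell in a consumer is worth a look, not proof
        # of malware, since legitimate software also registers such consumers.
        Suspicious    = ($payload -match '(?i)powershell')
    }
}

$report | Format-List
```

If a binding's consumer is one you do not recognise, the Filter query tells you when it fires and the Payload tells you what it runs, which is exactly the pairing Autoruns shows on its WMI tab.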