WMI Malware

I recently had a case which had WMI malware. Two servers were running an old version of Windows for which there were no antivirus solutions available.

The task became removing it manually. I used the following commands to remove it.

# Remove the malicious filter, then the consumer, then the binding (replace Filter-Name with the filter name found on the host)
gwmi __eventFilter -namespace root\subscription -filter "name='Filter-Name'" | Remove-WmiObject
# No -filter here: this deletes every ActiveScriptEventConsumer in the namespace, not only the malicious one
gwmi activeScriptEventConsumer -Namespace root\subscription | Remove-WmiObject
# The doubled quotes produce the WQL filter  Filter = "__eventfilter.name='Filter-Name'"  that selects the binding
gwmi __filtertoconsumerbinding -Namespace root\subscription -Filter "Filter = ""__eventfilter.name='Filter-Name'""" | Remove-WmiObject

REM wmic equivalent for a CommandLineEventConsumer subscription (filter VolumeArrival, consumer InfectDrive); afterwards check __FilterToConsumerBinding and delete any binding that still references them
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="VolumeArrival" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="InfectDrive" DELETE
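Before deleting anything it helps to list every filter, consumer and binding in root\subscription, so that only the malicious triple is removed rather than every consumer in the namespace. The script below is an added example and not part of the original post; the function Remove-WmiSubscription is my own name, and the VolumeArrival/InfectDrive names are the ones from the wmic commands above.

```powershell
# Added example (not from the original post). Lists every permanent WMI event
# subscription in root\subscription so the malicious filter/consumer/binding
# triple can be identified, then removes only that triple by name.
$ns = 'root\subscription'

# 1. Filters: the WQL query shows which event fires the subscription
#    (e.g. Win32_VolumeChangeEvent for a drive-insertion trigger).
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, EventNamespace, Query | Format-List

# 2. Consumers: what runs when the filter fires.
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer |
    Select-Object Name, ExecutablePath, CommandLineTemplate | Format-List
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptFileName, ScriptText | Format-List

# 3. Bindings: which filter is wired to which consumer.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List

# Remove one subscription by name: binding first, then filter, then consumer.
# Unlike deleting every consumer in the namespace, this leaves unrelated
# subscriptions untouched. Function name is mine (hypothetical helper).
function Remove-WmiSubscription {
    param(
        [Parameter(Mandatory=$true)] [string]$FilterName,
        [Parameter(Mandatory=$true)] [string]$ConsumerName,
        [ValidateSet('CommandLineEventConsumer', 'ActiveScriptEventConsumer')]
        [string]$ConsumerClass = 'CommandLineEventConsumer'
    )
    # The binding's Filter property is a reference path ending in __EventFilter.Name="<name>"
    $pattern = '__EventFilter\.Name=["'']' + [regex]::Escape($FilterName) + '["'']$'
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match $pattern } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'" |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class $ConsumerClass -Filter "Name='$ConsumerName'" |
        Remove-WmiObject
}

# Names taken from the wmic commands in the post.
Remove-WmiSubscription -FilterName 'VolumeArrival' -ConsumerName 'InfectDrive'
```

Run the three listing steps first and record the output (the filter Query and consumer CommandLineTemplate/ScriptText are the evidence of what the malware did) before calling the removal function.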