I recently had a case which had WMI Malware. Two servers were running an old version of Windows, for which there were no AntiVirus solutions available.
The task became removing it manually. I used the following commands to remove it.
gwmi __eventFilter -namespace root\subscription -filter "name='Filter-Name'"| Remove-WmiObject gwmi activeScriptEventConsumer -Namespace root\subscription | Remove-WmiObject gwmi __filtertoconsumerbinding -Namespace root\subscription -Filter "Filter = ""__eventfilter.name='Filter-Name'""" | Remove-WmiObject wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="VolumeArrival" DELETE wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="InfectDrive" DELETE