Windows Server 2012/2012 R2/2016: Remove Malware embedded in WMI with PowerShell

Malware keeps getting smarter, outrunning the anti-virus and embedding itself in the operating system so that the system treats it as legitimate. One way it does this is by writing an encrypted entry, or several entries, to the WMI database. When that has happened, you can clear it all out by running the following set of commands:

# Remove the rogue WMI class the malware created in root\default
([WmiClass]'root\default:Win32_TaskService') | Remove-WmiObject -Verbose

# Remove the event filters (the WQL triggers) in root\subscription
Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='SCM Event Filter'" | Remove-WmiObject -Verbose

Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='DSM Event Logs Filter'" | Remove-WmiObject -Verbose

# Remove the consumers (what actually runs when a filter fires)
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WmiObject -Verbose

# Remove the bindings that tie a filter to a consumer
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Consumer%'" | Remove-WmiObject -Verbose

Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%DSM Event Logs Consumer%'" | Remove-WmiObject -Verbose

Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer -Filter "Name='DSM Event Logs Consumer'" | Remove-WmiObject -Verbose

Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WmiObject -Verbose

# Second pass: match the binding on its Filter reference, then the filter and consumer by name
gwmi -Namespace "root/subscription" -Class __FilterToConsumerBinding -Filter "Filter = ""__EventFilter.Name='SCM Event Filter'""" | Remove-WmiObject -Verbose

gwmi -Namespace "root/subscription" -Class __EventFilter | Where-Object Name -eq "SCM Event Filter" | Remove-WmiObject -Verbose

gwmi -Namespace "root/subscription" -Class __EventConsumer | Where-Object Name -eq "SCM Event Consumer" | Remove-WmiObject -Verbose

gwmi -Namespace "root/subscription" -Class __FilterToConsumerBinding -Filter "Filter = ""__EventFilter.Name='SCM Events Logs Filter'""" | Remove-WmiObject -Verbose

gwmi -Namespace "root/subscription" -Class __EventFilter | Where-Object Name -eq "SCM Events Logs Filter" | Remove-WmiObject -Verbose

gwmi -Namespace "root/subscription" -Class __EventConsumer | Where-Object Name -eq "SCM Events Logs Consumer" | Remove-WmiObject -Verbose

Because -Verbose is used, each command reports whether it actually removed anything.

Reboot the server and you should see that the PowerShell task under Task Manager is gone and that CPU usage has dropped considerably.
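The commands above remove objects whose names are already known. The script below is an added example, not part of the original post, that first audits everything in root\subscription (filters with their WQL queries, consumers with their command lines or script text, and the bindings between them) so you can see what the malware registered, and only deletes when run with -Remove. The name patterns 'SCM Event*' and 'DSM Event*' are assumptions taken from the names used in this post; replace them with whatever the audit shows on your server. Bindings are removed before filters and consumers so no dangling references are left in the repository.

```powershell
# Added example (not from the original post): audit and clean WMI event subscriptions.
# Run from an elevated PowerShell prompt. Without -Remove it only reports.
param(
    [string[]]$NamePattern = @('SCM Event*', 'DSM Event*'),  # assumed patterns; adjust after auditing
    [switch]$Remove
)

$ns = 'root\subscription'

function Test-NameMatch {
    param([string]$Name)
    foreach ($p in $NamePattern) { if ($Name -like $p) { return $true } }
    return $false
}

# --- Audit: show every filter, consumer and binding with the details a responder wants ---
Write-Host "== __EventFilter (WQL queries that trigger a subscription) =="
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, EventNamespace, Query | Format-List

Write-Host "== __EventConsumer (what runs when a filter fires) =="
# __EventConsumer is the abstract parent class, so one query returns CommandLineEventConsumer,
# ActiveScriptEventConsumer and every other concrete consumer type at once.
Get-WmiObject -Namespace $ns -Class __EventConsumer |
    Select-Object Name, __CLASS, CommandLineTemplate, ExecutablePath, ScriptingEngine, ScriptText | Format-List

Write-Host "== __FilterToConsumerBinding (which filter drives which consumer) =="
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List

if (-not $Remove) {
    Write-Host "Audit only. Re-run with -Remove to delete objects whose Name matches: $($NamePattern -join ', ')"
    return
}

# --- Removal: bindings first, then filters, then consumers ---
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter   | Where-Object { Test-NameMatch $_.Name })
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer | Where-Object { Test-NameMatch $_.Name })

# A binding's Filter and Consumer properties are object paths such as
#   \\HOST\root\subscription:__EventFilter.Name="SCM Event Filter"
# so match them against the names collected above rather than against the binding's own name.
$bindings = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | Where-Object {
    $b = $_
    $hitFilter   = $filters   | Where-Object { $b.Filter   -like "*Name=`"$($_.Name)`"*" }
    $hitConsumer = $consumers | Where-Object { $b.Consumer -like "*Name=`"$($_.Name)`"*" }
    ($null -ne $hitFilter) -or ($null -ne $hitConsumer)
})

foreach ($obj in ($bindings + $filters + $consumers)) {
    Write-Host "Removing $($obj.__CLASS): $($obj.__RELPATH)"
    $obj | Remove-WmiObject -Verbose
}

Write-Host "Done. Removed $($bindings.Count) binding(s), $($filters.Count) filter(s), $($consumers.Count) consumer(s)."
```

Run it once without -Remove and read the Query, CommandLineTemplate and ScriptText values: a filter polling for a timer or a process start, paired with a consumer that launches powershell.exe with an encoded command, is the pattern this post is cleaning up. Then run it again with -Remove and the patterns adjusted to the names you found. The rogue class in root\default from the first command of the post is outside root\subscription and still needs the separate Remove-WmiObject call shown above.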