Killian Occelli

Dear James, Thanks for your help. We ran the new vbs script. Attaching the latest dump here. We have patched our VMs that are infected. Dump261217.txt

Dear James, Thanks for your help. After the reboot, the process come back after 30 minutes. We have patched the server and reset all admin password after th at You can find below the dump of the WMILister_22 script. Dump221217.txt Thanks in advance.

Hi Everyone, I have the same problem as Marco2526 PowerShell Script - Possible Malicious Attack. I tested the commands below, but the fourth doesn't work. Get-WMIObject -Namespace root\Subscription -Class __EventFilter -filter "Name= 'SCM Event Filter'" |remOVe-WMIObject -Verbose Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WMIObject -Verbose Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Consumer%'" | REmOVE-WMIObject -Verbose ([WmiClass]'root\default:Win32_TaskService') | Remove-WMIObject -Verbose Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WMIObject -Verbose I have the error "Cannot convert value "root\default:win32_TaskService" to type "System.Management.ManagementClass. Error: "Not found " You can find the dump of the WMILister_20.vbs script in my post. dumpedscript.txt It's on a VM with Windows Server 2008 R2. Thanks in advance.