[PowerShell Script 100% CPU Load - Malicious Attack]

Dear James,

Thanks for your help.

We ran the new vbs script. Attaching the latest dump here.

We have patched our VMs that are infected.

Dump261217.txt

[PowerShell Script 100% CPU Load - Malicious Attack]

Dear James,

Thanks for your help.

After the reboot, the process come back after 30 minutes.

We have patched the server and reset all admin password after th at

You can find below the dump of the WMILister_22 script.

Dump221217.txt

Thanks in advance.

[PowerShell Script 100% CPU Load - Malicious Attack]

Hi Everyone,

I have the same problem as Marco2526 PowerShell Script - Possible Malicious Attack.

I tested the commands below, but the fourth doesn't work.

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -filter "Name= 'SCM Event Filter'" |remOVe-WMIObject  -Verbose
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WMIObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Consumer%'" | REmOVE-WMIObject -Verbose
([WmiClass]'root\default:Win32_TaskService') | Remove-WMIObject -Verbose

Get-WMIObject -Namespace root\Subscription -Class  ActiveScriptEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WMIObject -Verbose

I have the error "Cannot convert value "root\default:win32_TaskService" to type "System.Management.ManagementClass. Error: "Not found "

You can find the dump of the WMILister_20.vbs script in my post.

dumpedscript.txt

It's on a VM with Windows Server 2008 R2.

Thanks in advance.