Download Link: https://www.xednaps.com/download/wmilister/

Description and Use

This tool is intended to help find and remove APTs using WMI to persist on a computer.

If any odd scripts are found, you will be asked whether you want to remove them.  It is best to review the log, which is saved in a Log folder in the same folder the utility was run from.

Run this command as admin:

cscript //nologo WMILister.vbs

If scripts are found, you will be prompted to remove them.  If you confirm at the prompt, all of the scripts it found are removed.  Here is an example output for no scripts found:

Advanced use:

This version has command line switches.  Use this command to see possible switches:

cscript //nologo WMILister.vbs /?

These are the possible commands to scan and clean remote machines.  Port 135 inbound and port 445 outbound both need to be open on the remote machine.  The same open ports are seemingly used by malware to spread, so infected computers likely already have these ports open.

Examples of switch usage are:

Machine Name:

cscript //nologo WMILister.vbs /s:MachineName

IP Address:

cscript //nologo WMILister.vbs /s:

Force cleaning with no prompt (use at your own risk, as this may remove non-malicious WMI scripts):

cscript //nologo WMILister.vbs /f

cscript //nologo WMILister.vbs /s:MachineName /f

cscript //nologo WMILister.vbs /s: /f
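
Before forcing removal with /f, a read-only listing of what is registered in WMI makes it easier to judge the log and the prompt. The following PowerShell is an added example, not part of WMILister or its author's code; it assumes the persistence of interest is a permanent event subscription stored in the root\subscription namespace, and it only reads.

```powershell
# Added example, not part of WMILister. Read-only: nothing is changed or removed.
# Assumption: the persistence of interest is a permanent event subscription
# stored in the root\subscription namespace. Run from an elevated prompt.
$ns = 'root\subscription'

# WQL against the base class also returns instances of every consumer subclass
# (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
$filters   = @(Get-CimInstance -Namespace $ns -Query 'SELECT * FROM __EventFilter')
$consumers = @(Get-CimInstance -Namespace $ns -Query 'SELECT * FROM __EventConsumer')
$bindings  = @(Get-CimInstance -Namespace $ns -Query 'SELECT * FROM __FilterToConsumerBinding')

$report = foreach ($b in $bindings) {
    # Binding properties are references that carry only the key (Name).
    $f = $filters | Where-Object { $_.Name -eq $b.Filter.Name } | Select-Object -First 1
    $cClass = $b.Consumer.CimSystemProperties.ClassName
    $c = $consumers | Where-Object {
        $_.Name -eq $b.Consumer.Name -and $_.CimSystemProperties.ClassName -eq $cClass
    } | Select-Object -First 1

    # The action is held in a different property depending on the consumer class.
    $action = switch ($cClass) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        default                     { '(see consumer instance)' }
    }

    [pscustomobject]@{
        Filter        = $b.Filter.Name      # name of the trigger
        Trigger       = $f.Query            # WQL condition that fires it
        ConsumerClass = $cClass
        Consumer      = $b.Consumer.Name
        Action        = $action             # command line or script that runs
    }
}

$report | Format-List

# Filters with no binding are inert, but still worth reviewing.
$boundFilters = $bindings | ForEach-Object { $_.Filter.Name }
$filters | Where-Object { $_.Name -notin $boundFilters } | Select-Object Name, Query
```

A stock Windows installation normally shows one binding, the "SCM Event Log Filter" to "SCM Event Log Consumer" pair (an NTEventLogEventConsumer), which is the kind of non-malicious entry a forced clean could remove.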