
trojan.emotet/Artemis trojan - how to remove from network

Last Modified: 2018-12-07
A user was infected with the trojan.emotet and now my computers are constantly being hit with Artemis! trojans throughout the day.

I have the McAfee Endpoint Security, which catches and deletes it.

However, does anyone know how I can get rid of this?

Any help in this will be most appreciated.

Attachment: McAfee-Alert.PNG

Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
NJ-EWhite, IT Coordinator

Author

Commented:
John, how do I identify who or where it's coming from?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
The process will have the name or more likely an alphanumeric process name. That is the only way you can find it.

If well hidden, you may not be able to find it.
NJ-EWhite, IT Coordinator

Author

Commented:
John,

You mean if I go in to my Task manager and look at the Processes there?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
No, I was suggesting Process Explorer for this. Better for this task.
NJ-EWhite, IT Coordinator

Author

Commented:
John,

I notice the 1st alert says the F7AE566F.exe was accessed from the remote system xxx.xxx.xxx.62. The Trojan named Artemis!716293B3EB20 was detected and deleted. Could this be the machine that is sending it out? After that I'm getting alerts that other machines also have been hit from remote systems, but they have been deleted.
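The McAfee alert names a remote system that wrote the executable over the network, so the same question can be asked of the Windows Security log on each alerting machine. The PowerShell below is an added example (not code from this thread, McAfee, or Sysinternals): it reads event 5145 ("A network share object was checked to see whether client can be granted desired access"), keeps only executable targets on administrative shares, and groups them by source address. It assumes the "Detailed File Share" audit subcategory was enabled on the host, and the 24-hour window and extension list are my own choices.

```powershell
# Added example: attribute executable drops on admin shares to a source address
# using Security event 5145.  Read-only; run from an elevated prompt on the
# machine that raised the alert.  Assumes "Audit Detailed File Share" is enabled.

function Get-ShareExeDrops {
    param([int]$Hours = 24)   # look-back window (assumption for this example)

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Parse the EventData fields by name rather than by position
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        $share  = [string]$d['ShareName']            # e.g. \\*\C$ or \\*\ADMIN$
        $target = [string]$d['RelativeTargetName']   # path relative to the share

        # Hidden admin shares plus an executable target is the combination worth triaging
        if ($share -match '\$$' -and $target -match '\.(exe|dll|bat|ps1)$') {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Source = $d['IpAddress']
                User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Share  = $share
                Target = $target
                Access = $d['AccessMask']
            }
        }
    }
}

# Summarise: which remote addresses dropped executables, how often, and what they were called
$drops = Get-ShareExeDrops -Hours 24
if (-not $drops) {
    Write-Warning 'No matching 5145 events: detailed file-share auditing may not have been enabled.'
} else {
    $drops | Group-Object Source | Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceAddress'; e = { $_.Name } }, Count,
                      @{ n = 'Targets'; e = { ($_.Group.Target | Select-Object -Unique) -join ', ' } } |
        Format-Table -AutoSize
}
```

Two caveats when reading the output. A source address found this way is itself an infected host that is spreading, not necessarily the first one compromised, so isolate it and run the same check there. And if the warning fires, the host simply was not auditing share access before the incident; `auditpol /set /subcategory:"Detailed File Share" /success:enable` turns it on for the machines that are still being hit, and the 4624 logon events (logon type 3, network) give a coarser view of which hosts authenticated in the meantime.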
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You need to check each machine with Process Explorer and make sure it is not running.

Also get Autoruns (Sysinternals) and make sure it is not trying to start on any machine.
NJ-EWhite, IT Coordinator

Author

Commented:
John,

When I run the Process Explorer I don't see any alphanumeric processes, but when I run the Autoruns, I'm seeing lots of alphanumeric stuff.

Attachment: McAfee-Alert.PNG
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
In Autoruns, you see plain, red, and yellow areas. Delete all the yellow, close out, restart and test.
NJ-EWhite, IT Coordinator

Author

Commented:
Oh and it's located under HKLM\System\CurrentControlSet\Services
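Since the entries turned up under HKLM\System\CurrentControlSet\Services, the same key can be triaged from PowerShell before touching anything. The script below is an added example, not code from this thread, from Autoruns, or from McAfee: it lists services whose key name looks randomly generated or whose binary lives in a user-writable location, which is how the alphanumeric entries in Autoruns stand out. The name heuristic, the entropy threshold and the list of path fragments are my assumptions; Autoruns remains the reference view, and this only reports.

```powershell
# Added example: read-only triage of HKLM\SYSTEM\CurrentControlSet\Services.
# Flags (a) random-looking alphanumeric service names and (b) service binaries
# under user-writable paths.  Run elevated; nothing is modified.

function Get-NameEntropy {
    # Shannon entropy in bits per character of the lower-cased name
    param([string]$Name)
    $chars = $Name.ToLower().ToCharArray()
    $n = $chars.Count
    if ($n -eq 0) { return 0.0 }
    $entropy = 0.0
    foreach ($group in ($chars | Group-Object)) {
        $p = $group.Count / $n
        $entropy -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($entropy, 2)
}

function Test-SuspiciousServiceName {
    # Heuristic (assumption): 8+ chars, letters and digits only, contains both
    # classes, and high entropy.  Real names such as WinDefend or W32Time fail
    # one of these tests; a generated name like "f7ae566fk2" passes all of them.
    param([string]$Name)
    if ($Name -notmatch '^[A-Za-z0-9]{8,}$') { return $false }
    if ($Name -notmatch '[0-9]' -or $Name -notmatch '[A-Za-z]') { return $false }
    return (Get-NameEntropy $Name) -ge 3.0
}

# Path fragments a legitimate service binary normally does not live under (assumption)
$userWritable = @('\Users\', '\AppData\', '\Temp\', '\ProgramData\', '\Public\')

function Get-SuspiciousServices {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath
        # svchost-hosted services keep their real payload in Parameters\ServiceDll
        $dll   = [string](Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll

        $reasons = @()
        if (Test-SuspiciousServiceName $_.PSChildName) { $reasons += 'random-looking name' }
        foreach ($frag in $userWritable) {
            if ($image -like "*$frag*" -or $dll -like "*$frag*") { $reasons += "binary under $frag"; break }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service    = $_.PSChildName
                Start      = $props.Start        # 2 = automatic start
                ImagePath  = $image
                ServiceDll = $dll
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousServices | Format-Table -AutoSize
```

For anything this lists, confirm it against the Services tab in Autoruns and the file's signature before removing it; stop the service and export the key first so the evidence survives, and expect the entry to come back on reboot if the dropper that created it is still on the machine or still reachable over the network.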
NJ-EWhite, IT Coordinator

Author

Commented:
John,

I did what was recommended on my computer.

How do I know if it worked?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Restart and see if the malware pops up again.

Also run Autoruns again and see if it installed itself again.
NJ-EWhite, IT Coordinator

Author

Commented:
John,

Opened Autoruns back up and didn't see the alphanumeric yellow processes running.

Do I continue to do this on all the other computers, and do I have to be logged on as that user of the computer, or can I log on as myself on their computer to remove the items?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
If you are admin, you can do the same thing at other computers.
NJ-EWhite, IT Coordinator

Author

Commented:
I'm going to do it on the other computers.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Thanks - please keep us posted.
Gerwin Jansen, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
Some generic advice: disconnect systems one by one from the network and observe when the hits stop. Then scan that PC (or better, reinstall it).
masnrock, CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
How exactly is this network set up, and what permissions do users have on the systems?
NJ-EWhite, IT Coordinator

Author

Commented:
masnrock,

The users all are just regular users. Non-Admin rights.
NJ-EWhite, IT Coordinator

Author

Commented:
Gerwin,

I've done as you instructed, but I still see hits happening.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
If removal does not work, you are going to have to backup machines and reinstall Windows.

Put in a top notch Spam Filter first.
masnrock, CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Are all of the systems patched properly, especially for WannaCry? Make sure that MS17-017 is installed on ALL of the systems. But also be sure that you haven't been missing other patches as well.
Gerwin Jansen, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
If you still get hits, install Wireshark to track down the source(s) - then go after them.

But if you disconnected all other machines from the network then you may face an outside, wireless or server source.
NJ-EWhite, IT Coordinator

Author

Commented:
masnrock,

All the PCs have the latest Windows patch.
Gerwin Jansen, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
>> All the PCs have the latest Windows patch.
You should never assume that you're safe when all patches have been installed. 0-day threats will use unpatched vulnerabilities, and when they are detected, they are typically detected as heuristic, or Artemis in your case. Disconnecting devices from the network and trying to locate the issue using some sort of network logger (like Wireshark) is what I would do. You can use a passive network tap with a known good laptop to gather data.
Gerwin Jansen, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
Just curious on how did you solve the issue, can you share?
