E White

trojan.emotet/Artemis trojan - how to remove from network

A user was infected with the trojan.emotet and now my computers are constantly being hit with Artemis! Trojans throughout the day.

I have the McAfee Endpoint Security, which catches and deletes it.

However, does anyone know how I can get rid of this?

Any help in this will be most appreciated.

[Attachment: McAfee-Alert.PNG]

Tags: Anti-Virus Apps, Trojan, Security, Artemis, Trojan.emotet

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
John
E White

ASKER
John,  how do I identify who or where it's coming from?
John

The process will have the name or more likely an alphanumeric process name. That is the only way you can find it.

If well hidden, you may not be able to find it.
E White

ASKER
John,

You mean if I go in to my Task manager and look at the Processes there?
John

No, I was suggesting Process Explorer for this. Better for this task.
E White

ASKER
John,

I notice the 1st alert says the F7AE566F.exe was accessed from the remote system xxx.xxx.xxx.62.  The Trojan named Artemis!716293B3EB20 was detected and deleted.  Could this be the machine that is sending it out?  After that I got alerts that other machines also have been hit from remote systems, but they have been deleted.
John

You need to check each machine with Process Explorer and make sure it is not running.

Also get Autoruns (Sysinternals) and make sure it is not trying to start on any machine.
E White

ASKER
John,

When I run Process Explorer I don't see any alphanumeric processes, but when I run Autoruns, I'm seeing lots of alphanumeric stuff.

[Attachment: McAfee-Alert.PNG]
John

In Autoruns, you see plain, red, and yellow areas. Delete all the yellow, close out, restart and test.
E White

ASKER
Oh and it's located under HKLM\System\CurrentControlSet\Services
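An added example, not code from the thread or from Sysinternals: a read-only PowerShell triage of the Services key the asker is describing. It lists entries whose names look like random alphanumeric strings (the pattern the asker saw in yellow in Autoruns) and notes which of them point at a binary outside the usual Windows directories. The name heuristic and the list of "usual" directories are assumptions; every hit still needs to be checked against the vendor before anything is removed.

```powershell
# Added example, not from the thread: read-only triage of the Services key that
# the asker found the alphanumeric Autoruns entries under. It reports, it does
# not delete anything; vet every hit against the vendor before acting.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-RandomLookingName {
    param([string]$Name)
    # Heuristic (assumption): 6-20 characters, only letters and digits, with at
    # least two of each. Legitimate names are mostly words or dotted names.
    if ($Name -notmatch '^[A-Za-z0-9]{6,20}$') { return $false }
    $digits  = ([regex]::Matches($Name, '[0-9]')).Count
    $letters = ([regex]::Matches($Name, '[A-Za-z]')).Count
    return ($digits -ge 2 -and $letters -ge 2)
}

# Locations a service or driver binary is normally loaded from (assumption).
# Allows an optional quote and an optional \??\ prefix before the path.
$expectedPathPattern = '^"?(\\\?\?\\)?(%SystemRoot%|\\SystemRoot|system32\\|C:\\Windows\\|C:\\Program Files)'

$findings = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    if (-not (Test-RandomLookingName $_.PSChildName)) { return }   # 'return' here skips this entry
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $image = [string]$props.ImagePath
    $outsideUsualDirs = ($image -ne '') -and ($image -notmatch $expectedPathPattern)
    [PSCustomObject]@{
        Service   = $_.PSChildName
        Start     = $props.Start       # 0-2 = loads at boot/automatically, 3 = manual, 4 = disabled
        ImagePath = $image
        Note      = $(if ($outsideUsualDirs) { 'binary outside usual directories' } else { 'name pattern only' })
    }
}

# Entries with an unusual binary location sort to the top for review.
$findings | Sort-Object Note | Format-Table -AutoSize
```

Run it on each machine as an administrator and compare the output across the fleet: the same random-looking service name appearing on several PCs is a much stronger lead than a single odd driver name.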
E White

ASKER
John,

I did what was recommended on my computer.

How do I know if it worked?
John

Restart and see if the malware pops up again.

Also run Autoruns again and see if it installed itself again.
E White

ASKER
John,

I opened Autoruns back up and didn't see the alphanumeric yellow processes running.

Do I continue to do this on all the other computers, and do I have to be logged on as that user of the computer, or can I log on as myself on their computer to remove the items?
John

If you are admin, you can do the same thing at other computers.
E White

ASKER
I'm going to do it on the other computers.
John

Thanks - please keep us posted.
Gerwin Jansen

Some generic advice: disconnect systems one by one from the network and observe when the hits stop. Then scan that PC (or better, reinstall it).
masnrock

How exactly is this network set up, and what permissions do users have on the systems?
E White

ASKER
masnrock,

The users all are just regular users.  Non-Admin rights.
E White

ASKER
Gerwin,

I've done as you instructed, but I still see hits happening.
John

If removal does not work, you are going to have to backup machines and reinstall Windows.

Put in a top notch Spam Filter first.
masnrock

Are all of the systems patched properly, especially for WannaCry? Make sure that MS17-017 is installed on ALL of the systems. But also be sure that you haven't been missing other patches as well.
Gerwin Jansen

If you still get hits, install Wireshark to track down the source(s) - then go after them.

But if you disconnected all other machines from the network then you may face an outside, wireless or server source.
E White

ASKER
masnrock,

All the PCs have the latest Windows patch.
Gerwin Jansen

>> All the PCs have the latest Windows patch.
You should never assume that you're safe when all patches have been installed. 0-day threats will use unpatched vulnerabilities, and when they are detected, they are typically detected as heuristic or, in your case, Artemis. Disconnecting devices from the network and trying to locate the issue using some sort of network logger (like Wireshark) is what I would do. You can use a passive network tap with a known good laptop to gather data.
Gerwin Jansen

Just curious how you solved the issue, can you share?