Difficulty removing Emotet / Trickbot malware

GCITech
We have 17 or so computers, including 1 Server 2003, 2 Server 2012 R2s, and 2 Server 2016s; the rest are Windows 10.

It happened a month ago; I used Malwarebytes Free until all the machines scanned clean.
The next day I noticed the 2003 server was reinfected, but the others were not, so I cleaned it up.

Came back today and noticed virus was back on most of the machines.

Does anyone have experience or suggestions on how to stop emotet / trickbot malware?

Commented:
This happens when:

- there are too many admin rights for normal users on servers and clients.
- machines were not cleaned well enough (scanned while Windows was running, not from a CD/USB boot).
- USERS have the freedom to run ANY program (no SRP/AppLocker environment); change this so only pre-installed programs can run.
- very good resident malware scanner.
- not all software packages (Chrome, Adobe Reader, and ALL OTHERS) are up to date.
- admin passwords are known somehow (please change them all).
- users are curious little cats and click on EVERYTHING (user education, website/content/URL filtering).

Solve them ALL in order to solve your problem. Also, remove the outdated Server 2003. Don't bring the network back online unless all points are taken care of.
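Two of the points in the list above (excess local admin rights, and no SRP/AppLocker allow-list) can be checked from a script rather than by eye. The following PowerShell is an added example, not code from the thread or from either commenter; it audits the local machine only, and the `$ExpectedAdmins` list is a placeholder you must edit. Run it elevated on each 2012 R2 / 2016 / Windows 10 host.

```powershell
# Added example (not from the thread): audit local Administrators membership and
# AppLocker enforcement on this machine. Run elevated.
# Assumption: the expected admin members below are placeholders for your environment.
$ExpectedAdmins = @('Administrator', 'Domain Admins')

# Local Administrators membership via ADSI, which works on 2012 R2 / 2016 / Win10
# without the LocalAccounts module.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

Write-Host "Local Administrators on ${env:COMPUTERNAME}:"
foreach ($m in $members) {
    $flag = if ($ExpectedAdmins -contains $m) { '' } else { '   <-- not expected, review' }
    Write-Host "  $m$flag"
}

# AppLocker: is there an effective policy at all, and is any rule collection enforced?
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if ($null -eq $policy -or $policy.RuleCollections.Count -eq 0) {
    Write-Host 'AppLocker: no effective policy - users can run any executable they can write to disk.'
} else {
    foreach ($rc in $policy.RuleCollections) {
        Write-Host ('AppLocker {0}: {1}, {2} rule(s)' -f $rc.RuleCollectionType, $rc.EnforcementMode, $rc.Count)
    }
    # AppLocker only enforces while the Application Identity service is running.
    $svc = Get-Service AppIDSvc -ErrorAction SilentlyContinue
    Write-Host "Application Identity service (AppIDSvc): $($svc.Status)"
}
```

Anything in the Administrators list that is not a named admin or a managed group is a candidate for the "admin rights for normal users" point, and an AppLocker output of "AuditOnly" or "NotConfigured" means the allow-list is not actually stopping anything. Server 2003 has no PowerShell 3 and no AppLocker, which is one more reason the comment says to retire it.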
William Fulks, IT Services Analyst
Commented:
I had this happen at my old job where it hit hundreds of computers and dozens of servers.

First thing you need to do is disable the admin shares on all machines. This is how it is spreading. You can do this via group policy or manually.

After you disable admin shares, use MBAM to do a scan, let it clean up everything, then check the Task Scheduler for remnants. What it tends to do is drop pieces of code inside of user profiles, then run a CSCRIPT or some other command to activate that code. This may require manual cleanup per machine, which really sucks.

After that, restart the PC (offline if you can) and run MBAM again and check task scheduler again. Keep doing this until it comes back clean. Also check any startup items that don't look correct.

Commented:
Generally, you should just wipe and reinstall. Keep each machine offline until it's been reinstalled.
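The containment and cleanup steps in the comment above (turn off the admin shares, then look for scheduled tasks and startup entries that launch cscript or similar out of a user profile) can be done per machine with one script. This PowerShell is an added example, not code from the thread or from the commenters; it assumes Windows 8 / 2012 R2 or later (the `Get-SmbShare` and `Get-ScheduledTask` cmdlets) and it only reports the tasks and Run-key entries, it does not delete them, so you still do the manual review the comment calls for.

```powershell
# Added example (not from the thread): per-machine containment and triage. Run elevated.

# 1. Disable the automatic administrative shares (C$, ADMIN$). A host with a stolen
#    admin credential can no longer copy a payload to every other machine this way.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord   # server SKUs
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord   # workstation SKUs
Restart-Service LanmanServer -Force
Write-Host 'Shares still published:'
Get-SmbShare | Select-Object Name, Path | Format-Table -AutoSize

# Pattern for commands worth a second look: script hosts and LOLBins, or anything
# that lives under a user profile / %APPDATA% / %TEMP%.
$suspicious = 'cscript|wscript|powershell|mshta|rundll32|regsvr32|\\Users\\|%APPDATA%|%TEMP%'

# 2. Scheduled tasks whose action matches the pattern.
Write-Host 'Scheduled tasks to review:'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $suspicious) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                Command = $cmd
            }
        }
    }
} | Format-Table -AutoSize -Wrap

# 3. Startup entries: machine Run/RunOnce keys plus the Run key of every loaded user hive.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
$runKeys += Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

Write-Host 'Run-key entries (suspicious ones marked):'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        $mark = if ("$($_.Value)" -match $suspicious) { '   <-- review' } else { '' }
        Write-Host "  $k : $($_.Name) = $($_.Value)$mark"
    }
}
```

Two caveats a practitioner would want. Disabling the admin shares also breaks anything you rely on that uses them (PsExec-style remote execution, some software deployment and backup agents), so expect to re-enable them once the network is clean. And, as the later reply in this thread points out, blocking the propagation path does not by itself remove whatever is already resident; the task and Run-key output is the start of that cleanup, not the end of it.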

Author

Commented:
Thank you William,

I was able to find a good article talking about the admin shares. Thanks to you I was able to get a grip on the situation.

Commented:
If disabling the admin shares was your "solution", you just fooled yourself big time. It only means the infection is coming from the highest authority (you as the admin, through the servers). Following zero steps from my list will keep this "simple" infection at bay, but in the background it may do other, worse things (mining passwords, banking/ID info, etc.).
The other suggestion might be a better one (wiping, starting over), but since you are keen to fully ignore other tips anyway, it will probably come back in the same way.
William Fulks, IT Services Analyst

Commented:
Doing a total wipe and restore is the IDEAL solution from an IT perspective, but that may involve shutting down the business for days or even weeks. For my group, this simply was not an option, so we had to work around it by disabling admin shares, then performing both automated and manual cleanings. It took a while to completely clean everything up, but we did it with minimal disruption to business operations.

Commented:
"It took a while to completely clean everything up, but we did it with minimal disruption to business operations."

You did it without any major known, visible disruptions. Now, you don't know if there is a hidden admin user or backdoor lurking in your system that doesn't trigger alerts or show up in events.
