GCITech

asked on

Difficulty removing Emotet / Trickbot malware

We have 17 or so computers including 1 server 2003, 2 server 2012 r2s, and 2 server 2016s and the rest are windows 10.

Happened a month ago, used malwarebytes free until all the machines scanned clean.
The next day I noticed the 2003 server was reinfected, but the others were not, cleaned it up.

Came back today and noticed the virus was back on most of the machines.

Does anyone have experience or suggestions on how to stop emotet / trickbot malware?
Kimputer

This happens when:

- too many admin rights for normal users on servers, clients.
- not cleaned well enough (scanned when Windows was running, not when using cd/usb boot)
- freedom for USERS to run ANY programs (non SRP/applocker environment), change to run only pre-installed program
- very good resident malware scanner
- not all software packages (chrome, adobe reader, and ALL OTHER) are up to date
- admin passwords are known somehow (please change them all)
- users are curious little cats, click on EVERYTHING. (user education, website/content/url filtering)

Solve them ALL in order to solve your problem. Also, remove the outdated server 2003. Don't bring the network online unless all points are taken care of.
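A read-only audit for the points in this list, added here as an example and not taken from any of the posts. It assumes Windows 10 / Server 2016 hosts with PowerShell 5.1 (the Get-LocalGroupMember and Get-LocalUser cmdlets are not present on the older servers) and only reports; it changes nothing.

```powershell
# Added example: host audit for admin rights, admin shares, application control
# and persistence/hidden-account checks. Assumes Windows 10 / Server 2016, PS 5.1.
$report = [ordered]@{}

# 1. Who holds local admin rights? Normal users should not appear here.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$report['LocalAdmins'] = ($admins | ForEach-Object { $_.Name }) -join ', '

# 2. Admin shares (C$, ADMIN$, IPC$) and whether their auto-creation is disabled.
#    A missing AutoShare* value means the default (shares are created).
$report['SpecialShares'] = (Get-SmbShare | Where-Object Special |
    Select-Object -ExpandProperty Name) -join ', '
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$p = Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue
$report['AutoShareServer'] = $p.AutoShareServer
$report['AutoShareWks']    = $p.AutoShareWks

# 3. Application control: count the AppLocker rules currently in effect (0 = none).
$al = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$report['AppLockerRules'] = if ($al) {
    ($al.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
} else { 0 }

# 4. Persistence points a cleanup must review: Run keys and non-Microsoft tasks
#    running as SYSTEM.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$report['RunEntries'] = foreach ($k in $runKeys) {
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($v) {
        $v.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
    }
}
$report['SystemTasks'] = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match 'SYSTEM' -and $_.Author -notlike 'Microsoft*' } |
    Select-Object -ExpandProperty TaskName

# 5. Enabled local accounts with last logon and password age, to spot accounts
#    nobody remembers creating.
$report['LocalUsers'] = Get-LocalUser | Where-Object Enabled |
    Select-Object Name, LastLogon, PasswordLastSet

$report
```

Run it elevated on each host before it goes back on the network and compare the output against what you expect to be there; anything unexplained in the Run keys, task list or admin group is what the rebuild-or-clean decision should be based on.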
ASKER CERTIFIED SOLUTION
William Fulks
Generally, you should just wipe and reinstall.  Keep each machine offline until it's been reinstalled.
GCITech

ASKER

Thank you William,

I was able to find a good article talking about the admin shares. Thanks to you I was able to get a grip on the situation.
If disabling the admin shares was your "solution", you just fooled yourself big time. It only means the infection is coming from the highest authority (you as the admin, through the servers). Following 0 steps from my list will keep this "simple" infection at bay, but in the background may do other worse things (mining passwords, banking/ID info etc etc).
The other suggestion might be a better one (wiping, starting over), but since you are keen to fully ignore other tips anyway, it will probably come back in the same way.
Doing a total wipe and restore is the IDEAL solution from an IT perspective, but that may involve shutting down the business for days or even weeks. For my group, this simply was not an option, so we had to work around it by disabling admin shares, then performing both automated and manual cleanings. It took a while to completely clean everything up, but we did it with minimal disruption to business operations.
It took a while to completely clean everything up, but we did it with minimal disruption to business operations.

You did it without any major known visible disruptions. Now, you don't know if there is a hidden admin user or backdoor lurking in your system that doesn't trigger alerts or show up in events.