PUP.Optional.EmployeeMonitor

detection icon

Short bio

PUP.Optional.EmployeeMonitor is Malwarebytes’ generic detection name for commercial system monitor applications branded as tools to be used as monitoring agents for employee activity. PUP.Optional.EmployeeMonitor may covertly monitor user behavior and harvest personally identifiable information including: usernames & passwords, keystrokes from emails, chat programs, websites visited, and financial activity.PUP.Optional.EmployeeMonitor may be capable of the covert collection of screenshots, video recordings, or the ability to activate any connected camera or microphone. Collected information may be stored locally and later retrieved, or may be transmitted to an online service or location.

Symptoms

PUP.Optional.EmployeeMonitor may run as a start-up entry and may be visible as running processes on compromised machines. PUP.Optional.EmployeeMonitor may also be configured in a manner which prevents visible processes, and start-up entries.

Type and source of infection

PUP.Optional.EmployeeMonitor could be distributed using various methods and may be packaged free software or other online software, or may be installed by an individual with physical or remote access to the computer. PUP.Optional.EmployeeMonitor may be installed with or without user consent.

Remediation

Malwarebytes can detect and remove many PUP.Optional.EmployeeMonitor infections without further user interaction.

  1. Please download Malwarebytesto your desktop.
  2. Double-click MBSetup.exeand follow the prompts to install the program.
  3. When your Malwarebytes for Windowsinstallation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantineto remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Add an exclusion

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

  • Open Malwarebytes for Windows.
  • Click the Detection History
  • Click the Allow List
  • To add an item to the Allow List, click Add.
  • Select the exclusion type Allow a file or folderand use the Select a folderbutton to select the main folder for the software that you wish to keep.
  • Repeat this for any secondary files or folder(s) that belong to the software.

If you want to allow the program to connect to the Internet, for example to fetch updates, also add an exclusion of the type Allow an application to connect to the internet and use theBrowse button to select the file you wish to grant access.

Traces/IOCs

You may see these entries in FRST logs:() C:\Program Files (x86)\Net Monitor for Employees Pro\bin\nmep_ctrlagentsvc.exe() C:\Windows\SysFolder\rsasws.exe() C:\Program Files (x86)\Net Monitor for Employees Pro\bin\nmep_ctrlagent.exe(IMonitor Software Ltd) C:\Program Files\EAM Professional\IMonitorMng.exe(iMonitor Software) C:\Program Files\EAM Professional\eamserver.exe(iMonitor Software) C:\Program Files\EAM Professional\IMonLogCmd.exe() C:\Program Files\EAM Professional\eamlogrec.exe() C:\Program Files\EAM Professional\eamrdpsrv.exe() C:\Program Files (x86)\Net Monitor for Employees Pro\bin\nmep_console.exeAssociated files:mssys.exe, nlnme.exe

detection icon

Related blog content

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams