PUP.Optional.EmployeeMonitor

Short bio

PUP.Optional.EmployeeMonitor is a generic detection name for commercial system monitoring applications marketed as agents for monitoring employee activity. PUP.Optional.EmployeeMonitor may covertly monitor user behavior and harvest personally identifiable information, including usernames and passwords, keystrokes from emails, chat programs, websites visited, and financial activity.

PUP.Optional.EmployeeMonitor may be capable of covertly collecting screenshots or video recordings, or of activating any connected camera or microphone. Collected information may be stored locally and later retrieved, or may be transmitted to an online service or location.

Symptoms

PUP.Optional.EmployeeMonitor may run as a start-up entry and may be visible as running processes on compromised machines. PUP.Optional.EmployeeMonitor may also be configured so that its processes and start-up entries are not visible.

Type and source of infection

PUP.Optional.EmployeeMonitor could be distributed using various methods: it may be packaged with free software or other online software, or it may be installed by an individual with physical or remote access to the computer. PUP.Optional.EmployeeMonitor may be installed with or without user consent.

Remediation

Malwarebytes can detect and remove many PUP.Optional.EmployeeMonitor infections without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard, or select Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Traces/IOCs

You may see these entries in FRST logs:
() C:\Program Files (x86)\Net Monitor for Employees Pro\bin\nmep_ctrlagentsvc.exe
() C:\Windows\SysFolder\rsasws.exe
() C:\Program Files (x86)\Net Monitor for Employees Pro\bin\nmep_ctrlagent.exe
(IMonitor Software Ltd) C:\Program Files\EAM Professional\IMonitorMng.exe
(iMonitor Software) C:\Program Files\EAM Professional\eamserver.exe
(iMonitor Software) C:\Program Files\EAM Professional\IMonLogCmd.exe
() C:\Program Files\EAM Professional\eamlogrec.exe
() C:\Program Files\EAM Professional\eamrdpsrv.exe
() C:\Program Files (x86)\Net Monitor for Employees Pro\bin\nmep_console.exe

Associated files:

mssys.exe, nlnme.exe
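
One way to check an FRST log against the entries listed above, as an added example that is not part of the original page and not Malwarebytes code. It assumes process lines have the "(vendor) path" shape shown in the list; the function name scan_frst_log and the sample log are constructed for illustration.

```python
import ntpath
import re

# Paths and file names copied from the Traces/IOCs list on this page.
KNOWN_PATHS = [
    r"C:\Program Files (x86)\Net Monitor for Employees Pro\bin\nmep_ctrlagentsvc.exe",
    r"C:\Windows\SysFolder\rsasws.exe",
    r"C:\Program Files (x86)\Net Monitor for Employees Pro\bin\nmep_ctrlagent.exe",
    r"C:\Program Files\EAM Professional\IMonitorMng.exe",
    r"C:\Program Files\EAM Professional\eamserver.exe",
    r"C:\Program Files\EAM Professional\IMonLogCmd.exe",
    r"C:\Program Files\EAM Professional\eamlogrec.exe",
    r"C:\Program Files\EAM Professional\eamrdpsrv.exe",
    r"C:\Program Files (x86)\Net Monitor for Employees Pro\bin\nmep_console.exe",
]
ASSOCIATED_FILES = ["mssys.exe", "nlnme.exe"]

# Windows paths are case-insensitive, so compare lower-cased.
_PATHS = {p.lower() for p in KNOWN_PATHS}
_NAMES = {ntpath.basename(p) for p in _PATHS} | {f.lower() for f in ASSOCIATED_FILES}

# Process lines as shown on this page: "(Vendor) C:\path\file.exe", vendor may be empty.
LINE_RE = re.compile(r"^\((?P<vendor>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.+)$")

def scan_frst_log(text):
    """Return (line_no, kind, vendor, path) for each process line matching the list."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        if path.lower() in _PATHS:
            kind = "path"   # exact install location from the page
        elif ntpath.basename(path).lower() in _NAMES:
            kind = "name"   # same file name elsewhere: weaker, verify by hand
        else:
            continue
        hits.append((no, kind, m.group("vendor"), path))
    return hits

# Constructed sample log, not taken from a real machine.
SAMPLE_LOG = r"""
(Microsoft Corporation) C:\Windows\System32\svchost.exe
() c:\program files (x86)\net monitor for employees pro\bin\NMEP_CtrlAgent.exe
(iMonitor Software) C:\Program Files\EAM Professional\eamserver.exe
() D:\Tools\mssys.exe
"""
```

A "name" hit only means a file with the same name exists at a different location, so treat it as a lead to confirm rather than a detection.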
