Kill Emotet on Windows: The Only Fix You Need

Cybersecurity & Malware | Intermediate | May 26, 2026

Emotet is a modular trojan that arrives by email and opens the door to worse. Here's how to get it off a Windows machine without guesswork.

You're infected. Let's fix it.

Emotet's a pain. It's a modular trojan: it steals credentials and mailbox contents, loads other malware (TrickBot and Qakbot have ridden in on it, and Ryuk ransomware has followed those), and spreads itself across your network. I've cleaned this off dozens of corporate machines. The fix is straightforward if you're methodical, and the order of the steps matters.

Step 1: Kill the process and block internet

First thing: pull the network cable or disable Wi-Fi, and leave it off until Step 3 is done. Emotet phones home constantly. Without a network path it can't download new modules, exfiltrate data, or push itself to other machines on the LAN.

Open Task Manager (Ctrl+Shift+Esc), go to the Details tab, and add the Image path name and Command line columns (right-click a column header > Select columns). Look for svchost.exe or rundll32.exe running from anywhere other than C:\Windows\System32 or C:\Windows\SysWOW64, rundll32.exe or regsvr32.exe loading a DLL out of a user profile, or executables with random names like asdf1234.exe. Right-click and End task. If it won't die or comes straight back, boot into Safe Mode: hold Shift while clicking Restart, then Troubleshoot > Advanced options > Startup Settings > Restart > 4 for Safe Mode. Plain Safe Mode, not Safe Mode with Networking: you cut the network in the previous paragraph and you want it to stay cut. Run keys are not processed in Safe Mode and a service has to be on the SafeBoot list to start, so Emotet's own persistence is not running while you work.

# From an elevated command prompt (Admin) in Safe Mode. Emotet's service name is random,
# so substitute the name you found via ImagePath in Step 2 (SERVICE_NAME is a placeholder):
sc query SERVICE_NAME
sc stop SERVICE_NAME & sc delete SERVICE_NAME

If there's no service, don't worry: when Emotet landed without admin rights it persists from a Run key instead, and scheduled tasks are worth checking as well. Both are covered in Step 2.

Step 2: Nuke the registry entries

Emotet's persistence is usually a Run key (non-admin infection) or a service (admin infection). Open Regedit (Admin) and check these locations:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

Look for entries pointing to .exe files in %AppData%, %Temp%, or anywhere under C:\Users\[username]\. Write down the full path of the file before you delete the value, because you will want to delete the file itself afterwards. Then check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Emotet's service name is random, not anything helpfully called EmotetSvc, so go by the ImagePath value: a service whose binary sits in a user profile or in a randomly named folder under C:\Windows\SysWOW64 is what you're after. Delete that key and the file it points to.

Don't miss the scheduled tasks. The task names are random too, so filter on what the task runs rather than on the name. From an Admin PowerShell:

# List tasks whose program lives somewhere a dropper would put it
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'AppData|Temp|\\Users\\' } | Select-Object TaskName, TaskPath, @{n='Execute';e={$_.Actions.Execute}}
# Then remove only the ones you have confirmed (TASK and PATH are placeholders for the values listed above)
Unregister-ScheduledTask -TaskName TASK -TaskPath PATH -Confirm:$false
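
Steps 1 and 2 are one procedure: find every place the malware can restart from, note the binary, remove the hook. The script below is an added example, not code from the original article. It enumerates the Run keys, services and scheduled tasks described above and flags every entry whose program sits in a user-writable directory. The directory list is an assumption about where droppers land, not a vetted indicator list, so expect legitimate per-user software (OneDrive, Teams, updaters) to show up; review by hand and pipe only confirmed entries into Remove-PersistenceEntry.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Enumerates the persistence
# locations Steps 1 and 2 cover (Run keys, services, scheduled tasks) and flags every
# entry whose program sits in a user-writable directory. $SuspectDirs is an assumption,
# not a vetted indicator list: review the output by hand before removing anything.

$SuspectDirs = @(
    [Environment]::GetFolderPath('ApplicationData'),       # %AppData%
    [Environment]::GetFolderPath('LocalApplicationData'),  # %LocalAppData% (user %Temp% is under here)
    "$env:windir\Temp",
    "$env:SystemDrive\Users"                               # anything under a profile
)

function Get-ImagePath {
    # Best-effort extraction of the program from a Run value or service ImagePath
    # ("C:\x y\a.exe" -k, C:\x\a.exe -k, %AppData%\a.exe). Unquoted paths with spaces
    # come back truncated at the first space, which is good enough for a prefix test.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($s -match '^"([^"]+)"') { return $Matches[1] }
    if ($s -match '^(\S+\.(exe|dll|cmd|bat|vbs|js|ps1))') { return $Matches[1] }
    return ($s -split '\s+')[0]
}

function Test-SuspectPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($d in $SuspectDirs) {
        if ($Path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-PersistenceEntries {
    $entries = @()
    # Run keys: HKCU, HKLM, and the 32-bit view on 64-bit Windows
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            $entries += [pscustomobject]@{ Type = 'RunKey'; Name = $p.Name; Location = $key; Image = (Get-ImagePath $p.Value) }
        }
    }
    # Services: PathName is the ImagePath value from HKLM\SYSTEM\CurrentControlSet\Services\<name>
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $entries += [pscustomobject]@{ Type = 'Service'; Name = $svc.Name; Location = $svc.PathName; Image = (Get-ImagePath $svc.PathName) }
    }
    # Scheduled tasks: one row per Exec action (Execute is the program; arguments are separate)
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            $img = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            $entries += [pscustomobject]@{ Type = 'Task'; Name = $task.TaskName; Location = $task.TaskPath; Image = $img }
        }
    }
    $entries | Where-Object { Test-SuspectPath $_.Image }
}

function Remove-PersistenceEntry {
    # Removes one entry emitted by Get-PersistenceEntries. Delete the file at .Image afterwards.
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        switch ($Entry.Type) {
            'RunKey'  { Remove-ItemProperty -Path $Entry.Location -Name $Entry.Name }
            'Service' { Stop-Service -Name $Entry.Name -Force -ErrorAction SilentlyContinue; sc.exe delete $Entry.Name | Out-Null }
            'Task'    { Unregister-ScheduledTask -TaskName $Entry.Name -TaskPath $Entry.Location -Confirm:$false }
        }
    }
}

Get-PersistenceEntries | Format-Table Type, Name, Image -AutoSize
# Once reviewed: Get-PersistenceEntries | Where-Object Name -eq 'thebadone' | Remove-PersistenceEntry
```

Run it in Safe Mode as well as after the first normal boot: if the loader survived, the entry it recreates will show up in the second run.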

Step 3: Scan with something that actually works

Windows Defender is fine day to day, and it does detect Emotet, but the loader is repacked so often that the copy on your machine may be newer than the signatures you have. A scan from outside the running OS is also the only way to be sure the malware isn't hiding its own files from the scanner. Use Malwarebytes (free trial is enough) or ESET SysRescue Live. Boot from the ESET USB, run a full scan, and let it clean everything.

After the scan, reboot normally and run a second pass with Malwarebytes to catch remnants. Reconnect the network only once that second pass comes back clean, and check the persistence locations from Step 2 one more time after the first full boot, because a missed loader will recreate them.

Why this works

Emotet restarts through its Run key or service. By killing the process, cutting the network, and deleting those hooks, you break its ability to come back at the next logon. The boot-time scan runs while Windows, and therefore Emotet, is not running, so nothing is locked, nothing is hidden by a running process, and the binaries you noted in Step 2 can be removed. System Restore points may hold a copy of the infected binary, so turn System Restore off and back on after cleanup to clear them. The network cut is the single most important step: without it, the malware downloads new modules faster than you can delete them, and it keeps seeding other machines on the same LAN.

Less common variations

Newer Emotet builds are DLLs rather than executables, launched through rundll32.exe or regsvr32.exe, and the loader can inject into legitimate processes such as explorer.exe. In that case nothing in Task Manager looks suspicious on its own. Use Process Explorer from Sysinternals: turn on Options > Verify Image Signatures, switch the lower pane to DLL view (View > Lower Pane View > DLLs), and walk the processes looking for DLLs that are unsigned or loaded from %AppData%, %LocalAppData%, or %Temp%. Note the path, then kill the host process (or restart it) so the DLL is unloaded, and delete the file.
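
The same check done from PowerShell, as an added example that is not code from the original article. It walks the DLLs loaded in every process and reports the ones that are unsigned (or whose signature does not verify) or that were loaded from a user-writable directory. The directory list is an assumption; run it from a 64-bit shell, otherwise 64-bit processes cannot be read.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article: the Process Explorer DLL check
# from PowerShell. Reports modules that are unsigned / fail verification, or that were
# loaded from a user-writable directory ($SuspectDirs is an assumption). Protected
# processes throw Access Denied and are skipped. "Unsigned" is a lead, not a verdict:
# plenty of legitimate third-party DLLs are unsigned.

$SuspectDirs = @(
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData'),
    "$env:windir\Temp",
    "$env:ProgramData"
)

function Get-SuspectModules {
    param([string[]]$ProcessName = '*')   # narrow it, e.g. -ProcessName explorer,chrome
    $sigCache = @{}                        # Get-AuthenticodeSignature is slow; check each file once
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try { $mods = $proc.Modules } catch { continue }
        foreach ($m in $mods) {
            $path = $m.FileName
            if (-not $path) { continue }
            if (-not $sigCache.ContainsKey($path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                $sigCache[$path] = if ($sig) { $sig.Status.ToString() } else { 'Unreadable' }
            }
            $userDir = [bool]($SuspectDirs | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            if ($sigCache[$path] -ne 'Valid' -or $userDir) {
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    PID       = $proc.Id
                    Module    = $path
                    Signature = $sigCache[$path]
                    UserDir   = $userDir
                }
            }
        }
    }
}

Get-SuspectModules | Sort-Object Process, Module | Format-Table -AutoSize
```

A DLL that is both unsigned and sitting under a profile directory is the combination to chase first; a signed Microsoft DLL loaded from System32 that merely shows up in a suspect process is normal.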

WMI event subscriptions are another persistence spot worth checking, whether or not this particular infection used them. Don't wipe the root\subscription namespace wholesale: Windows ships with a built-in SCM Event Log binding there, and some management software adds its own. List the bindings first, then remove only the filter, consumer, and binding you've confirmed are malicious. From an Admin PowerShell (NAME is a placeholder for the name you found):

# List what's there: each binding ties an __EventFilter (the trigger) to a consumer (what runs)
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding | Format-List Filter, Consumer
# Remove the malicious set by name: binding first, then its filter and consumer
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding | Where-Object { $_.Filter.Name -eq 'NAME' } | Remove-CimInstance
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -Filter "Name='NAME'" | Remove-CimInstance
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer | Where-Object Name -eq 'NAME' | Remove-CimInstance
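
To decide which subscription is the malicious one you need to see what each binding actually does, not just its name. The following is an added example, not code from the original article: it resolves every binding in root\subscription to the filter's WQL query and to the consumer's command line or script text, and marks the ones that look like malware. The Suspect column is a heuristic I chose (script or command consumers mentioning common living-off-the-land binaries or user directories), not a verdict.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Resolves each WMI subscription
# binding to its trigger (filter query) and its effect (consumer action) so a malicious
# pair can be identified by name before it is removed. The Suspect regex is a heuristic.
# A clean Windows install normally shows only the built-in SCM Event Log filter/consumer pair.

function Get-WmiSubscriptions {
    $ns = 'root\subscription'
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # The binding's Filter/Consumer references carry only the key (Name) and class,
        # so re-fetch the full objects. Single quotes are escaped for WQL.
        $fname  = $b.Filter.Name -replace "'", "\'"
        $cname  = $b.Consumer.Name -replace "'", "\'"
        $cclass = $b.Consumer.CimClass.CimClassName        # concrete class, e.g. CommandLineEventConsumer
        $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='$fname'"
        $consumer = Get-CimInstance -Namespace $ns -ClassName $cclass -Filter "Name='$cname'"
        # What a consumer does depends on its class; these two are the ones malware uses
        $action = switch ($cclass) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { "<$cclass consumer>" }
        }
        [pscustomobject]@{
            FilterName    = $filter.Name
            Query         = $filter.Query
            ConsumerName  = $consumer.Name
            ConsumerClass = $cclass
            Action        = $action
            Suspect       = [bool]($action -match 'powershell|cmd\.exe|rundll32|regsvr32|mshta|wscript|cscript|AppData|\\Temp\\|-enc')
        }
    }
}

Get-WmiSubscriptions | Format-List
```

A filter whose query fires on a timer or on logon (e.g. a Win32_PerfFormattedData_PerfOS_System or Win32_LogonSession event) paired with a CommandLineEventConsumer that runs a script host is the classic shape; once you have the pair's names, remove them with the targeted commands above.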

If you're on a domain, Emotet spreads over SMB: its spreader module tries harvested credentials and a list of common passwords against admin shares on other hosts, and the malware it loads has used SMB exploits for the same purpose. After cleanup, reset the passwords of every account that was used on the infected machines, domain admins first; if a domain admin credential was in play, treat the domain as compromised rather than just the one host. Run gpupdate /force afterwards so group policy is reapplied.

Prevention — don't get hit again

Emotet arrives almost always by email: for most of its life as a macro-enabled Office document, and after Microsoft started blocking internet macros by default in 2022, as .lnk files and OneNote attachments. Train your users: never enable macros or click through a "content blocked" prompt on a document from an unknown sender. Block macro execution via Group Policy for all users except those who genuinely need it. Strip or quarantine macro-enabled Office files, scripts, .lnk files and the archives that carry them at the mail gateway. Windows Attachment Manager is a separate, client-side control: it tags downloaded files with the Mark of the Web, which is what Office's internet-macro block keys off, so leave it enabled.

Keep Windows and Office patched. Emotet itself doesn't need an exploit to land, since it gets in through the user, but the malware it loads has used SMB exploits such as MS17-010 to move laterally, and an unpatched fleet turns one click into a domain-wide incident. Install updates monthly; don't defer them.

Finally, enable Attack Surface Reduction rules. They run on Windows 10/11 with Microsoft Defender Antivirus as the active AV and can be set through Group Policy or PowerShell; Defender for Endpoint (E5) adds the reporting, not the rules themselves. If you use a third-party EDR, configure its equivalent. The rule Block all Office applications from creating child processes (GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A) kills Emotet's macro-driven execution cold, because the macro's whole job is to spawn cmd.exe, PowerShell or rundll32.exe. Run it in audit mode first and check for legitimate add-ins that trip it.
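
The prevention steps above as a script, added here as an example and not code from the original article. It enables the Office child-process ASR rule (audit mode first), reports the rule's current state, and writes the registry values behind the Office macro GPOs (VBAWarnings and blockcontentexecutionfrominternet under the Office 16.0 policy hive). Writing HKCU only covers the user running the script; on a domain you push the same values through Group Policy instead.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Enforces the two Emotet-specific
# controls on one machine: the ASR rule "Block all Office applications from creating
# child processes" (D4F940AB-401B-4EFC-AADC-AD5F3C50688A) and the Office macro policy
# values. The HKCU write only affects the current user; use GPO for a domain.

$AsrOfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Enable-OfficeChildProcessRule {
    param([switch]$AuditOnly)   # audit first, review Defender's ASR events, then enforce
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcess `
                     -AttackSurfaceReductionRules_Actions $mode
}

function Get-OfficeChildProcessRuleState {
    # Get-MpPreference stores ids and actions as two parallel arrays; action codes are
    # 0 Disabled, 1 Enabled (block), 2 AuditMode, 6 Warn
    $p   = Get-MpPreference
    $ids = @($p.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $i   = [array]::IndexOf($ids, $AsrOfficeChildProcess)
    if ($i -lt 0) { return 'NotConfigured' }
    switch ($p.AttackSurfaceReductionRules_Actions[$i]) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } 6 { 'Warn' } default { "Unknown($_)" }
    }
}

function Set-OfficeMacroPolicy {
    # Same values the "Block macros from running in Office files from the Internet" and
    # "VBA Macro Notification Settings" GPOs write. VBAWarnings=4 disables all macros
    # without notification; blockcontentexecutionfrominternet=1 is the Mark-of-the-Web block.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value 4 -Force | Out-Null
    }
}

Enable-OfficeChildProcessRule -AuditOnly
Set-OfficeMacroPolicy
Get-OfficeChildProcessRuleState   # expect AuditMode after the call above
```

Leave the rule in audit mode for a week, look for legitimate hits (line-of-business add-ins that shell out are the usual ones), then rerun Enable-OfficeChildProcessRule without -AuditOnly.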
