Solved

Keylog-Ultimate.dll Virus on Windows Server 2008 R2 SP1

Posted on 2012-04-06
7
1,066 Views
Last Modified: 2013-11-22
I am currently managing a SQL Server 2008 R2. I've installed programs such as McAfee Enterprise + AntiSpyware Enterprise 8.8, Kapersky TDSSKILLER and Malwarebytes 1.60.1.1000. These programs are scheduled to run/update everyday. In addition, we are using RDS w/ user CAL licensing which i hear is not secured, but we need it.

A few weeks ago, we encountered a type of malware called ransomware on our server and thought that I successfully removed it. Unfortunately that led to another issue, I noticed a Key logger program planted into my server that McAfee picked up. here is the log:

- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe      C:\Windows\AppCompat\KAward\rsasws.exe      Keylog-AwardKey (Virus)
- C:\Windows\Explorer.EXE      E:\decrypterpv\dc.exe      Ransom-BA (Trojan)
- C:\Users\sys\Desktop\Setup.exe      C:\ProgramData\uklpr\KLKlMon.dll      Keylog-Ultimate.dll (Virus)


The software ran another scan last night and picked up:

- 3:04:49 AM      Deleted       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 3:04:59 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:08 AM      Deleted (Clean failed)       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:18 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)


How do I prevent this? are they getting in my network through a backdoor? does RDS play a big role in this case? is there another level of security I can implement? I'll appreciate your help!
0
Comment
Question by:vlsllp
7 Comments
 
LVL 12

Expert Comment

by:Grant1842
ID: 37817474
Please follow these instructions for removal.

http://www.uninstall-spyware.com/uninstallUltimateKeylogger.html
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 37820092
Is there a business reason why users that rdp into the server have administrative (install) privileges? Have you considered remote app for programs that need administrator privileges?  How about turning on internet explorer security for non-admins? How can you or your company justify the security risk presented that allowed this to happen in the first place. In many environments once something is discovered as compromised then the entire server is rebuilt as it can no longer be trusted.  
Don't create the mess then you don't have to clean up a mess.. Unfortunately you have to treat users like preschool children you have to monitor, and protect them from themselves
0
 

Assisted Solution

by:vlsllp
vlsllp earned 0 total points
ID: 37824081
ve3ofa, yes there are special reasons why we grant our users administrative privileges. Unfortunately we had to manually go into the folders and clean out key names that have "keyloggers" in them, in addition we removed this virus through the registry as well. The primary tools i used was Kapersky TDSSKILLER and Spybot. These 2 items assisted me in cleaning out unwanted items in our registry.

Would you recommend any other tools or best practices when monitoring RDS? IDS/IPS?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 15

Accepted Solution

by:
Russell_Venable earned 500 total points
ID: 37845588
Yes, Actually. Assuming you already removed "Ransom" from your system.  It would do you some good to make note of 3 aspects for prevention and recovery reasons.

1. Keep a Website History


Keep a good track of sites that are visited from your network external from the operating system(Hardware). Not only does it help to keep track of what websites that caused the infection, but also allows you to report the infection and warn others.

2. Avoid untrusted Online Antivirus scanning

Do not allow users to do a online antivirus scan, unless tasked and if that is the case set guidelines for them to follow. Let me be specific; "Randsomware" in your case hides itself as a online antivirus scan and asks the user to install a activex/java file, sometimes even a video codec slightly different situation. This allows the site to start its malicious adventure onto the victim's machine. It's also spreads on a automated basis from "Drive-By" websites hosting a exploit kit.

3. Network traffic analyzer

Use a Network traffic analyzer to monitor for abnormal traffic patterns.
When you ask for more tools are you referring to monitoring or removal?

Other then that I would just implement a user guideline system in the first place that teaches them how to avoid this in the first place.

References to read:
Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 37846768
ve3ofa, yes there are special reasons why we grant our users administrative privileges.

Then BACKUP, BACKUP, BACKUP,

7 Daily's, 4 weekly, 12 monthly, and 7 years annual.
0
 

Author Comment

by:vlsllp
ID: 37852078
thanks
0
 

Author Closing Comment

by:vlsllp
ID: 37875054
Thanks I will try that!
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question