Keylog-Ultimate.dll Virus on Windows Server 2008 R2 SP1

I am currently managing a SQL Server 2008 R2. I've installed programs such as McAfee Enterprise + AntiSpyware Enterprise 8.8, Kaspersky TDSSKILLER and Malwarebytes 1.60.1.1000. These programs are scheduled to run/update every day. In addition, we are using RDS w/ user CAL licensing, which I hear is not secure, but we need it.

A few weeks ago, we encountered a type of malware called ransomware on our server and I thought that I had successfully removed it. Unfortunately that led to another issue: I noticed a keylogger program planted on my server that McAfee picked up. Here is the log:

- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe      C:\Windows\AppCompat\KAward\rsasws.exe      Keylog-AwardKey (Virus)
- C:\Windows\Explorer.EXE      E:\decrypterpv\dc.exe      Ransom-BA (Trojan)
- C:\Users\sys\Desktop\Setup.exe      C:\ProgramData\uklpr\KLKlMon.dll      Keylog-Ultimate.dll (Virus)


The software ran another scan last night and picked up:

- 3:04:49 AM      Deleted       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 3:04:59 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:08 AM      Deleted (Clean failed)       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:18 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)


How do I prevent this? Are they getting into my network through a backdoor? Does RDS play a big role in this case? Is there another level of security I can implement? I'll appreciate your help!
vlsllpAsked:
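Triage of the scan log above, as an added example that is not part of the original question: it parses the McAfee ODS lines quoted there (re-embedded as a constructed sample), folds the "Documents and Settings" junction onto "Users" so the same file is not counted twice, and lists the outer archive or installer that still needs removal wherever the last logged action on it failed. The field names, the container-extension list and the junction handling are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: the four McAfee on-demand-scan (ODS) lines quoted in the
# question above, fields separated by runs of whitespace as they appear there.
SAMPLE_LOG = r"""
3:04:49 AM      Deleted       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
3:04:59 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
4/6/2012      3:05:08 AM      Deleted (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
4/6/2012      3:05:18 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
"""
FIELD_SEP = re.compile(r"\s{2,}")
DATE = re.compile(r"\d{1,2}/\d{1,2}/\d{4}")
# A hit reported as <outer>\<member> ('...\SETUP.EXE\9.nsis') is removed by acting on the outer file.
CONTAINER_EXT = (".rar", ".zip", ".cab", ".7z", ".exe", ".msi")
# On 2008 R2 'c:\Documents and Settings' is a junction to 'c:\Users': one file, two names.
JUNCTION = re.compile(r"^([a-z]:)\\documents and settings\\", re.IGNORECASE)

@dataclass
class ScanEvent:
    time: str
    action: str
    user: str
    scan: str
    path: str
    threat: str
    date: Optional[str] = None
    @property
    def remediated(self) -> bool:
        # "Deleted (Clean failed)" still removed the object; "Delete failed (...)" did not.
        return not self.action.split("(")[0].strip().lower().endswith("failed")
    @property
    def container(self) -> str:
        parts = JUNCTION.sub(r"\1\\Users\\", self.path).split("\\")
        for i, part in enumerate(parts):
            if part.lower().endswith(CONTAINER_EXT):
                return "\\".join(parts[: i + 1])
        return "\\".join(parts)

def parse_line(line: str) -> ScanEvent:
    fields = FIELD_SEP.split(line.strip())
    date = fields.pop(0) if DATE.fullmatch(fields[0]) else None
    return ScanEvent(*fields, date=date)

def pending_containers(log_text: str) -> List[str]:
    # The last logged action on each container decides whether it still needs manual removal.
    last = {}
    for ev in map(parse_line, filter(str.strip, log_text.splitlines())):
        last[ev.container] = ev  # dict keeps first-seen order
    return [c for c, ev in last.items() if not ev.remediated]
```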

Grant1842Commented:
Please follow these instructions for removal.

http://www.uninstall-spyware.com/uninstallUltimateKeylogger.html
0
David Johnson, CD, MVPOwnerCommented:
Is there a business reason why users that RDP into the server have administrative (install) privileges? Have you considered RemoteApp for programs that need administrator privileges? How about turning on Internet Explorer security for non-admins? How can you or your company justify the security risk that allowed this to happen in the first place? In many environments, once something is discovered as compromised, the entire server is rebuilt, as it can no longer be trusted.
Don't create the mess, then you don't have to clean up a mess. Unfortunately you have to treat users like preschool children: you have to monitor them, and protect them from themselves.
0
vlsllpAuthor Commented:
ve3ofa, yes, there are special reasons why we grant our users administrative privileges. Unfortunately we had to manually go into the folders and clean out key names that have "keyloggers" in them; in addition, we removed this virus through the registry as well. The primary tools I used were Kaspersky TDSSKILLER and Spybot. These 2 items assisted me in cleaning out unwanted items in our registry.

Would you recommend any other tools or best practices when monitoring RDS? IDS/IPS?
0

Russell_VenableCommented:
Yes, actually. Assuming you have already removed "Ransom" from your system, it would do you some good to make note of 3 aspects for prevention and recovery reasons.

1. Keep a Website History

Keep good track of sites visited from your network, external to the operating system (hardware). Not only does it help keep track of which websites caused the infection, but it also allows you to report the infection and warn others.

2. Avoid untrusted Online Antivirus scanning

Do not allow users to do an online antivirus scan unless tasked, and if that is the case, set guidelines for them to follow. Let me be specific: "Ransomware" in your case hides itself as an online antivirus scan and asks the user to install an ActiveX/Java file, sometimes even a video codec (a slightly different situation). This allows the site to start its malicious adventure on the victim's machine. It also spreads on an automated basis from "drive-by" websites hosting an exploit kit.

3. Network traffic analyzer

Use a Network traffic analyzer to monitor for abnormal traffic patterns.
When you ask for more tools are you referring to monitoring or removal?

Other than that, I would just implement a user guideline system in the first place that teaches them how to avoid this.

References to read:
Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring
0

David Johnson, CD, MVPOwnerCommented:
ve3ofa, yes there are special reasons why we grant our users administrative privileges.

Then BACKUP, BACKUP, BACKUP,

7 daily, 4 weekly, 12 monthly, and 7 years annual.
0
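The retention schedule in the answer above, as an added example that is not part of the answer: a grandfather-father-son selector that keeps the newest backup in each of the 7 most recent days, 4 ISO weeks, 12 months and 7 years, run against a constructed set of daily backups. Reading "7 years annual" as seven annual copies, the "newest per bucket" rule and the ISO-week definition are this example's assumptions.

```python
from datetime import date, timedelta
from typing import Iterable, List, Set

# Grandfather-father-son schedule from the answer above: 7 daily, 4 weekly,
# 12 monthly, 7 annual. Each rule is (bucket key, number of buckets to keep);
# the newest backup inside a bucket is the one kept (an assumption).
RULES = [
    (lambda d: d, 7),                      # daily: every day is its own bucket
    (lambda d: d.isocalendar()[:2], 4),    # weekly: ISO (year, week)
    (lambda d: (d.year, d.month), 12),     # monthly
    (lambda d: d.year, 7),                 # annual
]

def retained(backups: Iterable[date]) -> Set[date]:
    """Union over rules of the newest backup in each of the N most recent buckets."""
    backups = list(backups)
    keep: Set[date] = set()
    for key, count in RULES:
        newest = {}  # bucket -> newest backup date seen in that bucket
        for d in backups:
            k = key(d)
            if k not in newest or d > newest[k]:
                newest[k] = d
        keep.update(sorted(newest.values(), reverse=True)[:count])
    return keep

def to_prune(backups: Iterable[date]) -> List[date]:
    """Backups that no rule protects, oldest first; everything else stays."""
    backups = list(backups)
    keep = retained(backups)
    return sorted(d for d in backups if d not in keep)

def daily_backups(first: date, last: date) -> List[date]:
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]

# Constructed sample: one full backup per day for seven years, ending on the
# scan date shown in the question's log (4/6/2012).
SAMPLE = daily_backups(date(2005, 4, 6), date(2012, 4, 6))

if __name__ == "__main__":
    for d in sorted(retained(SAMPLE)):
        print(d)
```

Against the sample this keeps 24 of the 2558 backups; everything `to_prune` returns is safe to expire under the stated schedule.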
vlsllpAuthor Commented:
thanks
0
vlsllpAuthor Commented:
Thanks I will try that!
0