Skeleton-Key (Virus Removal Guide) - updated Dec 2019

Skeleton-Key Removal Guide

What is Skeleton-Key?

Skeleton Key is dangerous malware that targets 64-bit Windows machines that are protected with a single-factor authentication method

[Image: Skeleton Key virus] Skeleton Key is a stealthy virus that spawns its own processes post-infection

Skeleton Key is a Trojan that mainly attacks corporate networks by bypassing the Active Directory authentication systems, as it abuses the single-factor authentication function. In other words, those who use a single password to access their Windows machines connected to a network are in particular danger of being infected with Skeleton Key malware. The malicious actors behind the malware strain can simply use any password and log in as any user, all while not impacting the access of other users connected to the same network.

As soon as the Skeleton-Key virus is installed, it gains access to systems' e-mail and the VPN services and starts harvesting information on the infected device. In such a way, users' passwords, credit card information, and other sensitive data can be easily compromised. The best way to protect yourself from Skeleton-Key malware is to enable two-factor authentication instead of using a simple password for computer protection. Luckily, Skeleton Key is relatively flawed, so its prevalence is limited.

Name: Skeleton-Key, Skeleton Key
Type: Malware, Trojan, keylogger
Intrusion: Hackers use domain administrator credentials as a primary infection vector; alternatively, the virus can be deployed with the help of already installed malware
Malware sample: Security researchers analyzed a Skeleton Key sample that was named ole64.dll
Other related files: ole.dll, .msuta64.dll
Systems affected: 64-bit Windows versions only
Associated risks: Loss of personal data, identity theft, loss of intellectual property, financial losses, infiltration of other malware
Removal: Get rid of the infection by using the most up-to-date anti-malware software such as SpyHunter 5, Combo Cleaner or Malwarebytes
Recovery: Fortect Intego can be used to fix virus damage

While Skeleton Key is a relatively primitive piece of malware and has shortcomings, its infection on the system could be devastating due to excessive information gathering, and numerous companies could face significant monetary and intellectual property losses due to it. Those infected should immediately remove the Skeleton Key Trojan from their computers and networks using the most up-to-date security software.

Unlike most modern-day malware, a Skeleton Key infection requires an already compromised machine or access to the network via a malicious employee. In other cases, the Trojan can be deployed with the help of already installed malware. The analysis performed by Dell Secureworks researchers concluded[1] that Skeleton-Key needs to be familiar with the environment before the intrusion. Hackers need to have access to:

  • memory of another server on the network
  • targeted domain controllers
  • domain administrators' workstations

Once deployed, the Skeleton Key virus inserts the malicious ole64.dll file into the WINDOWS\system32\ directory and uses the PsExec[2] utility to launch itself remotely. The hacker's password is generated in NTLM format rather than plain text, allowing the attacker to log in as any user on the network and then move laterally. After the intrusion, the malicious DLL file is deleted from the machine.

[Image: Skeleton Key malware] Skeleton Key is a type of malware that can bypass single-factor authentication to access Windows machines and steal sensitive data

Skeleton Key's weaknesses include its inability to infect 32-bit Windows systems and Windows Server versions beginning with 2012, as well as not monitoring network traffic on the host. Additionally, one of the main downfalls of the malware is that it needs to be reinstalled each time the server is rebooted in order to perform operations on the host.

According to researchers, malicious actors managed to infect multiple organizations with Skeleton Key. While the infection is relatively old, it can still be used by hackers and might also be improved to include more functions.

For Skeleton Key removal, victims need to install anti-malware software that can detect the malicious DLL file as well as its code injections into the LSASS process's memory. In the case of system malfunctions post-removal, users should scan their machines with Fortect Intego.

Organisations should protect their networks accordingly

Security researchers reported that Skeleton Key needs to be familiar with the environment where the target computers are located. For example, a malicious employee who was bribed or contacted by hackers could access corporate computers and infect them with malware. Unfortunately, the key characteristic of the infection is stealth, and one dishonest person is enough to compromise an entire network and even the most sensitive corporate data.

Thus, security researchers advise taking the following countermeasures against data-stealers:

  • Implement multi-factor authentication[3] methods for regular computer access, as well as remote email services and the VPN;
  • Have security personnel conduct audits that check for the unexpected appearance of PsExec.exe, rundll32.exe and process arguments similar to NTLM hashes;
  • Protect networks with comprehensive security solutions;
  • Ensure the integrity of employees by conducting security training sessions.
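
One way to run the audit from the list above over exported process-creation records; this is an added example, not code from the original guide or from the researchers it cites. The tab-separated record layout, the host names and the hash-like value are constructed assumptions, and "psexec64" is an addition to the names the page gives.

```python
import re

# Process names from the audit advice above, compared without ".exe".
# "psexec64" (the 64-bit PsExec build) is an addition not named on the page.
WATCHED = {"psexec", "psexec64", "rundll32"}
# DLL names this page lists for the sample (leading dot ignored when matching).
PAGE_DLLS = {"ole64.dll", "ole.dll", "msuta64.dll"}
# An NTLM hash is 16 bytes, normally written as exactly 32 hex digits.
# MD5 sums look the same, so a hit is a lead for review, not proof.
NTLM_LIKE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.I)

def audit_command_line(cmdline):
    """Return sorted reasons why a command line deserves review."""
    reasons = set()
    for tok in re.split(r'[\s\\/,"\']+', cmdline.lower()):
        tok = tok.lstrip(".")
        stem = tok[:-4] if tok.endswith(".exe") else tok
        if stem in WATCHED:
            reasons.add("binary:" + stem)
        if tok in PAGE_DLLS:
            reasons.add("dll:" + tok)
    if NTLM_LIKE.search(cmdline):
        reasons.add("ntlm-like-argument")
    return sorted(reasons)

def audit_log(lines):
    """Triage 'timestamp<TAB>host<TAB>command line' records (assumed layout)."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue  # skip malformed records instead of aborting the audit
        reasons = audit_command_line(parts[2])
        if reasons:
            # A hash-like argument or a listed DLL outranks a bare binary
            # name, because rundll32.exe and PsExec.exe have routine uses.
            high = any(not r.startswith("binary:") for r in reasons)
            findings.append((parts[0], parts[1], "high" if high else "review", reasons))
    return findings

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "2019-12-01T02:14:07\tWKS-ADMIN7\tPsExec.exe \\\\DC01 -accepteula cmd.exe",
    "2019-12-01T02:14:09\tDC01\trundll32.exe C:\\Windows\\System32\\ole64.dll 0123456789abcdef0123456789abcdef",
    "2019-12-01T08:30:00\tWKS-HR2\trundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    "2019-12-01T08:31:12\tWKS-HR2\tnotepad.exe C:\\Users\\a\\notes.txt",
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Because the DLL is deleted after the intrusion, command-line records collected at process creation are more useful for this check than a later file-system sweep.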

[Image: Skeleton Key imperfections] While Skeleton Key lacks persistence, it is a threat that should not be ignored, as it might result in a corporate data leak

Skeleton Key virus removal

Skeleton Key removal can be a real challenge as it deletes its main executable file post-infection and barely leaves any traces. However, finding these traces manually can only be done by professional IT experts. Most of the modern-day solutions should be able to track and detect the initial .dll file and even stop its further expansion. Nevertheless, for Skeleton-Key removal, users should employ anti-malware software and run a full system scan.

Note that in some cases, the Skeleton Key virus might not be the only threat residing on the system, as often happens with Trojans. Therefore, it is possible that anti-malware software might be stopped by those threats in the first place. If that happens, users should access Safe Mode with Networking and perform a full system scan from there.


Getting rid of Skeleton-Key. Follow these steps

Manual removal using Safe Mode

Go to Windows' Safe Mode with Networking to enable security software to work properly and remove Skeleton Key, as well as other malware:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal is best performed in the Safe Mode environment.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to the Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Skeleton-Key and ransomware, use reputable anti-spyware, such as Fortect Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

How to prevent getting trojans

Choose a proper web browser and improve your safety with a VPN tool

Online spying has gained momentum in recent years, and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security is to choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attacks, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher
