Solved

Need to track down Infection in a Server 2008 domain user profile

Posted on 2016-11-15
Last Modified: 2016-11-15
One of my customers remoted onto her server a couple of days ago and ran her Outlook email there. She received an infected email with an "Invoice attached" message, and, amazingly, attempted to open the attachment, which was a .jar file.

Don't recall her permission level on the server, but it was enough to run the .jar. It stopped, though, prompting her to accept a command that was trying to insert a .reg file into the registry. She did not permit the .reg file, thankfully.

I reduced her user account privileges to basic user, but whenever she logs on, Regedit is constantly requesting permission to run a .reg file. If she cancels, the prompt comes back one second later. I can stop it all by killing javaw.exe in the task manager.  However, when she logs back on, it starts up again.

Hers is the only user account affected, yet I cannot find anything anywhere that tells javaw.exe (or anything else) to start up when she, and only she, logs on. There are no suspicious extensions or add-ons in her Chrome or IE browsers. I've scanned her user profile for viruses and run a rootkit detector, etc. All clean.

Can someone advise?
Question by:DaveWWW
7 Comments
LVL 37

Expert Comment

by:bbao
ID: 41887920
run MSCONFIG as an administrator on the server and review all Startup Items and remove or disable anything suspicious. Better to review services as well.

you may also right-click the taskbar and choose Task Manager to check Startup items.
Author Comment

by:DaveWWW
ID: 41887936
Thanks. I've been through MSCONFIG and the Task Manager. I see javaw.exe in the Task Manager, which I can shut down, but it comes back when this user logs back on. What I'm not clear on is how to find the source of this autostarting of javaw.exe when only a single user is having the issue. No other users autostart the program javaw.exe.

I've checked the logon script for this user and it is no different than anyone else's.

That's the confusing part in this: Where is this single user receiving an instruction to run javaw.exe that attempts to run a .reg file?
LVL 37

Accepted Solution

by:
bbao earned 500 total points
ID: 41887954
javaw.exe itself is not the issue or the troublemaker; the process that calls the Java runtime is the one to go after.

you may check the Java runtime's parent process ID; it should point to the target process, or at least provide a clue.
Author Closing Comment

by:DaveWWW
ID: 41888002
Thank you! That worked. I found the info using Process Explorer and then searched the registry for it, and deleted it out of the Run area for that user.
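The two steps described above, bbao's "follow the parent process" method and the author's "find the Run value for that one user and delete it", as an added example that is not part of the original thread. The script assumes an elevated PowerShell on the Server 2008 box while the affected user is logged on (so her processes and her HKEY_USERS hive are loaded), uses Get-WmiObject so it runs on the PowerShell 2.0 that ships with Server 2008, and covers the standard per-user Run, RunOnce and Policies\Explorer\Run keys plus the per-user Startup folder; the function names and the log-file path are the example's own.

```powershell
# Added example (not from the original thread). Traces a persistent javaw.exe
# back to (1) its parent process and command line and (2) the per-user
# autostart entry that relaunches it at logon, then removes that entry.
# Written for Windows Server 2008 / PowerShell 2.0, hence Get-WmiObject rather
# than Get-CimInstance. Run elevated while the affected user is logged on.

function Get-JavawParent {
    # One record per javaw.exe: who owns it, what it was told to run, who started it.
    foreach ($p in (Get-WmiObject Win32_Process -Filter "Name = 'javaw.exe'")) {
        $owner  = $p.GetOwner()
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        # explorer.exe as parent is the classic sign of a Run key or Startup folder
        # entry; $null means the parent already exited, so rely on the command line.
        $parentPath = $null
        if ($parent) { $parentPath = $parent.ExecutablePath }
        New-Object PSObject -Property @{
            Pid         = $p.ProcessId
            Owner       = "{0}\{1}" -f $owner.Domain, $owner.User
            CommandLine = $p.CommandLine      # normally names the .jar being executed
            ParentPid   = $p.ParentProcessId
            Parent      = $parentPath
        }
    }
}

# Per-user autostart keys: they fire only for the account whose hive they live in,
# which matches the "only one account is affected" symptom.
$RunKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$PsNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-UserAutostart {
    # Walk every loaded user hive (real account SIDs only, not the _Classes hives),
    # list its Run-type values and Startup folder, and flag Java/.jar/.reg references.
    if (-not (Test-Path HKU:)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hives = Get-ChildItem HKU: | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($h in $hives) {
        $sid = $h.PSChildName
        try {
            $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $user = $sid }

        foreach ($k in $RunKeys) {
            $path = "HKU:\$sid\$k"
            if (-not (Test-Path $path)) { continue }
            $props = Get-ItemProperty $path
            foreach ($prop in ($props.PSObject.Properties | Where-Object { $PsNoise -notcontains $_.Name })) {
                New-Object PSObject -Property @{
                    User       = $user
                    Location   = $path
                    Name       = $prop.Name
                    Value      = $prop.Value
                    Suspicious = [bool]($prop.Value -match 'javaw?\.exe|\.jar\b|\.reg\b')
                }
            }
        }

        # The user's own Startup folder is the other per-user launcher worth checking.
        $prof = Get-WmiObject Win32_UserProfile -Filter "SID = '$sid'"
        if ($prof) {
            $startup = Join-Path $prof.LocalPath 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
            if (Test-Path $startup) {
                foreach ($f in (Get-ChildItem $startup -Force)) {
                    New-Object PSObject -Property @{
                        User       = $user
                        Location   = $startup
                        Name       = $f.Name
                        Value      = $f.FullName
                        Suspicious = [bool]($f.Name -match '\.(jar|lnk|reg|js|vbs|bat)$')
                    }
                }
            }
        }
    }
}

function Remove-UserRunValue {
    # Log the value before deleting it so the evidence survives the cleanup.
    param([string]$KeyPath, [string]$Name, [string]$LogFile = "$env:TEMP\removed-run-values.txt")
    $old = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
    "{0}  {1}\{2} = {3}" -f (Get-Date -Format s), $KeyPath, $Name, $old | Out-File -Append $LogFile
    Remove-ItemProperty -Path $KeyPath -Name $Name
}

# Usage:
Get-JavawParent   | Format-List
Get-UserAutostart | Where-Object { $_.Suspicious } | Format-Table User, Location, Name, Value -AutoSize
# Once the entry is confirmed (KeyPath/Name taken from the Location/Name columns above):
# Remove-UserRunValue -KeyPath 'HKU:\S-1-5-21-...\Software\Microsoft\Windows\CurrentVersion\Run' -Name '<value name>'
```

Deleting the Run value only stops the relaunch; the .jar named in the javaw.exe command line is still on disk (typically somewhere under the user's AppData) and should be copied off for analysis, hashed, and then removed, and it is worth a quick look at Scheduled Tasks and the other users' hives with the same script before calling the server clean.
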
LVL 86

Expert Comment

by:CEHJ
ID: 41888004
msconfig is good, but much better is Sysinternals' 'autoruns' - try that
LVL 86

Expert Comment

by:CEHJ
ID: 41888009
Too late - but it might have got you there right away ;)
LVL 37

Expert Comment

by:bbao
ID: 41888121
> Sysinternals' 'autoruns' - try that

yes, AUTORUNS can be handy to list ALL auto-start items from startup folders, registry items and services, but you have to review them one by one to guess whether each is related or not.

the given method of tracking back to the parent process can directly determine the related process or even thread (the way a virus works) and finally catch the source image file on the file system.