Need to track down Infection in a Server 2008 domain user profile
Posted on 2016-11-15
One of my customers remoted onto her server a couple of days ago and ran her Outlook email there. She received an infected email with an "Invoice attached" message, and, amazingly, attempted to open the attachment, which was a .jar file.
Don't recall her permission level on the server, but it was enough to run the .jar, but it stopped, prompting her to accept a command which is trying to insert a .reg file into the registry. She did not permit the .reg file, thankfully.
I reduced her user account privileges to basic user, but whenever she logs on, Regedit is constantly requesting permission to run a .reg file. If she cancels, the prompt comes back one second later. I can stop it all by killing javaw.exe in the task manager. However, when she logs back on, it starts up again.
Hers is the only user account affected, yet I cannot find anything anywhere that tells javaw.exe (or anything else) to start up when she, and only she, logs on. There are no suspicious extensions or add-ons in her Chrome or IE browsers. I've scanned her user profile for viruses, and run a rootkit detector, etc. All clean.
Can someone advise?
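The places that can start something for exactly one account at logon are the per-user registry Run keys, that user's Startup folder and scheduled tasks configured to run as her. The script below enumerates them; it is an added example, not part of the original post or any reply, and assumes PowerShell 2.0 is installed on the Server 2008 machine, that it runs elevated while the affected user is logged on (so her HKEY_USERS hive is loaded), and that the account name is a placeholder to replace.

```powershell
# Added example, not from the original post: list the autostart locations that
# fire only when one specific account logs on to a Server 2008 box.
# Assumptions: PowerShell 2.0 is installed, the script runs elevated, and the
# affected user is currently logged on (so her HKEY_USERS hive is loaded).
param([string]$User = 'DOMAIN\affecteduser')   # placeholder, not a real account

$sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$hku = "Registry::HKEY_USERS\$sid"

# Per-user registry keys whose values are launched at logon. The last two
# matter for their 'Load'/'Run' and 'UserInitMprLogonScript' values.
$runKeys = @(
    "$hku\Software\Microsoft\Windows\CurrentVersion\Run",
    "$hku\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "$hku\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    "$hku\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    "$hku\Environment"
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "{0} : {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

# Her Startup folder: anything here runs when she, and only she, logs on.
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$profileDir = (Get-ItemProperty -Path $profileKey).ProfileImagePath
$startup = Join-Path $profileDir 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
if (Test-Path $startup) {
    Get-ChildItem -Path $startup -Force | ForEach-Object { "Startup folder: " + $_.FullName }
}

# Scheduled tasks that run as this user. schtasks is used because
# Get-ScheduledTask does not exist on Server 2008. With /fo csv the header row
# is repeated per task folder, so those rows are dropped.
$name = $User.Split('\')[-1]
schtasks /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -like "*$name" } |
    ForEach-Object { "Task: {0} -> {1}" -f $_.TaskName, $_.'Task To Run' }
```

Any entry that points at javaw.exe, a .jar under her profile, or a .reg file is the one to record and remove; Sysinternals Autoruns run while she is logged on covers the same locations with a GUI.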