cyrillic/russian text in windows explorer on Windows Server 2007 Standard

Recently, it was brought to my attention that a server running Windows 2007 Standard edition randomly displays Russian webpages in the default browser without having launched the browser. It is also defaulting to Cyrillic text when typing in new folder names, or trying to type in the name of an executable in the Run line, or in typing text in Wordpad on the system. I noticed winrar (ru) was also installed as was Firefox (ru), both of which I uninstalled. I also ran TDSkiller and it found nothing. I ran MalwareBytes as well, with only a minor "Pup" object discovered. I also noticed a .txt file (2K in size) with a name in Russian, and the contents are also in Russian (I see some email addresses in it with It appears to be a windows install log file of some sort.

I checked the Regional and Language settings in Control Panel and they are all set to the correct, US, settings.
I certainly want to find and remove the cause of what clearly appears to be an infection despite the inability of
the tools I have used to locate and remove it. However, I would first like to reset the Windows Explorer setting(s) that are causing anything I type to appear in the Cyrillic font type. So, any assistance on both the search for and removal of the infection, and the correction of the text would be greatly appreciated.
Kevin StaleyMIS AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kevin StaleyMIS AdministratorAuthor Commented:
Update since this initial post. I happened to log into this server again and noticed a user, "sys", also had an RDP session open (was the same user that had a few browser sessions running with the Russian websites). I checked the account in AD and it had "sys" for the first and last name. I am suspicious that this account was created by a hacker to gain access to the server (it was a member of domain admins). I disabled the account in AD and killed the RDP session. I also noticed (not sure if after these prior actions I mentioned) that the Cyrillic text has ceased and I can now type in Wordpad and explorer and it will appear in English text now, so it seems part of my initial requests have been automatically (best described perhaps as automagically) resolved. I still would appreciate some suggestions on searching out what appears to be malicious activity. I do not administer this system, I was asked to look at it. It also seems way behind on Windows patches, so that will be my next project while I wait for ideas on searching for infections.
David Johnson, CD, MVPOwnerCommented:
Time to enumerate all the administrative users and change all of their passwords. Unfortunately you have proof of being compromised, the backdoor may still be wide open and no machine in the network can be fully trusted as of now.
btanExec ConsultantCommented:
It is clearly being compromised with such privileged account created, inform the security or sys admin in charge, isolate the system upon advice (e.g. remove the network cable), do not turn off machine as it is likely to kill off traces and start the tracing and damage assessment as this account activities will have started very early and laterally exploring the file server, database server and critical services at backend. The endpoint are also entry. They are probably trying to exfiltrate loot into the internet via callback via the compromised systems or even via email.

Also change the system login for the machine suspected to be the trail of this activities. This will include user enterprise and even their personnel online login cred as the saved password or during which browsing is done after this will likely be siphoned too.

You can also do a quick check on the hosts file to see if there are any new and suspicious addition (or even duplicate of "hosts" file which one is in unicode filename) likewise and on all browser whether there are any new and unknown plugins installed. The latter may be part of the package installation done recently or certain site (with mal-advertising) visited which you have allowing unknowing too..this can also include plugins for MS Office and Adobe Reader.

Nonetheless, AV scan and network security log analysis must ensure concurrently as damage can be spreading while the data leaking is ongoing. key now is to isolate, mitigate and analysis source of infection then remediate. Also if the breach is confirmed or unknown, can consult security tm further action or even engaged third party for such forensic aspect. Breach notification is also not to be neglected as part to complying to local authority regulation, the security tm should know all these as part of their incident handling..

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Kevin StaleyMIS AdministratorAuthor Commented:
Seems closing a few ports in the on-premise firewall, securing admin accounts, and preventing RDP access has put a stop to the activity (for the past 10 days or so). At least we have a bit of a breather to pursue further mitigation.

Thanks for your suggestions!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.