cyrillic/russian text in windows explorer on Windows Server 2007 Standard

Posted on 2014-11-14
Last Modified: 2014-12-01
Recently, it was brought to my attention that a server running Windows 2007 Standard edition randomly displays Russian webpages in the default browser without having launched the browser. It is also defaulting to Cyrillic text when typing in new folder names, or trying to type in the name of an executable in the Run line, or in typing text in Wordpad on the system. I noticed winrar (ru) was also installed as was Firefox (ru), both of which I uninstalled. I also ran TDSkiller and it found nothing. I ran MalwareBytes as well, with only a minor "Pup" object discovered. I also noticed a .txt file (2K in size) with a name in Russian, and the contents are also in Russian (I see some email addresses in it with It appears to be a windows install log file of some sort.

I checked the Regional and Language settings in Control Panel and they are all set to the correct, US, settings.
I certainly want to find and remove the cause of what clearly appears to be an infection despite the inability of
the tools I have used to locate and remove it. However, I would first like to reset the Windows Explorer setting(s) that are causing anything I type to appear in the Cyrillic font type. So, any assistance on both the search for and removal of the infection, and the correction of the text would be greatly appreciated.
Question by:ks157
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2

Author Comment

ID: 40443277
Update since this initial post. I happened to log into this server again and noticed a user, "sys", also had an RDP session open (was the same user that had a few browser sessions running with the Russian websites). I checked the account in AD and it had "sys" for the first and last name. I am suspicious that this account was created by a hacker to gain access to the server (it was a member of domain admins). I disabled the account in AD and killed the RDP session. I also noticed (not sure if after these prior actions I mentioned) that the Cyrillic text has ceased and I can now type in Wordpad and explorer and it will appear in English text now, so it seems part of my initial requests have been automatically (best described perhaps as automagically) resolved. I still would appreciate some suggestions on searching out what appears to be malicious activity. I do not administer this system, I was asked to look at it. It also seems way behind on Windows patches, so that will be my next project while I wait for ideas on searching for infections.
LVL 81

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 40444162
Time to enumerate all the administrative users and change all of their passwords. Unfortunately you have proof of being compromised, the backdoor may still be wide open and no machine in the network can be fully trusted as of now.
LVL 64

Accepted Solution

btan earned 250 total points
ID: 40446627
It is clearly being compromised with such privileged account created, inform the security or sys admin in charge, isolate the system upon advice (e.g. remove the network cable), do not turn off machine as it is likely to kill off traces and start the tracing and damage assessment as this account activities will have started very early and laterally exploring the file server, database server and critical services at backend. The endpoint are also entry. They are probably trying to exfiltrate loot into the internet via callback via the compromised systems or even via email.

Also change the system login for the machine suspected to be the trail of this activities. This will include user enterprise and even their personnel online login cred as the saved password or during which browsing is done after this will likely be siphoned too.

You can also do a quick check on the hosts file to see if there are any new and suspicious addition (or even duplicate of "hosts" file which one is in unicode filename) likewise and on all browser whether there are any new and unknown plugins installed. The latter may be part of the package installation done recently or certain site (with mal-advertising) visited which you have allowing unknowing too..this can also include plugins for MS Office and Adobe Reader.

Nonetheless, AV scan and network security log analysis must ensure concurrently as damage can be spreading while the data leaking is ongoing. key now is to isolate, mitigate and analysis source of infection then remediate. Also if the breach is confirmed or unknown, can consult security tm further action or even engaged third party for such forensic aspect. Breach notification is also not to be neglected as part to complying to local authority regulation, the security tm should know all these as part of their incident handling..

Author Comment

ID: 40474284
Seems closing a few ports in the on-premise firewall, securing admin accounts, and preventing RDP access has put a stop to the activity (for the past 10 days or so). At least we have a bit of a breather to pursue further mitigation.

Thanks for your suggestions!

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file.…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question