cyrillic/russian text in windows explorer on Windows Server 2007 Standard

Posted on 2014-11-14
Last Modified: 2014-12-01
Recently, it was brought to my attention that a server running Windows 2007 Standard edition randomly displays Russian webpages in the default browser without having launched the browser. It is also defaulting to Cyrillic text when typing in new folder names, or trying to type in the name of an executable in the Run line, or in typing text in Wordpad on the system. I noticed winrar (ru) was also installed as was Firefox (ru), both of which I uninstalled. I also ran TDSkiller and it found nothing. I ran MalwareBytes as well, with only a minor "Pup" object discovered. I also noticed a .txt file (2K in size) with a name in Russian, and the contents are also in Russian (I see some email addresses in it with It appears to be a windows install log file of some sort.

I checked the Regional and Language settings in Control Panel and they are all set to the correct, US, settings.
I certainly want to find and remove the cause of what clearly appears to be an infection despite the inability of
the tools I have used to locate and remove it. However, I would first like to reset the Windows Explorer setting(s) that are causing anything I type to appear in the Cyrillic font type. So, any assistance on both the search for and removal of the infection, and the correction of the text would be greatly appreciated.
Question by:ks157
  • 2

Author Comment

ID: 40443277
Update since this initial post. I happened to log into this server again and noticed a user, "sys", also had an RDP session open (was the same user that had a few browser sessions running with the Russian websites). I checked the account in AD and it had "sys" for the first and last name. I am suspicious that this account was created by a hacker to gain access to the server (it was a member of domain admins). I disabled the account in AD and killed the RDP session. I also noticed (not sure if after these prior actions I mentioned) that the Cyrillic text has ceased and I can now type in Wordpad and explorer and it will appear in English text now, so it seems part of my initial requests have been automatically (best described perhaps as automagically) resolved. I still would appreciate some suggestions on searching out what appears to be malicious activity. I do not administer this system, I was asked to look at it. It also seems way behind on Windows patches, so that will be my next project while I wait for ideas on searching for infections.
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 40444162
Time to enumerate all the administrative users and change all of their passwords. Unfortunately you have proof of being compromised, the backdoor may still be wide open and no machine in the network can be fully trusted as of now.
LVL 63

Accepted Solution

btan earned 250 total points
ID: 40446627
It is clearly being compromised with such privileged account created, inform the security or sys admin in charge, isolate the system upon advice (e.g. remove the network cable), do not turn off machine as it is likely to kill off traces and start the tracing and damage assessment as this account activities will have started very early and laterally exploring the file server, database server and critical services at backend. The endpoint are also entry. They are probably trying to exfiltrate loot into the internet via callback via the compromised systems or even via email.

Also change the system login for the machine suspected to be the trail of this activities. This will include user enterprise and even their personnel online login cred as the saved password or during which browsing is done after this will likely be siphoned too.

You can also do a quick check on the hosts file to see if there are any new and suspicious addition (or even duplicate of "hosts" file which one is in unicode filename) likewise and on all browser whether there are any new and unknown plugins installed. The latter may be part of the package installation done recently or certain site (with mal-advertising) visited which you have allowing unknowing too..this can also include plugins for MS Office and Adobe Reader.

Nonetheless, AV scan and network security log analysis must ensure concurrently as damage can be spreading while the data leaking is ongoing. key now is to isolate, mitigate and analysis source of infection then remediate. Also if the breach is confirmed or unknown, can consult security tm further action or even engaged third party for such forensic aspect. Breach notification is also not to be neglected as part to complying to local authority regulation, the security tm should know all these as part of their incident handling..

Author Comment

ID: 40474284
Seems closing a few ports in the on-premise firewall, securing admin accounts, and preventing RDP access has put a stop to the activity (for the past 10 days or so). At least we have a bit of a breather to pursue further mitigation.

Thanks for your suggestions!

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the event you manage a Small Business Server 2003, and you are audited for PCI compliance, there are several changes you must make in order to pass the audit. I can take no credit for discovering any of these fixes or workarounds, but there is no…
The problem of the system drive in SBS 2003 getting full continues to be an issue, even though SBS 2008 and SBS 2011 are both in the market place.  There are several solutions to this, including adding additional drive space or using third party uti…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question