
Windows Console Language Auto Changes to Russian


mtb1996 (IS-IT--Management, joined May 23, 2004, 76 posts, US)
Hello All,

I have a Windows 2003 R2 Server (32-bit) that keeps switching to Russian as the language. I suspect that the system has been compromised, but a virus scan (TrendMicro) has turned up nothing and I can't find anything on the internet that describes the exact problem that I'm seeing. This particular computer does not have outbound access to the internet. It is a Terminal Server app server and only has port 3389 inbound through a firewall. The other odd thing is that I did a fresh reinstall of this machine last Friday (1/21/2011) night and installed it the next morning. Whatever is affecting this machine either existed on the network before I put the computer in, got transmitted through the TS connection (maybe by a knowledgeable user enabling local drives on their RDP client), or one of the authorized users has done it. Anyway, has anyone heard of any malware that sets the Windows language before the logon window appears?

Thanks,
 
mtb1996,

I'd be looking at locking down all users' permissions on this terminal server; it sounds to me like someone has admin rights to change the default languages and settings.

John
 
Thanks Titleist,

At first I was thinking virus because I could not figure out how to keep it from switching to Russian every time I logged off, but I was eventually able to get it back to US and stopped it from switching to Russian. So then my thoughts turned to someone had gained access with admin rights, so I locked it down more than it already was. Later that day, I observed from within terminal services manager repeated failed RDP-Tcp connection attempts (about 1 every 1-2 seconds). I would see an RDP-Tcp#xxxx pop up then almost immediately disappear, then a couple seconds later it would happen again. I contacted the IT department of this customer and we agreed to shut the computer down. I felt that was a pretty clear ongoing attempt to hack the system, so it has been passed on to their security group.
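The repeated RDP-Tcp#xxxx sessions described above are the kind of pattern that is easier to judge from the Security log than from Terminal Services Manager. The following PowerShell script is an added example, not code from the thread: it counts failed Remote Desktop logons per source address over a time window and flags any source that exceeds a threshold. It assumes that "Audit logon events" is enabled for failures on the server, that PowerShell 2.0 or later is available on the terminal server (or that the script is run from another host using -ComputerName), and that the window and threshold values are arbitrary starting points to be tuned.

```powershell
# Added example (not from the thread): count failed RDP logons per source
# address in the Security log and flag sources that exceed a threshold.
# Assumptions: failure auditing of logon events is enabled, PowerShell 2.0
# or later is present on the terminal server (or the script runs elsewhere
# with -ComputerName), and the window/threshold below are arbitrary defaults.
param(
    [string]$ComputerName  = $env:COMPUTERNAME,
    [int]   $WindowMinutes = 60,
    [int]   $Threshold     = 20
)

# Failed-logon event IDs: the 529-539 family on Windows 2000/2003 (legacy
# Security log), 4625 on Windows Vista/Server 2008 and later.
$failedLogonIds = 529, 530, 531, 532, 533, 534, 535, 537, 539, 4625
$since = (Get-Date).AddMinutes(-$WindowMinutes)

$events = Get-EventLog -LogName Security -ComputerName $ComputerName `
              -EntryType FailureAudit -After $since |
          Where-Object { $failedLogonIds -contains $_.EventID }

# Pull the interesting fields out of the message text. Both the legacy and
# the 4625 message bodies carry "Logon Type:" and "Source Network Address:";
# the account is "User Name:" (legacy) or the second "Account Name:" (4625).
$parsed = foreach ($e in $events) {
    $msg = $e.Message
    $logonType = -1
    if ($msg -match 'Logon Type:\s+(\d+)') { $logonType = [int]$Matches[1] }
    $source = 'unknown'
    if ($msg -match 'Source Network Address:\s+(\S+)') { $source = $Matches[1] }
    $user = 'unknown'
    if ($msg -match 'User Name:\s+(\S+)') {
        $user = $Matches[1]
    } elseif ($msg -match 'Account For Which Logon Failed:[\s\S]*?Account Name:\s+(\S+)') {
        $user = $Matches[1]
    }
    New-Object PSObject -Property @{
        Time      = $e.TimeGenerated
        EventID   = $e.EventID
        LogonType = $logonType
        Source    = $source
        User      = $user
    }
}

# Logon type 10 is RemoteInteractive, i.e. RDP / Terminal Services.
$rdpFailures = $parsed | Where-Object { $_.LogonType -eq 10 }

"Failed RDP logons in the last $WindowMinutes minutes on $ComputerName :"
$rdpFailures | Group-Object Source | Sort-Object Count -Descending |
    ForEach-Object {
        $users = ($_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique) -join ', '
        $flag  = if ($_.Count -ge $Threshold) { '  <-- exceeds threshold' } else { '' }
        '{0,-18} {1,5} attempts  users: {2}{3}' -f $_.Name, $_.Count, $users, $flag
    }
```

One caveat: a connection that is torn down before credentials are submitted never produces a failed-logon audit, so a session that appears and vanishes within a second or two can leave no 529/4625 entry at all. An empty report therefore does not mean nobody tried; the session churn seen in Terminal Services Manager and the firewall's own connection log are the only records of that.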
 
At first I was thinking virus...think plural...viruses, key loggers, rootkits.

Not a great hacker if he's changing language settings and making it obvious. Been through this before; I pray this guy has not caused major damage. It may already be too late for the system.

Before you connect to the system with outside access, best to download multiple rootkit revealers, multiple anti-malware scanners, multiple virus scanners from an outside machine and run them (last time I went through this I downloaded no less than 8 rootkit revealers, 5 virus scanners, and at least 6 anti-malware scanners). Turn off System Restore on all machines which are found to be compromised. Would not be surprised if there are now multiple keyloggers and "downloaders" on the system, meaning servers and workstations; if the hacker is any good, all his additives will not be visible. Go through AD Users and Computers, look for new users, or users which have had their rights elevated. Look in Documents and Settings, in all profiles, for recently logged-in users and file changes. Only after cleaning up do you change all passwords.
The last hacked system I came in on took >2 weeks to clear.
If you do not find all the viruses/malware/keyloggers this guy installed, he will be back shortly after reconnecting to the Internet; been there. Possibly could be from the inside, but obviously the hacker would need to speak Russian, or the language change/RDP accesses could be a ruse, very unlikely though.
This is very tedious and detailed work; best to document all scans on a per-machine basis, otherwise disorganization sets in, and you forget a critical scan or cleanup procedure. Good luck.



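The account and profile checks recommended in the post above (new domain users, elevated rights, recently used profiles) can be scripted so they are repeatable and can be logged per machine. The script below is an added example and not from the thread. It assumes PowerShell 2.0 or later on a domain-joined host whose current user can read the directory, a look-back window of 30 days, and it deliberately uses [ADSISearcher]/DirectoryServices rather than the ActiveDirectory module, which a Windows Server 2003 era domain will not have.

```powershell
# Added example (not from the thread): first-pass triage of recently created
# domain accounts, privileged group membership, local Administrators on this
# server, and which profiles have been used recently.
# Assumptions: PowerShell 2.0+, domain-joined host with read access to AD,
# no ActiveDirectory module (Windows 2003 era), 30-day look-back by default.
param([int]$LookBackDays = 30)

$since = (Get-Date).AddDays(-$LookBackDays)

# 1. Domain accounts created within the look-back window.
#    LDAP generalized time is yyyyMMddHHmmss.0Z (UTC).
$ldapSince = $since.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(whenCreated>=$ldapSince))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@('samaccountname','whencreated','distinguishedname'))
"`n== Domain accounts created since $($since.ToShortDateString()) =="
foreach ($r in $searcher.FindAll()) {
    '{0,-24} created {1}  {2}' -f $r.Properties['samaccountname'][0],
        $r.Properties['whencreated'][0], $r.Properties['distinguishedname'][0]
}

# 2. Direct members of the usual privileged groups. Nested membership is not
#    expanded: a group dropped into Domain Admins shows up only as its own DN,
#    so follow any group entries by hand.
"`n== Privileged group membership (direct members only) =="
foreach ($groupName in 'Domain Admins','Enterprise Admins','Administrators','Account Operators') {
    $searcher.Filter = "(&(objectCategory=group)(cn=$groupName))"
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.Add('member')
    $g = $searcher.FindOne()
    if ($g -eq $null) { continue }
    "-- $groupName --"
    foreach ($dn in $g.Properties['member']) { "   $dn" }
}

# 3. Local Administrators on this terminal server via the WinNT provider,
#    which works on Windows 2003 without extra modules.
"`n== Local Administrators on $env:COMPUTERNAME =="
$localAdmins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
foreach ($m in @($localAdmins.psbase.Invoke('Members'))) {
    $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
    $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    '   {0,-24} {1}' -f $name, $path
}

# 4. Profiles ordered by last registry hive save. NTUSER.DAT is written back
#    on logoff, so its LastWriteTime approximates "last used"; the profile of
#    a user who is still logged on will look older than it really is.
$profileRoot = if (Test-Path 'C:\Users') { 'C:\Users' } else { 'C:\Documents and Settings' }
"`n== Profiles under $profileRoot, newest activity first =="
Get-ChildItem $profileRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $hive = Join-Path $_.FullName 'NTUSER.DAT'
    if (Test-Path $hive) {
        $saved = (Get-Item $hive -Force).LastWriteTime
        New-Object PSObject -Property @{
            Profile  = $_.Name
            LastHive = $saved
            Flag     = if ($saved -gt $since) { 'recent' } else { '' }
        }
    }
} | Sort-Object LastHive -Descending | Format-Table Profile, LastHive, Flag -AutoSize
```

Run it once per machine and keep the output with the scan records the post recommends, so that a second pass can be compared against the first. Anything listed under a privileged group that nobody can account for, or a profile marked recent for an account that should not have been logging on, is worth pulling the matching Security log entries for before the passwords are changed.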
 