Foreign language characters in some XP dialogues



katman999
07-10-2005, 12:25 AM
Hope someone can shed some light on this weird problem.

A few of the XP dialogues (especially to do with network settings,
connections etc.) on one particular PC appear in a foreign language (looks
like Czech or something similar). All other XP dialogues are correctly in
English. On some dialogues both languages appear but on different tabs.

Default regional and language settings all seem to be set correctly. All
SP's, critical updates etc are the latest. All malware/spyware has been
removed completely. The only recently installed software is for a Belkin wifi
DSL router.

Can anybody suggest any causes and more importantly any remedies?

Thx,
--
Katman999.

T. Waters
07-10-2005, 12:25 AM
There are a lot of Czech malware pranksters out there.
You would not be the first one they have pulled this on.

katman999 wrote:
> Hope someone can shed some light on this weird problem.
>
> A few of the XP dialogues (especially to do with network settings,
> connections etc.) on one particular PC appear in a foreign language
> (looks like Czech or something similar). All other XP dialogues are
> correctly in English. On some dialogues both languages appear but on
> different tabs.
>
> Default regional and language settings all seem to be set correctly.
> All SP's, critical updates etc are the latest. All malware/spyware
> has been removed completely. The only recently installed software is
> for a Belkin wifi DSL router.
>
> Can anybody suggest any causes and more importantly any remedies?
>
> Thx,

Torgeir Bakken \(MVP\)
07-10-2005, 12:27 AM
katman999 wrote:

> Hope someone can shed some light on this weird problem.
>
> A few of the XP dialogues (especially to do with network settings,
> connections etc.) on one particular PC appear in a foreign language (looks
> like Czech or something similar). All other XP dialogues are correctly in
> English. On some dialogues both languages appear but on different tabs.
>
> Default regional and language settings all seem to be set correctly. All
> SP's, critical updates etc are the latest. All malware/spyware has been
> removed completely. The only recently installed software is for a Belkin
> wifi DSL router.
>
> Can anybody suggest any causes and more importantly any remedies?
Hi,

I have seen this on some computers at work, getting Arabic letters in
the dialog boxes you mention (most likely introduced after some OS
security updates installed together with an IE security update, without
a reboot in between).

Installing SP2 for Windows XP on the computers solved the problem.

An idea just came to mind.

Could you export the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\FontSubstitutes
to a file, and post the content of that file here?


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

katman999
07-10-2005, 12:29 AM
Torgeir,

Thanks for the response - here's the export from the registry as requested.
I'm still not sure what the language is - might be czech, slovak or
something similar, so here's a sample if anyone else can help.

"V okamžitej správe nikdy neuvádzajte svoje heslo ani číslo"

____________________________________
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\FontSubstitutes
Class Name: <NO CLASS>
Last Write Time: 08/05/2005 - 13:56
Value 0
Name: Arial CE,238
Type: REG_SZ
Data: Arial,238

Value 1
Name: Arial CYR,204
Type: REG_SZ
Data: Arial,204

Value 2
Name: Arial Greek,161
Type: REG_SZ
Data: Arial,161

Value 3
Name: Arial TUR,162
Type: REG_SZ
Data: Arial,162

Value 4
Name: Courier New CE,238
Type: REG_SZ
Data: Courier New,238

Value 5
Name: Courier New CYR,204
Type: REG_SZ
Data: Courier New,204

Value 6
Name: Courier New Greek,161
Type: REG_SZ
Data: Courier New,161

Value 7
Name: Courier New TUR,162
Type: REG_SZ
Data: Courier New,162

Value 8
Name: Helv
Type: REG_SZ
Data: MS Sans Serif

Value 9
Name: Helvetica
Type: REG_SZ
Data: Arial

Value 10
Name: MS Shell Dlg 2
Type: REG_SZ
Data: Tahoma

Value 11
Name: Times
Type: REG_SZ
Data: Times New Roman

Value 12
Name: Times New Roman CE,238
Type: REG_SZ
Data: Times New Roman,238

Value 13
Name: Times New Roman CYR,204
Type: REG_SZ
Data: Times New Roman,204

Value 14
Name: Times New Roman Greek,161
Type: REG_SZ
Data: Times New Roman,161

Value 15
Name: Times New Roman TUR,162
Type: REG_SZ
Data: Times New Roman,162

Value 16
Name: Tms Rmn
Type: REG_SZ
Data: MS Serif

Value 17
Name: Arial Baltic,186
Type: REG_SZ
Data: Arial,186

Value 18
Name: Courier New Baltic,186
Type: REG_SZ
Data: Courier New,186

Value 19
Name: Times New Roman Baltic,186
Type: REG_SZ
Data: Times New Roman,186

Value 20
Name: MS Shell Dlg
Type: REG_SZ
Data: Microsoft Sans Serif

Torgeir Bakken \(MVP\)
07-10-2005, 12:29 AM
katman999 wrote:

> Torgeir,
>
> Thanks for the response - here's the export from the registry as requested.
> I'm still not sure what the language is - might be czech, slovak or
> something similar, so here's a sample if anyone else can help.
>
> "V okamžitej správe nikdy neuvádzajte svoje heslo ani číslo"
>
> ____________________________________
> Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\FontSubstitutes
> (snip)
Hi,

Those values were exactly the same as the ones on a "healthy" computer,
so that was not it.

If SP2 for WinXP is not installed, you could install it and see if it
solves the problem.



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

katman999
07-10-2005, 12:29 AM
Torgeir,
Again, thanks for the rapid response.

The PC already has SP2 applied.

I'm beginning to believe that the PC has been infected some new trojan/virus
as there is a process running which I'm unable to kill (wmiprvse.exe). This
does not show up under Task Manager, but is visible under Sysinternals
'Process Explorer' program. Although logged on as administrator, it says
"access denied". Sophos suggests that this is a worm variant that can be
fairly easily removed, but none of the online scanners detect anything at all.

Meanwhile, more and more of the XP dialogues are changing into the strange
foreign language, and even though I've disabled MSN Messenger, if the PC is
connected to the internet, it receives loads of strange MSN messages with
peculiar content (anything from "americans are 'Sh1t'", to something about
'arabs will win' plus other messages in the strange foreign language that I
don't understand).

It looks as if whatever is the cause has dropped a Remote Admin Tool into
the PC, allowing it control whenever the PC is online.

Once again, any help you can provide would be gratefully accepted. I'm
usually pretty good at cleaning out PC's of malware, but this one is giving
me serious headaches.

Regards,
Dave.

T. Waters
07-10-2005, 12:30 AM
As I mentioned, you are not the first person I have heard of being infected
by Czech pranksters.
Do a Google search for "wmiprvse" and you will find a lot of sites.
This one mentions how to distinguish the genuine System File wmiprvse from
malware imitators.
http://www.iamnotageek.com/a/wmiprvse.exe.php



katman999 wrote:
> Torgeir,
> Again, thanks for the rapid response.
>
> The PC already has SP2 applied.
>
> I'm beginning to believe that the PC has been infected some new
> trojan/virus as there is a process running which I'm unable to kill
> (wmiprvse.exe). This does not show up under Task Manager, but is
> visible under Sysinternals 'Process Explorer' program. Although
> logged on as administrator, it says "access denied". Sophos suggests
> that this is a worm variant that can be fairly easily removed, but
> none of the online scanners detect anything at all.
>
> Meanwhile, more and more of the XP dialogues are changing into the
> strange foreign language, and even though I've disabled MSN
> Messenger, if the PC is connected to the internet, it receives loads
> of strange MSN messages with peculiar content (anything from
> "americans are 'Sh1t'", to something about 'arabs will win' plus
> other messages in the strange foreign language that I don't
> understand).
>
> It looks as if whatever is the cause has dropped a Remote Admin Tool
> into
> the PC, allowing it control whenever the PC is online.
>
> Once again, any help you can provide would be gratefully accepted. I'm
> usually pretty good at cleaning out PC's of malware, but this one is
> giving me serious headaches.
>
> Regards,
> Dave.

Kelly
07-10-2005, 12:30 AM
Note: The wmiprvse.exe file is located in the c:\windows\System32 folder. In
other cases, wmiprvse.exe is a virus, spyware, trojan or worm! Check this
with Security Task Manager.

Added info and reading:
http://www.google.com/search?hl=en&q=wmiprvse&btnG=Google+Search


--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com


"T. Waters" <@$%$%#^@jdjgkl.com> wrote in message
news:OHIeRhdWFHA.1152@TK2MSFTNGP09.phx.gbl...
> As I mentioned, you are not the first person I have heard of being
> infected
> by Czech pranksters.
> Do a Google search for "wmiprvse" and you will find a lot of sites.
> This one mentions how to distinguish the genuine System File wmiprvse from
> malware imitators.
> http://www.iamnotageek.com/a/wmiprvse.exe.php
>
>
>
> katman999 wrote:
>> Torgeir,
>> Again, thanks for the rapid response.
>>
>> The PC already has SP2 applied.
>>
>> I'm beginning to believe that the PC has been infected some new
>> trojan/virus as there is a process running which I'm unable to kill
>> (wmiprvse.exe). This does not show up under Task Manager, but is
>> visible under Sysinternals 'Process Explorer' program. Although
>> logged on as administrator, it says "access denied". Sophos suggests
>> that this is a worm variant that can be fairly easily removed, but
>> none of the online scanners detect anything at all.
>>
>> Meanwhile, more and more of the XP dialogues are changing into the
>> strange foreign language, and even though I've disabled MSN
>> Messenger, if the PC is connected to the internet, it receives loads
>> of strange MSN messages with peculiar content (anything from
>> "americans are 'Sh1t'", to something about 'arabs will win' plus
>> other messages in the strange foreign language that I don't
>> understand).
>>
>> It looks as if whatever is the cause has dropped a Remote Admin Tool
>> into
>> the PC, allowing it control whenever the PC is online.
>>
>> Once again, any help you can provide would be gratefully accepted. I'm
>> usually pretty good at cleaning out PC's of malware, but this one is
>> giving me serious headaches.
>>
>> Regards,
>> Dave.
>
>
>

katman999
07-10-2005, 12:30 AM
Thanks all for the suggestions. I'd already spotted that wmiprvse.exe can be
a virus, that's why I tried stopping the process. There is an apparently
valid version in c:\windows\system32\wbem\ folder. However, locating any
other version is very difficult as whatever has got into the PC has now
disabled the search facilities in My Computer and Windows Explorer!
I'll try Security Task Manager as suggested and let you know what it
determines.
Dave.

katman999
07-10-2005, 12:30 AM
OK, the PC is now completely clear of all parasites - there were a couple of
trojans hidden that have now been removed, although I now think that these
were something of a red herring.

However, some of the XP dialogues still have the peculiar language in, so I
reckoned that if I rolled back all of the updates since new (PC is about 3
months old only and was pre-installed with XP SP2), that by then redoing each
critical update, I'd be able to isolate just when the strange language was
installed.

Unfortunately, it looks as if the foreign language was installed from the
original XP CD (pre-installed by Dell), as it still occurs when the PC is
back to its original state.

Anyone have any ideas where I go from here?

Thanks in advance,
Dave.

T. Waters
07-10-2005, 12:31 AM
Ask Dell Support if their English OEM XP has Czech on it.
Those Czechs are very smart, educated, and underemployed in their own
country, sad to say. What a coincidence that the foreign language was not
Dutch or French. It just *had* to be Czech, but only by coincidence?

katman999 wrote:
> OK, the PC is now completely clear of all parasites - there were a
> couple of trojans hidden that have now been removed, although I now
> think that these were something of a red herring.
>
> However, some of the XP dialogues still have the peculiar language
> in, so I reckoned that if I rolled back all of the updates since new
> (PC is about 3 months old only and was pre-installed with XP SP2),
> that by then redoing each critical update, I'd be able to isolate
> just when the strange language was installed.
>
> Unfortunately, it looks as if the foreign language was installed from
> the original XP CD (pre-installed by Dell), as it still occurs when
> the PC is back to its original state.
>
> Anyone have any ideas where I go from here?
>
> Thanks in advance,
> Dave.

katman999
07-10-2005, 12:31 AM
"T. Waters" wrote:

> Ask Dell Support if their English OEM XP has Czech on it.
> Those Czechs are very smart, educated, and underemployed in their own
> country, sad to say. What a coincidence that the foreign language was not
> Dutch or French. It just *had* to be Czech, but only by coincidence?
>

T.
I'll ask the question, but I'd put substantial money on it that a company
like Dell will deny it: they'll insist that they never use any potentially
dodgy installation CD's.
Anyway, thanks for the suggestions - your input has been greatly appreciated.

n.b. Had a couple of suggestions on other forums that the language is;
a) Slovakian [90% certain] or b) Hungarian [also 90% certain]
- who do I believe??

Cheers,
Dave.

T. Waters
07-10-2005, 12:32 AM
katman999 wrote:
> "T. Waters" wrote:
>
>> Ask Dell Support if their English OEM XP has Czech on it.
>> Those Czechs are very smart, educated, and underemployed in their own
>> country, sad to say. What a coincidence that the foreign language
>> was not Dutch or French. It just *had* to be Czech, but only by
>> coincidence?
>>
>
> T.
> I'll ask the question, but I'd put substantial money on it that a
> company like Dell will deny it: they'll insist that they never use
> any potentially dodgy installation CD's.
> Anyway, thanks for the suggestions - your input has been greatly
> appreciated.
>
> n.b. Had a couple of suggestions on other forums that the language is;
> a) Slovakian [90% certain] or b) Hungarian [also 90% certain]
> - who do I believe??
>
> Cheers,
> Dave.

If you Google a bunch of those words together in Advanced Search under "any
of these terms" you will be able to look at the url's of the resulting hits
as listed in Google and see if there is a .hu for Hungary. a .cz for Czech
Republic or a .sk for Slovakia.
As far as I know, the former Czechoslovakia had everyone speaking Czech, and
blieve that would still be the case pt present. However, since the economic
situation in Slovakia is pretty dismal, I might guess that Slovakia is a
likely choice for your perpetrator's homeland.
I am old enough to think of Czech speakers as being Czechslovakians.
Initially, I perhaps ought to have said Czech/Slovak, or just Slovak.

katman999
07-10-2005, 12:34 AM
All,
I now have a possible answer.

I've been perseverant enough to enough look through quite a few of the
windows\system32 files checking their properties and guess what .....

... the xpsp2res.dll file is a signed microsoft file, but it is a Slovak
language version!

I don't want to spend hours checking every file - anybody got any idea which
key exe's and dll's are part of or updated in SP"?

I guess our only course of action is to get back to Dell and push them to
sort it out, I suspect they've somehow let some OEM XP SP2 installs get
corrupted with some files that are Slovak versions and not English versions.

T. Waters
07-10-2005, 12:35 AM
Dell will never admit to this, if you want my opinion!
I do not know that much about malware, having not been infected yet, but is
there any chance that malware could swap one dll file for another?
Would you be able to do an experiment and put the original file from the
Dell disk back on your computer (repair) and then see if the problem
persists? Or, do the repair from another disk of the same XP version?

katman999 wrote:
> All,
> I now have a possible answer.
>
> I've been perseverant enough to enough look through quite a few of the
> windows\system32 files checking their properties and guess what .....
>
> .. the xpsp2res.dll file is a signed microsoft file, but it is a
> Slovak language version!
>
> I don't want to spend hours checking every file - anybody got any
> idea which key exe's and dll's are part of or updated in SP"?
>
> I guess our only course of action is to get back to Dell and push
> them to sort it out, I suspect they've somehow let some OEM XP SP2
> installs get corrupted with some files that are Slovak versions and
> not English versions.

katman999
07-10-2005, 12:35 AM
T.
Already tried repair from the Dell CD - no change and unfortunately I don't
have access to another SP2 version of XP Home.
Regarding malware, yes, it is perfectly possible for a dll to get replaced
with a rogue one. However, I've cleaned dozens of PC's and I've never yet
come across a replaced dll with the same size, date/time stamp and versioning
etc.
You might be right about Dell never admitting to this, but I'm sure as hell
going to try to make them admit they've stuffed up, I do have evidence after
all.
Cheers.
--
Katman999.


"T. Waters" wrote:

> Dell will never admit to this, if you want my opinion!
> I do not know that much about malware, having not been infected yet, but is
> there any chance that malware could swap one dll file for another?
> Would you be able to do an experiment and put the original file from the
> Dell disk back on your computer (repair) and then see if the problem
> persists? Or, do the repair from another disk of the same XP version?
>
> katman999 wrote:
> > All,
> > I now have a possible answer.
> >
> > I've been perseverant enough to enough look through quite a few of the
> > windows\system32 files checking their properties and guess what .....
> >
> > .. the xpsp2res.dll file is a signed microsoft file, but it is a
> > Slovak language version!
> >
> > I don't want to spend hours checking every file - anybody got any
> > idea which key exe's and dll's are part of or updated in SP"?
> >
> > I guess our only course of action is to get back to Dell and push
> > them to sort it out, I suspect they've somehow let some OEM XP SP2
> > installs get corrupted with some files that are Slovak versions and
> > not English versions.
>
>
>
>

Sharon F
07-10-2005, 12:48 AM
On Thu, 19 May 2005 03:43:03 -0700, katman999 wrote:

> T.
> Already tried repair from the Dell CD - no change and unfortunately I don't
> have access to another SP2 version of XP Home.
> Regarding malware, yes, it is perfectly possible for a dll to get replaced
> with a rogue one. However, I've cleaned dozens of PC's and I've never yet
> come across a replaced dll with the same size, date/time stamp and versioning
> etc.
> You might be right about Dell never admitting to this, but I'm sure as hell
> going to try to make them admit they've stuffed up, I do have evidence after
> all.
> Cheers.

This is an old post as far as windowsxp.general goes but one specific file
that you might check for:

Locate the file mfc42loc.dll and, if found, check its properties.

This file tells mfc42.dll what language to use in some dialog and menu
boxes. Installing a program that comes in multiple languages (or installing
an update that is not the same language as the operating system) will
occasionally drop a copy of this file that does not match the users
language settings. Renaming or deleting the file allows Windows to use the
language settings instead the language noted by the file.

NOTE: My XP installation is over 3 years old and I do not have any copies
of the mfc42loc.dll file on my system. Do NOT rename or move the mfc42.dll
file. That is a normal file and should be left alone.

--
Sharon F
MS-MVP ~ Windows Shell/User

katman999
07-10-2005, 12:53 AM
--
Katman999.


"Sharon F" wrote:

> On Thu, 19 May 2005 03:43:03 -0700, katman999 wrote:
>
> > T.
> > Already tried repair from the Dell CD - no change and unfortunately I don't
> > have access to another SP2 version of XP Home.
> > Regarding malware, yes, it is perfectly possible for a dll to get replaced
> > with a rogue one. However, I've cleaned dozens of PC's and I've never yet
> > come across a replaced dll with the same size, date/time stamp and versioning
> > etc.
> > You might be right about Dell never admitting to this, but I'm sure as hell
> > going to try to make them admit they've stuffed up, I do have evidence after
> > all.
> > Cheers.
>
> This is an old post as far as windowsxp.general goes but one specific file
> that you might check for:
>
> Locate the file mfc42loc.dll and, if found, check its properties.
>
> This file tells mfc42.dll what language to use in some dialog and menu
> boxes. Installing a program that comes in multiple languages (or installing
> an update that is not the same language as the operating system) will
> occasionally drop a copy of this file that does not match the users
> language settings. Renaming or deleting the file allows Windows to use the
> language settings instead the language noted by the file.
>
> NOTE: My XP installation is over 3 years old and I do not have any copies
> of the mfc42loc.dll file on my system. Do NOT rename or move the mfc42.dll
> file. That is a normal file and should be left alone.
>
> --
> Sharon F
> MS-MVP ~ Windows Shell/User
>

Sharon,
Thanks for this info. but in copying other [UK] versions of the two dll's
mentioned in an earlier post, the problem has been resolved. I still think
that Dell had used a ghost XP SP2 image that was faulty. The slovak
characters were appearing on some dialogues from day 1 that the PC arrived.
Cheers.
Dave.

Torgeir Bakken \(MVP\)
07-10-2005, 12:54 AM
katman999 wrote:

> "Sharon F" wrote:
>>
>> This is an old post as far as windowsxp.general goes but one specific file
>> that you might check for:
>>
>> Locate the file mfc42loc.dll and, if found, check its properties.
>>
>> This file tells mfc42.dll what language to use in some dialog and menu
>> boxes. Installing a program that comes in multiple languages (or installing
>> an update that is not the same language as the operating system) will
>> occasionally drop a copy of this file that does not match the users
>> language settings. Renaming or deleting the file allows Windows to use the
>> language settings instead the language noted by the file.
>>
>> NOTE: My XP installation is over 3 years old and I do not have any copies
>> of the mfc42loc.dll file on my system. Do NOT rename or move the mfc42.dll
>> file. That is a normal file and should be left alone.
>
> Sharon,
> Thanks for this info. but in copying other [UK] versions of the two dll's
> mentioned in an earlier post, the problem has been resolved. I still think
> that Dell had used a ghost XP SP2 image that was faulty. The slovak
> characters were appearing on some dialogues from day 1 that the PC arrived.

Hi Dave,

Thanks for posting back the solution :-)

You say two previously mentioned dll's, but I can only find that you
have mentioned the xpsp2res.dll file. What was the second one?


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

katman999
07-10-2005, 12:54 AM
Torgeir,
The two dll's were xpsp2res.dll and xpsp1res.dll
Dave.
--

Sharon F
07-10-2005, 12:54 AM
On Tue, 31 May 2005 16:17:52 -0700, katman999 wrote:

> Sharon,
> Thanks for this info. but in copying other [UK] versions of the two dll's
> mentioned in an earlier post, the problem has been resolved. I still think
> that Dell had used a ghost XP SP2 image that was faulty. The slovak
> characters were appearing on some dialogues from day 1 that the PC arrived.
> Cheers.

You're welcome and thank you for posting back with your solution for the
problem.

--
Sharon F
MS-MVP ~ Windows Shell/User

Torgeir Bakken \(MVP\)
07-10-2005, 12:54 AM
katman999 wrote:

> Torgeir,
> The two dll's were xpsp2res.dll and xpsp1res.dll
> Dave.

Thank you :-)


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx


Foreign language characters in some XP dialogues