Security Incidents mailing list archives

RE: Weird Profile in Documents and Settings


From: Andre Arcand <aarcand () fonex com>
Date: Tue, 4 Mar 2003 09:58:04 -0500

I have in the Documents and Settings folder 2 user profiles written in
Chinese font (I have multi-language installed). After some troubleshooting,
I noticed that this Chinese-written profile was the one used by the domain
admin user. I can log on with the Domain\Admin user without any problems;
I copied something onto the desktop and checked in the Chinese profile, and the file was
there.  I logged on with the local admin; the user profile works fine.
Tested copying onto the desktop and the file is there in the local\admin
profile.

So to recapitulate,

Local admin has its normal profile folder structure.
Domain admin has a profile folder structure written in Chinese font.

I checked my events log and noticed the following event.

=========================================================================
Event Type:     Error
Event Source:   NETLOGON
Event Category: None
Event ID:       5788
Date:           04/03/2003
Time:           8:18:55 AM
User:           N/A
Computer:       powervault
Description:
Attempt to update HOST Service Principal Names (SPNs) of the computer object
in Active Directory failed. The updated values were 'HOST/powervault' and
'HOST/powervault'. The following error occurred:
The parameter is incorrect.
Data:
0000: 57 00 00 00               W...
=========================================================================

I was wondering if this could have something to do with the weird profile.
Is it possible that the Domain\admin user profile gets corrupted because the
computer can't register properly in AD?

I have this partition mirrored to another drive, and these folders don't
show up on the 2nd drive. Maybe it is just corrupted. Would it mirror
corrupted data? I assume yes, but it's not.

I have deleted the user profile, which I could delete with local\admin.
Re-logged with Domain\admin and the good profile was created. Now the only
thing left to do is to monitor, to make sure the profile folders don't come
back as Chinese.

Anyway, I thought I might share the weirdness with you guys, so it could help
us all to understand what happened and why.

Thanks for any help.

Dre.
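An added example, not from any of the posts in this thread: the check that ties each profile folder to the SID and account that owns it, which is what both Greg's and Andre's troubleshooting were doing by hand. Windows keeps the authoritative list in the ProfileList registry key, so an oddly named folder (squares, CJK glyphs) can be resolved to an account without logging on as each one, and folders that no account claims stand out. It assumes a modern Windows host with PowerShell (Windows 2000 has none, but the same ProfileList key exists there and can be read in regedit); setspn.exe is the real Windows tool for the SPN part of Andre's event, and the function names are my own.

```powershell
# Added example (not from the thread): map each profile folder on this box to
# the account that owns it, and flag folders that no account claims.
# Windows keeps the authoritative profile list in the registry, keyed by SID;
# the folder under Documents and Settings / Users is only the display path.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileOwners {
    Get-ChildItem -Path $profileListKey | ForEach-Object {
        $sid  = $_.PSChildName
        # ProfileImagePath is REG_EXPAND_SZ; Get-ItemProperty expands %SystemDrive%.
        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        # Translate the SID to DOMAIN\user; a SID that no longer resolves
        # (deleted account, unreachable domain) is reported as such.
        $account = $(try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { '<unresolved>' })
        # Non-ASCII characters in the folder name are exactly what shows up
        # as squares or CJK glyphs in Explorer, so call them out explicitly.
        $nonAscii = ($path -match '[^\x00-\x7F]')
        [pscustomobject]@{
            SID         = $sid
            Account     = $account
            ProfilePath = $path
            NonAscii    = $nonAscii
            Exists      = (Test-Path -LiteralPath $path)
        }
    }
}

function Get-OrphanProfileFolders {
    # Folders under the profiles root that no ProfileList entry points at.
    # These are the ones worth a closer look (creation time, owner, contents).
    $root  = Split-Path -Parent $env:USERPROFILE
    $known = @(Get-ProfileOwners | ForEach-Object { $_.ProfilePath.TrimEnd('\') })
    Get-ChildItem -Path $root -Directory | Where-Object {
        $known -notcontains $_.FullName.TrimEnd('\')
    }
}

Get-ProfileOwners | Format-Table -AutoSize
Write-Host "Folders under $(Split-Path -Parent $env:USERPROFILE) with no ProfileList owner:"
Get-OrphanProfileFolders | Select-Object FullName, CreationTime, LastWriteTime

# The NETLOGON 5788 in the post concerns the machine account's HOST SPNs, which
# is independent of user profile loading. List what the computer object holds;
# setspn.exe ships with Windows Server and RSAT.
setspn.exe -L $env:COMPUTERNAME
```

Run it elevated so the ProfileList key and every profile folder are readable. A domain account whose folder name collides with a local one gets a suffixed path (user.DOMAIN), which is why reading ProfileList beats guessing from the folder name; and a folder that is listed, owned by a domain admin, and NonAscii = True is the situation Andre describes, whereas an orphan folder nobody owns is the one to treat as suspicious.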





-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: February 20, 2003 11:19 AM
To: 'Greg Wiedeman'; incidents () securityfocus com
Subject: RE: Weird Profile in Documents and Settings


I have never seen this before, but the squares are indicators of extended
characters.  Do the profiles show up in the profile list, and what else can
you tell us about them?  How big are they, are they the same size on all
machines, what is in the folders?

-----Original Message-----
From: Greg Wiedeman [mailto:gswcentral () attbi com]
Sent: Thursday, February 20, 2003 6:38 AM
To: incidents () securityfocus com
Subject: Weird Profile in Documents and Settings




I have an incident where, in the Documents and Settings in Windows 2000, I
have a profile show up under a number of systems where the name of the
folder shows up as 3 squares. I don't know where it came from, but it
appears on my workstations and my servers. I don't know what it is. Does
anyone know anything that would make this profile? I have done virus
scans and trojan scans along with scumware scans, but all turn up negative.
Thanks
