opened American Airlines fake ticket

Q: opened American Airlines fake ticket

To whom it may concern,
My brother accidentally opened an American Airlines email and caused his computer to hide all personal files, including music, photos, work. I have tried Malwarebytes to repair. Needs more than that. He has Webroot antivirus, it is always saying it needs updating.
Thank you for your help

Kevin Petty

A: opened American Airlines fake ticket

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will appear.
Click OK.
DeFogger may ask you to reboot the machine, if it does - click OK.
Do not re-enable these drivers until otherwise instructed.

Download DDS:
Please download DDS by sUBs from one of the links below and save it to your desktop:
Download DDS and save it to your desktop
Please disable any anti-malware program that will block scripts from running before running DDS.
Double-click on dds.scr and a command window will appear. This is normal.
Shortly after, two logs will appear:
DDS.txt
Attach.txt
A window will open instructing you to save & post the logs.
Save the logs to a convenient place such as your desktop.
Copy the contents of both logs & post in your next reply.

Information and logs:
In your next post I need the following:
logs from DDS
let me know of any problems you may have had

Gringo

Read other 3 answers

A family member of mine was just recently infected with a virus that they got from a fake American Airlines email.  Since they already deleted the email, I cannot paste here what the content was exactly but it seemed like a regular ticket confirmation email.  The only thing that was off was that it included a line saying "in order to use your ticket now, please download the attachment".  As you may have guessed, they actually downloaded the attachment and executed the file inside which was named something like ticket.exe.  
I'm not sure what the virus does exactly, but after a few minutes, McAfee caught it, but it notified us that the computer had to restart in order to fix the problem. I booted into safe mode with networking, but things seemed to be in working order. When I googled the virus, I heard it was supposed to black out your desktop and erase your program icons from the start menu, but this doesn't seem to be the case here. After a few more minutes, McAfee's real-time scan disabled itself and I'm unable to turn it back on.
The computer is running Windows 7, 64-bit ultimate.  Let me know if you need more information, otherwise I'll update with any new problems as they come up.
Thanks for all your help! 

A:American airlines email virus/ticket.exe

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe.
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and ... Read more

Read other 5 answers

Please help with removal of a virus or malware launched after receiving fake NYC traffic ticket. Workstation was shutdown shortly after infection and now will not boot into WinXP Pro in any mode.

A:Fake Traffic Ticket Launched Malware

Hi, Let's give it a try.
We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.
Download GETxPUD.exe to the desktop of your clean computer
Run GETxPUD.exe
A new folder will appear on the desktop.
Open the GETxPUD folder and click on the get&burn.bat
The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
Click on Start and follow the prompts to burn the image to a CD.
Next download driver.sh to your USB drive
Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
Remove the USB & CD and insert them in the sick computer
Boot the Sick computer with the CD you just burned
The computer must be set to boot from the CD
In some computers you need to tap F12 and choose to boot from the CD, in others is the Esc key. Please consult your computer's documentation.
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
Click on the folder that represents your USB drive (sdb1 ?)
Confirm that you see driver.sh that you downloaded there
Press Tool at the top
Choose Open Terminal
Type bash driver.sh
Press Enter
After it has finished a report will be located on your USB drive named report.txt
Then type bash driver.sh -af
Press Enter
You will be prompted to input a ... Read more

Read other 19 answers

Mistakenly ran executable file sent in an email posing as an E-Card from American Greetings. [Executable came up clean when scanned by Norton AntiVirus 2006.] My machine is now randomly displaying ads whenever I run Internet Explorer and connect to the Internet. Machine runs XP Pro with SP 3. IBM T41. Getting AntiVirus 360 and Registry Defender ads as part of the process but not only these ads. Windows OneCare claims to have cleaned up Trojans but infection still here. Use Norton AntiVirus 2006 with up to date definitions and it can't clean it fully either. Data backed up so no problem there.

Here is the log from DDS. I'm also attaching the attach.txt file (unzipped as it appears to be quite small).
DDS (Ver_09-02-01.01) - NTFSx86
Run by mgordon at 6:04:52.78 on Sat 02/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.406 [GMT -5:00]

AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated)
AV: Windows Live OneCare *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
FW: Windows Live OneCare Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.e... Read more

A:Malware From Executable Attached to Fake American Greetings E-Card

Hello birchrunville,

Sorry for the delay. We have over 500 logs backed up on only a few helpers.

If you still need help, then please post a fresh DDS log and we will take it from there.

Read other 2 answers

I came across an unusual pass-the-ticket ATA alert. Please take a look below:
Time (UTC)    Source Ip Address    Source Computer   Source Computer Resolution Method                Destination Ip Address
06.10.2017   20:01:58,538           10.***.**.**1        LT******1           Netbios, RpcNtlm, Hint, Cached    10.***.***.*3
06.10.2017   20:05:29,289           10.***.**.**1        LT******1           Netbios, RpcNtlm, Hint, Cached    10.***.***.*3
06.10.2017   20:45:52,151           10.***.**.**2        LT******2           Dns, Cached                                
06.10.2017   20:45:52,615           10.***.**.**2        LT******2           Dns, Cached                  &... Read more

Read other answers


I am using Microsoft Advanced Threat Analytics v1.7.2 evolution. I am following the ATA Attack simulation playbook. It can detect enumeration and Pass-the-Hash successfully but it is unable to detect Pass-the-Ticket and Golden Ticket attacks. I have set up a lab environment in an ESXi environment and have set up Lightweight Gateway on the DC.
A couple of weeks before, I set up a lab in a Hyper-V environment and it was working fine. I don't know what the issue is here. Please help me resolve this.

Read other answers

I have Microsoft ATA set up in a lab environment and it is not detecting pass the ticket and golden ticket attacks when following the playbook. It does detect enumeration and pass the hash and other anomalies.
The computers i have in the lab environment running in Proxmox VE are:
Victim-PC (Windows 7)
Admin-PC (Windows 7)
ATACenter (Server 2012)
Domain Controller (Server 2012) (lightweight gateway setup)

I also had a strange problem using the Netsess tool to obtain the IP address of the NuckC user logged into the admin-pc machine. I have gone over every inch of the setup I could and did follow the directions for the playbook directly. Not sure if this had some effect on why those things were not detected. Any insight on this would be helpful.

Read other answers

I am trying to use the automatic ticket generation feature of RT. I was able to do it at the command, specifying the queue, etc, and it generated a queue. I would like to use a form that a user can fill out and have it send to rt and generate the ticket.

Any ideas of how to do this?


A:RT Ticket form to auto generate ticket

Closing duplicate, please reply here:



Read other 1 answers

I cannot use DDS (goes for a while then freezes system), Tdsskiller (Nothing happens when clicked, even when renamed), GMER (getting Loaddriver error at start, program goes after that but I am not sure if it's doing anything), Combofix except using /nombr, even then it takes two hours to get through where it normally takes 10 minutes.
Symptoms are that when using MBRcheck I get fake MBR message. I get ghost webpages opening up that I cannot see but can hear if they have sound. I was having hijacked searches but that seems to be gone after I deleted a bunch of temp files. I tried replacing MBR using both MBRcheck and using System Recovery booting from a CD, both indicate success but rerunning the MBRcheck still indicates a fake MBR.

MBRcheck and the Combofix reports are below:
MBRCheck, version 1.2.3
© 2010, AD

Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA32... Read more

A:Fake MBR, invisible webpages opened

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

The first thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe after it is complete restart the computer and continue with these steps

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
Double click on OTL.exe to run it.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Under the Custom Scan box paste this in

%TEMP%\smtmp... Read more

Read other 3 answers

Hello, I'm sure this is old news, but I ran this AA Airline crap and before I knew it was a virus the damage was already done. I killed the computer as soon as I realized trouble and now all I get when I try to start it is "error reading OS". I can't get it to even show a safe mode option with F8. I can get to bios (F2) and boot (F12) but that is it. Any help would be appreciated as I am at a loss. Thanks. Robert.

A:AA Airlines virus

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/442543 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

Read other 6 answers

cannot access their website

southwest.com or iflyswa.com

others have no problem.
this started on wednesday for me.

A:southwest airlines

Read other 11 answers

For some reason I cannot access southwest.com - on any of the three computers I own. At home these three computers access the internet via a wireless modem that connects with the comcast host. When I travel with either laptop the same problem happens. It also happens using Firefox. When I attempt to open southwest.com I get a connecting message and it will grind away for a half-hour or so before finally timing out. Sometimes the southwest site will partially open. I have tried deleting cookies, but that doesn't help. Any suggestions.



A:Cannot access Southwest Airlines

You might have SW on your banned URL list. Check to see if that connects.

Read other 17 answers

I stumbled on new baggage rules for lithium batteries on airlines. (haven't seen this announced before.)
Spare lithium batteries can not be carried in checked luggage. Only lithium batteries installed in equipment can be in checked baggage.
Spare lithium batteries are allowed in carry-on baggage.

These strange rules will cause your spare lithium camera batteries to be discarded after you check luggage without you being notified. Those are expensive and hard to replace when touring.

A:Lithium batteries on airlines

Here's the DOT's notice.


Read other 1 answers

I cannot access Delta Airlines url (www.Delta.com) from any of the 3 computers on my Home network anymore. I can take my Laptop to another network and access perfectly. All PC's use XP.

I have access to all other url's (websites) from any of the 3 computers except the Delta Website.

Any help is appreciated.

A:Can't access Delta Airlines url

Click Start => run type in CMD press OK. When command prompt opens up type in Ping www.Delta.com and press Enter. Please copy and paste the results back into this thread

Read other 1 answers

My son has an iPad and an iPhone. The iPhone is not synced to the iPad but a single email has been opened on the iPad that he has only accessed via his iPhone. How can this happen?

A:one email looks opened when I have not opened it?

It sounds like you are using IMAP, which syncs the emails with the server, not the devices. So when one device shows up and is read there, the other will then show the same thing (being read). This is normal.

Read other 1 answers

I purchased a Y70-70 in with 2 year additional warranty. I had never used the ports on the left side as all my peripherals were USB 2 and I used WIFI (no need for Ethernet). But a several months ago, I purchased a USB3 device and found it or any other device would work on the left side ports, to include the ethernet port. Called support, got a ticket and sent it in. Received email saying it was received and was being looked at. Later, checking ticket status, it stated problem found, BUT NO SPARE - this was bad enough, but stated one was being searched for ASAP. Okay until I checked again today and NO ticket!! I cannot find any phone numbers or emails. In the original email it was stated "click here" to email. Doesn't work!! How can I get this resolved? TIA for any assistance. btw, I had forgotten my email password and it is ON the laptop that is in for repair. Obviously I'll have to change to a new one, but many messages stored on that computer (as well as a LOT of valuable information). Yes, I backed it up, but backup is set for THAT computer!

Read other answers

Why does tech support simply ship out a box for depot repair without consulting the customer first? Twice I have opened a ticket for issues which DO NOT require depot repair and TWICE they have shipped out a box for me to return my computer to them.  Why are they in such a need to get their hands on my computer? It would be nice to have a little contact before just blindly sending out a box. My issues DO NOT require depot repair. I do not understand nor appreciate this policy. They don't stop to consider that users may not be able to be without their computers for weeks, for issues which probably could be resolved with a tweak or something.   

Read other answers

Win 10, IE 11; No matter what I do I cannot get rid of the "Script Error" message: An error has occurred on the script on this page. I have adjusted IE OPTIONS, ADVANCED disable script debugging (IE) and (OTHER)
I delete all browsing, cookies, Internet files and history once a day.
This only happens on, or in, Internet Explorer 11, Not in Microsoft Edge 38.14393.0.0
Need your help or a ticket to the loony bin. Thanks eddie460

Read other answers

I installed RT 3.0.10 on a Red Hat 9 server with Apache. I did the rpm install of RT. I have the site up but on the index.html page, the RT logo is just an X. Docs and questions I read said /html/Elements/ folder should be in share/Elements. I do not think it sees the Elements folder.

I have all the perl modules installed.

Is there something I am missing?


A:RT Ticket System

Please do not double post.

Read other 2 answers

I try to play microsoft solitaire on windows and all I get is a white screen 

Read other answers


Can anyone help me design airlines website like calendar in access.

Like, when it shows, the date and the availability and the price of ticket.


A:Access Query: Display Airlines like Calendar in Access

Read other 12 answers

I somehow got the site-ticket browser search hijacker. I've tried just about every browser hijack repair tool on the net for download. Whenever I do a search and click on a link it redirects me to some other site. When it does that down in the status bar I see the following IP I've tried BHO. I've tried HOSTS file. I've tried Addons. I've tried plugins. I've tried everything I can think of. I've even gone into IE options in the registry. I seriously need help with getting rid of this. I've even tried removing IE and installing IE 7 to see if that cleans things up.
Moderator Edit: Moved topic to more appropriate forum. ~ Animal

A:Site Ticket Removal

http://www.bleepingcomputer.com/uninstall/...SiteTicket.html
Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds. http://www.superantispyware.com/
Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html
If you need more help removing the malware:
Post a Hijack This log in the appropriate forum by following the directions in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Read other 6 answers

I did a serious blunder of opening an email that had a zip attachment yesterday, it was her confirmation for an airline tickets and confirmation. Now every application and or short cut I click on I get an Application Error "0x00409e73" referenced memory at "0x0009f000" The memory could not be “read” (the numbers are sometimes different) the option to press ok to terminate or cancel to debug (the debug feature does not work) as I mentioned I get this error with anything I try and open. I have looked in C\windows\system32 for braviax.exe and did not find this. I know I am not the first person to report this virus but I cannot find the solution on the site here sorry about the repeat question
I am running xp pro log attached please help thanks
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12:37, on 8/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Progr... Read more

A:Virus in Airline ticket please help

Welcome to TSG

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
... Read more

Read other 1 answers

Could you explain how the pass the ticket attack is determined or how to verify that this is an actual problem and not a false positive?
I am piloting ATA in my environment and have already received three warnings regarding pass the ticket.
It is only for computer accounts and not users.

Read other answers

So I was stupid enough to open the traffic ticket e-mail, my antivirus blocked it but I still have the following issues:

Both my Start menu columns are blank.

My desktop shortcuts are gone except for some word files.

There is a locket icon next to my user (Owner) file menu.
How can I fix the above? I did a virus and a spyware scan immediately after the infection but I am not sure if the bug is totally removed...

Thanks in advance

A:Ticket virus victim...

Read other 16 answers

Hi everybody,
I've been trying the pass-the-ticket attack for a week now with mimikatz.
This is my lab :

1 Center
1 Gateway
1 DC
1 Workstation
From the workstation, I use the admin ticket. I have access for example to this folder \\dc\admin$. But ATA doesn't detect this scenario. Could someone help me please.

Read other answers

I just recently signed up for Verizon DSL. It is very important that I can be on the phone & computer at the same time at home because that is where I do most of my work. I have two phone lines through Verizon, however, the second phone line goes completely out at least once every two days.....basically whenever it rains or snows. By the time I can get someone from Verizon to my house, the phone is working again and the repairman can't do anything about it.

So what do I do? I sign up for Verizon DSL....obviously a bad idea. I thought it would be more reliable than the phone line that they can't fix. So I order the DSL on my good line and the thing doesn't even work. It looks connected and packets are coming but none are going. And that darn ready light will not quit blinking.

Sorry for the rambling...I just need to vent. Anyways, I have already spoken with three CSRs over at VOL. I have been issued a trouble ticket. She said it was probably the modem????

So if anyone has had this problem and has had a trouble ticket issued...when do they usually fix the problem? I have read on other forums that it takes a long time. Should I be concerned here? I simply have no patience with these people.....I am PAYING them so I should at least get decent service.

What is a trouble ticket? Will someone come out to my house? Should I just cancel the whole thing...I am already being charged for it after all. Has anyone else had this problem? I would call them back but I h... Read more

A:Verizon DSL trouble ticket

Sad to say, this is clearly an issue you'll have to resolve with Verizon. OTOH, if you have no service, you can usually get them to give you a credit for the service...

Read other 3 answers

I just opened a ticket at microsoft and forked over the $35 because I can't figure out how to stop getting the error when using Outlook 2002 notes. I think, somehow, I paid 2x and opened 2 tickets because of the stupid activex crap needed to be installed (can you tell I am frustrated?) What is the best way to get one of my payments back rather than fighting it through the credit card company? I am really getting torqued off at Microsoft.

A:Microsoft Ticket Screw UP

Read other 10 answers

I'm looking for a completely free ticket making program. Nothing fancy. Just to make basic raffle tickets.

I can only find demos that won't print the things because they want you to buy the software.

Any ideas?

A:Solved: Ticket Generator

Read other 6 answers

Hi all,
This is a question for my own information and knowledge as I'm new to ATA.

In ATA, I understand the need for DNS Reconnaissance IP exclusions. There may be machines where legitimate DNS administrative tasks need to be performed, and you don't want these machines triggering alerts in ATA when someone runs the NSLookup command.

What I'm trying to get my head around is why you would want Pass-The-Ticket IP Address exclusions. What is the scenario where you would add an IP or IP Range to be excluded from PtT alerting?


Read other answers

I got a thing called Media Ticket Installer.ocx, was picked up by Norton, which couldn't delete it, but I managed to do it manually. It didn't seem to have changed the registry, but I would be grateful if someone could have a quick peek at my log, just to make sure. Not sure how I got it, as I am running lots of antispyware recommended on here.

Logfile of HijackThis v1.98.2
Scan saved at 18:56:35, on 29/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.ex... Read more

Read other answers

We have a situation where users are getting locked out after 2 logon attempts with bad passwords. Our policy is three bad passwords produces a lockout, but we've confirmed that it locks after only 2. In troubleshooting this, we found that every time a user sends logon credentials, two Kerberos tickets are generated. To AD, after the second attempt, four "bad" tickets have been sent. How in the world do we begin tracing this down?

A:Kerberos Ticket Generated at Logon Sent Twice

I am reviving an old thread strictly for the sake of posting our fix. This happened again on a single machine in our environment and I remembered that I posted something here. I failed to return to relate the solution.
Turns out that a year or two before I started at my current job, a Group Policy Preference was created to force a particular encryption type (RC4-HMAC) to allow machines to connect to our Windows 2003 Server DCs. The GPP maintained a setting in the registry: HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters. The value is called DefaultEncryptionType and was set to 17 (hex). Removing the value corrected the issue for us.

Read other 5 answers

My sister is having difficulties trying to get her tickets when she wins bingo on pogo. It says "Validating your bingo claim", but nothing happens. I have uninstalled and reinstalled Sun Java because pogo support said to, but it still won't work. She has Windows XP SP2. I have contacted pogo numerous times, but none of them can find out how to fix this. Any help would be greatly appreciated.

Read other answers

Hello all,
I've been testing ATA for a couple of weeks now. I have successfully raised a lot of alerts based on the list of functionalities of ATA but I'm not able to raise an alert for golden tickets.
I'm using mimikatz for retrieving the password hash of the krbtgt account (the alert "malicious replication" is raised). I created a ticket with the command "kerberos::golden" and I successfully loaded a ticket from a domain admin account.

I accessed the admin shares of a domain controller, I have removed/added members from the domain admins group. I have no alert from ATA.
I'm using the lightweight agent on all domain controllers and the Kerberos audit is enabled (4776).
Thank you for the help!


Read other answers

I'm trying to find out what triggers a pass the ticket alert. We have a case where a user logged in with another user's credentials on a different computer over vpn at the same time that user was on campus and a pass the ticket alert was triggered. Is the alert triggered when an exact TGT with the exact hashes and exact sessions are seen on a different computer? Or is it some other trigger?
In other words: is this an indication that the other user installed malware to steal the ticket from a user's computer and then use the Kerberos ticket to log into vpn and ATA saw an exact duplicate ticket with the same hashes and sessions?
This seems very unlikely because the other user would have had to use the Kerberos ticket to log into VPN, which first communicates with a radius server (no Kerberos ticket used at this point) before it communicates with the DCs. So the other user probably had a username and password already, and if that were true, why use a stolen Kerberos ticket that will trigger alerts when one could just get a new one when logging in. It doesn't seem to make sense for this to be the case.
Or does ATA see the same username in a different subnet at the same time and assume that the ticket was stolen without verifying that the tickets are exactly the same?
Or is there some mechanism built into Kerberos that forwards copies of Kerberos tickets to the same user whe... Read more

Read other answers

I've got a fairly new 2003 Active Directory and recently I have had two independent reports of users not being able to get into a file server that they were able to one week before. After a log off and log on they have been ok.

I believe this is due to the fact the users haven't logged off in a week and their Kerberos credentials expired. So I've checked domain policy and it seems that the policies are as follows:

Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
The last one was of interest here so I just changed it to 60 days.

Maximum lifetime for user ticket renewal 60 days
I would like to ask what people's opinions are on this, especially if there are any other veteran MCSEs out there, regarding the security implications of this change.

Read other answers

ATA 1.9 will simply not detect Golden Ticket attempts, even though I have followed the ATA deployment Guide 1.8 to the letter, I've waited 12 hours after creating the ticket to use it the second time and everything but still no alert. I have attempted this numerous times in varying methods but still NOTHING..

Gateway is set up and is working perfectly. It correctly triggers stuff like PTH and Malicious Replication of Directory Services, but for the life of me I cannot get the Golden Ticket Alert to trigger in ANY event, after trying a variety of different ways and

FYI I am running version 19.7312.32791

Read other answers

I have installed and have been testing the ATA in a test AD Forest. I have successfully tested against the honey token account and DNS Reconnaissance.

I am now testing for Pass-the-ticket detection that is touted on the Microsoft ATA announcement pages. I used MimiKatz on one server to obtain a ticket of the Domain Admin account performing a CIFS session to a DC $ADMIN share and transferred it to another machine logged in as a non Domain Admin account. I then was able to use Mimikatz to replay that token and then access the DC's directory and copy a sensitive file from the NTDS folder. ATA did not report any such behavior. If I understand the ATA correctly, it should have discovered PTT and reported it. Based upon the documentation, it just magically works when you set up the ATA.

What am I missing here? The only thing I did not do was grant the ATA GW access to the client computers in the Domain. Since we are a large Enterprise, it would be difficult to get that kind of buy-in from all depts.

I have yet to test the plain text simple binds.
Assistance please.
Brian B.  

Read other answers