'Bruteforce Attack', 'Pass-The-Ticket', 'Pass-The-Hash', 'Sensitive account exposed' Attacks NOT DETECTED!!

Hi All,
I tested the following attacks in Microsoft Advanced Threat Analytics and found them not to be working.

Bruteforce Attack
Pass-The-Ticket
Pass-The-Hash
Sensitive account exposed Using Plain-Text Authentication

I have tested other attacks like Reconnaissance using DNS, Broken Trust, Honey Token account suspicious activities but they are working perfectly fine. I don't know what's the issue with the above 4.

For
1. Bruteforce Attack:
I used thc-hydra-windows and triggered a dictionary attack using a list of passwords.

2. Pass-The-Ticket:
I used mimikatz to steal the Kerberos ticket from a PC on which Admin is logged on. Impersonating an attacker, I copied the .kirbi file and injected that file (using mimikatz again) to another PC on which a domain user is logged in.

3. Pass-The-Hash:
(Same as above)

4. Sensitive account exposed in plain text authentication:
I used mimikatz command 'sekurlsa::logonpasswords' and was able to get passwords of all the users who logged on to that PC. But this was also not detected by MATA.

Please help me with the above issues. If possible, provide the tools using which I can trigger and detect those attacks.
Regards

RELEVANCY SCORE 137.2

Hello,

I am using Microsoft Advanced Threat Analytics v1.7.2 evolution. I am following ATA Attack simulation playbook. It can detect enumeration and Pass-the-Hash successfully but it is unable to detect Pass-the-Ticket and Golden Ticket attack. I have set up lab environment in ESXi environment and have set up Lightweight Gateway on the DC.
A couple of weeks before I set up lab on HyperV environment and it was working fine. Don't know what is the issue here. Please help me resolve this.

RELEVANCY SCORE 131.2

Could you explain how the pass the ticket attack is determined or how to verify that this is an actual problem and not a false positive?
I am piloting ATA in my environment and have already received three warnings regarding pass the ticket.
It is only for computer accounts and not users.

RELEVANCY SCORE 128.4

Hi,
ATA has an alert about a pass the ticket attack - Kerberos tickets were stolen from one computer to other. At the same time both computers have renewed their IP from the DHCP server; maybe the renew is causing the alert to pop up?
I can't find anything unusual on the computer.

Thanks

RELEVANCY SCORE 128.4

We have been running ATA for a little over a month putting in gateways as we get resources and DC configured. We have had 3 instances of being notified that a pass the ticket attack was performed involving 3 distinct sets of 2 computers. In all cases it appears that both computers were coming in from a VPN solution. They are not NAT'ed or using DirectAccess but VPN is sort of similar so I'm starting to wonder if these are false positives. Is there any guidance on how a VPN segment can cause false positives to show pass the ticket attacks? Some general understanding on what is going on under the hood would help.

RELEVANCY SCORE 127.6

Running v1.7.5757.57477 and recently got four PTH alerts, and in each case it states the hash was stolen from one of the computers previously logged into by the user and then used on a system, which in each case happened to be the user's primary system in which they logged into.
Would this be potential false positives? I would be more worried if the hash was used on a system not associated with the user.

Thx

RELEVANCY SCORE 127.2

Got 2 alerts for Identity theft using pass-the-ticket attack.

Checked with my network team for the IPs involved in the alert. I requested them to provide details on this IP.

Does the IP address of one or both computers belong to a subnet that is allocated from an undersized DHCP pool, for example, VPN or WiFi? 
Is the IP address shared? For example, by a NAT device?
--------------------------------------------------------------------------------------------------------------
Below is the network team reply: 
Please note that IP is part of subnet on Ballina Ireland Data VLAN. It is currently DHCP free.

Please note that IP address is part of Wireless Network 2 Atlanta Office Center.
It is currently DHCP free.

Is the IP address shared? For example, by a NAT device? NO.
---------------------------------------------------------------------------------------------------------------
Can this be the cause of the alert? It is currently DHCP free.
If not, then what else do I need to look for here?

RELEVANCY SCORE 126.8

Hi everybody,
I've been trying the pass-the-ticket attack for a week now with mimikatz.
This is my lab:

1 Center
1 Gateway
1 DC
1 Workstation

From the workstation, I use the admin ticket. I have access for example to this folder \\dc\admin$. But ATA doesn't detect this scenario. Could someone help me please.
Thanks!!

RELEVANCY SCORE 126.4

I have recently installed ATA (1.8.6645.28499). It is now into the second week of its learning phase and it is raising a considerable number of false pass-the-hash alerts when users initiate Citrix sessions from their usual PC using pass-thru authentication, e.g. a typical alert would be:
Bloggs,Fred's hash was stolen from one of the computers previously logged into by Bloggs,Fred and used from xx1234
Clearly this is spurious - in each case the user is initiating a Citrix session from their own PC and the xx1234 represents a Citrix server in the farm in every case.
1) Why am I only receiving a handful of related PTH alerts each day when I have many thousands of Citrix users, all authenticating in the same manner?
2) How can I suppress these alerts?
What I effectively want to say is 'IF the suspected PTH is being triggered BY the user on their OWN PC and the target server is in our Citrix farm' then ignore it. I can't see a way of setting an exclusion range like this for PTH events though?
Thanks

RELEVANCY SCORE 126

Hi everybody,
Could someone please explain, if he had succeeded, the pass-the-hash attack with ATA?
I have:

1 Center
1 Gateway
1 DC
1 workstation

From the workstation, I use the DC hash password admin for authentication. I have access to the DC but ATA doesn't detect this scenario.

RELEVANCY SCORE 125.6

Hello,

I received the following alert:

Identity theft using pass-the-ticket attack
USER-NAME's Kerberos tickets were stolen from 2 computers to 2 computers and used to access ldap/DC-NAME.DOMAIN-NAME/DomainDnsZones.DOMAIN-NAME.

The network activities indicate the following:
Network activity #1 - WORKSTATION 1 was resolved through the Hint, Cached method by DOMAIN CONTROLLER 1 - the Resource Name is krbtgt/DOMAIN-NAME - Source Account Name is USER-NAME
Network activity #2 - WORKSTATION 2 was resolved through the RpcNtlm method by DOMAIN CONTROLLER 1 - the Resource Name is ldap/DC-NAME.DOMAIN-NAME/DomainDnsZones.DOMAIN-NAME - Source Account Name is USER-NAME
Network activity #3 - WORKSTATION 1 was resolved through the Hint, Cached method by DOMAIN CONTROLLER 1 - the Resource Name is ldap/DC-NAME.DOMAIN-NAME/DomainDnsZones.DOMAIN-NAME - Source Account Name is USER-NAME

The user on WORKSTATION 1 did not use any other machine.
The user on WORKSTATION 2 did not use any other machine, either.
Both users did not use VPN.
The DC resolved the machine names successfully.

Is the authentication issue / one-way replication of application directory partitions, including DomainDNSZones the root cause here?

What are your thoughts?

Regards,
MSSOC

RELEVANCY SCORE 125.6

I have installed and have been testing the ATA in a test AD Forest. I have successfully tested against the honey token account and DNS Reconnaissance.

I am now testing for Pass-the-ticket detection that is touted on the Microsoft ATA announcement pages. I used MimiKatz on one server to obtain a ticket of the Domain Admin account performing a CIFS session to a DC $ADMIN share and transferred it to another machine logged in as a non Domain Admin account. I then was able to use Mimikatz to replay that token and then access the DC's directory and copy a sensitive file from the NTDS folder. ATA did not report any such behavior. If I understand the ATA correctly, it should have discovered PTT and reported it. Based upon the documentation, it just magically works when you set up the ATA.

What am I missing here? The only thing I did not do was grant the ATA GW access to the client computers in the Domain. Since we are a large Enterprise, it would be difficult to get that kind of buy-in from all depts.

I have yet to test the plain text simple binds.
Assistance please.
Brian B.  

RELEVANCY SCORE 124.4

Good morning, I installed Microsoft ATA 1.6 as soon as it was available and now I start to receive security messages from behaviour and attack events. I need to verify the "Identity theft using pass-the-ticket attack" event. Could anyone suggest any test and verification? Thank you

RELEVANCY SCORE 124.4

I had a pass-the-ticket attack SA today that I believe is the result of a computer moving from a wired to a wireless network.
The DNS cache was used to resolve the original computer name (during the Kerberos TGS request) but there was no cache hit when the ticket was used again (SMB access to the DC).
First, does this seem like a plausible cause of a false positive?
Second, is there any tuning others have done to eliminate these? 

RELEVANCY SCORE 114.8

Hello,
I came across an unusual pass-the-ticket ATA alert. Please take a look below:
Time (UTC)                 Source Ip Address   Source Computer   Source Computer Resolution Method   Destination Ip Address
06.10.2017 20:01:58,538    10.***.**.**1       LT******1         Netbios, RpcNtlm, Hint, Cached      10.***.***.*3
06.10.2017 20:05:29,289    10.***.**.**1       LT******1         Netbios, RpcNtlm, Hint, Cached      10.***.***.*3
06.10.2017 20:45:52,151    10.***.**.**2       LT******2         Dns, Cached                         10.***.***.*3
06.10.2017 20:45:52,615    10.***.**.**2       LT******2         Dns, Cached                         ...

RELEVANCY SCORE 113.6

Hi
I have just installed ATA 1.6 and using the Lightweight Gateway on all our DC's.

After I have enabled and configured event forwarding I see a lot of "Identity theft using pass-the-hash attack" alerts, and there are way too many for me to believe that we have been hacked/under attack.
Have any of you any ideas of what I might be doing wrong?

RELEVANCY SCORE 111.6

I have Microsoft ATA set up in a lab environment and it is not detecting pass the ticket and golden ticket attacks when following the playbook. It does detect enumeration and pass the hash and other anomalies.
The computers i have in the lab environment running in Proxmox VE are:
Victim-PC (Windows 7)
Admin-PC (Windows 7)
ATACenter (Server 2012)
Domain Controller (Server 2012) (lightweight gateway setup)

I also had a strange problem using Netsess tool to obtain the IP address of the NuckC user logged into the admin-pc machine. I have gone over every inch of the setup I could and did follow the directions for the playbook directly. Not sure if this had some effect on why those things were not detected. Any insight on this would be helpful.

RELEVANCY SCORE 104

Hi all,
This is a question for my own information and knowledge as I'm new to ATA.

In ATA, I understand the need for DNS Reconnaissance IP exclusions. There may be machines where legitimate DNS administrative tasks need to be performed, and you don't want these machines triggering alerts in ATA when someone runs the NSLookup command etc.

What I'm trying to get my head around is why you would want Pass-The-Ticket IP Address exclusions.  What is the scenario where you would add an IP or IP Range to be excluded from PtT alerting?

http://www.dreamension.net

RELEVANCY SCORE 102.8

I'm trying to find out what triggers a pass the ticket alert. We have a case where a user logged in with another user's credentials on a different computer over vpn at the same time that user was on campus and a pass the ticket alert was triggered. Is the alert triggered when an exact TGT with the exact hashes and exact sessions are seen on a different computer? Or is it some other trigger?
In other words: is this an indication that the other user installed malware to steal the ticket from a user's computer and then use the Kerberos ticket to log into vpn and ATA saw an exact duplicate ticket with the same hashes and sessions?
This seems very unlikely because the other user would have had to use the Kerberos ticket to log into VPN, which first communicates with a radius server (no Kerberos ticket used at this point) before it communicates with the DCs. So the other user probably had a username and password already, and if that were true, why use a stolen Kerberos ticket that will trigger alerts when one could just get a new one when logging in. It doesn't seem to make sense for this to be the case.
Or does ATA see the same username in a different subnet at the same time and assume that the ticket was stolen without verifying that the tickets are exactly the same?
Or is there some mechanism built into Kerberos that forwards copies of Kerberos tickets to the same user whe...

RELEVANCY SCORE 102

We are currently in monitor mode with ATA and have been receiving alerts since going live on Sunday 10/20. The alert says the user's hash is being passed from an unknown system to the system that is used by the owner of the hash that is being passed. I am not sure why it is identifying an unknown system and saying the system is passing a hash to the user's legitimate system.

Should we respond to alerts that are generated during the 30 day monitoring period or should they be ignored until that period is completed?

RELEVANCY SCORE 102

We are getting a Pass the Hash warning for two users (only one has happened more than once) that I am pretty sure is a false positive. The message says the hash was stolen from one computer that the user logged into and was used by the same user on her desktop.

I am guessing an app is doing something weird or something but can't pinpoint it. Anything I can do to try to track it down?

Identity theft using pass-the-hash attack

Savannah ***** (*****)'s hash was stolen from one of the computers previously logged into by Savannah ****** (************) and used from DT-S*******.

RELEVANCY SCORE 102

I got a pass the hash alert but it is on a Direct Access server.
A previous pass the ticket alert asked me if the computer was a DirectAccess proxy, this alert does not.
I do not see a way to do this for this new alert.

RELEVANCY SCORE 101.6

Hi!

We are currently running ATA 1.7 and there seems to be no way to add a whole subnet to the Pass-the-Ticket Detection Exclusions. I tried the common dash notation like 127.0.0.1/24 but that doesn't work. The SAVE button doesn't become active.

RELEVANCY SCORE 101.2

I'm trying this exercise as described here :
https://social.technet.microsoft.com/Forums/security/en-US/0752bc4b-9119-4756-8a5e-9475b25dc105/simulating-suspicious-actions-in-a-lab-environment?forum=mata
but ATA doesn't detect it. But it detects DNS Reconnaissance.
Could someone help me?
Thanks in advance for your answer.

RELEVANCY SCORE 100.8

Hi,
Last week I successfully simulated "Pass the hash" in my environment using mimikatz.
However, using back the same machine, same ID, and same method, it just doesn't work now.
DNS Reconnaissance, Directory Reconnaissance, LDAP binding all can detect. 
Any idea why?
Regards,
Hau

RELEVANCY SCORE 100.8

Hey guys.
We installed ATA on a customer and started getting Pass-the-Hash alerts after configuring the port forwarding for 4776.
We're currently looking into these events. One of them, however, has lost all data regarding which user and computer was affected - the hash is still there but all other information is gone.

Is this a known issue? Is there something we can do to recover the info/prevent this from happening again?
Thank you very much in advance,

Miguel Duarte

RELEVANCY SCORE 98.4

Microsoft Advanced Threat Analytics - Pass-the-Ticket address exclusions

Hello - How can I add an IP Range?
I need to exclude the VPN IP Address Range, because we have a lot of false-positive Pass-the-Ticket Alerts when users switch IP due to VPN connection.

RELEVANCY SCORE 92.8

I'm getting the famous enter admin pass on boot (no BIOS update, laptop been off for a year (no OS atm)) and I just started trying to fix it. The error code I get is: [ 54549743 ] I hope that helps get my mobo unlocked!

A:HP-2000 Enter Admin Pass/Power on Pass at Boot

@PoetheProgrammr? Enter 41421385 Regards, DP-K

RELEVANCY SCORE 92.8

Ok so I am furious with Micro$oft now! The other day I was FORCED to change my Microsoft account after much nagging. I did so and I don't like changing logins too much. (This was a week ago.)
Now for some random reason on earth without my permission my Windows login also changed login passwords to the Microsoft account. I DON'T WANT THAT! That password is too long and complicated for someone who locks his computer every 5 minutes or so. Why did this just kick in now? I changed M$ account pass over a week ago and today it decides to change Windows login?! Can I change JUST my local Windows login separate from Microsoft login?
If I try to change pass from settings it goes online and says you can't use password that has been used before.

A:Can i change windows login pass without changing microsoft pass too?

Don't go for a password. Use the PIN option. That's just what you need and it's really a great thing as well.

RELEVANCY SCORE 90

I have a HP TouchSmart 610-1000. I forgot my power on password. I need some help to get on my computer.

A:i have a touchsmart 610-1000 cant get pass the power on pass...

Hi, Attach the completed model number, for example 610-1031f. How Do I Find My Model Number or Product Number?

RELEVANCY SCORE 86.8

Hello everyone! Can you help me with a (hopefully) simple problem?
I have a Access 2003 SQL Pass-thru query that I need to prompt the user for Begin Date and End date, then put these values in the query. I read the Help, but I still don't understand HOW!
Questions: (BTW, this query is being generated from the Switchboard)
1. How do I prompt the user for the dates in Access? I can't use parameters and I don't understand how to use a prompt other than that.
2. How do I get those user responses into the query below
3. How do I write the querydef?

The SQL query is attached

Thanks!
Emil
 

A:Prompt&Pass value to pass-thru query

RELEVANCY SCORE 84

Most, if not all of the time, I'm logged into Win7 as a standard user. If I need to run a program as an Admin, I right click on the program and choose "run as administrator". I'm not getting prompted for the password, which is denying programs from installing even after rebooting.

A:Denied Admin Account Pass ?

Try the RUNAS cmd.

Eg.

Code:
runas /user:AdminAccount c:\windows\system32\notepad.exe
Make sure you replace AdminAccount with the correct administrator account name.
You will be prompted for a password, so type it in and press Enter.

RELEVANCY SCORE 84

I have recently run into an issue that is probably not too uncommon but I am having issues with. I currently forgot my password for my admin account on my laptop that runs on Windows Vista. I have looked up ways to bypass this issue and have run into some issues along the way, so first I looked up a password rescuer online but figured that I would have a hard time running it because my pass is more than 14 characters long. I also tried to run a system restore on it for an earlier time before I changed the password that I have currently forgot, but an error keeps coming up due to a corrupted file on my C drive. All I want to do is gain access to my admin account so I can back up the files that are precious to me so I can run a factory restore on my computer then have it running clean again. Anyhow, I looked online for some other ideas and I'm currently reading and looking into ways to bypass the admin account by using a sticky keys trick the Windows Vista password or offline enabling the built in admin account on Vista. The trouble that I am having is that I made it to where my files were viewable and accessible only through the admin account, does that mean they are encrypted? Also would doing these tricks possibly delete my files or make them inaccessible? I also don't have a Vista or Windows setup DVD; could I possibly do anything to bypass the admin account to keep my files, without the DVD? Thank you so much, I know I'm in one heck of a pickle. Any help is very appreciated.

A:forgotten pass in admin account

You can download the The Ultimate Boot CD and use the password changing utility that comes with it. Also by default the Administrator Password on Windows Vista and 7 is disabled.

RELEVANCY SCORE 83.2

OK here is the problem I am looking to solve. I have a Compaq Presario F700 with Vista prem, in here. The laptop will not boot at all. I am supposed to transfer the "My Documents" folder over to a DVD. I have slaved the hard drive to another computer so I can access and pull the contents of "My Documents" over to it and burn it to a DVD. Problem is that the user has a password. That means the "My Documents" is passworded. I start to access the My Documents folder and I get an error saying the file is not accessible. Here lies the problem. If I am not able to boot into the laptop so I can enter the password then how can I access these files to pull for here.

Thanks
 

A:Getting pass a slaved vista account for the files.

Hi, I am sorry but we cannot help with this type of issue. Please read the forum rules:
Passwords - Please do not ask for assistance with forgotten passwords and/or bypassing them. As there is no way to verify the actual situation and/or intentions, no assistance will be provided and any such threads will be closed.
Ask the user.
 

RELEVANCY SCORE 83.2

Pretty self explanatory, also it has to run on AC power because the battery stopped accepting charge. (I'll try to fix that later) Please help? I have so much important stuff and documents on there. PLEASE!? Free preferred of course, no job ATM.
 

A:I lost my only account admin pass on computer!!

It sounds to me like what you're asking for is access to a password-protected user account.

Since we can determine actual intent, TSG rules prevent me from helping you.
Passwords - Please do not ask for assistance with forgotten passwords and/or bypassing them. As there is no way to verify the actual situation and/or intentions, no assistance will be provided and any such threads will be closed.

I've asked for this thread to be closed.
 

RELEVANCY SCORE 82.4

Hi all

I need help for my broken XP. My XP is broken and I am trying to get my documents from password protected account. I took out my hard disk, hoping that I could enter my password to get the files, but it shows only empty folder. Then I installed XP-Pro on my D disk, hoping that I can access MyDoc on C, but it was also impossible. Now I am trying to install XP on C without formatting C. But the boot CD that I got from internet doesn't work. The original boot CD formats everything on C, so I am using this boot CD from internet. So I decided to format D to have the internet boot CD work. But XP on D says I can't format D as long as I use D. I opened DOS on Windows XP to format D, but this DOS is working within XP, which prevents me formatting D. I also used the Computer Management to format my D disk, but it shows D is Boot, and C is System disk...

Is there any way that I can format my D?
Or is there any way that I can get my documents from password protected account? I already tried CD version of Windows and password deleting program...
 

A:Open pass-protected account or formating windows XP

Hi

You need to reset the permissions on the drive in order to access it from another XP install.

To do this follow this guide here.

Any other questions let us know

Regards
 

RELEVANCY SCORE 82

I removed Simple pass and validity software, and I am still required to enter the master password that SimplePass asked me to set up. I uninstalled all drivers and software, and removed all remnants from registry, and I am still required to enter the password at login. I have done the netplwiz thing, and BIOS says password is clear, so how do I remove this password requirement that I didn't have before I installed SimplePass?

RELEVANCY SCORE 81.6

Hello everybody,

As you can read in the title, here are the 3 symptoms:

-Diagnostics from the BIOS: EVERY tests passed.
-When I try to start at the usual way my laptop: Black screen with blinking cursor.
-When I boot on a XP CD in order to format the hard disk, it says that the hard disk isn't detected.

My 2.5" HDD is: HM250JI. Spinpoint M5 capacity : 250 GB interface : Serial ATA 1.5 Gbps buffer memory : 8 MB

My laptop is: HP Pavilion DV9530eb

-Is the hard disk broken?
-I really don't understand how it is possible for the BIOS to test the hard disk if it is not recognized, not detected when I boot from my XP CD.
-I also really don't understand why the test says that everything is OK.

I know there's a problem with the hard disk because I put it in a hdd enclosure (in fact, 2 different) with new PCs and New Laptops and there was no way to access it.
(on the hard disk, there is VISTA .. and this is not a new hard disk, everything worked during 8 months)

Thank you very much and sorry about my bad English.
 

A:Diagnostics pass, hard disk no detected, blinking cursor: broken hdd?

RELEVANCY SCORE 78.8

Hello there,

Sorry for my English...

I'm playing a web base game "ms.voomga.com", I spent around $20.000 only for this game.. I know it sounds crazy.. but I like this game.. and finally something went wrong when I play the game.. got disconnected so many times, especially the right moment..

The next day, my password bank account was changed.. luckily no credit card .. email + facebook + all related to that game was doomed.

And finally someone using my game account in purpose.. and I asked the moderator that game.. he told me someone using my account from 8 different places.. some of my item lost...

So I start using another clean PC... and it happens again.. until I broke 3 PC.. now I'm using a notebook with so many programs running, for example Spybot Destroy + Norton Anti Virus $68 + Hitman Pro + bla bla bla (all protection from Bleeping Computer I use it) ..

Hopefully, someone can help me.. I know the time is not good for quick reply because right now 22:31 pm (Indonesia)...

Please help from the master...

Sincerely Rudy herlambang
 

A:Web Based Game gimme zero rootkit - google redirect - bank account pass stolen

Hi there, my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.
-First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
-Perform everything in the correct order. Sometimes one step requires the previous one.
-If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
-Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
-Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
-If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
-Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
-My first language is not English. So please do not use slang or idioms. It could be hard for me to read.

Thanks for your understanding.

Scan with Malwarebytes Anti-Rootkit
Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.
Be sure to print out and follow the instructions provided on that same page.
Caution: This is a beta versio...

RELEVANCY SCORE 66.8

Team,
We had an alert on Win SERVER for Kerberos golden ticket activity, which says ticket usage was over a period of 13 hours which exceeded allowed maximum of 10 hours.
Need help to evaluate this alert.

Checked with AD team they confirmed no change in Group Policy has been made.
Now next where else we need to check for investigation for this alert.

RELEVANCY SCORE 64.4

I had purchased Windows 2010 and XP Pro as w many other programs. PAID 4 them with my earned dollar! n my pass keys do not work! I have paid good money, a lot of money, on many of their programs! Why can't I have a pass key that's allowed to work since mine doesn't??!!??
Both times I've called Microsoft, all they want to do is sell me another program. My pass keys should work if I purchased them with my money!!

A:pass key

We are not agents for Microsoft...and we are not obligated nor legally capable of answering questions regarding MS policies.
 
If you have a computer problem which deals with Windows XP...and you want someone here to try to assist you...please post some details of the problem, rather than comments regarding items relating solely to Microsoft and conduct of Microsoft business.
 
Louis

RELEVANCY SCORE 64.4

Hi,
I am having difficulty enabling VPN pass-through on my DFL-800 router. I'm not very familiar with some of the technical terms such as IPSec, PPTP, and L2TP and what they actually do. My previous router, a Linksys RV082, had no problems. There was one option to disable or enable VPN pass-through and everything was simple. I have set up a VPN connection on my Windows XP and Vista and off I went. I could connect to my work network by supplying the host name www.mycompany.com and my login credentials.

When I replaced my routers and tried to connect, the Windows connection hangs on Authenticating User Name and Password, and then fails saying that it could not connect to a network.
Obviously my router blocks some communications.

Could you please let me know how to set up this D-Link router, as I am running out of ideas.
There are too many settings in this box to play with and I'm not really sure what to touch, how, and what not to.

I have tried to play with IpRules, trying to create some and enable IPSec, PPTP, and L2TP one at a time, but none of those attempts was successful.

I'm a little pissed off at myself at this moment that I have to use my old Linksys because I can't figure out how this new box works.

Please help!!!

Cheers:

CC
 

RELEVANCY SCORE 64.4

Hi
I'm not sure if this is the right place to post this, but I need to install some programs for my use and the administrator has placed UAC on everything I try to install. It's not the typical UAC but the one where you have to type a password before it lets you click yes. I can't seem to do anything, like task scheduler, msconfig etc.

How do I get past this?

A:Getting Pass W7 UAC

Sorry, but you don't. You will need your network administrator.

RELEVANCY SCORE 64.4

Hi,
I've got a problem I'm hoping someone can help me with.

I've got a Belkin F5D8231-4 v2 N1 Wireless Router and a D-Link DSL-504G 4 Port Modem which I am trying to set up a VPN connection through.
I'm using the built-in VPN server in Windows XP Professional SP2. I can connect to the VPN internally but not externally. When trying to connect externally, the client freezes up on "verifying username and password", but I don't think it's even getting as far as connecting to the server.
I've opened up the ports in the firewall, and have forwarded port 1723 on TCP to the server's internal static IP address. The modem itself is running in Bridge mode to the router, so I'm assuming that I don't have to open any ports or anything on that for it to work. I have contacted Belkin, who assure me that a VPN can be established through that router, and weren't able to offer me much assistance.

What I've got set up is this:
modem (192.168.2.253) ---> Router (192.168.2.254) - - - - (wireless) - -> VPN Server (192.168.2.2)

I haven't actually been able to find anything that suggests that the clients are even getting through the modem and router to the server.. Any suggestions?
 

A:VPN Pass-Through

RELEVANCY SCORE 64.4

Hello,

I'm working on a Dell Latitude E6400 laptop and I need to do some work from home.
However, my new modem is not allowing my jobsite's VPN to pass through so I can connect to it. How do I connect??
 

A:allow vpn to pass thru

My wireless connection is excellent, by the way.
 

RELEVANCY SCORE 64

I am trying to use HP Simple Pass on my new laptop and the instructions say that I should just navigate to a desired website and enter my logon and password and Simple Pass will remember it... This is not working. There has not been any "pop-up" that asks if I want Simple Pass to remember my information when I go to any website. Do I need to change a setting somewhere to permit Simple Pass to ask when I navigate to a desired website? Any help is appreciated.

A:HP simple pass

Hello jennshp,

Welcome to the HP Forums! I understand Simplepass is not working properly. I will do my best to help, but I first require the following information:

1. The computer's model number. If you require assistance locating this information, please reference this website: Guide to finding your notebook product number
2. The computer's operating system. If you require assistance locating this information, please reference this website to determine your Windows operating system.
3. What version of Simplepass are you using?
4. Have you installed any new software or drivers on this computer, before the issue appeared?

Thanks, and have a great day!
Mario




I worked on behalf of HP.
