The proxy setting will show up - and can be removed with 2 clicks - in a HijackThis report. While Trend Micro bought it and supposedly has changed something (not sure what...) HJT remains a useful tool for anyone combating malware and ransomware.

The Firefox extension AC replied about will show up in a log from ComboFix though CFX won't remove the proxy by itself at this point -- perusing a ComboFix log features loads of information about a system and its infections.

"By morning Ira figured out a solution. Selenium may be a poison to the nitrogen-based aliens as arsenic is to carbon-based life-forms, based on their similar positions in relation to each other on the periodic table. Ira's two worst students, Deke and Danny Donald, reveal that selenium is the active ingredient in Head & Shoulders dandruff shampoo."

- Evolution, the movie :)

NSE isn't actually domain specific, it's the tried, tested, and fast Lua (with extensions to make it fit with the Nmap scanner). You get the speed of Nmap to find hosts/ports plus the NSE scripts backing it up to do deeper probes.

Wireshark, Snort, Nmap, and plenty of other tools use Lua for scripting, so it's a valuable language to learn. I recommend it!

This is a really good point. The city of Madison, Wisconsin has a ridiculous team called TEST - Traffic Enforcement Safety Team. Funded with tax dollars from the police department's Field Operations budget, when TEST lays a speed trap, it means they sit one officer in an inconspicuous lawn chair at the end of a straightaway where speeding is common. This officer has a radio and a laser speed measuring device.

They then hide as many as SEVEN squad cars around the corner, completely out of sight. Usually one or two are higher-ranking undercover cars; in Madison, these are usually driven by police sergeants. The lawn chair officer proceeds to laser every car and radios in any going as few as 7-8 miles per hour over the speed limit, where a regular squad pulls out behind that person and pulls them over just around the bend or on a subsequent block so the traffic stop isn't visible to drivers on the straightaway.

This coupled with Madison's artificially low speed limits in many of these places makes for an easy revenue stream, but it can't possibly be a net positive, especially if some of these tickets are fought in court (like the 8mph ones -- hard to argue that 8mph over the already-low limit through a CEMETERY is particularly unsafe.) The court costs, plus officer salaries, plus the fact that while those squads are waiting for speeders the officers and their equipment are not doing productive things like combating the city's growing gang problem can't possibly make the whole thing a useful endeavor. Just one more reason I'm moving elsewhere...

I'm sure it doesn't help that the plants that are resistant to roundup will cross-pollinate with the weeds that are supposed to be killed with roundup, thereby making everything resistant. I remember people saying a long time ago that this would happen, and here we are!

Fox11 News in Milwaukee has a dramatic video of the meteor taken looking slightly north of west in downtown Milwaukee, WI.

Any idea where it actually landed? DID it actually land -- or just burn up in the atmosphere?

Haha, I hadn't even thought of that!

I originally wrote it as a single page, but 60 images + that much text was too much, so I broke it into 4 pages. For what it's worth, I don't have any ads or anything so it's not like I'm profiting from it.

Yeah, the simple xor 'encryption' is pretty oldschool. I can't believe I didn't notice that right away myself. I didn't see it till I started looking at the send/recv functions.

As to the CLSID, good thought, but no -- the CLSID isn't a real CLSID, it's just a way of identifying its own commands. Basically, it's a list of if(!strcmpi(command, "clsid1")) { do_this() } elseif(!strcmpi(command, "clsid2")) { do_that() } etc.

It only has those 9 or so CLSID's included, and if it isn't on the list the command is simply discarded.

And for what it's worth, the initial "'\x00\x00\x00" that you're seeing is a length (0x27 = the length of the CLSID = ').

I spent the morning reverse engineering the Trojan and wrote an Nmap script to detect if a remote system is infected. Hope it helps out: http://www.skullsecurity.org/blog/?p=563.

Ron

CmdrTaco spends $9000 on penis pills but he still has a baby penis.