A computer components & hardware forum. HardwareBanter

The Biggest Mistake in Windows 7 and such, Task manager does not focus on harddisk performance !



 
 
  #11  
Old March 4th 18, 05:24 AM posted to alt.comp.hardware.pc-homebuilt
[email protected]
external usenet poster
 
Posts: 533

I can confirm the new version of procmon 12/feb/2018 does work on my windows 7 system even when extracted.

So no it's not some kind of winrar system security bug or so

Was getting a bit worried there ! LOL

v3.50 it says (procmon).

Bye,
Skybuck.
  #12  
Old March 4th 18, 05:32 AM posted to alt.comp.hardware.pc-homebuilt
[email protected]
external usenet poster
 
Posts: 533

Wow this tool has already proven useful.

Apparently FireFox is infected with some kind of relic entertainment spy software.

It's sending small little infos to reliclive.quazal.net.

Not yet sure why.. might be facebook spyware/malware/adware related... or some kind of port scanner... weird.

Will try to figure out what this is... if I don't succeed will post screenshot later on.

Bye,
Skybuck.
  #13  
Old March 4th 18, 05:37 AM posted to alt.comp.hardware.pc-homebuilt
[email protected]
external usenet poster
 
Posts: 533

A quick check of firefox add-ons turns up nothing... kinda stupid idea anyway to allow "add-on" for something as important/privacy vulnerable/targetable as webbrowser.

Anyway for what it's worth here is screenshot of sneak relic behaviour:

http://www.skybuck.org/WeirdStuff.jpg

Weird or what ?

Bye,
Skybuck
  #14  
Old March 4th 18, 05:39 AM posted to alt.comp.hardware.pc-homebuilt
[email protected]
external usenet poster
 
Posts: 533

There is some weird **** on the firefox command line when it is started according to procmon, very weird:

"
"C:\Tools\Firefox\version 35.0.1\firefox.exe" -contentproc --channel="1568.0.221971136\1769260587" -childID 1 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53 :400|54:1|55:0|56:0|61:0|62:120|63:120|99:2|100:1| 115:5000|125:0|127:0|138:10000|150:-1|158:24|159:32768|161:0|162:0|170:5|174:1048576|1 75:100|176:5000|178:600|180:1|188:20|191:4|195:0|2 04:60000| -boolPrefs 1:0|2:0|4:0|26:1|27:1|30:0|33:1|37:1|38:0|39:0|40: 0|43:1|44:1|47:0|48:0|49:0|50:0|52:0|57:1|58:1|59: 0|60:1|64:1|65:1|66:0|67:1|68:1|69:0|70:1|73:0|74: 0|77:1|78:1|82:1|83:1|84:0|85:0|86:0|88:0|89:0|90: 1|91:1|92:1|95:1|96:0|98:0|101:1|102:0|109:0|114:0 |117:1|120:1|122:1|126:0|129:1|132:1|133:1|139:1|1 40:0|141:1|143:0|149:0|151:1|152:0|153:1|156:0|157 :0|160:1|163:0|165:1|167:1|168:0|177:1|182:0|183:0 |184:0|185:1|186:0|187:0|189:1|190:1|193:0|196:0|1 97:0|198:1|199:1|200:0|201:1|202:1|203:1|205:0|206 :0|208:0|217:1|218:1|219:0|220:0|221:0| -stringPrefs "3:7;release|97:0;|142:3;1.0|154:332; *¼½¾ǃː̷̸։֊׃״؉؊٪۔܁܂܃܄ᅟ*᜵           ​‎‏‐’․ ‧

‪‫‬** ‹›⁁⁄⁒ ⅓ ⅕⅖⅗⅘⅙⅚⅛⅜⅝⅞⅟∕∶⎮╱⧶ ⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻ 。 〔〕〳*ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝ ./。*�|155:4;high|192:38; {fa95922f-3225-43da-9da5-2b44fb1ea2c1}|" -schedulerPrefs 0001,2 -greomni "C:\Tools\Firefox\version 35.0.1\omni.ja" -appomni "C:\Tools\Firefox\version 35.0.1\browser\omni.ja" -appdir "C:\Tools\Firefox\version 35.0.1\browser" 1568 "\\.\pipe\gecko-crash-server-pipe.1568" tab
"

This seems like some shell code to me ?! Maybe my firefox command line has been hacked and injected with some crap ?! Hmm interesting !

Bye,
Skybuck.
  #15  
Old March 4th 18, 05:44 AM posted to alt.comp.hardware.pc-homebuilt
[email protected]
external usenet poster
 
Posts: 533

According to this guy on this link/forum:

https://bbs.archlinux.org/viewtopic.php?id=228084

This command line starts to show up when firefox starts opening sub processes/multi tab that kind of thing.

However these guys seem unable to decode and understand it further.

My hypothesis for now is that perhaps relic found a way to take over control of firefox when visiting their facebook page... and somehow these launch parameters are injected into firefox.

Or I could be completely paranoid and this is actually "normal firefox" behaviour seems a bit dangerous though !

Bye,
Skybuk
  #16  
Old March 4th 18, 05:52 AM posted to alt.comp.hardware.pc-homebuilt
[email protected]
external usenet poster
 
Posts: 533

This is a bit suspicious not sure what this is:

http://www.skybuck.org/Suspicious.jpg

When clicking on TCP receive and going to properties and then stack.

There is this unknown frame.

What are frames in this case ? Frames on the "computing stack" ? Or does it mean tcp/ip stack ? Or some other kind of stack ? hmmm...

Seems like some kind of tcp/ip stack not sure.

Date is also weird of this unknown from 1970 ? Huh ?

Bug in windows ? Bug in tool ? Module hack ? Huh ? Hmm...

Bye,
Skybuck.
  #17  
Old March 4th 18, 06:07 AM posted to alt.comp.hardware.pc-homebuilt
Flasherly[_2_]
external usenet poster
 
Posts: 2,407

On Sat, 3 Mar 2018 20:12:51 -0800 (PST),
wrote:

LOL.


There were 2400 baud modems, Telix and beautifully colored and
creative BBS screens slowly appearing on screen. But never any stutter
once it was loading or chatting with operator !

It certainly had a distinct feel to it !

Different font, different though fixed colors and most of all totally full screen.


300BAUD. Acoustical. First used publicly from San Antonio, possibly
as well Boston's computer society. And also the Internet, although it
was Department of Defense and .not. public;. . .the academia
nevertheless leaked through it, though, probably sophomoric
undergraduates, oozing out terms like the "Information Highway", until
the DOD either had had enough or gave up and built the NSA, in Utah,
surreptitiously to better oversee them.

Video cards ran off their ROM registers in DOS, vectored and remapped
through the BIOS. Colors, intensity, synchronization rates, were
controlled and a factor of how good the monitor build, past a
ubiquitous of white-and-black, past a amber- or green-screen with
early but limited CGA emulation.

Full screen, that is, for those standards -- as well later CGA, EGA,
and various VGA modes, the last being somewhat pushed into higher
limits of S-VGA. Pixelation and MSFT, or the *nix X-Windows motif,
eventually and largely negated to eclipse with more pixels to a
monitor, (technology eventually provided by TTL logic), than any
poor-ol' tired eyeballs ought to be able to discern.

You can always tell if someone, possibly a programmer, has been
looking at computers too long: they'll be immediately identifiable,
wearing glasses with lenses as thick as the bottom of a 1950's, nickel
coke bottle.

Say hi to one for me;- Pat him on the head and kindly help lead him
around by the elbow if he needs it.
  #19  
Old March 5th 18, 09:43 AM posted to alt.comp.hardware.pc-homebuilt
[email protected]
external usenet poster
 
Posts: 533

(Couldn't post this yesterday posting this today):

I tried to block this relic dns address in hosts files on windows/system32/drivers/etc.

By copying and pasting code/advice from somebody else.

# relic coh tov
127.0.0.1 reliclive.quazal.net
127.0.0.1 cohlive.quazal.net
127.0.0.1 reliclive-1.quazel.net
127.0.0.1 reliclive.quazel.net
127.0.0.1 38.102.69.23
127.0.0.1 38.102.69.36
127.0.0.1 38.102.69.37
127.0.0.1 38.102.69.42
127.0.0.1 38.102.69.48

I think my firewall is disabled at the moment cause I slept my system and I also turn all that "junk" off for max performance in world of warships.

Now my question is kind of does hosts file still block if firewall is off ?

Or is hosts file only active/applied when firewall is on ?

I would assume hosts file is active even if firewall is on because hosts file should be used by some kind of dns resolving component of windows... but I may be wrong.

So why is this communication showing up in procmon ?!

Really weird... is this some kind of loopback behaviour ?

Also where is it coming from.

Maybe when installing company of heroes tales of valor some kind of system modification was made so windows "phones" home to relic for some kind of reason.

(I think installer of civilization 3 conquest does also something suspicious... cause windows blocks it or warns about it... but this... relic thing is somewhat of a new discovery for me )

Addition:

Either procmon is recognizing 127.0.0.1 as this dns address which seems unlikely.

Or there is something more sinister going on.

A wireshark capture may shine some more light on this so I am gonna do that next.

Bye,
Skybuck.

  #20  
Old March 5th 18, 10:37 AM posted to alt.comp.hardware.pc-homebuilt
[email protected]
external usenet poster
 
Posts: 533

Ok issue resolved.

I added this line to hosts to see what effect it would have:

127.0.0.1 testtesttest

Now procmon shows firefox is connecting to testtesttest.

According to info from the web firefox connects to itself multiple times via 127.0.0.1.

This is some odd behaviour to cope with ****ty firewalls like zone alarm and other crap from the 90's LOL.

Bye,
Skybuck =D
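
Added example (not part of any post in this thread): a small hosts-file audit in Python that separates names that really are sinkholed to loopback from lines whose "name" column is an IP literal, which never affect connections made directly to that address, and lists the names tied to 127.0.0.1 that a reverse-resolving monitor could display for loopback traffic, consistent with the `testtesttest` observation above. The sample text is constructed from entries quoted in the thread; the function names are hypothetical.

```python
import ipaddress

# Constructed sample built from entries quoted in the thread (not a full hosts file).
SAMPLE_HOSTS = """\
# relic coh tov
127.0.0.1 reliclive.quazal.net
127.0.0.1 cohlive.quazal.net
127.0.0.1 38.102.69.23
127.0.0.1 testtesttest
"""

def is_ip_literal(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hosts(text):
    """Return (address, name) pairs; comments and malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and is_ip_literal(fields[0]):
            addr = ipaddress.ip_address(fields[0])
            pairs.extend((addr, name) for name in fields[1:])
    return pairs

def audit_hosts(text):
    """Separate names that really are sinkholed from entries that do nothing."""
    report = {"sinkholed_names": [], "ip_literal_noops": []}
    for addr, name in parse_hosts(text):
        if is_ip_literal(name):
            # Connecting to a numeric address involves no name lookup,
            # so this line never redirects or blocks that traffic.
            report["ip_literal_noops"].append(name)
        elif addr.is_loopback or addr.is_unspecified:
            report["sinkholed_names"].append(name)
    return report

def names_for_address(text, address):
    """Names the hosts file ties to one address, i.e. labels a tool that
    reverse-resolves addresses could show for it (which one is resolver-specific)."""
    target = ipaddress.ip_address(address)
    return [n for a, n in parse_hosts(text) if a == target and not is_ip_literal(n)]

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
    print(names_for_address(SAMPLE_HOSTS, "127.0.0.1"))
```

Blocking the numeric addresses themselves needs a firewall rule; the hosts file only changes how names resolve.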
 




All times are GMT +1.