Whistler is connecting to the net without you knowing! idwlog (Update:Log File)

Wik

This thing is in build 2428 start menu. It connects to a server somewhere and does who knows what. Anyone have a clue what this is?

idwlog.exe

EDIT: I added part of the log file it creates about 13 posts down!
 

Wik

Ok I watched my net traffic meter on freesco to see what my Whistler 2428 install would try to connect to on start up. It went to this IP address. 239.255.255.250

I did a whois and turned up this...

University of Southern California
Information Sciences Institute
4676 Admiralty Way
Marina Del Ray, CA 90292-6695
310-833-9358

Why is Whistler connecting to them?
 

GT1999

Wow, that certainly is a bit scary. :Q About the whois, it could just be a glitch in DNS - odd DNS behavior is actually very common.

G|T
 

Wik

Now I did the workarounds to stop it from that. This I have no idea what the heck it is doing. I just took the idwlog out of the start menu and it does not do it now.
 

NOX

You're scaring the kids. (j/k)

Then again I don't blame them.
 

Quaggoth

Well, that pretty much settles it. As soon as I get my DSL connection working with Linux, Windoze is permatoast.
 

Wik

I can't find what port it was using. I wrote it down but I think I threw it out. I used iptraf on my Freesco box to track it
 

Wik

Ok I did it again to see what it does.

UDP (147 bytes) from 192.168.0.2:1029 to 239.255.255.250:1900

It does this like 3 times at startup.

Note that the 192.168.0.2 machine is my computer behind my Freesco router.

Weird stuff, I don't know about you guys but I don't care for my computer sending 147 bytes out to the internet during startup.
 

PG

I have a friend who got a not so legal copy of Whistler a while ago. I just went and told him about this to warn him, but he said the copy he downloaded was already hacked to prevent Whistler from sending any info out to the net.
I guess someone will find a way around anything if you give them enough time.
 

igiveup

Somebody explain how a computer can send a message to an address that is a broadcast on two of the octets? 239.255.255.250 is not a valid IP. Am I way off on this? Last I remember you can't use 255 because it is a broadcast octet. The 239 is valid, but the 255.255 would just broadcast. Why would you even use 250 at the end? You can't route that IP to a specific machine with those 255's in there. Open to suggestions.
 

Damaged

Nothing wrong with that as an IP address. I'm more bothered by the fact that it exists in Class D space (Reserved for IP multicast).
 
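The two posts above argue about whether 239.255.255.250 is a legal destination. As an added example (not code from the thread), the script below parses an iptraf-style line like the one Wik quoted, classifies the destination by its IPv4 scope (unicast, broadcast, link-local / administratively scoped / global multicast) and recognises 239.255.255.250:1900 as the SSDP (UPnP discovery) group. The sample line is constructed in the same format as the quoted one.

```python
import ipaddress
import re

# Constructed sample in the iptraf format quoted in the thread (not a real capture).
SAMPLE_LINE = "UDP (147 bytes) from 192.168.0.2:1029 to 239.255.255.250:1900"

LINE_RE = re.compile(
    r"^(?P<proto>\w+) \((?P<size>\d+) bytes\) from (?P<src>[\d.]+):(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Well-known multicast group/port pairs worth recognising during triage.
KNOWN_GROUPS = {
    ("239.255.255.250", 1900): "SSDP (UPnP device discovery)",
    ("224.0.0.251", 5353): "mDNS",
}

def parse_iptraf_line(line):
    """Parse one 'PROTO (N bytes) from A:p to B:q' line; return a dict or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("size", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def classify_destination(addr):
    """Classify an IPv4 destination address by its routing scope."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if not ip.is_multicast:                     # outside 224.0.0.0/4 (class D)
        return "unicast"
    if ip in ipaddress.ip_network("224.0.0.0/24"):
        return "multicast/link-local"            # never forwarded by routers
    if ip in ipaddress.ip_network("239.0.0.0/8"):
        return "multicast/admin-scoped"          # RFC 2365: stays inside the site
    return "multicast/global"

def triage(line):
    """Attach scope and service hints so a reviewer can see what the packet was."""
    rec = parse_iptraf_line(line)
    if rec is None:
        return None
    rec["dst_scope"] = classify_destination(rec["dst"])
    rec["service"] = KNOWN_GROUPS.get((rec["dst"], rec["dport"]), "unknown")
    # Only unicast to a public address or globally scoped multicast can leave the site.
    dst = ipaddress.ip_address(rec["dst"])
    rec["can_reach_internet"] = (
        rec["dst_scope"] == "multicast/global"
        or (rec["dst_scope"] == "unicast" and dst.is_global)
    )
    return rec

if __name__ == "__main__":
    print(triage(SAMPLE_LINE))
```

For the quoted packet the result is an administratively scoped multicast group on the SSDP port, which a border router does not forward onto the Internet.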

Wik

There is a log file for this program also and this is just a part of it.


Started on 02/20/01 21:25:21]

[Tue Feb 20 21:25:21 2001]

STARTED -- [IDWLOG: Stage2 - Service]

[Tue Feb 20 21:25:21 2001]
This is for winver Windows 2000.

[Tue Feb 20 21:25:21 2001]
Getting Displays Info.

[Tue Feb 20 21:25:21 2001]
Getting Build, Delta, Build lab for local system.

[Tue Feb 20 21:25:21 2001]
First look for imagehlp.dll in C:\WINDOWS\System32\imagehlp.dll.

[Tue Feb 20 21:25:21 2001]
Inserting into struct Build, Delta, Build lab for the local system.

[Tue Feb 20 21:25:21 2001]
Success in retrieving build, delta, location.

[Tue Feb 20 21:25:21 2001]
Succeded in getting build, build delta, VBL location. Build 2428 Delta 1.

[Tue Feb 20 21:25:21 2001]
Identified OS version as Windows 2000

[Tue Feb 20 21:25:21 2001]
Getting Build, Delta, Build lab for the installing files.

[Tue Feb 20 21:25:21 2001]
Getting Installing file location as C:\WINDOWS\System32.

[Tue Feb 20 21:25:21 2001]
First look for imagehlp.dll in C:\WINDOWS\System32\imagehlp.dll.

[Tue Feb 20 21:25:21 2001]
Inserting into struct Build, Delta, Build lab for the installing files.

[Tue Feb 20 21:25:21 2001]
Success in retrieving build, delta, location.

[Tue Feb 20 21:25:21 2001]
Succeded in getting build, build delta, VBL location. Build 2428 Delta 1.

[Tue Feb 20 21:25:21 2001]
Loading the booleans with install data.

[Tue Feb 20 21:25:21 2001]
Getting the computer name.

[Tue Feb 20 21:25:21 2001]
Generating the Machine Id: xxxxxxxxxx.

[Tue Feb 20 21:25:21 2001]
Failed to get the UserName! Setting default Unknown.
[Tue Feb 20 21:25:21 2001]
Failed to get the Userdomain! Setting default Unknown.
[Tue Feb 20 21:25:21 2001]
Getting processor Architecture: x86.

[Tue Feb 20 21:25:21 2001]
Getting locale: ENU.

[Tue Feb 20 21:25:21 2001]
Getting System Info.

[Tue Feb 20 21:25:21 2001]
Getting Ram size.

[Tue Feb 20 21:25:21 2001]
Failed to open the Video hardware Key. Video is NULL.
[Tue Feb 20 21:25:21 2001]
Getting Video Info.

[Tue Feb 20 21:25:21 2001]
Geting Sound Info.

[Tue Feb 20 21:25:22 2001]
Getting Network scsi modem pnp Info.

[Tue Feb 20 21:25:22 2001]
Getting Hydra Info.

[Tue Feb 20 21:25:22 2001]
Reading the username and userdomain from the cookie

[Tue Feb 20 21:25:22 2001]
Could not find the Cookie file!! Err: 3

[Tue Feb 20 21:25:22 2001]
Getting Build, Delta, Build lab for local system.

[Tue Feb 20 21:25:22 2001]
First look for imagehlp.dll in C:\WINDOWS\System32\imagehlp.dll.

[Tue Feb 20 21:25:22 2001]
Inserting into struct Build, Delta, Build lab for the local system.

[Tue Feb 20 21:25:22 2001]
Success in retrieving build, delta, location.

[Tue Feb 20 21:25:22 2001]
This is a CD Boot Install logging as such.

[Tue Feb 20 21:25:22 2001]
SERVER Attempt 0: No server online. Probing servers.

[Tue Feb 20 21:25:22 2001]
ServerOnlineTest: Making connection to the server \\pnptriage\idwlogWHSTL.

[Tue Feb 20 21:25:23 2001]
Error 1231: The network location cannot be reached. For information about network troubleshooting, see Windows Help.

[Tue Feb 20 21:25:23 2001]
WNetAddConnection2 FAILED using id pnptriage\idwuser pwd idwuser on \\pnptriage\idwlogWHSTL.
Trying a file write as a last resort.

[Tue Feb 20 21:25:23 2001]
FAILED: ServerOnlineThread failed to call createfile.

[Tue Feb 20 21:25:23 2001]
ServerOnlineTest: Server connection failed.
 
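Added example, not code from the thread: a small parser for the idwlog format quoted above. It groups the log into timestamped entries, lists the UNC shares the service tried to reach and the Win32 error codes it hit, and flags entries where a credential was written into the log (recording the account name, never the password). The excerpt it runs on is constructed in that format, with the password field replaced by a placeholder.

```python
import re

# Constructed excerpt in the format of the idwlog output quoted above; the password
# field is a placeholder, not the value from the post.
SAMPLE_LOG = r"""[Tue Feb 20 21:25:22 2001]
ServerOnlineTest: Making connection to the server \\pnptriage\idwlogWHSTL.

[Tue Feb 20 21:25:23 2001]
Error 1231: The network location cannot be reached. For information about network troubleshooting, see Windows Help.

[Tue Feb 20 21:25:23 2001]
WNetAddConnection2 FAILED using id pnptriage\idwuser pwd PLACEHOLDER on \\pnptriage\idwlogWHSTL.
Trying a file write as a last resort.
"""

STAMP_RE = re.compile(r"^\[(\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})\]$")
ERROR_RE = re.compile(r"\bError (\d+):")
UNC_RE = re.compile(r"\\\\[\w$-]+\\[\w$-]+")          # \\server\share
CRED_RE = re.compile(r"using id (\S+) pwd (\S+)", re.IGNORECASE)

def parse_entries(text):
    """Group the log into (timestamp, message) pairs; a message may span lines."""
    entries, stamp, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAMP_RE.match(line)
        if m:
            if stamp is not None:
                entries.append((stamp, " ".join(buf)))
            stamp, buf = m.group(1), []
        elif line:
            buf.append(line)
    if stamp is not None:
        entries.append((stamp, " ".join(buf)))
    return entries

def triage_log(text):
    """Pull out what a reviewer wants: remote targets, error codes, leaked secrets."""
    report = {"unc_targets": set(), "error_codes": [], "credential_leaks": []}
    for stamp, msg in parse_entries(text):
        report["unc_targets"].update(UNC_RE.findall(msg))
        report["error_codes"] += [int(c) for c in ERROR_RE.findall(msg)]
        for user, _pwd in CRED_RE.findall(msg):
            # Record that a password was written to disk, but never the password itself.
            report["credential_leaks"].append({"time": stamp, "user": user})
    return report

if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG))
```

The credential_leaks entry is the reason a log like this deserves care before it is posted: the service writes the account and password it connects with into a plain file on the root of the drive.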

Panther505

Looking at the log that you posted I think that you are seeing the way that M$ is going to generate the hardware key associated with the activation code. It is looking to see what hardware you have and logging it. Then it is looking for a UNC server on the local network to log on to (i.e. \\...). It has a username and pass to the server (domain logon). Looking at the info in the log file I would guess several things.

#1 This is not a public build and Probably comes from the PnP lab.

#2 This is an IDW build - IDW being- Internal Developers Workstation (I think) Build (also called Dog Food). That means that at MS this is a required build on the Internal Developers Workstations.

#3 You probably should not have posted the Log. With MS giving specific builds to specific sites this may be a flag.

Last- The majority of 1, 2 & 3 are not excessive speculation. I work with the MS Beta Material on a fairly consistent basis and know that #1 and #2 are fact (with the exception of the true meaning of IDW right now as I am not 100% sure). #3 is conjecture but I do know that MS is giving specific info to Beta Sites to see who is leaking- be careful if you are running this build as you could get yourself into "issues"
 

Wik

Well I noticed that the servers it was trying to locate were \\ instead of // so that is why when I first saw this exe in the start-up I was not too worried. But after watching the iptraf on my Freesco box I saw the connection to the 239.255.255.250 and was very confused. I edited the generated machine ID but will leave the rest up for now. I am just curious to know what this is.
 

Panther505

I will talk to someone at work and see if they are seeing the same thing. Where was the log file? I may load it and see what it does on the firewall at work.
 

Train

This isn't anything new guys.

Win2k does this too, on every boot up a single packet flies off to Redmond, WA

A lot of Flavors of Linux even do it.

It's mostly for customer research. I have never heard of any bootleg copies of Win2k being prosecuted, even though they all send data home.
 

Wik

Well a shortcut to the idwlog.exe was in the startup. The log files are on the root.
 

Panther505

How does W2K do it? I haven't seen a service or app run to tattletale since about Beta3. During B3 we kept it off the network because of the traffic that it generated due to the TT app. MS removed it at RC1. I would be interested in a logfile or capture of the packets that a W2K system sends to Redmond on boot as I have not seen it on the closely monitored home network that I have.


Let me know as I am VERY interested

Wik- Thanks I will check at work on the morrow
 

Wik

I have had Win2K since RC2 and I don't remember seeing anything like this.
 

Panther505

Like I said I only saw it on Beta3. I would like to see a packet capture or the application/service that does this in W2K as I know that it would interest my Net Admin. Might explain his network congestion issue in the AM (NOT!)

Wik- I will look around and see what I can find that I can tell you. If it is what I think it is I will probably have to bow out of the discussion at that point due to NDA issues
 

Wik

I might look up one of my old Win2K RC cds to see what it does. I might have tossed it long ago though.