Solved

Unknown process flooding the network and crashing computers

Posted on 2004-10-10
Last Modified: 2008-01-09
Hi, I'm Samuel from the Netherlands. I have a serious problem that keeps returning.

From time to time an unknown process called wpconfig.exe appears in the process list when I log on. This process prevents me from logging in. When I hit Ctrl+Alt+Del and choose log off, I can log in normally. So the first login always hangs; after that it goes normally.

But on some computers the program itself starts to hang, using 100% CPU and flooding the network with TCP packets on port 445 (Microsoft file sharing). Even when I try to kill the process it is denied, and when I reboot the computer it simply comes back and continues.

But after a few days it stops. Waiting for its return: about 3 weeks later the whole story starts again.

Now here's the question: "What is wpconfig.exe, and how do I make it stop crashing and flooding packets?"

My network is divided into 3 sections which are bridged using a Linux router, which also serves as Internet gateway. One strange thing I discovered is that the packets are directed toward the gateway, which also has a firewall installed, and then simply bounced towards an unknown class C IP range like this:
192.168.0.190 => 192.168.0.1 => 192.168.145.65 = dead end.

Could it have anything to do with my firewall configuration or the bridging that's driving these weak Windows machines crazy? I have looked on the Internet for any information about wpconfig.exe and found that it is not involved in any virus case (checked at sarc.com). Also my virus scan did not find any virus on my PC. I also checked to see if it was any spyware, but Ad-Aware and Norton 2004 could not identify it as spyware nor virus. And since it is using TCP port 445 and seems to be installed on almost every PC I have here, I would think it's part of the Windows 2000 install, since even some computers which I needed to install fresh because they did not want to stop hanging already had this file on their disk.

So here's a summary:
wpconfig.exe is not a virus nor spyware or adware or malware.
wpconfig.exe seems to be standard in Windows and critical, since I can't kill it.
wpconfig.exe hangs the login process, but a second try does work.
wpconfig.exe sometimes keeps hanging and uses 100%.
wpconfig.exe then floods the network with packets towards unknown local IP addresses at TCP port 445.
wpconfig.exe seems almost like it is performing a DDoS attack at local level without a clear target.

Of course wpconfig.exe uses the Linux network router as direction because these IP addresses don't exist locally. The IP addresses are in a different range and thus the gateway is used to access them.
Probably the flood of packets is because none of the packets is reaching its destination.
I'm using fixed IP addresses in my network and there is no DHCP server present.
The network consists of 3 local switches to which the clients are connected. The switches are connected to the Linux router, which bridges the 3 switches together, making it one network where all traffic is pointed to the network router, which also connects to the Internet and is thus also an Internet gateway.
Because the network is well designed and at full 100 Mbit/s full-duplex, the floods are not causing major problems but are very annoying. The router can easily stand the load, but the traffic should not be there.

And in the worst case I have to re-install Windows to get the program to stop hanging, which it will start again in about 3 weeks. I also found that if one computer starts, others seem to follow it.

I also checked the security logs and found no evidence of a hacker in the system, also because this should be a standard Windows program and is even present again after a complete re-install.

Please help me with this problem; it has been going on for 3 months now and doesn't want to stop, even after a complete re-install of the firewall itself 35 days ago.

Question by:docey
4 Comments
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12271571
LVL 76

Expert Comment

by:David Lee
ID: 12271617
Hi, Samuel.

My first recommendation would be to discover what wpconfig.exe is and what it does. I searched two computers, one XP and one 2000, for that file and found nothing. I searched the Internet and found a few references, but nothing that seems like it'd be on a stock Windows system. So, I propose that you search one of the affected systems for the file and report back on its location. I'd also check the properties and see if there are any references to who the file is made by.
LVL 15

Accepted Solution

by:
harleyjd earned 500 total points
ID: 12272774
I had a similar one recently - it turned out to be the Korgo virus, but was not detected as it was too new. The Firewall kept falling over as there were 2000+ outbound packets on a box designed for 50 - 100, so I just blocked the outbound access to that port. That will stop the flooding in its tracks, and allow you 'net access while you track down what the actual cause is.

You can also try a manual removal: rebooting into safe mode, deleting the file and then checking the registry very carefully for things in hklm\software\microsoft\windows\run and associated folders.
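A detection check in the spirit of the advice above, added here as an example and not code from this thread: it parses constructed gateway-style log lines and flags any host fanning out on TCP/445 to many distinct addresses, which is what the flood described in the question (192.168.0.190 hammering the 192.168.145.x range through the Linux router) looks like from the gateway. The log format and thresholds are assumptions; a real iptables or Windows Firewall log would need its own parser.

```python
"""Flag hosts that spray TCP/445 connections at many distinct destinations.

Added example for this thread, not the original poster's code. Assumes a
constructed KEY=VALUE log format (timestamp, SRC, DST, PROTO, DPT).
"""
from collections import defaultdict

# Constructed sample lines modelled on the thread: 192.168.0.190 sweeps
# port 445 across an unknown 192.168.145.0/24 range via the gateway, while
# 192.168.0.12 behaves like a normal client (one file server, one web hit).
SAMPLE_LOG = """\
2004-10-10 09:00:01 SRC=192.168.0.190 DST=192.168.145.65 PROTO=TCP DPT=445
2004-10-10 09:00:01 SRC=192.168.0.190 DST=192.168.145.66 PROTO=TCP DPT=445
2004-10-10 09:00:01 SRC=192.168.0.190 DST=192.168.145.67 PROTO=TCP DPT=445
2004-10-10 09:00:02 SRC=192.168.0.190 DST=192.168.145.68 PROTO=TCP DPT=445
2004-10-10 09:00:02 SRC=192.168.0.190 DST=192.168.145.69 PROTO=TCP DPT=445
2004-10-10 09:00:02 SRC=192.168.0.190 DST=192.168.145.70 PROTO=TCP DPT=445
2004-10-10 09:00:03 SRC=192.168.0.12 DST=192.168.0.5 PROTO=TCP DPT=445
2004-10-10 09:00:03 SRC=192.168.0.12 DST=192.168.0.1 PROTO=TCP DPT=80
"""


def parse_line(line):
    """Return (src, dst, dport) from a KEY=VALUE log line, or None if the
    line lacks the fields we need (malformed or unrelated lines are skipped)."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"SRC", "DST", "DPT"}.issubset(fields):
        return None
    return fields["SRC"], fields["DST"], int(fields["DPT"])


def find_smb_sprayers(log_text, port=445, min_targets=5):
    """Map each source to the distinct hosts it contacted on `port` and return
    the sources whose fan-out reaches `min_targets`. A worm hunting for SMB
    shares touches many addresses; a client talking to its file server touches
    one or two, so distinct-destination count separates the two cases."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == port:
            targets[rec[0]].add(rec[1])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_smb_sprayers(SAMPLE_LOG).items():
        print(f"{src} hit {len(dsts)} hosts on tcp/445: {dsts[0]} .. {dsts[-1]}")
```

Run it against your gateway's log after blocking outbound 445 as suggested: the flagged source is the machine to pull off the network and clean first.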

Author Comment

by:docey
ID: 12532883
harleyjd was right.

It was a virus and seems to have been included in the Norton virus updates about 6 months ago.
It seems to be so fast spreading that almost as soon as Windows was installed the virus infected the computer, before I could update my virus definitions from Norton stock to now.

I still don't know why Norton would not find it, even after searching the whole disk 5 times in a row. It kept well hidden while Norton was right on top of it. With the virus updates a few weeks ago it suddenly was detected as a virus which was known at SARC for more than 6 months. Guess it did not get included in the virus definitions or conflicted with another virus in those definitions.

It did not cause any major problems on the network but did disable a complete computer for about 5 days. Lucky I have more than one computer here.

So harleyjd gets the points since he was the closest, and I must say that from the beginning I already suspected it was a virus and had my doubts about Norton's findings. I also most likely found how it got into my network. About 1 month before it started I had a LAN party at my house, and most people could not bring their own computer except for one. So if it did not come from the Internet, and it does not, because this virus tries to spread on local area networks according to the SARC website,

thus it must have been included in a computer joining the network at my LAN party. I find it strange but logical that Norton did not find it: the number of viruses is almost running into 6-digit numbers. So no offense to Norton, but I expect more of these cases in the near future.

Greetings from Holland,
 Docey


FREE YOUR MIND, SPEAK YOUR MIND
