Solved

Unknown process flooding the network and crashing computers

Posted on 2004-10-10
915 Views
Last Modified: 2008-01-09
Hi, I'm Samuel from the Netherlands. I've got a serious problem that keeps returning.

From time to time an unknown process called wpconfig.exe appears in the process list when I log on. This process prevents me from logging in. When I hit Ctrl+Alt+Del and choose Log Off, I can log in normally. So the first login always hangs; after that it goes normally.

But on some computers the program itself starts to hang, using 100% CPU and flooding the network with TCP packets on port 445 (Microsoft file sharing). Even when I try to kill the process it's denied, and when I reboot the computer it simply comes back and continues.

But after a few days it stops. Waiting for its return... about 3 weeks later the whole story starts again.

Now here's the question: "What is wpconfig.exe, and how do I make it stop crashing and flooding packets?"

My network is divided into 3 sections which are bridged using a Linux router which also serves as the internet gateway. One strange thing I discovered is that the packets are directed toward the gateway, which also has a firewall installed, and then simply bounced towards an unknown class C IP range like this:
192.168.0.190 => 192.168.0.1 => 192.168.145.65 = dead end.

Could it have anything to do with my firewall configuration or the bridging that's driving these weak Windows machines crazy? I have looked on the internet for any information about wpconfig.exe and found that it is not involved in any virus case (checked at sarc.com). Also my virus scan did not find any virus on my PC. I also checked to see if it was any spyware, but Ad-Aware and Norton 2004 could not identify it as spyware nor virus. And since it is using TCP port 445 and seems to be installed on almost every PC I've got here, I would think it's part of the Windows 2000 install, since even some computers which I needed to install fresh because they did not want to stop hanging already had this file on their disk.

So here's a summary:
wpconfig.exe is not a virus, nor spyware, adware or malware.
wpconfig.exe seems to be standard in Windows and critical, since I can't kill it.
wpconfig.exe hangs the login process, but a second try does work.
wpconfig.exe sometimes keeps hanging and uses 100% CPU.
wpconfig.exe then floods the network with packets towards an unknown local IP address at TCP port 445.
wpconfig.exe seems almost like it is performing a DDoS attack at local level without a clear target.

Of course wpconfig.exe uses the Linux network router as its direction because these IP addresses don't exist locally. The IP addresses are in a different range and thus the gateway is used to access them.
Probably the flood of packets is because none of the packets is reaching its destination.
I'm using fixed IP addresses in my network and there is no DHCP server present.
The network consists of 3 local switches to which the clients are connected. The switches are connected to the Linux router, which bridges the 3 switches together, making it one network where all traffic is pointed to the network router, which also connects to the internet and is thus also an internet gateway.
Because the network is well designed and at full 100 Mbit/s full-duplex, the floods are not causing major problems but are very annoying. The router can easily stand the load, but the traffic should not be there.

And in the worst case I have to re-install Windows to get the program to stop hanging, which it will start doing again in about 3 weeks. I also found that if one computer starts, others seem to follow it.

I also checked the security logs and found no evidence of a hacker in the system, also because this should be a standard Windows program and is even present again after a complete re-install.

Please help me with this problem; it's been going on for 3 months now and doesn't want to stop, even after a complete re-install of the firewall itself 35 days ago.

Question by:docey
4 Comments
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12271571
 
LVL 76

Expert Comment

by:David Lee
ID: 12271617
Hi, Samuel.

My first recommendation would be to discover what wpconfig.exe is and what it does. I searched two computers, one XP and one 2000, for that file and found nothing. I searched the internet and found a few references, but nothing that seems like it'd be on a stock Windows system. So, I propose that you search one of the affected systems for the file and report back on its location. I'd also check the properties and see if there's any reference to who the file is made by.
 
LVL 15

Accepted Solution

by: harleyjd (earned 500 total points)
ID: 12272774
I had a similar one recently - it turned out to be the Korgo virus, but was not detected as it was too new. The Firewall kept falling over as there were 2000+ outbound packets on a box designed for 50 - 100, so I just blocked the outbound access to that port. That will stop the flooding in its tracks, and allow you 'net access while you track down what the actual cause is.

You can also try a manual removal, rebooting into safe mode, deleting the file and then checking the registry very carefully for things in the hklm\software\microsoft\windows\run and associated folders.
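Before blocking port 445 at the gateway as harleyjd suggests, it helps to know which box is doing the flooding. The following is an added example, not code from this thread: it parses iptables LOG lines from the Linux router (constructed sample lines; the exact log format, the KNOWN_NETS ranges and the thresholds are assumptions) and flags sources that fan out to many unknown hosts on TCP/445, which is the scanning pattern described in the question.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of iptables LOG output on the gateway (not real logs).
# Each line is one forwarded TCP SYN as seen by the router.
SAMPLE_LOG = """\
Oct 10 09:01:02 gw kernel: FWD IN=eth1 OUT=eth1 SRC=192.168.0.190 DST=192.168.145.65 PROTO=TCP SPT=1041 DPT=445 SYN
Oct 10 09:01:02 gw kernel: FWD IN=eth1 OUT=eth1 SRC=192.168.0.190 DST=192.168.145.66 PROTO=TCP SPT=1042 DPT=445 SYN
Oct 10 09:01:02 gw kernel: FWD IN=eth1 OUT=eth1 SRC=192.168.0.190 DST=192.168.145.67 PROTO=TCP SPT=1043 DPT=445 SYN
Oct 10 09:01:03 gw kernel: FWD IN=eth1 OUT=eth1 SRC=192.168.0.190 DST=192.168.145.68 PROTO=TCP SPT=1044 DPT=445 SYN
Oct 10 09:01:03 gw kernel: FWD IN=eth1 OUT=eth2 SRC=192.168.0.190 DST=10.4.7.9 PROTO=TCP SPT=1045 DPT=445 SYN
Oct 10 09:01:05 gw kernel: FWD IN=eth1 OUT=eth2 SRC=192.168.0.12 DST=192.168.1.20 PROTO=TCP SPT=3390 DPT=445 SYN
Oct 10 09:01:07 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.12 DST=192.168.1.20 PROTO=TCP SPT=3391 DPT=80 SYN
"""

# Fields of interest in a netfilter LOG line (assumed format).
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")

# Subnets that legitimately exist on this LAN (assumed); anything else that
# is routed through the gateway is a "dead end" like 192.168.145.0/24 above.
KNOWN_NETS = [ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24")]


def is_foreign(dst):
    """True if the destination is outside every known local subnet."""
    return not any(ip_address(dst) in net for net in KNOWN_NETS)


def scan_fanout(log_text, port=445):
    """Map each source to the set of foreign hosts it tried to reach on `port`."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) == port and is_foreign(m.group("dst")):
            fanout[m.group("src")].add(m.group("dst"))
    return fanout


def suspects(log_text, min_targets=3):
    """Sources touching at least `min_targets` distinct foreign hosts on 445."""
    return sorted(src for src, dsts in scan_fanout(log_text).items()
                  if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src in suspects(SAMPLE_LOG):
        print(f"{src}: {len(scan_fanout(SAMPLE_LOG)[src])} foreign hosts on 445")
```

Normal file-sharing traffic to a known subnet (192.168.0.12 above) is not reported; only the host sweeping addresses that do not exist on the LAN is.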
 

Author Comment

by:docey
ID: 12532883
harleyjd was right.

It was a virus and seems to have been included in the Norton virus updates about 6 months ago.
It seems to be so fast-spreading that almost as soon as Windows was installed, the virus infected the computer before I could update my virus definitions from Norton stock till now.

I still don't know why Norton would not find it, even after searching the whole disk 5 times in a row. It kept well hidden while Norton was right on top of it. On the virus updates a few weeks ago it suddenly was detected as a virus which was known at SARC for more than 6 months. Guess it did not get included in the virus definitions or conflicted with another virus in those definitions.

It did not cause any major problems on the network, but it did disable a complete computer for about 5 days. Lucky I've got more than one computer here.

So harleyjd gets the points since he was the closest, and I must say that from the beginning I already suspected it was a virus and had my doubts about Norton's findings. I also most likely found how it got into my network. About 1 month before it started I had a LAN party at my house and most people could not bring their own computer, except for one. So it did not come from the internet, and it does not, because this virus tries to spread on local area networks according to the SARC website.

Thus it must have been included on a computer joining the network at my LAN party. I find it strange but logical that Norton did not find it; the number of viruses is almost running into 6-digit numbers. So no offense to Norton, but I expect more of these cases in the near future.

Greetings from Holland,
Docey


FREE YOUR MIND, SPEAK YOUR MIND
