Unknown process flooding the network and crashing computers
Posted on 2004-10-10
Hi, I'm Samuel from the Netherlands. I have a serious problem that keeps returning.
From time to time an unknown process called wpconfig.exe appears in the process list when I log on. This process prevents me from logging in. When I hit Ctrl+Alt+Del and choose Log Off, I can log in normally. So the first login always hangs; after that it goes normally.
But on some computers the program itself starts to hang, using 100% CPU and flooding the network with TCP packets on port 445 (Microsoft file sharing). Even when I try to kill the process it's denied, and when I reboot the computer it simply comes back and continues.
But after a few days it stops, waiting for its return. About 3 weeks later the whole story starts again.
Now here's the question: "What is wpconfig.exe, and how do I make it stop crashing and flooding packets?"
My network is divided into 3 sections which are bridged using a Linux router which also serves as internet gateway. One strange thing I discovered is that the packets are directed toward the gateway, which also has a firewall installed, and then simply bounced towards an unknown class C IP range like this:
192.168.0.190 => 192.168.0.1 => 192.168.145.65 = dead end.
Could it have anything to do with my firewall configuration, or is it the bridging that's driving these weak Windows machines crazy? I have looked on the internet for any information about wpconfig.exe and found that it is not involved in any virus case (checked at sarc.com). Also, my virus scan did not find any virus on my PC. I also checked to see if it was spyware, but Ad-Aware and Norton 2004 could not identify it as spyware or a virus. And since it is using TCP port 445 and seems to be installed on almost every PC I have here, I would think it's part of the Windows 2000 install, since even some computers which I needed to install fresh because they would not stop hanging already had this file on their disk.
So here's a summary:
wpconfig.exe is not a virus, spyware, adware or malware.
wpconfig.exe seems to be standard in Windows and critical, since I can't kill it.
wpconfig.exe hangs the login process, but a second try does work.
wpconfig.exe sometimes keeps hanging and uses 100%.
wpconfig.exe then floods the network with packets towards unknown local IP addresses at TCP port 445.
wpconfig.exe seems almost like it is performing a DDoS attack at local level without a clear target.
Of course wpconfig.exe uses the Linux network router as direction because these IP addresses don't exist locally. The IP addresses are in a different range and thus the gateway is used to access them.
Probably the flood of packets is because none of the packets is reaching its destination.
I'm using fixed IP addresses in my network and there is no DHCP server present.
The network consists of 3 local switches to which the clients are connected. The switches are connected to the Linux router, which bridges the 3 switches together, making it one network where all traffic is pointed to the network router, which also connects to the internet and is thus also an internet gateway.
Because the network is well designed and at full 100 Mbit/s full-duplex, the floods are not causing major problems but are very annoying. The router can easily stand the load, but the traffic should not be there.
And in the worst case I have to re-install Windows to get the program to stop hanging, which it will start doing again in about 3 weeks. I also found that if one computer starts, others seem to follow it.
I also checked the security logs and found no evidence of a hacker in the system. Also because this should be a standard Windows program and is even present again after a complete re-install.
Please help me with this problem. It has been going on for 3 months now and doesn't want to stop, even after a complete re-install of the firewall itself 35 days ago.
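
An added example, not part of the original post: a Python check the gateway could run over its firewall log to list which clients are opening TCP/445 connections to addresses outside the local subnet, the pattern described above. It assumes the firewall writes netfilter `LOG`-format lines for forwarded packets and that the local subnet is 192.168.0.0/24; the sample lines, the `FWD` prefix and the `scan_445` name are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: clients sit in 192.168.0.0/24; the post shows only
# 192.168.0.190 and 192.168.0.1, not the netmask.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines in netfilter LOG format (not real captures).
_FMT = ("Oct 10 09:14:0{n} gw kernel: FWD IN=eth1 OUT=eth0 SRC={s} DST={d} LEN=48 "
        "TTL=127 PROTO=TCP SPT=10{n}5 DPT={p} WINDOW=64240 RES=0x00 {fl} URGP=0")
_ROWS = [
    ("192.168.0.190", "192.168.145.65", 445, "SYN"),
    ("192.168.0.190", "192.168.145.66", 445, "SYN"),
    ("192.168.0.190", "192.168.145.67", 445, "SYN"),
    ("192.168.0.190", "192.168.145.65", 445, "SYN"),  # retry, same target
    ("192.168.0.190", "192.168.145.68", 445, "SYN"),
    ("192.168.0.23", "192.168.0.40", 445, "SYN"),     # local file sharing
    ("192.168.0.51", "192.168.145.65", 80, "SYN"),    # not port 445
    ("192.168.0.77", "192.168.145.70", 445, "SYN"),   # single target only
    ("192.168.0.190", "192.168.145.69", 445, "ACK"),  # not a new connection
]
SAMPLE_LOG = "\n".join(_FMT.format(n=i, s=s, d=d, p=p, fl=fl)
                       for i, (s, d, p, fl) in enumerate(_ROWS))

def scan_445(log_text, min_targets=3):
    """Map each local source to the sorted off-subnet addresses it sent
    TCP/445 SYNs to, keeping sources with >= min_targets distinct targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "445":
            continue
        flags = line.split()
        if "SYN" not in flags or "ACK" in flags:
            continue  # count connection attempts only
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # truncated or malformed log line
        if src in LOCAL_NET and dst not in LOCAL_NET:
            targets[str(src)].add(dst)
    return {s: [str(d) for d in sorted(t)]
            for s, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print(scan_445(SAMPLE_LOG))
```

A client that appears in the result is the one to pull off the network and examine first; ordinary file sharing between local machines never shows up because both ends are inside the subnet.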