Constant Network Activity, NOT a virus!

  1. #1
    Notebook Enthusiast
    Join Date
    Oct 2007
    Posts
    30
    Rep Power
    18

    Constant Network Activity, NOT a virus!

    Hi everyone. I'm having a weird problem with my laptop running XP Home. For some reason, there is constant network activity within the svchost.exe process. I can assure you that this is NOT a virus. The laptop is brand new and I didn't do anything to it yet (like install stuff), and I've scanned the process with every known scanner known to man.

    I did install Port Explorer, and it shows that the network activity is happening within the svchost.exe process, on port 2555. When I resolve the IP address, it shows that the IP is 192.168.1.1, which is my broadband router. I can't get it to stop with this network activity.

    Could it be pinging the router? If I open up Task Manager, go to the networking tab, and hold F5 so that it refreshes the graph very quickly, it shows that this spike in network activity is happening once every second. It seems to be only a few KB of data, but it is not sending it out to the internet. From what I can tell, it looks like it's only the laptop and the router constantly talking to each other, and I cannot figure out why and get it to stop!

    I have two other machines on the router, and when the aforementioned machines are idling, there is no network activity on them. This problem is unique to the new laptop, and that machine only. Any help is greatly appreciated!!!

  2. #2
    Lazy as the Day is Long
    Join Date
    Jul 2006
    Location
    The SSR of NYC
    Posts
    8,179
    Rep Power
    59

    Re: Constant Network Activity, NOT a virus!

    Is the machine in question a Compaq? According to this webpage port 2555 is used by a Compaq utility called Compaq.WCP. Nothing obvious comes up on what Compaq WCP is from a quickie google (other than the port assignment, which has apparently been registered); however, I would conjecture that it's probably part of the wireless connection protocol if the system is a Compaq (or perhaps an HP).

  3. #3
    Notebook Enthusiast
    Join Date
    Oct 2007
    Posts
    30
    Rep Power
    18

    Re: Constant Network Activity, NOT a virus!

    Thank you for the suggestion. However, my machine is not a Compaq. It is actually an Acer Aspire One netbook. It's running XP, nonetheless. This is mighty strange. I double checked and it does say "Remote port: 2555". I might install Wireshark to see if that can further advance the help that Port Explorer has already given me.

    I should mention that the netbook functions properly, as in nothing is problematic. This is the only thing that's wrong with it. I've never seen anything like this. Thanks again for the help.

  4. #4
    Lazy as the Day is Long
    Join Date
    Jul 2006
    Location
    The SSR of NYC
    Posts
    8,179
    Rep Power
    59

    Re: Constant Network Activity, NOT a virus!

    Originally posted by jondevon:
        Thank you for the suggestion. However, my machine is not a Compaq. It is actually an Acer Aspire One netbook. It's running XP, nonetheless. This is mighty strange. I double checked and it does say "Remote port: 2555". I might install Wireshark to see if that can further advance the help that Port Explorer has already given me.

        I should mention that the netbook functions properly, as in nothing is problematic. This is the only thing that's wrong with it. I've never seen anything like this. Thanks again for the help.

    Then that just makes it odd; it beats me why what looks like a Compaq utility would be running on an Acer.

    You could also try running Microsoft's Network Monitor 3.2 (free) to see more precisely what's getting sent down that rabbit hole - you'll be able to see not only what ports and IPs are involved (e.g., the destination IP and port) but also the contents of the packets being sent.

  5. #5
    Notebook Enthusiast
    Join Date
    Oct 2007
    Posts
    30
    Rep Power
    18

    Re: Constant Network Activity, NOT a virus!

    Hello again. Sorry for the delayed response. I don't know if anyone will read this since it is an older post, so if I don't get a response here, I'll post a new thread. I would like to inform you that I installed Network Monitor 3.2 and I captured the strange network activity. I was wondering if Shyster1, or anyone else, could make anything of the results of the capture. I have included an attachment containing the capture file. It's only about 20 seconds worth of network activity, but it is quite a bit of it. Again, thanks for any help!!!

    -jon

  6. #6
    Notebook Guru
    Join Date
    Dec 2008
    Location
    Asia & Middle-East
    Posts
    68
    Rep Power
    15

    Re: Constant Network Activity, NOT a virus!

    Download WireShark or NetWitness Investigator. Capture network traffic and see where it goes, then with that info work backwards.

  7. #7
    Notebook Guru
    Join Date
    Dec 2008
    Location
    Asia & Middle-East
    Posts
    68
    Rep Power
    15

    Re: Constant Network Activity, NOT a virus!

    Had a look at your capture file - does your router have UPnP on? Could be the UPnP discovery mode going sour. Switch UPnP off on your router - then try again.

  8. #8
    Notebook Evangelist
    Join Date
    Jul 2008
    Location
    OR, USA
    Posts
    569
    Rep Power
    18

    Re: Constant Network Activity, NOT a virus!

    wireshark would be nice
    I got the bandwidth.

  9. #9
    Lazy as the Day is Long
    Join Date
    Jul 2006
    Location
    The SSR of NYC
    Posts
    8,179
    Rep Power
    59

    Re: Constant Network Activity, NOT a virus!

    TheNomad is correct about the possibility of there being problems with the UPnP functionality of the router - the bulk of the packets in your capture basically appear to be back-and-forth between your router (IP 192.168.1.1) and one machine on your network that's been assigned the IP 192.168.1.5.

    One curious thing, though - you've got packets in your capture that have both their source and their destination IPs in a completely different set of private IP addresses, namely the IP addresses beginning 169.254.xxx.yyy - was the machine doing the capturing connected to two separate networks?
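
The reading of the capture in the last reply (a steady exchange between 192.168.1.5 and the router at 192.168.1.1, plus stray 169.254.x.y traffic) can be reproduced from any packet export by grouping packets per flow and measuring the gaps between them. This is an added example, not part of the original thread; the packet records are constructed rather than taken from the attached capture, and every port other than 2555 is an assumption.

```python
import ipaddress
from collections import defaultdict
from statistics import median

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def sample_capture():
    """Constructed records (seconds, src, dst, dst_port); not the thread's attachment."""
    pkts = []
    for i in range(20):
        pkts.append((i + 0.00, "192.168.1.5", "192.168.1.1", 2555))  # laptop -> router
        pkts.append((i + 0.02, "192.168.1.1", "192.168.1.5", 1037))  # reply, assumed port
    pkts.append((4.30, "169.254.12.7", "169.254.255.255", 137))      # link-local stray
    pkts.append((9.75, "169.254.12.7", "169.254.255.255", 137))
    return sorted(pkts)

def summarize(packets, min_packets=5, jitter=0.2):
    """Per directed flow: packet count, median gap, periodicity, link-local use."""
    times = defaultdict(list)
    for ts, src, dst, dport in packets:
        times[(src, dst, dport)].append(ts)
    report = {}
    for flow, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps) if gaps else None
        # Periodic: enough packets, and every gap within +/- jitter of the median gap.
        periodic = (len(stamps) >= min_packets and mid > 0
                    and all(abs(g - mid) <= jitter * mid for g in gaps))
        src, dst, _ = flow
        report[flow] = {
            "packets": len(stamps),
            "median_gap_s": mid,
            "periodic": periodic,
            "link_local": any(ipaddress.ip_address(a) in LINK_LOCAL for a in (src, dst)),
        }
    return report

if __name__ == "__main__":
    for flow, stats in summarize(sample_capture()).items():
        print(flow, stats)
```

A flow marked periodic with a one-second median gap matches the once-per-second spike described in the first post; a flow marked link_local means an interface fell back to a self-assigned address, which is worth checking on the capturing machine.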

 

 
