Constant Network Activity, NOT a virus!

Discussion in 'Networking and Wireless' started by jondevon, Nov 25, 2008.

Thread Status:
Not open for further replies.
  1. jondevon

    jondevon Notebook Enthusiast

    Reputations:
    0
    Joined:
    Oct 19, 2007
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    15
    Hi everyone. I'm having a weird problem with my laptop running XP Home. For some reason, there is constant network activity within the svchost.exe process. I can assure you that this is NOT a virus. The laptop is brand new and I didn't do anything to it yet (like install stuff), and I've scanned the process with every known scanner known to man.

    I did install Port Explorer, and it shows that the network activity is happening within the svchost.exe process, on port 2555. When I resolve the IP address, it shows that the IP is 192.168.1.1, which is my broadband router. I can't get it to stop with this network activity.

    Could it be pinging the router? If I open up Task Manager, go to the networking tab, and hold F5 so that it refreshes the graph very quickly, it shows that this spike in network activity is happening once every second. It seems to be only a few KB of data, but it is not sending it out to the internet. From what I can tell, it looks like it's only the laptop and the router constantly talking to each other, and I cannot figure out why and get it to stop!

    I have two other machines on the router, and when the aforementioned machines are idling, there is no network activity on them. This problem is unique to the new laptop, and that machine only. Any help is greatly appreciated!!!
     
  2. Shyster1

    Shyster1 Lazy as the Day is Long

    Reputations:
    6,926
    Joined:
    Jul 7, 2006
    Messages:
    8,179
    Likes Received:
    0
    Trophy Points:
    205
    Is the machine in question a _Compaq? According to this webpage port 2555 is used by a Compaq utility called Compaq.WCP. Nothing obvious comes up on what Compaq WCP is from a quickie google (other than the port assignment, which has apparently been registered); however, I would conjecture that it's probably part of the wireless connection protocol if the system is a _Compaq (or perhaps an _HP).
     
  3. jondevon

    jondevon Notebook Enthusiast

    Reputations:
    0
    Joined:
    Oct 19, 2007
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    15
    Thank you for the suggestion. However, my machine is not a Compaq. It is actually an Acer Aspire One netbook. It's running XP, nonetheless. This is mighty strange. I double checked and it does say "Remote port: 2555". I might install Wireshark to see if that can further advance the help that Port Explorer has already given me.

    I should mention that the netbook functions properly, as in nothing is problematic. This is the only thing that's wrong with it. I've never seen anything like this. Thanks again for the help.
     
  4. Shyster1

    Shyster1 Lazy as the Day is Long

    Reputations:
    6,926
    Joined:
    Jul 7, 2006
    Messages:
    8,179
    Likes Received:
    0
    Trophy Points:
    205
    Then that just makes it odd; it beats me why what looks like a Compaq utility would be running on an Acer.

    You could also try running Microsoft's Network Monitor 3.2 (free) to see more precisely what's getting sent down that rabbit hole - you'll be able to see not only what ports and IPs are involved (e.g., the destination IP and port) but also the contents of the packets being sent.
     
  5. jondevon

    jondevon Notebook Enthusiast

    Reputations:
    0
    Joined:
    Oct 19, 2007
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    15
    Hello again. Sorry for the delayed response. I don't know if anyone will read this since it is an older post, so if I don't get a response here, I'll post a new thread. I would like to inform you that I installed Network Monitor 3.2 and I captured the strange network activity. I was wondering if Shyster1, or anyone else, could make anything of the results of the capture. I have included an attachment containing the capture file. It's only about 20 seconds worth of network activity, but it is quite a bit of it. Again, thanks for any help!!!

    -jon
     

    Attached Files:

  6. TheNomad

    TheNomad Notebook Guru

    Reputations:
    1
    Joined:
    Dec 14, 2008
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    15
    Download WireShark or NetWitness Investigator. Capture network traffic and see where it goes, then with that info work backwards.
     
  7. TheNomad

    TheNomad Notebook Guru

    Reputations:
    1
    Joined:
    Dec 14, 2008
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    15
    Had a look at your capture file - does your router have UPnP on? Could be the UPnP discovery mode going sour. Witch UPnP off on your router - then try agian.
     
  8. focusfre4k

    focusfre4k Notebook Evangelist

    Reputations:
    149
    Joined:
    Jul 25, 2008
    Messages:
    569
    Likes Received:
    0
    Trophy Points:
    30
    wireshark would be nice :D
     
  9. Shyster1

    Shyster1 Lazy as the Day is Long

    Reputations:
    6,926
    Joined:
    Jul 7, 2006
    Messages:
    8,179
    Likes Received:
    0
    Trophy Points:
    205
    TheNomad is correct about the possibility of there being problems with the UPNP functionality of router - the bulk of the packets in your capture basically appear to be back-and-forth between your router (IP 192.168.1.1) and one machine on your network that's been assigned the IP 192.168.1.5.

    One curious thing, though - you've got packets in your capture that have both their source and their destination IPs in a completely different set of private IP addresses, namely the IP addresses beginning 169.254.xxx.yyy - was the machine doing the capturing connected to two separate networks?
     
Loading...
Thread Status:
Not open for further replies.

Share This Page