Ghost computers and printers on my WIFI network

[William Mumaw]

When I go into my network on my PC, I can see my router, computer and printer, but at times see another computer or printer. When I click on the unknown  entries and go to properties, it shows only Midiatec model MT53xx and a mac address, no IP address or any other information. The entries will vary at times and go away the next time I look. I am running windows 10 home version with a Cisco router and WIFI, I have two computers and a printer on the network. I also have an Avast VPN. Everything works fine, but these ghost entries really bug me!! Any help or suggestions.

Thanks Bill

Reply | Quote

[Paul T]

Mediatec is a chip manufacturer, so you could be seeing a TV, phone or IoT device.
Take the MAC address and search for the manufacturer. This usually gives you a good clue to the device.

Connect to your router and look at active clients / DHCP leases.
Can you see any matching MAC addresses?
If the devices are rogue ones, you can block them at the router.

cheers, Paul

Reply | Quote

[anonymous]

If you do not see an IP address the devices are not connected (and should not show as connected in your router). The cause for these showing up in File Explorer is a Windows service named Windows Connect Now – Config Registrar.

If you use the Wireless Protected Setup feature, then Windows Connect Now service aids you in connecting to your device.

Directions using the user interface:

1. Login as Administrator and press Win+R and type services.msc
2. Find the Windows Connect Now – Config Registrar service and double click on the name.
3. In the dialog box click on the Stop button, the service should quickly end.*
4. Then the same dialog box set the Startup type to Disabled, click on Apply, and Okay to continue.

Directions using PowerShell or the Command Prompt:

Right click on the Start Menu and then Click on PowerShell (Admin) or Command Prompt (Admin).

Type these commands exactly as you see them*:
net stop wcncsvc
sc config “wcncsvc” start=disabled

Your neighbor’s gadgets will still advertise their presence but you will not see them now or after a restart in File Explorer.

*If the service does not stop accept being reconfigured then make a complete note of the error(s) and post it here for more help.

2 users thanked author for this post.

_lightshow, wavy

Reply | Quote

[anonymous]

Same here, something called iCamera, apparently an Android app, appeared, then disappeared.  Wonder if there’s an advertising period for Connect Now devices, so they disappear after a time.  I Disabled Connect Now-Config service.  Have to see if the app’s on any of our phones.

Reply | Quote

[CynicalSnail]

I have a related but even more obscure problem.  I use Wireless Network Watcher (Nirsoft) to keep an eye on my LAN, mostly to see when things are not working.  Three days ago (Nov 2), some odd devices appeared – no device details at all, and the MACs do not return anything on a search of several sites:  2E-D6-FF-81-C2-AA,  0E-A2-F4-54-B5-88, 26-25-00-42-1E-4E.     They connect briefly from time to time, but that is all that I can see.  They cannot be pinged.

So what are they?  I have never seen anything like this appear before in several years of monitoring.  No new kit has been installed, no guest devices of any kind on the premises that I am aware of.  How do I find them?  Is this malware (a scan has produced nothing)?

I have logged one item (-B5-88) being addressed using UDP by ‘System’ using netbios-ns, port 137, 78 packets at a time.  Is this a change in Windows (Pro, 7, 64-b) in the October update, just installed – Nov. 2! ?  Is this M$ being sneaky, yet again?

Reply | Quote

[Alex5723]

Ports 135-139 should be blocked on your router. Check your router’s ports running Gibson’s HIELDS UP!

Reply | Quote

[CynicalSnail]

I do this from time to time: perfect score to 1055 at least.  This is not an external problem.  This is on my LAN.

Reply | Quote

[Paul T]

CynicalSnail wrote:

I use Wireless Network Watcher

All that is telling you is there are wireless devices broadcasting locally.
It does not tell you if they are connected to your wifi, you need to look on your router for that information.

cheers, Paul

Reply | Quote

[CynicalSnail]

You miss the point: they are being addressed as destination by System.  This is not a broadcast detection problem (WNW finds all LAN connections).  My broadcast detector has seen nothing of these.  The router does not show anything when I look – they are only intermittent, well-spaced connections and are easily missed.

Meanwhile, I have found that TeamViewer is the *source* of some of the packets on those addresses (ICMP, IGMP, UDP).  This is now disabled.  It was installed several months ago (start of lockdown), so it is odd that it only now appears as a ‘connected device’.

But, what it appears to mean is that software can pretend to be a device with a MAC.  That is rather disturbing.  If that can be done, anything can be spoofed.

Reply | Quote

[Paul T]

Sorry, I misunderstood the way WNW works.

MAC spoofing has long been a thing in Windows and it’s now a standard feature on Macs.

cheers, Paul

Reply | Quote

[CynicalSnail]

Update:

I discovered that one of the MAC addresses was a replaced device on my electricity supply system (concidentally the day after the Windows update).  The manufacturer does not include any id in the packet.

Disabling Teams had no effect on the other two, so I uninstalled it.  Rebooted.  They are still there.  This is decidly a function of the Windows update or something else is going on – malware I cannot detect.

This is extremely annoying and worrying.  How can such things be tracked down, disabled or blocked.  How can the function be determined?

Reply | Quote

[Paul T]

Which other 2?
Can you post full details from WNW?

cheers, Paul

Reply | Quote

[CynicalSnail]

The two offending are:

26-25-00-42-1E-4E

2E-D6-FF-81-C2-AA

WNW shows nothing else.  I have nothing from my router either because they are intermittent – ~45 min intervals, but not really regular as far as I can tell.

Thanks.

Reply | Quote

[Paul T]

As they don’t have an IP address it seems likely they are not actually connected to your network. You can check this by looking at the DHCP clients on your router.

cheers, Paul

Reply | Quote

[CynicalSnail]

They have IP addresses, of course, dynamically assigned by the router, which is why they show in WNW, but those are essentially irrelevant, and meaningless outside my LAN, as they do not point at anything visible.

 

Reply | Quote

[Paul T]

Please provide full details of the devices as requested. We can’t help if you only give us tidbits.

cheers, Paul

Reply | Quote

[CynicalSnail]

If I knew any more I would have told you already.  All I can see is a MAC.    Plainly, a router-assigned IPA is not informative in itself.

As for traffic, I have since found I can detect some:

Ethernet Type IP Protocol Source Address Destination Address Source Port Destination Port Service Name Status Packets Count Total Packets Size Total Data Size Data Speed Maximum Data Speed Average Packet Size Maximum Packet Size First Packet Time Last Packet Time Duration Latency Process ID Process Filename TCP Ack TCP Push TCP Reset TCP Syn TCP Fin Maximum Segment Size TCP Window Size TCP Window Scale TTL Source Country Destination Country
IPv4 UDP 192.168.1.21 224.0.0.251 5353 5353 43 6,020 4,816 140.0 140 2020-11-12 18:16:17 2020-11-13 08:50:50 14:34:33.474 0 0 0 0 0 255
IPv4 ICMP 192.168.1.21 192.168.1.2 40 2,240 1,440 56.0 56 2020-11-12 18:36:38 2020-11-13 08:34:04 13:57:25.953 0 0 0 0 0 64
IPv4 IGMP 192.168.1.21 224.0.0.22 11 440 220 40.0 40 2020-11-12 21:00:01 2020-11-13 08:10:14 11:10:13.464 0 0 0 0 0 1
IPv4 ICMP 192.168.1.22 192.168.1.2 64 6,784 5,504 0.1 KiB/Sec 106.0 106 2020-11-12 13:42:59 2020-11-13 07:48:19 18:05:19.920 0 0 0 0 0 64

IPv4 UDP 192.168.1.2 192.168.1.21 137 137 netbios-ns 43 3,354 2,150 78.0 78 2020-11-12 18:39:01 2020-11-13 08:16:46 13:37:44.586 4 System 0 0 0 0 0 64

— does that help?

Reply | Quote

[Alex5723]

I also see some ghost devices on my network like this Xiaomi smartphone.

On the other hand the network doesn’t display the home 2 smartphones and laptop that are connected to the network.

Attachments:

You must be logged in to access attached files.

Reply | Quote

[CynicalSnail]

Window’s Network mapping is essentially useless – very, very limited.  Use WNW.

Reply | Quote

[Paul T]

Log into your router and block the MAC addresses you ares concerned about. See what fails.

cheers, Paul

Reply | Quote

[CynicalSnail]

The router has no record of those MACs , so they cannot be blocked.  Whatever they are doing is ‘inside’ the PC, nothing else seems to show.

A new one has now appeared: D4-5D-64-29-26-27 – no manufacturer found.

Reply | Quote

[PKCano]

Suggestion:
Run msinfo32.
Look under Components\Network\Adaptor
See it there are any h/w components with those MAC addresses.

Reply | Quote

[CynicalSnail]

Thanks for that suggestion.  Other than the NIC, there is only

20:41:53:59:4E:FF     RAS Async Adapter
02:00:4C:4F:4F:50    Microsoft Loopback Adapter

neither of which are involved now (they also do not show in WNW or the Router’s lists).

• This reply was modified 2 months, 1 week ago by CynicalSnail.

Reply | Quote

[Susan Bradley]

Hang on you are using Avast VPN?  it’s as a result of the vpn.  It will set up loopback adapters on your networking stack.

Susan Bradley Patch Lady

Reply | Quote

[CynicalSnail]

No, never have.

The point is that these items only showed up immediately after the update to Win7 that was made on Nov 2 – never before have I seen such a thing, and I have been running WNW for a long time now.  This really is as far as I am aware, a loopback has been on this machine from the beginning in that it seemed a normal item on  any occasion that checks were made or network traffic was monitored.

If it is not meant to be there, how do I disable it to test, or delete if I do not need it at all?  I have no need of a VPN, but I surely have never installed an Avast VPN (I did try it the AV at one stage, but found it problematic and dropped it – uninstalled – rather quickly).  The timing of this problem is really the odd thing.

Reply | Quote

[PKCano]

Wait.
You have Win7? I missed that.
This thread is about Win10 – this topic is in the Win10 Forum.
The original OP’s questions was concerning Win10.
Your questions about Win7 is off-topic here.

Reply | Quote

[CynicalSnail]

That I missed. I searched for a relevant topic to avoid posting redundancy.  The problem is general, surely, not Win10 restricted.  Ghost devices must be of interest everywhere.  But, an admin. is welcome to move this whole thing to another thread if that helps resolve it.

Reply | Quote

[Alex5723]

CynicalSnail wrote:

WNW

Wireless Network Watcher doesn’t work if your PC doesn’t see wi-fi connections (mine doesn’t).

The devices in my post above are wired.

Attachments:

You must be logged in to access attached files.

Reply | Quote

[CynicalSnail]

WNW does work – every device that has ever connected (that I know about!) has always shown up – all phones, iPads, laptops … .  The “Wireless” bit of the name is misleading, it is not required on the PC.

Reply | Quote

[Microfix]

I also have an Avast VPN.

you’re brave given avasts history
Couldn’t possibly be linked to the Avast VPN, only active when the VPN is active? Virtual device

No problem can be solved from the same level of consciousness that created IT- AE

Reply | Quote

[CynicalSnail]

No VPN in use on my machine … but an interesting thought: virtual devices created by M$ – but for what?

Reply | Quote

[Microfix]

Was referring to the original poster of the thread 🙂

No problem can be solved from the same level of consciousness that created IT- AE

Reply | Quote

[CynicalSnail]

Yes, I realized that, but the concept was potentially relevant, I thought.

Reply | Quote

[PKCano]

I suggested looking in msconfig32 b/c sometimes there are virtual devices listed under Network. I was shooting in the dark.

Bluetooth devices also have broadcast MAC addresses.

Reply | Quote

[CynicalSnail]

Thanks for that – I had not thought of that.  My iPhone is connected (and shows), but the Bluetooth MAC, one up from that of the WiFi, is not one of the offending items, and has never been seen on my LAN since there has never been a Bluetooth device connected.

Reply | Quote

[Alex5723]

CynicalSnail wrote:

WNW does work

Never worked fully on any of my PCs.

Reply | Quote

[Paul T]

CynicalSnail wrote:

The router has no record of those MACs , so they cannot be blocked

I would not be chasing things that don’t appear on the network. If they are only internal they are not malicious IMO.

cheers, Paul

Reply | Quote

[CynicalSnail]

OK, but how do we know?  It still does not explain why these three have turned up at all when the only event is the update.  There is clearly traffic of some kind that was not there before.

Thanks.

Reply | Quote

[Paul T]

CynicalSnail wrote:

does not explain why these three have turned up

Vagaries of Windows?

cheers, Paul

Reply | Quote

[CynicalSnail]

No, this has to be deliberate, by design, not an accidental byproduct of bad programming.   Either way, it cannot be the case that it occurs only for me.

I shall keep an eye on it, and try to find out what is going on.

Thanks.

Reply | Quote

[CynicalSnail]

Using Wireshark I have now captured data for a 400 min run, logging some 600-odd events involving the unknown MACs.  Several protocols are involved (NBNS, ICMP, MDNS, TLSv1.2, TCP, IGMPv3), all except the TCP is ‘internal’ – to or from the NIC.

Curiously, both MACs are addressing 224.0.0.1, which seems to be associated with activity by iTunes or somesuch: https://stackoverflow.com/questions/12483717/what-is-the-multicast-doing-on-224-0-0-251    But, Bonjour has been disabled on my machine for a very long time, ProcessExplorer reports no instance, and the namespace providers are not loaded (Autoruns).   So is this Apple being sneaky somewhere else?  One of the MACs addresses 224.0.0.22, which might be no big deal, but still …

However, the TCP packets originate from source 69.171.250.20 (addressing the LAN IP for MAC 26-25-00-42-1E-4E, TCP Retransmission), which apparently belongs to Facebook!   (And with bad certificates at that!)  What is going on?  That is a very specific targetting of a “device” on my machine by an external agent through a specific port (which GRC Shields Up! reports as ‘stealth’).

It remains odd that these items have only just appeared, at the same time, and immediately after a Windows update.

Any ideas?  Is there more I can get from the captured packets?

Thanks.

• This reply was modified 1 month, 3 weeks ago by CynicalSnail.

Reply | Quote

[PKCano]

I have two Seagate NAS drives. They come with Internet Services/Protocols integrated – iTunes, Facebook, various protocols, etc. When setting them up, I log in through the Seagate Dashboard and turn off the Services, Remote Administration, protocols I don’t want, etc.

Perhaps the activity is initiated by the NAS instead of the computer or Router. There should be computer installable software to access the administration functions of the NAS. If it is not installed available on the NAS itself, check the mfg’s website.

Reply | Quote

[CynicalSnail]

Thanks, but no new drives on this machine for a long time, no NAS ever in use, and no Seagate product anyway.

Reply | Quote

[Paul T]

CynicalSnail wrote:

which GRC Shields Up! reports as ‘stealth’

This doesn’t stop those ports being used. Your firewall will allow packets in, in response to packets out.

Block some ports / IP addresses and see what breaks.

cheers, Paul

• This reply was modified 1 month, 3 weeks ago by Paul T.

Reply | Quote

[CynicalSnail]

unknown MAC to NIC:  “ICMP 70 Destination unreachable (Port unreachable)” … is that not blocked?

If not, how specifically do I do that?

Thanks.

 

Reply | Quote

[Paul T]

No idea how that relates as you have left out all the other details for that message.

What are you trying to block?

cheers, Paul

Reply | Quote

[CynicalSnail]

I can post the full packet, of course … but what is the point?
The thread makes it plain  what I am asking about: “ghost device” MACs that have only recently appeared.
I am not trying to block anything in particular, I just have a decent firewall.  But activity that appears to be spoofing is a concern.  I would like to know what is going on, that is all.

 

Reply | Quote

[Paul T]

If all the traffic is internal to the network, or your machine, then you have to shut everything down and fire things up bit by bit to work out what is producing the traffic.

cheers, Paul

Reply | Quote

[CynicalSnail]

Not a practical proposition, I’m afraid.  As I said at the beginning, this only started with the update I applied on Nov. 2.  There was no other change on the machine.  This is too much of a coincidence.  Bear in mind that I have had connected devices monitored for some years and these two did not appear before that point: these are logged as “first detected” on that date.

There is no actual hardware device, so how do I identify the software that pretends by spoofing?  I can search the entire machine for such a string, if I knew what it would look like.

Reply | Quote

[Alex5723]

Have you tried : https://www.pcwdld.com/find-device-or-ip-address-using-mac-address ?

Reply | Quote

[CynicalSnail]

I know the IPs, the router assigns them.  I know the MACs.  There is no associated hardware, and as I said, a search does not find a manufacturer for either.

Reply | Quote

[Paul T]

Nirsoft also have CurrPorts to show what app has ports open. And SmartSniff…

cheers, Paul

Reply | Quote

[CynicalSnail]

SmartSniff is much the same as WireShark.  CurrPorts does not do other than  TCP and UDP, and does not log, so I have to be very lucky to see ephemeral events (but they are not captured anyway).  WS does all protocols.

Reply | Quote

[CynicalSnail]

A new one has just appeared: 3E-51-57-36-9D-8B

Again, no actual hardware.

• This reply was modified 1 month, 2 weeks ago by CynicalSnail.

Reply | Quote

[Author]

Posts