  • Ghost computers and printers on my WIFI network

    Posted on William Mumaw Comment on the AskWoody Lounge

      • #2293389
        William Mumaw
        AskWoody Plus

        When I go into my network on my PC, I can see my router, computer and printer, but at times see another computer or printer. When I click on the unknown entries and go to properties, it shows only MediaTek model MT53xx and a MAC address, no IP address or any other information. The entries will vary at times and go away the next time I look. I am running Windows 10 Home with a Cisco router and WIFI, I have two computers and a printer on the network. I also have an Avast VPN. Everything works fine, but these ghost entries really bug me!! Any help or suggestions?

        Thanks Bill

      • #2293486
        Paul T
        AskWoody MVP

        MediaTek is a chip manufacturer, so you could be seeing a TV, phone or IoT device.
        Take the MAC address and search for the manufacturer. This usually gives you a good clue to the device.

        Connect to your router and look at active clients / DHCP leases.
        Can you see any matching MAC addresses?
        If the devices are rogue ones, you can block them at the router.

        cheers, Paul

      • #2293615
        anonymous
        Guest

        If you do not see an IP address the devices are not connected (and should not show as connected in your router). The cause for these showing up in File Explorer is a Windows service named Windows Connect Now – Config Registrar.

        If you use the Wireless Protected Setup feature, then Windows Connect Now service aids you in connecting to your device.

        Directions using the user interface:

        1. Login as Administrator and press Win+R and type services.msc
        2. Find the Windows Connect Now – Config Registrar service and double click on the name.
        3. In the dialog box click on the Stop button, the service should quickly end.*
        4. Then in the same dialog box set the Startup type to Disabled, click on Apply, and OK to continue.

        Directions using PowerShell or the Command Prompt:

        Right click on the Start Menu and then Click on PowerShell (Admin) or Command Prompt (Admin).

        Type these commands exactly as you see them*:
        net stop wcncsvc
        sc.exe config wcncsvc start= disabled

        Your neighbor’s gadgets will still advertise their presence but you will not see them now or after a restart in File Explorer.

        *If the service does not stop or accept being reconfigured then make a complete note of the error(s) and post it here for more help.

        2 users thanked author for this post.
      • #2293846
        anonymous
        Guest

        Same here, something called iCamera, apparently an Android app, appeared, then disappeared.  Wonder if there’s an advertising period for Connect Now devices, so they disappear after a time.  I Disabled Connect Now-Config service.  Have to see if the app’s on any of our phones.

      • #2309713
        CynicalSnail
        AskWoody Plus

        I have a related but even more obscure problem.  I use Wireless Network Watcher (Nirsoft) to keep an eye on my LAN, mostly to see when things are not working.  Three days ago (Nov 2), some odd devices appeared – no device details at all, and the MACs do not return anything on a search of several sites:  2E-D6-FF-81-C2-AA,  0E-A2-F4-54-B5-88, 26-25-00-42-1E-4E.     They connect briefly from time to time, but that is all that I can see.  They cannot be pinged.

        So what are they?  I have never seen anything like this appear before in several years of monitoring.  No new kit has been installed, no guest devices of any kind on the premises that I am aware of.  How do I find them?  Is this malware (a scan has produced nothing)?

        I have logged one item (-B5-88) being addressed using UDP by ‘System’ using netbios-ns, port 137, 78 packets at a time.  Is this a change in Windows (Pro, 7, 64-b) in the October update, just installed – Nov. 2! ?  Is this M$ being sneaky, yet again?

      • #2309898
        Paul T
        AskWoody MVP

        I use Wireless Network Watcher

        All that is telling you is there are wireless devices broadcasting locally.
        It does not tell you if they are connected to your wifi, you need to look on your router for that information.

        cheers, Paul

        • #2309951
          CynicalSnail
          AskWoody Plus

          You miss the point: they are being addressed as destination by System.  This is not a broadcast detection problem (WNW finds all LAN connections).  My broadcast detector has seen nothing of these.  The router does not show anything when I look – they are only intermittent, well-spaced connections and are easily missed.

          Meanwhile, I have found that TeamViewer is the *source* of some of the packets on those addresses (ICMP, IGMP, UDP).  This is now disabled.  It was installed several months ago (start of lockdown), so it is odd that it only now appears as a ‘connected device’.

          But, what it appears to mean is that software can pretend to be a device with a MAC.  That is rather disturbing.  If that can be done, anything can be spoofed.

          • #2310098
            Paul T
            AskWoody MVP

            Sorry, I misunderstood the way WNW works.

            MAC spoofing has long been a thing in Windows and it’s now a standard feature on Macs.

            cheers, Paul

          • #2311407
            CynicalSnail
            AskWoody Plus

            Update:

            I discovered that one of the MAC addresses was a replaced device on my electricity supply system (coincidentally the day after the Windows update).  The manufacturer does not include any id in the packet.

            Disabling Teams had no effect on the other two, so I uninstalled it.  Rebooted.  They are still there.  This is decidedly a function of the Windows update or something else is going on – malware I cannot detect.

            This is extremely annoying and worrying.  How can such things be tracked down, disabled or blocked?  How can the function be determined?

      • #2311412
        Paul T
        AskWoody MVP

        Which other 2?
        Can you post full details from WNW?

        cheers, Paul

        • #2311415
          CynicalSnail
          AskWoody Plus

          The two offending are:

          26-25-00-42-1E-4E

          2E-D6-FF-81-C2-AA

          WNW shows nothing else.  I have nothing from my router either because they are intermittent – ~45 min intervals, but not really regular as far as I can tell.

          Thanks.

      • #2311420
        Paul T
        AskWoody MVP

        As they don’t have an IP address it seems likely they are not actually connected to your network. You can check this by looking at the DHCP clients on your router.

        cheers, Paul

        • #2311422
          CynicalSnail
          AskWoody Plus

          They have IP addresses, of course, dynamically assigned by the router, which is why they show in WNW, but those are essentially irrelevant, and meaningless outside my LAN, as they do not point at anything visible.

           

      • #2311618
        Paul T
        AskWoody MVP

        Please provide full details of the devices as requested. We can’t help if you only give us tidbits.

        cheers, Paul

        • #2311619
          CynicalSnail
          AskWoody Plus

          If I knew any more I would have told you already.  All I can see is a MAC.    Plainly, a router-assigned IPA is not informative in itself.

          As for traffic, I have since found I can detect some:

          Ethernet Type IP Protocol Source Address Destination Address Source Port Destination Port Service Name Status Packets Count Total Packets Size Total Data Size Data Speed Maximum Data Speed Average Packet Size Maximum Packet Size First Packet Time Last Packet Time Duration Latency Process ID Process Filename TCP Ack TCP Push TCP Reset TCP Syn TCP Fin Maximum Segment Size TCP Window Size TCP Window Scale TTL Source Country Destination Country
          IPv4 UDP 192.168.1.21 224.0.0.251 5353 5353 43 6,020 4,816 140.0 140 2020-11-12 18:16:17 2020-11-13 08:50:50 14:34:33.474 0 0 0 0 0 255
          IPv4 ICMP 192.168.1.21 192.168.1.2 40 2,240 1,440 56.0 56 2020-11-12 18:36:38 2020-11-13 08:34:04 13:57:25.953 0 0 0 0 0 64
          IPv4 IGMP 192.168.1.21 224.0.0.22 11 440 220 40.0 40 2020-11-12 21:00:01 2020-11-13 08:10:14 11:10:13.464 0 0 0 0 0 1
          IPv4 ICMP 192.168.1.22 192.168.1.2 64 6,784 5,504 0.1 KiB/Sec 106.0 106 2020-11-12 13:42:59 2020-11-13 07:48:19 18:05:19.920 0 0 0 0 0 64

          IPv4 UDP 192.168.1.2 192.168.1.21 137 137 netbios-ns 43 3,354 2,150 78.0 78 2020-11-12 18:39:01 2020-11-13 08:16:46 13:37:44.586 4 System 0 0 0 0 0 64

          — does that help?

      • #2311620
        Alex5723
        AskWoody Plus

        I also see some ghost devices on my network like this Xiaomi smartphone.

        On the other hand the network doesn’t display the home 2 smartphones and laptop that are connected to the network.

        • #2311629
          CynicalSnail
          AskWoody Plus

          Windows’ network mapping is essentially useless – very, very limited.  Use WNW.

      • #2311838
        Paul T
        AskWoody MVP

        Log into your router and block the MAC addresses you are concerned about. See what fails.

        cheers, Paul

        • #2311848
          CynicalSnail
          AskWoody Plus

          The router has no record of those MACs, so they cannot be blocked.  Whatever they are doing is ‘inside’ the PC, nothing else seems to show.

          A new one has now appeared: D4-5D-64-29-26-27 – no manufacturer found.

          • #2311849
            PKCano
            Manager

            Suggestion:
            Run msinfo32.
            Look under Components\Network\Adapter
            See if there are any h/w components with those MAC addresses.

            • #2311853
              CynicalSnail
              AskWoody Plus

              Thanks for that suggestion.  Other than the NIC, there is only

              20:41:53:59:4E:FF     RAS Async Adapter
              02:00:4C:4F:4F:50    Microsoft Loopback Adapter

              neither of which are involved now (they also do not show in WNW or the Router’s lists).

              • This reply was modified 2 months, 1 week ago by CynicalSnail.
              • #2311906
                Susan Bradley
                Manager

                Hang on, you are using Avast VPN?  It’s as a result of the VPN.  It will set up loopback adapters on your networking stack.

                Susan Bradley Patch Lady

              • #2311941
                CynicalSnail
                AskWoody Plus

                No, never have.

                The point is that these items only showed up immediately after the update to Win7 that was made on Nov 2 – never before have I seen such a thing, and I have been running WNW for a long time now.  This really is as far as I am aware, a loopback has been on this machine from the beginning in that it seemed a normal item on  any occasion that checks were made or network traffic was monitored.

                If it is not meant to be there, how do I disable it to test, or delete if I do not need it at all?  I have no need of a VPN, but I surely have never installed an Avast VPN (I did try the AV at one stage, but found it problematic and dropped it – uninstalled – rather quickly).  The timing of this problem is really the odd thing.

              • #2311943
                PKCano
                Manager

                Wait.
                You have Win7? I missed that.
                This thread is about Win10 – this topic is in the Win10 Forum.
                The original OP’s question was concerning Win10.
                Your questions about Win7 are off-topic here.

              • #2311944
                CynicalSnail
                AskWoody Plus

                That I missed. I searched for a relevant topic to avoid posting redundancy.  The problem is general, surely, not Win10 restricted.  Ghost devices must be of interest everywhere.  But, an admin. is welcome to move this whole thing to another thread if that helps resolve it.

      • #2311841
        Alex5723
        AskWoody Plus

        WNW

        Wireless Network Watcher doesn’t work if your PC doesn’t see wi-fi connections (mine doesn’t).

        The devices in my post above are wired.

        • #2311851
          CynicalSnail
          AskWoody Plus

          WNW does work – every device that has ever connected (that I know about!) has always shown up – all phones, iPads, laptops … .  The “Wireless” bit of the name is misleading, it is not required on the PC.

      • #2311856
        Microfix
        AskWoody MVP

        I also have an Avast VPN.

        You’re brave given Avast’s history.
        Couldn’t possibly be linked to the Avast VPN, only active when the VPN is active? Virtual device


        No problem can be solved from the same level of consciousness that created IT- AE
        • #2311862
          CynicalSnail
          AskWoody Plus

          No VPN in use on my machine … but an interesting thought: virtual devices created by M$ – but for what?

          • #2311864
            Microfix
            AskWoody MVP

            Was referring to the original poster of the thread 🙂


            No problem can be solved from the same level of consciousness that created IT- AE
            • #2311867
              CynicalSnail
              AskWoody Plus

              Yes, I realized that, but the concept was potentially relevant, I thought.

          • #2311865
            PKCano
            Manager

            I suggested looking in msconfig32 b/c sometimes there are virtual devices listed under Network. I was shooting in the dark.

            Bluetooth devices also have broadcast MAC addresses.

            • #2311869
              CynicalSnail
              AskWoody Plus

              Thanks for that – I had not thought of that.  My iPhone is connected (and shows), but the Bluetooth MAC, one up from that of the WiFi, is not one of the offending items, and has never been seen on my LAN since there has never been a Bluetooth device connected.

      • #2311904
        Alex5723
        AskWoody Plus

        WNW does work

        Never worked fully on any of my PCs.

      • #2311979
        Paul T
        AskWoody MVP

        The router has no record of those MACs, so they cannot be blocked

        I would not be chasing things that don’t appear on the network. If they are only internal they are not malicious IMO.

        cheers, Paul

        • #2312003
          CynicalSnail
          AskWoody Plus

          OK, but how do we know?  It still does not explain why these three have turned up at all when the only event is the update.  There is clearly traffic of some kind that was not there before.

          Thanks.

      • #2312018
        Paul T
        AskWoody MVP

        does not explain why these three have turned up

        Vagaries of Windows?

        cheers, Paul

        • #2312020
          CynicalSnail
          AskWoody Plus

          No, this has to be deliberate, by design, not an accidental byproduct of bad programming.   Either way, it cannot be the case that it occurs only for me.

          I shall keep an eye on it, and try to find out what is going on.

          Thanks.

      • #2316816
        CynicalSnail
        AskWoody Plus

        Using Wireshark I have now captured data for a 400 min run, logging some 600-odd events involving the unknown MACs.  Several protocols are involved (NBNS, ICMP, MDNS, TLSv1.2, TCP, IGMPv3), all except the TCP is ‘internal’ – to or from the NIC.

        Curiously, both MACs are addressing 224.0.0.1, which seems to be associated with activity by iTunes or somesuch: https://stackoverflow.com/questions/12483717/what-is-the-multicast-doing-on-224-0-0-251    But, Bonjour has been disabled on my machine for a very long time, ProcessExplorer reports no instance, and the namespace providers are not loaded (Autoruns).   So is this Apple being sneaky somewhere else?  One of the MACs addresses 224.0.0.22, which might be no big deal, but still …

        However, the TCP packets originate from source 69.171.250.20 (addressing the LAN IP for MAC 26-25-00-42-1E-4E, TCP Retransmission), which apparently belongs to Facebook!   (And with bad certificates at that!)  What is going on?  That is a very specific targeting of a “device” on my machine by an external agent through a specific port (which GRC Shields Up! reports as ‘stealth’).

        It remains odd that these items have only just appeared, at the same time, and immediately after a Windows update.

        Any ideas?  Is there more I can get from the captured packets?

        Thanks.

        • This reply was modified 1 month, 3 weeks ago by CynicalSnail.
        • #2316820
          PKCano
          Manager

          I have two Seagate NAS drives. They come with Internet Services/Protocols integrated – iTunes, Facebook, various protocols, etc. When setting them up, I log in through the Seagate Dashboard and turn off the Services, Remote Administration, protocols I don’t want, etc.

          Perhaps the activity is initiated by the NAS instead of the computer or Router. There should be computer installable software to access the administration functions of the NAS. If it is not installed available on the NAS itself, check the mfg’s website.

          • #2316823
            CynicalSnail
            AskWoody Plus

            Thanks, but no new drives on this machine for a long time, no NAS ever in use, and no Seagate product anyway.

      • #2317039
        Paul T
        AskWoody MVP

        which GRC Shields Up! reports as ‘stealth’

        This doesn’t stop those ports being used. Your firewall will allow packets in, in response to packets out.

        Block some ports / IP addresses and see what breaks.

        cheers, Paul

        • This reply was modified 1 month, 3 weeks ago by Paul T.
        • #2317062
          CynicalSnail
          AskWoody Plus

          unknown MAC to NIC:  “ICMP 70 Destination unreachable (Port unreachable)” … is that not blocked?

          If not, how specifically do I do that?

          Thanks.

           

          • #2317064
            Paul T
            AskWoody MVP

            No idea how that relates as you have left out all the other details for that message.

            What are you trying to block?

            cheers, Paul

            • #2317065
              CynicalSnail
              AskWoody Plus

              I can post the full packet, of course … but what is the point?
              The thread makes it plain  what I am asking about: “ghost device” MACs that have only recently appeared.
              I am not trying to block anything in particular, I just have a decent firewall.  But activity that appears to be spoofing is a concern.  I would like to know what is going on, that is all.

               

      • #2317093
        Paul T
        AskWoody MVP

        If all the traffic is internal to the network, or your machine, then you have to shut everything down and fire things up bit by bit to work out what is producing the traffic.

        cheers, Paul

        • #2317105
          CynicalSnail
          AskWoody Plus

          Not a practical proposition, I’m afraid.  As I said at the beginning, this only started with the update I applied on Nov. 2.  There was no other change on the machine.  This is too much of a coincidence.  Bear in mind that I have had connected devices monitored for some years and these two did not appear before that point: these are logged as “first detected” on that date.

          There is no actual hardware device, so how do I identify the software that pretends by spoofing?  I can search the entire machine for such a string, if I knew what it would look like.

      • #2317113
        Paul T
        AskWoody MVP

        Nirsoft also have CurrPorts to show what app has ports open. And SmartSniff…

        cheers, Paul

        • #2317116
          CynicalSnail
          AskWoody Plus

          SmartSniff is much the same as WireShark.  CurrPorts does not do other than  TCP and UDP, and does not log, so I have to be very lucky to see ephemeral events (but they are not captured anyway).  WS does all protocols.

      • #2319187
        CynicalSnail
        AskWoody Plus

        A new one has just appeared: 3E-51-57-36-9D-8B

        Again, no actual hardware.

        • This reply was modified 1 month, 2 weeks ago by CynicalSnail.
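
Added example (not part of any post in this thread, and not code from any tool mentioned in it): the first octet of a MAC address carries two flag bits, and an address with the locally-administered bit set is not drawn from a manufacturer's IEEE block, so a vendor lookup has nothing to match. The Python sketch below decodes those bits and triages a constructed `arp -a` listing that reuses MAC addresses quoted in the thread; the function names and the IP-to-MAC pairings are assumptions made for the example.

```python
import re

# Constructed sample in the layout Windows `arp -a` prints. The unicast MAC
# addresses are ones quoted in this thread; the IP pairings are made up.
SAMPLE_ARP = """\
Interface: 192.168.1.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.50          2e-d6-ff-81-c2-aa     dynamic
  192.168.1.51          26-25-00-42-1e-4e     dynamic
  192.168.1.52          d4-5d-64-29-26-27     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE,
)


def mac_flags(mac):
    """Decode the two flag bits carried in the first octet of a MAC address."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = int(digits[:2], 16)
    return {
        "group": bool(first & 0x01),  # I/G bit: multicast or broadcast
        "local": bool(first & 0x02),  # U/L bit: assigned by software
    }


def triage(mac):
    """Return 'group', 'local' or 'universal' for one MAC address."""
    flags = mac_flags(mac)
    if flags["group"]:
        return "group"      # a multicast/broadcast mapping, not a device
    if flags["local"]:
        return "local"      # no vendor prefix exists to look up
    return "universal"      # first three octets are a vendor prefix (OUI)


def parse_arp(text):
    """Yield (ip, mac, kind) for every entry row of `arp -a` output."""
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            ip, mac, _entry_type = match.groups()
            yield ip, mac.upper(), triage(mac)


def unlookupable(text):
    """Unicast entries whose MAC cannot be matched to a manufacturer."""
    return [(ip, mac) for ip, mac, kind in parse_arp(text) if kind == "local"]


if __name__ == "__main__":
    for ip, mac, kind in parse_arp(SAMPLE_ARP):
        print(f"{ip:<16}{mac:<20}{kind}")
```

Entries reported as `local` were set by an operating system or driver (virtual adapters and randomized per-network addresses are the usual sources), so they have to be identified from the router's DHCP/ARP tables or from the traffic itself rather than from a manufacturer search.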