• Ghost computers and printers on my WIFI network

    #2293389

    When I go into my network on my PC, I can see my router, computer and printer, but at times see another computer or printer. When I click on the unknown entries and go to properties, it shows only MediaTek model MT53xx and a MAC address, no IP address or any other information. The entries will vary at times and go away the next time I look. I am running Windows 10 Home version with a Cisco router and WIFI, I have two computers and a printer on the network. I also have an Avast VPN. Everything works fine, but these ghost entries really bug me!! Any help or suggestions?

    Thanks Bill

    • #2293486

      MediaTek is a chip manufacturer, so you could be seeing a TV, phone or IoT device.
      Take the MAC address and search for the manufacturer. This usually gives you a good clue to the device.

      Connect to your router and look at active clients / DHCP leases.
      Can you see any matching MAC addresses?
      If the devices are rogue ones, you can block them at the router.

      cheers, Paul

    • #2293615

      If you do not see an IP address the devices are not connected (and should not show as connected in your router). The cause for these showing up in File Explorer is a Windows service named Windows Connect Now – Config Registrar.

      If you use the Wireless Protected Setup feature, then Windows Connect Now service aids you in connecting to your device.

      Directions using the user interface:

      1. Login as Administrator and press Win+R and type services.msc
      2. Find the Windows Connect Now – Config Registrar service and double click on the name.
      3. In the dialog box click on the Stop button, the service should quickly end.*
      4. Then in the same dialog box set the Startup type to Disabled, click on Apply, and Okay to continue.

      Directions using PowerShell or the Command Prompt:

      Right click on the Start Menu and then Click on PowerShell (Admin) or Command Prompt (Admin).

      Type these commands exactly as you see them*:
      net stop wcncsvc
      sc.exe config wcncsvc start= disabled

      Your neighbor’s gadgets will still advertise their presence but you will not see them now or after a restart in File Explorer.

      *If the service does not stop or accept being reconfigured then make a complete note of the error(s) and post it here for more help.

      2 users thanked author for this post.
    • #2293846

      Same here, something called iCamera, apparently an Android app, appeared, then disappeared.  Wonder if there’s an advertising period for Connect Now devices, so they disappear after a time.  I Disabled Connect Now-Config service.  Have to see if the app’s on any of our phones.

    • #2309713

      I have a related but even more obscure problem.  I use Wireless Network Watcher (Nirsoft) to keep an eye on my LAN, mostly to see when things are not working.  Three days ago (Nov 2), some odd devices appeared – no device details at all, and the MACs do not return anything on a search of several sites:  2E-D6-FF-81-C2-AA,  0E-A2-F4-54-B5-88, 26-25-00-42-1E-4E.     They connect briefly from time to time, but that is all that I can see.  They cannot be pinged.

      So what are they?  I have never seen anything like this appear before in several years of monitoring.  No new kit has been installed, no guest devices of any kind on the premises that I am aware of.  How do I find them?  Is this malware (a scan has produced nothing)?

      I have logged one item (-B5-88) being addressed using UDP by ‘System’ using netbios-ns, port 137, 78 packets at a time.  Is this a change in Windows (Pro, 7, 64-b) in the October update, just installed – Nov. 2! ?  Is this M$ being sneaky, yet again?

    • #2309898

      I use Wireless Network Watcher

      All that is telling you is there are wireless devices broadcasting locally.
      It does not tell you if they are connected to your wifi, you need to look on your router for that information.

      cheers, Paul

      • #2309951

        You miss the point: they are being addressed as destination by System.  This is not a broadcast detection problem (WNW finds all LAN connections).  My broadcast detector has seen nothing of these.  The router does not show anything when I look – they are only intermittent, well-spaced connections and are easily missed.

        Meanwhile, I have found that TeamViewer is the *source* of some of the packets on those addresses (ICMP, IGMP, UDP).  This is now disabled.  It was installed several months ago (start of lockdown), so it is odd that it only now appears as a ‘connected device’.

        But, what it appears to mean is that software can pretend to be a device with a MAC.  That is rather disturbing.  If that can be done, anything can be spoofed.

        • #2310098

          Sorry, I misunderstood the way WNW works.

          MAC spoofing has long been a thing in Windows and it’s now a standard feature on Macs.

          cheers, Paul

        • #2311407

          Update:

          I discovered that one of the MAC addresses was a replaced device on my electricity supply system (coincidentally the day after the Windows update).  The manufacturer does not include any id in the packet.

          Disabling Teams had no effect on the other two, so I uninstalled it.  Rebooted.  They are still there.  This is decidedly a function of the Windows update or something else is going on – malware I cannot detect.

          This is extremely annoying and worrying.  How can such things be tracked down, disabled or blocked.  How can the function be determined?

    • #2311412

      Which other 2?
      Can you post full details from WNW?

      cheers, Paul

      • #2311415

        The two offending are:

        26-25-00-42-1E-4E

        2E-D6-FF-81-C2-AA

        WNW shows nothing else.  I have nothing from my router either because they are intermittent – ~45 min intervals, but not really regular as far as I can tell.

        Thanks.

    • #2311420

      As they don’t have an IP address it seems likely they are not actually connected to your network. You can check this by looking at the DHCP clients on your router.

      cheers, Paul

      • #2311422

        They have IP addresses, of course, dynamically assigned by the router, which is why they show in WNW, but those are essentially irrelevant, and meaningless outside my LAN, as they do not point at anything visible.

         

    • #2311618

      Please provide full details of the devices as requested. We can’t help if you only give us tidbits.

      cheers, Paul

      • #2311619

        If I knew any more I would have told you already.  All I can see is a MAC.    Plainly, a router-assigned IPA is not informative in itself.

        As for traffic, I have since found I can detect some:

        | Ethernet Type | IP Protocol | Source Address | Destination Address | Source Port | Destination Port | Service Name | Packets Count | Total Packets Size | Total Data Size | Data Speed | Average Packet Size | Maximum Packet Size | First Packet Time | Last Packet Time | Duration | Process ID | Process Filename | TCP Ack/Push/Reset/Syn/Fin | TTL |
        |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
        | IPv4 | UDP | 192.168.1.21 | 224.0.0.251 | 5353 | 5353 | | 43 | 6,020 | 4,816 | | 140.0 | 140 | 2020-11-12 18:16:17 | 2020-11-13 08:50:50 | 14:34:33.474 | | | 0/0/0/0/0 | 255 |
        | IPv4 | ICMP | 192.168.1.21 | 192.168.1.2 | | | | 40 | 2,240 | 1,440 | | 56.0 | 56 | 2020-11-12 18:36:38 | 2020-11-13 08:34:04 | 13:57:25.953 | | | 0/0/0/0/0 | 64 |
        | IPv4 | IGMP | 192.168.1.21 | 224.0.0.22 | | | | 11 | 440 | 220 | | 40.0 | 40 | 2020-11-12 21:00:01 | 2020-11-13 08:10:14 | 11:10:13.464 | | | 0/0/0/0/0 | 1 |
        | IPv4 | ICMP | 192.168.1.22 | 192.168.1.2 | | | | 64 | 6,784 | 5,504 | 0.1 KiB/Sec | 106.0 | 106 | 2020-11-12 13:42:59 | 2020-11-13 07:48:19 | 18:05:19.920 | | | 0/0/0/0/0 | 64 |
        | IPv4 | UDP | 192.168.1.2 | 192.168.1.21 | 137 | 137 | netbios-ns | 43 | 3,354 | 2,150 | | 78.0 | 78 | 2020-11-12 18:39:01 | 2020-11-13 08:16:46 | 13:37:44.586 | 4 | System | 0/0/0/0/0 | 64 |

        — does that help?

    • #2311620

      I also see some ghost devices on my network like this Xiaomi smartphone.

      On the other hand the network doesn’t display the home 2 smartphones and laptop that are connected to the network.

    • #2311838

      Log into your router and block the MAC addresses you are concerned about. See what fails.

      cheers, Paul

      • #2311848

        The router has no record of those MACs , so they cannot be blocked.  Whatever they are doing is ‘inside’ the PC, nothing else seems to show.

        A new one has now appeared: D4-5D-64-29-26-27 – no manufacturer found.

        • #2311849

          Suggestion:
          Run msinfo32.
          Look under Components\Network\Adaptor
          See if there are any h/w components with those MAC addresses.

          • #2311853

            Thanks for that suggestion.  Other than the NIC, there is only

            20:41:53:59:4E:FF     RAS Async Adapter
            02:00:4C:4F:4F:50    Microsoft Loopback Adapter

            neither of which are involved now (they also do not show in WNW or the Router’s lists).

            • This reply was modified 2 years, 4 months ago by CynicalSnail.
            • #2311906

              Hang on you are using Avast VPN?  it’s as a result of the vpn.  It will set up loopback adapters on your networking stack.

              Susan Bradley Patch Lady

            • #2311941

              No, never have.

              The point is that these items only showed up immediately after the update to Win7 that was made on Nov 2 – never before have I seen such a thing, and I have been running WNW for a long time now.  This really is as far as I am aware, a loopback has been on this machine from the beginning in that it seemed a normal item on  any occasion that checks were made or network traffic was monitored.

              If it is not meant to be there, how do I disable it to test, or delete if I do not need it at all?  I have no need of a VPN, but I surely have never installed an Avast VPN (I did try the AV at one stage, but found it problematic and dropped it – uninstalled – rather quickly).  The timing of this problem is really the odd thing.

            • #2311943

              Wait.
              You have Win7? I missed that.
              This thread is about Win10 – this topic is in the Win10 Forum.
              The original OP’s question was concerning Win10.
              Your questions about Win7 are off-topic here.

            • #2311944

              That I missed. I searched for a relevant topic to avoid posting redundancy.  The problem is general, surely, not Win10 restricted.  Ghost devices must be of interest everywhere.  But, an admin. is welcome to move this whole thing to another thread if that helps resolve it.

    • #2311841

      WNW

      Wireless Network Watcher doesn’t work if your PC doesn’t see wi-fi connections (mine doesn’t).

      The devices in my post above are wired.

      • #2311851

        WNW does work – every device that has ever connected (that I know about!) has always shown up – all phones, iPads, laptops … .  The “Wireless” bit of the name is misleading, it is not required on the PC.

    • #2311856

      I also have an Avast VPN.

      You’re brave given Avast’s history
      Couldn’t possibly be linked to the Avast VPN, only active when the VPN is active? Virtual device

      Keep IT Lean, Clean and Mean!
      • #2311862

        No VPN in use on my machine … but an interesting thought: virtual devices created by M$ – but for what?

        • #2311864

          Was referring to the original poster of the thread 🙂

          Keep IT Lean, Clean and Mean!
        • #2311865

          I suggested looking in msconfig32 b/c sometimes there are virtual devices listed under Network. I was shooting in the dark.

          Bluetooth devices also have broadcast MAC addresses.

          • #2311869

            Thanks for that – I had not thought of that.  My iPhone is connected (and shows), but the Bluetooth MAC, one up from that of the WiFi, is not one of the offending items, and has never been seen on my LAN since there has never been a Bluetooth device connected.

    • #2311904

      WNW does work

      Never worked fully on any of my PCs.

    • #2311979

      The router has no record of those MACs , so they cannot be blocked

      I would not be chasing things that don’t appear on the network. If they are only internal they are not malicious IMO.

      cheers, Paul

      • #2312003

        OK, but how do we know?  It still does not explain why these three have turned up at all when the only event is the update.  There is clearly traffic of some kind that was not there before.

        Thanks.

    • #2312018

      does not explain why these three have turned up

      Vagaries of Windows?

      cheers, Paul

      • #2312020

        No, this has to be deliberate, by design, not an accidental byproduct of bad programming.   Either way, it cannot be the case that it occurs only for me.

        I shall keep an eye on it, and try to find out what is going on.

        Thanks.

    • #2316816

      Using Wireshark I have now captured data for a 400 min run, logging some 600-odd events involving the unknown MACs.  Several protocols are involved (NBNS, ICMP, MDNS, TLSv1.2, TCP, IGMPv3), all except the TCP is ‘internal’ – to or from the NIC.

      Curiously, both MACs are addressing 224.0.0.1, which seems to be associated with activity by iTunes or somesuch: https://stackoverflow.com/questions/12483717/what-is-the-multicast-doing-on-224-0-0-251    But, Bonjour has been disabled on my machine for a very long time, ProcessExplorer reports no instance, and the namespace providers are not loaded (Autoruns).   So is this Apple being sneaky somewhere else?  One of the MACs addresses 224.0.0.22, which might be no big deal, but still …

      However, the TCP packets originate from source 69.171.250.20 (addressing the LAN IP for MAC 26-25-00-42-1E-4E, TCP Retransmission), which apparently belongs to Facebook!   (And with bad certificates at that!)  What is going on?  That is a very specific targeting of a “device” on my machine by an external agent through a specific port (which GRC Shields Up! reports as ‘stealth’).

      It remains odd that these items have only just appeared, at the same time, and immediately after a Windows update.

      Any ideas?  Is there more I can get from the captured packets?

      Thanks.

      • This reply was modified 2 years, 3 months ago by CynicalSnail.
      • #2316820

        I have two Seagate NAS drives. They come with Internet Services/Protocols integrated – iTunes, Facebook, various protocols, etc. When setting them up, I log in through the Seagate Dashboard and turn off the Services, Remote Administration, protocols I don’t want, etc.

        Perhaps the activity is initiated by the NAS instead of the computer or Router. There should be computer installable software to access the administration functions of the NAS. If it is not installed available on the NAS itself, check the mfg’s website.

    • #2317039

      which GRC Shields Up! reports as ‘stealth’

      This doesn’t stop those ports being used. Your firewall will allow packets in, in response to packets out.

      Block some ports / IP addresses and see what breaks.

      cheers, Paul

      • This reply was modified 2 years, 3 months ago by Paul T.
      • #2317062

        unknown MAC to NIC:  “ICMP 70 Destination unreachable (Port unreachable)” … is that not blocked?

        If not, how specifically do I do that?

        Thanks.

         

        • #2317064

          No idea how that relates as you have left out all the other details for that message.

          What are you trying to block?

          cheers, Paul

          • #2317065

            I can post the full packet, of course … but what is the point?
            The thread makes it plain  what I am asking about: “ghost device” MACs that have only recently appeared.
            I am not trying to block anything in particular, I just have a decent firewall.  But activity that appears to be spoofing is a concern.  I would like to know what is going on, that is all.

             

    • #2317093

      If all the traffic is internal to the network, or your machine, then you have to shut everything down and fire things up bit by bit to work out what is producing the traffic.

      cheers, Paul

      • #2317105

        Not a practical proposition, I’m afraid.  As I said at the beginning, this only started with the update I applied on Nov. 2.  There was no other change on the machine.  This is too much of a coincidence.  Bear in mind that I have had connected devices monitored for some years and these two did not appear before that point: these are logged as “first detected” on that date.

        There is no actual hardware device, so how do I identify the software that pretends by spoofing?  I can search the entire machine for such a string, if I knew what it would look like.

    • #2317113

      Nirsoft also have CurrPorts to show what app has ports open. And SmartSniff…

      cheers, Paul

      • #2317116

        SmartSniff is much the same as WireShark.  CurrPorts does not do other than  TCP and UDP, and does not log, so I have to be very lucky to see ephemeral events (but they are not captured anyway).  WS does all protocols.

    • #2319187

      A new one has just appeared: 3E-51-57-36-9D-8B

      Again, no actual hardware.

      • This reply was modified 2 years, 3 months ago by CynicalSnail.
    • #2406073

      2E-D6-FF-81-C2-AA
      6E-23-49-F7-57-D8
      AE-67-87-BB-EE-66
      16-31-7B-52-D7-79

      This is getting silly …

    • #2406158

      D4-5D-64-29-26-27

      That appears to be an Asustek device.

    • #2406188

      So it seems – but that search produced nothing at the time, as I said.
      But the others?  Still ghosts?
      Thank you.

    • #2406376

      As I said at the beginning, this only started with the update I applied on Nov. 2. There was no other change on the machine.

      As a test, uninstall the update?

      Win 10 home - 22H2
      Attitude is a choice...Choose wisely

    • #2406454

      The router surely only controls traffic through it. If these ‘devices’ are in my PC then it only stops external comms – which is fine, happy for that.  Now done for all 6 that I have identified.  Now to see what is broken!

      This is on Win 7, not 10.  This is not a wireless machine, fixed location, hardwired.

      Thanks.

    • #2539165

      I have identified at least part of the problem.  My iPhone has random MAC selected for wifi connections (see https://support.apple.com/en-gb/guide/security/secb9cb3140c/web).

      I have three possible wifi connections here (2G, 5G and a mesh), each gives a different MAC (see Wi-Fi address info under the connection).  It seems that the MAC is not entirely random, but specific for the connection, hence reproducible (so far).

      That accounts for 3 of the unknowns at least … but it still seems as though software on the PC can generate ‘local’ MACs.  Why is there no documentation for this anywhere?  Nobody seems to have a clue about this.  All the chats are unhelpful, and mostly wrong by omission in this respect.
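
The MAC addresses posted in this thread can be sorted by the two flag bits in the first octet (IEEE 802): a set 0x02 bit marks a locally administered address, which the OS or software assigns (randomized Wi-Fi private addresses are of this kind) and which has no registered vendor prefix for a lookup site to return. This is an added example, not part of any post in the thread; the function names are illustrative and the address list is copied from the posts above.

```python
# Added example (not from the thread): sort MAC addresses by the flag bits
# in their first octet to decide which ones a vendor (OUI) lookup can resolve.
import re

# MAC addresses quoted in the thread's posts, copied as written there.
THREAD_MACS = [
    "2E-D6-FF-81-C2-AA", "0E-A2-F4-54-B5-88", "26-25-00-42-1E-4E",
    "D4-5D-64-29-26-27", "3E-51-57-36-9D-8B", "6E-23-49-F7-57-D8",
    "AE-67-87-BB-EE-66", "16-31-7B-52-D7-79",
    "20:41:53:59:4E:FF", "02:00:4C:4F:4F:50",
]


def parse_mac(text):
    """Return the six octets of a MAC written with '-', ':', '.' or no separator."""
    digits = re.sub(r"[-:.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def classify_mac(text):
    """Decode the U/L (0x02) and I/G (0x01) bits of the first octet."""
    octets = parse_mac(text)
    first = octets[0]
    return {
        "mac": octets.hex("-").upper(),
        "oui": octets[:3].hex("-").upper(),
        # Set: assigned by software/OS (randomized or virtual adapter address).
        "locally_administered": bool(first & 0x02),
        # Set: group (multicast/broadcast) address, never a single device.
        "multicast": bool(first & 0x01),
    }


def triage(macs):
    """Group addresses by the next check that makes sense for each."""
    report = {"lookup_vendor": [], "software_assigned": [], "group_address": []}
    for mac in macs:
        info = classify_mac(mac)
        if info["multicast"]:
            report["group_address"].append(info["mac"])
        elif info["locally_administered"]:
            # No registered OUI exists; compare against the router's DHCP
            # leases and each phone/tablet's per-network Wi-Fi address.
            report["software_assigned"].append(info["mac"])
        else:
            # A cleared bit only means an OUI lookup is worth trying; it does
            # not prove the prefix is registered to a vendor.
            report["lookup_vendor"].append(info["mac"])
    return report


if __name__ == "__main__":
    for bucket, macs in triage(THREAD_MACS).items():
        print(f"{bucket}: {', '.join(macs) or '-'}")
```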
