Windows update installed new network Connection

Guys, I recently updated windows and after restart it has created a new Local area connection labeled "Microsoft TV/Video connection" I tried to disable it but it say I can't, I tried looking for the service its tied to and can'f find much. After googling I found its associated with a TV capture card or Web cam, I have neither of these installed on my PC, and no my Graphics card doesnt have capture.

Ipconfig yeilds this adapted to have an IP of 0.1.0.4, I also see packets coming through my Cisco Pix that have the source of my lan adapted and within that packet the source of above. Also I have a Mcaffee IPS which is reporting it as a violation constantly.

Does anyone know more about this? I hope its not another Microsoft are going to play big brother thing. Or could it be some sort of virus my zone alarm and mcaffee havent picked up.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Silver Bullet

Is it listed in Device Manager? If so can you uninstall the driver for it there?

Does the route print command list any routes for this interface? If so, run netstat -a -o from a command prompt and see if you have any strange connections listening or established and note the PID from that connection. Then run tasklist /svc and find the PID that you noted from netstat to find out what service or services are using that connection and stop it using task manager. Then try removing/disabling the interface.

The first I have heard of this. Let us know how it progresses.

wildfire

route print reveals a default route to my ethernet interface. Aside from having lots of TCP and UDP connections I can only find one that looks consistant with this adapter, source port if 3434 (TCP) and the PID 5752

The process associated is one of the svchost.exe with an appended description of Upnp so stopping one of the svchost causes all hell. this is annoying me now not being able to remove it, I want to know what its doing, I used a Sniffer session and noticed its just a load of hex code its sending.

Silver Bullet

There are usually a few different svchosts running at the same time. You can make sure that you are stopping only the one that is associated with that adapter by enabling the view of the PID in the GUI task manager by clicking View>Select Columns. Then of course just put a check mark in PID(Process Identifier).

Might want to make sure the PID hasn't changed and then try it again by stopping only that svchosts for that PID by right clicking and choosing end process tree.

Or are you saying all kinda crazy stuff happened when you stopped only the svchost that was associated with that adapter?

Also since you say that it appears to be UPnP then check the status of the Universal Plug and Play Device Host in Services. If it is set to Automatic and Started then Stop this Service and change it's Startup Type to either Manual or Disabled.

Another thing you can look at is in the Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run and see if it is starting from there. If so, remove it and restart your PC and see if it is running. If it is not then remove it.

RussS

If you want to know what svchost is you can do this ..

Open command prompt and type

tasklist /svc >c:\taskList.txt

Then browser to the text file in C drive and read.

You should get something like ...

svchost.exe 920 DcomLaunch, TermService
svchost.exe 996 RpcSs
MsMpEng.exe 1092 WinDefend
svchost.exe 1132 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
dmserver, ERSvc, EventSystem, helpsvc,
lanmanserver, lanmanworkstation, Netman,
Nla, RasMan, Schedule, seclogon, SENS,
SharedAccess, ShellHWDetection, srservice,
TapiSrv, Themes, TrkWks, W32Time, winmgmt,
wscsvc, wuauserv, WZCSVC
svchost.exe 1192 Dnscache
svchost.exe 1280 LmHosts, RemoteRegistry, SSDPSRV, WebClient

A favourite of mine when sorting systems is ProcessExplorer

http://www.sysinternals.com/Utilities/ProcessExplorer.html

JDMurray

Are you sure that it wasn't there before you ran the update? Are you running Windows Media Center Edition? A network connection can be associated with software-only, so it's possible that it is spyware or a bot Trojan.