Windows Defender downloading while disabled?


#1 Alchemist


Posted 11 August 2015 - 09:20 PM

To my knowledge the "Windows Defender" has never been activated on my computer. In fact, when I type "defender" into the search box and click the "Windows Defender" result that pops up, I get a dialog box that says this program is turned off and click here to activate it. Yet, when I start the system resources monitor to see why my connection is downloading at full speed I see MpCmdRun.exe is responsible. This is part of Windows Defender. If this is disabled, why is it downloading anything at all? And why is it downloading from a non-Microsoft site? The IP address it is connecting to is part of Oar.net, which is a (state) government website. WTF is going on?



#2 hamluis


Posted 12 August 2015 - 01:19 PM

Well...is this system part of an oar.net network?

 

Please download MiniToolBox, save it to your desktop and run it.
 
Checkmark the following checkboxes:
  List last 10 Event Viewer log
  List Installed Programs
  List Users, Partitions and Memory size.
 
Click Go and paste the content into your next post.
 
Also...please Publish a Snapshot using Speccy - http://www.bleepingcomputer.com/forums/topic323892.html/page__p__1797792#entry1797792, taking care to post the link of the snapshot in your next post.
 
Louis



#3 Alchemist


Posted 15 August 2015 - 10:05 AM

Well, there is at least one odd thing I found by running minitoolbox. The SQL server I was using for a class has not been completely uninstalled. I need to figure out why it is still trying to start the MySQL server and remove that. Here is the info from Minitoolbox:

 

MiniToolBox by Farbar  Version: 25-07-2015 01
Ran by <me> (administrator) on 15-08-2015 at 10:59:15
Running from "D:\cd_archives\Misc\SYSTEM"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Model: MS-7592 Manufacturer: MSI
Boot Mode: Normal
***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/15/2015 09:11:00 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/13/2015 10:06:51 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2015 03:31:34 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2015 03:13:04 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2015 10:17:17 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2015 09:35:44 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2015 03:24:19 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2015 09:47:21 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/10/2015 05:09:55 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2015 08:06:29 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

System errors:
=============
Error: (08/15/2015 09:51:36 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.203.2263.0).

Error: (08/15/2015 09:51:07 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
    New Signature Version:
    Previous Signature Version: 1.203.1950.0
    Update Source: %NT AUTHORITY59
    Update Stage: 4.8.0204.00
    Source Path: 4.8.0204.01
    Signature Type: %NT AUTHORITY602
    Update Type: %NT AUTHORITY604
    User: NT AUTHORITY\SYSTEM
    Current Engine Version: %NT AUTHORITY605
    Previous Engine Version: %NT AUTHORITY606
    Error code: %NT AUTHORITY607
    Error description: %NT AUTHORITY608

Error: (08/15/2015 09:09:21 AM) (Source: Service Control Manager) (User: )
Description: The MySQL service failed to start due to the following error:
%%2

Error: (08/13/2015 10:30:57 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.203.2082.0).

Error: (08/13/2015 10:30:32 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
    New Signature Version:
    Previous Signature Version: 1.203.1950.0
    Update Source: %NT AUTHORITY59
    Update Stage: 4.8.0204.00
    Source Path: 4.8.0204.01
    Signature Type: %NT AUTHORITY602
    Update Type: %NT AUTHORITY604
    User: NT AUTHORITY\SYSTEM
    Current Engine Version: %NT AUTHORITY605
    Previous Engine Version: %NT AUTHORITY606
    Error code: %NT AUTHORITY607
    Error description: %NT AUTHORITY608

Error: (08/13/2015 10:05:27 AM) (Source: Service Control Manager) (User: )
Description: The MySQL service failed to start due to the following error:
%%2

Error: (08/12/2015 03:29:59 PM) (Source: Service Control Manager) (User: )
Description: The MySQL service failed to start due to the following error:
%%2

Error: (08/12/2015 03:11:25 PM) (Source: Service Control Manager) (User: )
Description: The MySQL service failed to start due to the following error:
%%2

Error: (08/12/2015 10:15:39 AM) (Source: Service Control Manager) (User: )
Description: The MySQL service failed to start due to the following error:
%%2

Error: (08/11/2015 09:50:23 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.203.1950.0).


Microsoft Office Sessions:
=========================
Error: (08/15/2015 09:11:00 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/13/2015 10:06:51 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2015 03:31:34 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2015 03:13:04 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2015 10:17:17 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2015 09:35:44 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2015 03:24:19 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2015 09:47:21 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/10/2015 05:09:55 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2015 08:06:29 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

=========================== Installed Programs ============================
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
CCleaner (HKLM\...\CCleaner) (Version: 5.06 - Piriform)
CDBurnerXP (HKLM\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.2.4478 - CDBurnerXP)
CyberPower PowerPanel Personal Edition 1.5 (HKLM-x32\...\{949DDF99-2238-45E8-B15F-4A46C0E64558}) (Version: 1.5 - Cyber Power Systems, Inc.)
Foxit Cloud (HKLM-x32\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 3.6.122.702 - Foxit Software Inc.)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 7.2.0.722 - Foxit Software Inc.)
Free Download Manager 3.9.3 (HKLM-x32\...\Free Download Manager_is1) (Version:  - FreeDownloadManager.ORG)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.1 - Google Inc.) Hidden
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.37 - Irfan Skiljan)
LibreOffice 4.4 Help Pack (English (United States)) (HKLM-x32\...\{659B795E-2F52-4FFF-98AA-DAD354CEEEF8}) (Version: 4.4.3.2 - The Document Foundation)
LibreOffice 4.4.3.2 (HKLM-x32\...\{A651A592-2F6C-4D66-AEA8-9BFE4B61BCB3}) (Version: 4.4.3.2 - The Document Foundation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4737.1003 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.8.204.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft Visio Professional 2013 (HKLM-x32\...\Office15.VISPROR) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Motorola Device Manager (HKLM-x32\...\{28DB8373-C1BB-444F-A427-A55585A12ED7}) (Version: 2.4.5 - Motorola Mobility)
Motorola Device Software Update (HKLM-x32\...\{894AB83D-A9AF-4E54-BFF3-A7262A0A6C13}) (Version: 13.09.3001 - Motorola Mobility) Hidden
Motorola Mobile Drivers Installation 6.3.0 (HKLM\...\{759E6A2F-1F01-45EF-A0C4-22F1B56CB975}) (Version: 6.3.0 - Motorola Mobility LLC)
Mozilla Firefox 40.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 40.0 (x86 en-US)) (Version: 40.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 40.0.0.5697 - Mozilla)
Mozilla Thunderbird 38.1.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 38.1.0 (x86 en-US)) (Version: 38.1.0 - Mozilla)
Mp3tag v2.58 (HKLM-x32\...\Mp3tag) (Version: v2.58 - Florian Heidenreich)
MSI Afterburner 3.0.1 (HKLM-x32\...\Afterburner) (Version: 3.0.1 - MSI Co., LTD)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
NVIDIA 3D Vision Controller Driver 335.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 335.21 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 335.23 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 335.23 - NVIDIA Corporation)
NVIDIA Graphics Driver 335.23 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 335.23 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
Office 15 Click-to-Run Extensibility Component (HKLM-x32\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.4737.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-008F-0000-1000-0000000FF1CE}) (Version: 15.0.4737.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM-x32\...\{90150000-008C-0409-0000-0000000FF1CE}) (Version: 15.0.4737.1003 - Microsoft Corporation) Hidden
Outils de vérification linguistique 2013 de Microsoft Office - Français (HKLM-x32\...\{90150000-001F-040C-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
RAPTOR (HKLM-x32\...\{BDC0F063-0061-400B-800B-2546B9338BA0}) (Version: 4.0.6004 - USAFA)
SeaMonkey 2.33.1 (x86 en-US) (HKLM-x32\...\SeaMonkey 2.33.1 (x86 en-US)) (Version: 2.33.1 - Mozilla)
Secure Download Manager (HKLM-x32\...\{E040B65B-8683-4228-8C33-D44A141E40EA}) (Version: 3.1.60 - Kivuto Solutions Inc.)
SMPlayer 14.9.0.6740 (x64) (HKLM\...\SMPlayer) (Version: 14.9.0.6740 - Ricardo Villalba)
Speccy (HKLM\...\Speccy) (Version: 1.27 - Piriform)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version:  - )
Transmission-Qt (HKLM\...\Transmission-Qt) (Version: 2.84 - Transmission)

========================= Memory info: ===================================
Percentage of memory in use: 27%
Total physical RAM: 8191.24 MB
Available physical RAM: 5950.32 MB
Total Virtual: 16380.69 MB
Available Virtual: 13843.87 MB

========================= Partitions: =====================================
1 Drive c: (System) (Fixed) (Total:90 GB) (Free:21.83 GB) NTFS
2 Drive d: (Data) (Fixed) (Total:250 GB) (Free:164.36 GB) NTFS
3 Drive e: (Media) (Fixed) (Total:250 GB) (Free:124.74 GB) NTFS
4 Drive f: (Storage) (Fixed) (Total:250 GB) (Free:160.26 GB) NTFS
5 Drive g: (Buffer) (Fixed) (Total:10 GB) (Free:9.89 GB) NTFS

========================= Users: ========================================
User accounts for \\THING1

Administrator            Guest                    <me>                     


**** End of log ****
 

And the speccy link is here: http://speccy.piriform.com/results/UzVlha8Zym00AjsJHOVsmfm


Edited by hamluis, 16 August 2015 - 11:19 AM.


#4 Alchemist


Posted 15 August 2015 - 11:30 AM

After seeing all those errors installing MSIE definition updates, I forced a manual update. Weirdly, it did NOT download and install the updates. It simply changed the line in the Windows Update box to say they were installed. No network or disk activity involved. Since this looks like some sort of fakery I decided to look for clever malware, downloaded MBAM 2.1.8.1057 and ran it in safe mode. No threats detected. Either it's too new to show up yet or it's not malware causing the problems with MSIE definition updates. Any other ideas?
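
Added example (not part of the original thread or any poster's code): a small parser for the MiniToolBox event-log format pasted in post #3. It pulls out the failed definition updates, their error code, and the "Previous Signature Version" reported by Microsoft Antimalware. The embedded log excerpt is copied from that post and trimmed; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Excerpt of the "System errors" section from the MiniToolBox log in post #3 (trimmed).
SAMPLE_LOG = """\
Error: (08/15/2015 09:51:36 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.203.2263.0).

Error: (08/15/2015 09:51:07 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
    New Signature Version:
    Previous Signature Version: 1.203.1950.0

Error: (08/15/2015 09:09:21 AM) (Source: Service Control Manager) (User: )
Description: The MySQL service failed to start due to the following error:
%%2

Error: (08/13/2015 10:30:57 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.203.2082.0).

Error: (08/11/2015 09:50:23 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.203.1950.0).
"""

# The log writes the header both with and without a space before "(User:".
HEADER = re.compile(r"^Error: \((?P<when>[^)]+)\) \(Source: (?P<source>[^)]+)\) ?\(User: (?P<user>[^)]*)\)$")
FAILED_DEF = re.compile(r"error (0x[0-9A-Fa-f]{8}): Definition Update for (.+?) - (KB\d+) \(Definition ([\d.]+)\)")
PREV_SIG = re.compile(r"Previous Signature Version: ([\d.]+)")

def parse_events(text):
    """Split a MiniToolBox event dump into dicts: when, source, user, body."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = dict(m.groupdict(), body=[])
            events.append(current)
        elif current is not None and line.strip():
            current["body"].append(line.strip())
    for e in events:
        e["body"] = "\n".join(e["body"])
    return events

def summarize_definition_failures(events):
    """Collect failed definition updates and the signature versions reported as previous."""
    failed, previous = [], set()
    for e in events:
        for code, product, kb, version in FAILED_DEF.findall(e["body"]):
            failed.append((e["when"], product, kb, version, code))
        previous.update(PREV_SIG.findall(e["body"]))
    return {
        "by_source": Counter(e["source"] for e in events),
        "failed": failed,
        "error_codes": sorted({f[4] for f in failed}),
        "previous_signature_versions": sorted(previous),
    }

if __name__ == "__main__":
    report = summarize_definition_failures(parse_events(SAMPLE_LOG))
    print(report)
```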

#5 hamluis


Posted 15 August 2015 - 05:02 PM

You did not answer the few questions I posted.

 

Louis



#6 Alchemist


Posted 16 August 2015 - 08:51 AM

Questions? I only see one question and the answer is no. My personal machine is not part of oar.net and my ISP is not either. That is an educational network which I usually only see when I use university library sites.

#7 hamluis


Posted 16 August 2015 - 11:21 AM

http://www.file.net/process/mpcmdrun.exe.html

 

I would try the Fixit at https://support.microsoft.com/en-us/kb/976982#/en-us/kb/976982.

 

Louis



#8 Alchemist


Posted 29 August 2015 - 10:07 AM

And this morning it downloaded a large amount of data from a small ISP on the other end of the state right after booting. This is really weird.





