sctludwig


  1. Fast startup turned off. Hidden files and folder shown. Microsoft Safety Scanner started.
  2. I am running Malwarebytes Premium ver 5.1.4.112, Update package version 1.0.84489, Component package version 1.0.1233. These are some of my System log file entries after unplugging machine from router (I have been seeing a lot of suspicious activity on this machine, new HP Pavilion TP01-3016):

     LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. PackageName: negoexts
     LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. PackageName: kerberos
     LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. PackageName: msv1_0
     LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. PackageName: tspkg
     LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. PackageName: pku2u
     LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. PackageName: cloudap
     LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. PackageName: wdigest
     LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. PackageName: schannel
     LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. PackageName: sfapm
     LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard. PackageName: msv1_0
     Remote calls to the SAM database are being restricted using the default security descriptor: O:SYG:SYD:(A;;RC;;;BA).
     The domain is configured with the following minimum password length-related settings. MinimumPasswordLength: 0 RelaxMinimumPasswordLengthLimits: 0 MinimumPasswordLengthAudit: -1 For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.
     The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.
     File System Filter 'applockerfltr' (10.0, 2008-07-12T14:16:33.000000000Z) has successfully loaded and registered with Filter Manager.
     File System Filter 'bfs' (10.0, 1970-07-19T04:36:58.000000000Z) has successfully loaded and registered with Filter Manager.
     File System Filter 'wcifs' (10.0, 2065-03-01T23:54:53.000000000Z) has successfully loaded and registered with Filter Manager.
     File System Filter 'luafv' (10.0, 2059-02-13T02:28:11.000000000Z) has successfully loaded and registered with Filter Manager.
     File System Filter 'CldFlt' (10.0, 2097-10-22T13:24:28.000000000Z) has successfully loaded and registered with Filter Manager.
     File System Filter 'CldFlt' (Version 10.0, 2097-10-22T13:24:28.000000000Z) unloaded successfully.
     File System Filter 'CldFlt' (10.0, 2097-10-22T13:24:28.000000000Z) has successfully loaded and registered with Filter Manager.
     File System Filter 'storqosflt' (10.0, 2039-04-21T18:36:38.000000000Z) has successfully loaded and registered with Filter Manager.
     User Logon Notification for Customer Experience Improvement Program
     File System Filter 'mbamchameleon' (10.0, 2024-04-15T13:13:00.000000000Z) has successfully loaded and registered with Filter Manager.
     File System Filter 'bindflt' (10.0, 2032-10-19T18:22:30.000000000Z) has successfully loaded and registered with Filter Manager.
     Attempted to reserve URL http://*:5357/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL http://+:80/Temporary_Listen_Addresses/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL https://*:5358/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL https://+:5986/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL http://+:5985/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL http://*:2869/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL https://+:3392/rdp/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL http://+:3387/rdp/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL http://+:10246/MDEServer/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL https://+:10245/WMPNSSv4/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL http://+:10243/WMPNSSv4/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Attempted to reserve URL http://+:10247/apps/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
     Found passthru disk: SCSI Port: 0, SCSI Bus: 3, SCSI Target: 0, PCIe SSD, 256060514304 bytes, SAMSUNG MZVL4256HBJD-00BH1
     The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
     The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
     vmswitch.sys build 22621.amd64.ni_release_svc_prod3, debug false, official true, 1 1
     DHCPv4 client service is started
     DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server: Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
     DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server: Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
     DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
     DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server: Windows.Internal.Security.Authentication.Web.WamProviderRegistration
     DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.CapabilityAccess
     DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server: Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.CapabilityAccess
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.CapabilityAccess
     DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server: Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.CapabilityAccess
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.CapabilityAccess
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.CapabilityAccess
     DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server: Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
     DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server: Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
     DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
     DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server: Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.CapabilityAccess
     DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server: Windows.Internal.Security.Authentication.Web.WamProviderRegistration
     DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server: Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.CapabilityAccess
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.CapabilityAccess
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.CapabilityAccess
     DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server: Windows.Internal.CapabilityAccess.Management.CapabilityUsage
     This event triggers the Trusted Platform Module (TPM) provisioning/status check to run.