New here, suspicious log entries for weeks, powershell logs, etc.

[sctludwig]

I am running Malwarebytes Premium
ver 5.1.4.112
Update package version 1.0.84489
Component package version 1.0.1233

These are some of my System log file entries after unplugging machine from router,
(I have been seeing a lot of suspicious activity on this machine, new HP Pavilion TP01-3016):

LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.    PackageName: negoexts
LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.    PackageName: kerberos
LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.    PackageName: msv1_0
LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.    PackageName: tspkg
LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.    PackageName: pku2u
LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.    PackageName: cloudap
LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.    PackageName: wdigest
LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.    PackageName: schannel
LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.    PackageName: sfapm
LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.    PackageName: msv1_0

Remote calls to the SAM database are being restricted using the default security descriptor: O:SYG:SYD:(A;;RC;;;BA).

The domain is configured with the following minimum password length-related settings.

MinimumPasswordLength: 0
RelaxMinimumPasswordLengthLimits: 0
MinimumPasswordLengthAudit: -1
For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.

File System Filter 'applockerfltr' (10.0, ‎2008‎-‎07‎-‎12T14:16:33.000000000Z) has successfully loaded and registered with Filter Manager.
File System Filter 'bfs' (10.0, ‎1970‎-‎07‎-‎19T04:36:58.000000000Z) has successfully loaded and registered with Filter Manager.
File System Filter 'wcifs' (10.0, ‎2065‎-‎03‎-‎01T23:54:53.000000000Z) has successfully loaded and registered with Filter Manager.
File System Filter 'luafv' (10.0, ‎2059‎-‎02‎-‎13T02:28:11.000000000Z) has successfully loaded and registered with Filter Manager.
File System Filter 'CldFlt' (10.0, ‎2097‎-‎10‎-‎22T13:24:28.000000000Z) has successfully loaded and registered with Filter Manager.
File System Filter 'CldFlt' (Version 10.0, ‎2097‎-‎10‎-‎22T13:24:28.000000000Z) unloaded successfully.
File System Filter 'CldFlt' (10.0, ‎2097‎-‎10‎-‎22T13:24:28.000000000Z) has successfully loaded and registered with Filter Manager.
File System Filter 'storqosflt' (10.0, ‎2039‎-‎04‎-‎21T18:36:38.000000000Z) has successfully loaded and registered with Filter Manager.

User Logon Notification for Customer Experience Improvement Program

File System Filter 'mbamchameleon' (10.0, ‎2024‎-‎04‎-‎15T13:13:00.000000000Z) has successfully loaded and registered with Filter Manager.
File System Filter 'bindflt' (10.0, ‎2032‎-‎10‎-‎19T18:22:30.000000000Z) has successfully loaded and registered with Filter Manager.

Attempted to reserve URL http://*:5357/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:80/Temporary_Listen_Addresses/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://*:5358/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://+:5986/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:5985/wsman/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://*:2869/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://+:3392/rdp/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:3387/rdp/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:10246/MDEServer/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL https://+:10245/WMPNSSv4/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:10243/WMPNSSv4/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM
Attempted to reserve URL http://+:10247/apps/. Status 0x0. Process Id 0x4 Executable path , User SYSTEM

Found passthru disk: SCSI Port: 0, SCSI Bus: 3, SCSI Target: 0, PCIe SSD, 256060514304 bytes, SAMSUNG MZVL4256HBJD-00BH1        

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

vmswitch.sys build 22621.amd64.ni_release_svc_prod3, debug false, official true, 1 1

DHCPv4 client service is started

DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal

DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal

DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.WamProviderRegistration

DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal

DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal

DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.WamProviderRegistration

DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.CapabilityAccess

DCOM got error "1084" attempting to start the service camsvc with arguments "Unavailable" in order to run the server:
Windows.Internal.CapabilityAccess.Management.CapabilityUsage

This event triggers the Trusted Platform Module (TPM) provisioning/status check to run.

[Porthos]

@sctludwig

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes: Please pay close attention the the instructions in all of the following links.

• If you have not done so already - Enable System Protection and create a NEW System Restore Point
• Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention the the instructions in all of the following links.

1. Click the following link and run a  Scan with AdwCleaner
2. Click the following link and run a  Scan with Malwarebytes 
      RESTART the computer
3. Click the following link and run a  Scan with Farbar Recovery Scan Tool 

Example image of where to click to attach files when posting your reply

Then be patient for the next expert to take your case.

 

Thank you

[sctludwig]

FRST.txt Addition.txt

[sctludwig]

Thank you Porthos!

 

[AdvancedSetup]

Where are the logs for Malwarebytes and Adwcleaner?

 

[sctludwig]

Malwarebytes Scan Report 2024-05-11 013856.txt AdwCleaner[C00].txt

[AdvancedSetup]

Thank you for the logs

Please run the following

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 

Select the     Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt   Note the space between KVRT.exe and -dontencrypt C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.   That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed...   Thank you

 

 

[sctludwig]

report_2024.05.10_18.51.20.klr.txt

[AdvancedSetup]

That scan found nothing.

Please run the following scan

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

• Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

[sctludwig]

Fast startup turned off.
Hidden files and folder shown.
Microsoft Safety Scanner started.

[AdvancedSetup]

It's almost 11:00 PM for me and was off work at 5:00 PM

I'll try and reply later if I can but if not then some time over the weekend

 

[AdvancedSetup]

Did the Microsoft scan complete @sctludwig

Please post the log

Thank you

 

[AdvancedSetup]

Are you still with us @sctludwig