Frequent attempts by System to access 137 at various IP addresses

[Protopia]

Malwarebytes is reporting frequent (couple of times per hour) attempts by SYSTEM to access port 137 on various internet addresses. Unfortunately it does not give any information as to which process is requesting SYSTEM to do this.

Neither Malwarebytes nor ESET have reported anything on their weekly scans. I have run MSERT with a full scan and (after 3 days) it found no viruses.

I have no idea how to proceed further to narrow this down.

Any ideas?

[MKDB]

Hello @Protopia  and 

 

My name is MKDB and I will assist you.

 

 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

• Please follow the steps in the given order and post back the log files.
• Please copy and paste all log files into your post.
• Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
• Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.
• If you do not respond within 4 days, your topic will be closed.
• Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. If you are running any kin of illegal software on your system, please uninstall them now, before we start the cleaning procedure.

 

 

Step 1

• Please download the Malwarebytes Support Tool (MBST).
• Run MBST and accept license agreement.
• In the left navigation pane of MBST, click Advanced.
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply.

 

Thank you!

[Protopia]

Thank you. Here are the results.

I am suspecting that it is qBitTorrent which is causing this, but no idea how to narrow it down further to a specific torrent or a specific search plugin.

I have stopped running qBitTorrent for the moment to see if this stops these detections.

mbst-grab-results.zip

[MKDB]

@Protopia

Thanks for those information and the .zip file.

BitTorrent may the reason for those detections... Let me know if stopping BitTorrent stopped the detections.

I'll review your log files now.

Edited July 2 by MKDB

[MKDB]

@Protopia

Please run MSS and KVRT.

 

 

Step 1

The Microsoft Safety Scanner (MSS) is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

• The download links & the how-to-run-the tool are at this link at Microsoft.
• Please let me know the results of this scan.
• Run a Full Scan.
• The log is named MSERT.log.
• The log will be at%SYSTEMROOT%\debug\msert.log which in most cases is

C:\Windows\debug\msert.log

• Please attach that log with your next reply.

 

 

 

Step 2

Download Kaspersky Virus Removal Tool (KVRT) and save it to your Desktop.

• Select the Windows Key and R Key together, the Run box should open.
• Copy and paste the following string into the line:

C:\Users\Paul\Desktop\KVRT.exe -dontencrypt

• Select „Ok“ in the Run box.
• If the „Windows protected your PC“ window opens, select „More info“. A new windows will open, select „Run anyway“.
• An EULA window from KVRT will open, tick all confirmation boxes then select "Accept".
• A window from KVRT will open, select "Change Parameters".
• In the new window ensure the following boxes are ticked:
  • System memory
  • Startup objects
  • Boot sectors
  • System drive

• Then select "OK" and „Start scan“.

• completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
• Usually, your system needs a reboot to finish the removal process.
• Logfiles can be found on your systemdrive (usually C: ), similar like this:

C:\KVRT2020_Data\Reports\report_<data>_<time>.klr

• Right click direct onto those reports, select > open with > Notepad.
• Save the files and attach them with your next reply.

 

 

 

[Protopia]

I already ran scans using ESET, MSERT, MalwareBytes, Sophos Hitman, and they were clean. Unfortunately I deleted the MSERT log and it will take 3 days to run it again (I have c. 4TB of data).

I will run the Kaspersky tool tomorrow and let you know.

[MKDB]

Thanks @Protopia.

No need to run MSERT again, just run KVRT and post that logfile.

Furthermore, let me know if stopping BitTorrent stopped the detections by MBAM.

Thanks!

Edited July 3 by MKDB

[MKDB]

Hi @Protopia,

do you still need help? If so, please follow my instructions and post the logfiles.

Thank you.

[Protopia]

Stopping qBitTorrent did indeed stop the messages. So I am going to assume it is that and investigate that further myself.

Thanks for your help. You can close this. 

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you