Masters

Everything posted by Masters

  1. Thanks for helping, Borislav. I have run the TDSSKiller application. It found one infected driver. I then rebooted as directed. Following is the log. I left out the list of drivers it scanned for easier reading.

     2010/12/28 07:08:09.0848 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
     2010/12/28 07:08:09.0848 ====================================================
     2010/12/28 07:08:09.0848 SystemInfo:
     2010/12/28 07:08:09.0848
     2010/12/28 07:08:09.0848 OS Version: 5.1.2600 ServicePack: 3.0
     2010/12/28 07:08:09.0848 Product type: Workstation
     2010/12/28 07:08:09.0848 ComputerName: RANDY-LT
     2010/12/28 07:08:09.0848 UserName: randy
     2010/12/28 07:08:09.0848 Windows directory: C:\WINDOWS
     2010/12/28 07:08:09.0848 System windows directory: C:\WINDOWS
     2010/12/28 07:08:09.0848 Processor architecture: Intel x86
     2010/12/28 07:08:09.0848 Number of processors: 1
     2010/12/28 07:08:09.0848 Page size: 0x1000
     2010/12/28 07:08:09.0848 Boot type: Normal boot
     2010/12/28 07:08:09.0848 ====================================================
     2010/12/28 07:08:10.0449 Initialize success
     2010/12/28 07:08:20.0974 ====================================================
     2010/12/28 07:08:20.0974 Scan started
     2010/12/28 07:08:20.0974 Mode: Manual;
     2010/12/28 07:08:20.0974 ====================================================
     2010/12/28 07:10:26.0044 Scan finished
     2010/12/28 07:10:26.0044 ====================================================
     2010/12/28 07:10:26.0064 Detected object count: 1
     2010/12/28 07:11:26.0040 Cdrom (a31d3f13c972a6a5cb3b15f69fa3b531) C:\WINDOWS\system32\DRIVERS\cdrom.sys
     2010/12/28 07:11:26.0040 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: a31d3f13c972a6a5cb3b15f69fa3b531, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
     2010/12/28 07:11:29.0836 Backup copy found, using it..
     2010/12/28 07:11:29.0956 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured after reboot
     2010/12/28 07:11:29.0956 Rootkit.Win32.TDSS.tdl3(Cdrom) - User select action: Cure
     2010/12/28 07:12:20.0088 Deinitialize success

     So far, there have been no pop-ups. On a possibly unrelated issue, I set the Malwarebytes protection mode to on and set start with Windows. Until yesterday, this has always enabled protection on Windows start up. Now, when I boot the system, Malwarebytes protection is disabled. I have to manually start the protection. I have performed a full scan after updating the application to 1.50.1.1100 and the database to version 5405. It found no suspicious items.
  2. I continually get a Malwarebytes pop-up stating 'Successfully blocked IP access to a potentially malicious site' Type: outgoing. There are several different IP addresses that show up. This is a sample from the protection log:

     11:20:28 randy IP-BLOCK 194.8.251.137 (Type: outgoing)
     11:20:41 randy IP-BLOCK 194.8.251.136 (Type: outgoing)
     11:20:44 randy IP-BLOCK 194.8.251.136 (Type: outgoing)
     11:20:50 randy IP-BLOCK 194.8.251.136 (Type: outgoing)
     11:21:02 randy IP-BLOCK 212.117.177.13 (Type: outgoing)
     11:21:05 randy IP-BLOCK 212.117.177.13 (Type: outgoing)
     11:21:11 randy IP-BLOCK 212.117.177.13 (Type: outgoing)
     11:21:23 randy IP-BLOCK 212.117.177.13 (Type: outgoing)
     11:21:26 randy IP-BLOCK 212.117.177.13 (Type: outgoing)
     11:21:32 randy IP-BLOCK 212.117.177.13 (Type: outgoing)
     11:21:44 randy IP-BLOCK 194.8.251.138 (Type: outgoing)
     11:21:47 randy IP-BLOCK 194.8.251.138 (Type: outgoing)
     11:21:53 randy IP-BLOCK 194.8.251.138 (Type: outgoing)
     11:27:11 randy IP-BLOCK 194.60.205.222 (Type: outgoing)
     11:27:14 randy IP-BLOCK 194.60.205.222 (Type: outgoing)
     11:27:20 randy IP-BLOCK 194.60.205.222 (Type: outgoing)
     11:27:32 randy IP-BLOCK 89.187.53.53 (Type: outgoing)
     11:27:35 randy IP-BLOCK 89.187.53.53 (Type: outgoing)
     11:27:41 randy IP-BLOCK 89.187.53.53 (Type: outgoing)
     11:27:53 randy IP-BLOCK 194.60.205.222 (Type: outgoing)
     11:27:56 randy IP-BLOCK 194.60.205.222 (Type: outgoing)
     11:28:02 randy IP-BLOCK 194.60.205.222 (Type: outgoing)

     These aren't all the IP addresses. It seems to try some for a while, then it goes to a different set. A full scan shows no viruses or malware.
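The retry-then-switch pattern the second post describes is easier to see when the protection log is summarised per destination. The following is an added example, not code from the poster or from Malwarebytes; it assumes the line format exactly as quoted in the post and uses a constructed subset of the post's own log lines as input.

```python
import re
from datetime import datetime

# Constructed sample in the Malwarebytes protection-log format quoted in the post
# (time, user, verdict, IP, direction), using a subset of the addresses it lists.
SAMPLE_LOG = """\
11:20:28 randy IP-BLOCK 194.8.251.137 (Type: outgoing)
11:20:41 randy IP-BLOCK 194.8.251.136 (Type: outgoing)
11:20:44 randy IP-BLOCK 194.8.251.136 (Type: outgoing)
11:20:50 randy IP-BLOCK 194.8.251.136 (Type: outgoing)
11:21:02 randy IP-BLOCK 212.117.177.13 (Type: outgoing)
11:21:05 randy IP-BLOCK 212.117.177.13 (Type: outgoing)
11:21:11 randy IP-BLOCK 212.117.177.13 (Type: outgoing)
11:27:11 randy IP-BLOCK 194.60.205.222 (Type: outgoing)
11:27:32 randy IP-BLOCK 89.187.53.53 (Type: outgoing)
11:27:53 randy IP-BLOCK 194.60.205.222 (Type: outgoing)
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) IP-BLOCK "
                     r"(\d{1,3}(?:\.\d{1,3}){3}) \(Type: (\w+)\)$")

def parse_log(text):
    """Yield (time, user, ip, direction) per well-formed IP-BLOCK line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # unrelated or malformed lines are skipped, not guessed at
            yield datetime.strptime(m[1], "%H:%M:%S"), m[2], m[3], m[4]

def outgoing_runs(events):
    """Collapse consecutive outgoing blocks to one IP into runs of
    {ip, attempts, seconds}: how often one address was retried, and for how
    long, before the process moved to the next. Retrying server after server
    is the failover behaviour the post describes; browsers do not do that."""
    runs = []
    for when, _user, ip, direction in events:
        if direction != "outgoing":
            continue
        if runs and runs[-1]["ip"] == ip:
            runs[-1]["attempts"] += 1
            runs[-1]["seconds"] = int((when - runs[-1]["first"]).total_seconds())
        else:
            runs.append({"ip": ip, "attempts": 1, "seconds": 0, "first": when})
    return [{k: v for k, v in r.items() if k != "first"} for r in runs]

def summarize(text, min_retries=2):
    """Distinct IPs retried >= min_retries times in a row, plus the number of
    server switches. High values while on-demand scans stay clean point at a
    component the scanner cannot see (the first post's TDSSKiller run found one)."""
    runs = outgoing_runs(parse_log(text))
    retried = sorted({r["ip"] for r in runs if r["attempts"] >= min_retries})
    return {"retried_ips": retried, "switches": max(len(runs) - 1, 0)}
```

Run on the full log from the post, the summary shows every address retried several times at roughly 3-6 second intervals before the next one is tried, which is why the blocks keep reappearing even though the on-demand scan is clean.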