Services missing and Random Chrome popup ads

I have used your advice to help others in the past, but now I have a virus that I can't fix myself.

Lenovo T500 laptop, Vista Home Basic, 32bit, SP2. Core2 Duo, 3GB RAM.

Problems:
Services don't start (Firewall, Microsoft Essentials service, Security Center service.) They are not even listed in the services list, just gone. There may be other services missing also. So none of the applications that rely on those services will run, including Security Essentials, System Restore, Firewall, Security Center. There are many services running, so it is not that virus that disables all services. It seems that the security oriented services are the ones affected.

Chrome browser randomly pops open a new tab with a "facebook" URL that quickly redirects to an ad. This happens without clicking on anything, usually within 10 seconds after opening a new tab or browser instance, but it is not repeatable, just random time and destination, some of the ads are sexual, others are shady but legit. The last time it happened I noticed that the page it goes to for a split second before going to the destination ad page is a facebook domain page. It disappeared too quickly for me to see if it was actually facebook.com or just a look alike domain with the word "facebook" in there. This split second page always happens before the ad appears, but sometimes there is a big orange or green button in the middle of an empty white screen shown first which says "Redirecting" or somrthing like that. The virus does not seem to be affecting IE8 at all, it is behaving perfectly.

Chrome (or the virus) is also throwing red screen warnings "SSL Error" that the security certificates of all of the https:// sites I was visiting were weak. I have never seen this before in Chrome. Other security oriented messages from Chrome also started appearing in the last day or so. Maybe it is a new feature of Chrome, or maybe it is that my Windows Security services are all dead. I do not see any weak certificate warnings from IE8 visiting the same pages, like my search page "startpage.com."

The "back" browser command doesn't work easily like before. Most of the time now, to go back to the previous page I have to press the back button a few times very quickly to escape the trap. This normally never happens on these sites.

Then I noticed that my Sonos PC controller could not connect to the Sonos system because of a firewall problem. That's when I realized several services were down and my virus protection was disabled.

Some of the ads are
http: // finance - reporting . org (runs script upon trying to leave page)

I will ad more details of the ads and the redirection page if I can catch it.


Hosts files is clean.
I scanned with MalwareBytes Antimalware it removed 2 trojans but that didn't fix.
System Restore was not able to complete a restore because the service was missing.
I booted into Safe Mode to try the System Restore there, but it did not help, still failed the system restore.
I scanned with updated Spybot Search and Destroy, it removed 3 items, but didn't fix the problem.
Microsoft System Essentials is down so I can't update or scan with that. This is my main protection, definitions were updated on 7/20 along with Windows updates.
I scanned with Hijack This, but I didn't see anything weird, but could have been something posing as safe.
I don't see anything in process list that looks unfamiliar or strange.

It might have become infected when my son was using it yesterday afternoon. He was playing Minecraft.net when a popup appeared during his gameplay saying he needed to update Adobe product appeared and he clicked "Run." When he saw the loading bar he clicked cancel. Don't know if it was really Adobe or not. He was also on playlist.com to listen to music. He uses IE8, not Chrome, so the popup he saw was not this virus. But it could have been infected when I pressed the button on the Chrome security warnings to "Proceed Anyway" to a site that I thought was OK, but maybe it wasn't. I don't think a weak SSL cert can infect a computer.

I mostly use Chrome browser and that is where I see the popup hijacks. The homepage is not affected, so it's not a true hijack, I guess.

Thanks for any help!
Rich

I was able to screen capture one of the redirect pages before it redirected to Monster.com

The hijack seems to happen soon after a new instance of the Chrome browser. Opening new tabs does not trigger a random popup ad.

On one hijack it did go to www.facebook.com domain first, but it is not consistent. Another time it went to attached this URL (attached pic) before landing on MySpace.com

When I saw the previous "get answers fast" URL I learned that is the name of a virus. So I ran RKill but nothing was mentioned in the log of RKill removed items. I ran MBAM again with tomorrow's definition but it didn't find anything. But the hijacks continue.

I have also ran Kaspersky TDSKiller. It does not find anything when using normal settings. If I check both 'additional options' boxes then it finds some items but quarantining those did not stop the problem.

Problems fixed. You can close this thread. Thanks

It was Sirefef.R.

Thanks for the update... If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

• Simple and easy ways to keep your computer safe.
• How did I get infected?, With steps so it does not happen again!.
• Hardening Windows Security - Part 1 & Part 2.
• Configuring Internet Explorer for Practical Security and Privacy - How to Secure Your Web Browser.
• Your Guide To Staying Safe Online.
• Use Task Manager to close pop-up messages to safely exit malware attacks.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

• Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

• USB-Based Malware Attacks.
• When is AUTORUN.INF really an AUTORUN.INF?.
• Please disable Autorun asap!.