Lenovo T500 laptop, Vista Home Basic, 32bit, SP2. Core2 Duo, 3GB RAM.
Services don't start (Firewall, Microsoft Essentials service, Security Center service.) They are not even listed in the services list, just gone. There may be other services missing also. So none of the applications that rely on those services will run, including Security Essentials, System Restore, Firewall, Security Center. There are many services running, so it is not that virus that disables all services. It seems that the security oriented services are the ones affected.
Chrome browser randomly pops open a new tab with a "facebook" URL that quickly redirects to an ad. This happens without clicking on anything, usually within 10 seconds after opening a new tab or browser instance, but it is not repeatable, just random time and destination, some of the ads are sexual, others are shady but legit. The last time it happened I noticed that the page it goes to for a split second before going to the destination ad page is a facebook domain page. It disappeared too quickly for me to see if it was actually facebook.com or just a look alike domain with the word "facebook" in there. This split second page always happens before the ad appears, but sometimes there is a big orange or green button in the middle of an empty white screen shown first which says "Redirecting" or somrthing like that. The virus does not seem to be affecting IE8 at all, it is behaving perfectly.
Chrome (or the virus) is also throwing red screen warnings "SSL Error" that the security certificates of all of the https:// sites I was visiting were weak. I have never seen this before in Chrome. Other security oriented messages from Chrome also started appearing in the last day or so. Maybe it is a new feature of Chrome, or maybe it is that my Windows Security services are all dead. I do not see any weak certificate warnings from IE8 visiting the same pages, like my search page "startpage.com."
The "back" browser command doesn't work easily like before. Most of the time now, to go back to the previous page I have to press the back button a few times very quickly to escape the trap. This normally never happens on these sites.
Then I noticed that my Sonos PC controller could not connect to the Sonos system because of a firewall problem. That's when I realized several services were down and my virus protection was disabled.
Some of the ads are
http: // finance - reporting . org (runs script upon trying to leave page)
I will ad more details of the ads and the redirection page if I can catch it.
Hosts files is clean.
I scanned with MalwareBytes Antimalware it removed 2 trojans but that didn't fix.
System Restore was not able to complete a restore because the service was missing.
I booted into Safe Mode to try the System Restore there, but it did not help, still failed the system restore.
I scanned with updated Spybot Search and Destroy, it removed 3 items, but didn't fix the problem.
Microsoft System Essentials is down so I can't update or scan with that. This is my main protection, definitions were updated on 7/20 along with Windows updates.
I scanned with Hijack This, but I didn't see anything weird, but could have been something posing as safe.
I don't see anything in process list that looks unfamiliar or strange.
It might have become infected when my son was using it yesterday afternoon. He was playing Minecraft.net when a popup appeared during his gameplay saying he needed to update Adobe product appeared and he clicked "Run." When he saw the loading bar he clicked cancel. Don't know if it was really Adobe or not. He was also on playlist.com to listen to music. He uses IE8, not Chrome, so the popup he saw was not this virus. But it could have been infected when I pressed the button on the Chrome security warnings to "Proceed Anyway" to a site that I thought was OK, but maybe it wasn't. I don't think a weak SSL cert can infect a computer.
I mostly use Chrome browser and that is where I see the popup hijacks. The homepage is not affected, so it's not a true hijack, I guess.
Thanks for any help!
Edited by hamluis, 24 July 2012 - 09:37 AM.
Moved from Vista to Am I Infected - Hamluis.