Using Windows XP with all updates in place and AVG as anti-virus and no funny Toolbars in IE6


Have scanned PC in Normal Mode AND in Safe Mode with Ad-Aware, Spybot & Ewido and these now find no problems.


Also have used Hijack which using www.hijackthis.de advises no problems.


But still get popups!!!

Also the ISP - Metronet - claims to have a firewall in place & XP firewall turned on.


I could use a system restore but I'd rather solve the existing problem in case it happens again


Any clues????

regards

elpmek

Hi there Elpmek , welcome to PCHF.


Sounds like you have an Apropos rootkit on there , let's get rid of it.



Please download AproposFix.exe - but do NOT run it yet.
http://swandog46.geekstogo.com/aproposfix.exe

Boot youre pc in safemode (hit f8 when booting up)

Once in Safe Mode, double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode.

When done please post a HijackThis log (hjt.de is good , but does make mistakes) , and the log.txt file in the aproposfix folder.

logs attached

thanks
elpmek

Nope , it wasn't apropos. And i dont really see anything in youre hjt log , only messenger plus3 , wich often also comes with a Lop.com infection but i see no evidence of Lop.com in youre log.

Did you already have messenger plus installed before the popups begon?

And can you do a Panda active scan here and post the log from that?

http://www.pandasoftware.com/products/activescan

Messenger was loaded before this popup outbreak

Panda log attached

elpmek

You do have a Lop.com infection on there im afraid.


1. Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove) (see quote below)
2. The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.
3. The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.
4. If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.
5. To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer and, hopefully one nasty infection is gone.


Then do another panda scan please and post the new log from it.

Followed instructions - didn't quite go as planned as got messages about corrupt files etc.
Anyway it said MessengerPlus was removed.
Did Panda scan (attached) & LOP still present so will reinstall Messenger Plus & remove again.

Will advise after that...


elpmek