Popup issues

Lexluethar

I need some help in fixing a client's PC.

Background:
System is running XP SP3. The PC gets random popups. The internet will work fine, but at random times you get popups saying you've won prizes, you have viruses, etc. There are no malicious icons in the system tray (as if he installed something). You can leave the PC alone, come back about 30 minutes later and you'll have about 5 popups.

I've tried:
-Running updated Malwarebytes and cleaning everything off, it finds nothing now
-Running updated Spybot, immunizing and scanning, it cleaned stuff off too but now finds nothing
-Reinstalling IE, disabling popups on IE and setting the security level to highest
-Deleted all files from Prefetch
-Deleting all cookies and temp files
-Ensuring the connection tab on IE isn't using a proxy server, it's set to just detect settings automatically
-Windows firewall is on, ensured there were no exceptions that should be there
-Nothing malicious that I've found in task manager running in the background, doesn't mean they aren't there but all processes I've seen are legit
-Nothing starting up in msconfig that shouldn't be
-No programs installed that shouldn't be

Setup:
This PC is remote, I'm using LogMeIn to troubleshoot the issue. I can walk the user through safe mode (and LogMeIn does have a safe mode feature).

Not sure where else to take this one. If it were local I'd just do a repair install on the machine.

Any help or guidance would be appreciated.
 
Since it is an XP machine you can use Osiris's guide on it. Basically, it uses ComboFix, Malwarebytes, and HijackThis and has the user post the logs here on TF so they can be read. The reader will let you know what to delete and to rescan.

Here's a link for XP:
XP Full

ComboFix will kill your connection when it scans BTW. I think all three will run in safe mode, though.
 
Much appreciated, I'll run that tomorrow (PC is offline now). I figured I'd have to do that but wanted to check with you guys first.
 
Agreed - I'm still trying to get combo to work. AVG is installed and it won't allow me to uninstall through the program so I'm going to have to remove the registry key manually.

It's bad if I'm in safe mode, Spybot and malware won't find anything yet you still get popups. I thought maybe they were using his IP to spam attack him... but I can't change the IP because he doesn't use a router.
 
Disabling Messenger Service in Windows XP

Just a thought. But if you're in safe mode and still getting the junk it sounds as if the Messenger Service is still active. I know that it should have been disabled with the install of SP2 or SP3 but it is worth a try.
 
Try using Revo Uninstaller to nix AVG, Lex. It will pull up both leftover files and registry entries. Just make sure to only check the bolded entries before you tell it to delete them. ;)
 
Try using a BartPE disk with some of this stuff on there. Either that or a Hiren's or Avast bootable disk.
 
I used the AVG removal tool last night - I don't think it got everything because ComboFix still threw up some errors - ComboFix still ran though. Once, I presume, it restarted and didn't start up right, because the PC never came back online (or the owner turned it off).

Once I get these logs I'll post them for you guys.
 