Fresh after recovery, I figured I write a small piece before I go home. If you’re seeing ad pop-ups or pop-unders from sites that load up something like rhpop-xxxxxx.js then you might have the sweetcaptcha plugin installed on your wordpress site. Let’s hope you’re the one who installed it — not the hacker :-), you might want to de-activate it and remove it from your system. Their site has been compromised and the wordpress plugin has also been pulled off the list. More general info here:
Happy hunting…..