Rch.Sys trojan and weather channel desktop pops up

By tabasco139
Dec 9, 2009
  1. Had a trojan attack and removed "rch.sys" (gen-nullo) with Malwarebytes, SUPERAntiSpyware (free) and AVG. It installed Xobni and Weather Channel Desktop pops up. I never installed these applications on my machine. Attack occurred after attempting to read email from a Mac user (?). Attempted to remove Xobni and Weather Channel with the Remove/Add Software window. Xobni is gone but Weather Channel Desktop pops up every time I reboot the PC. I checked the startup window but it's empty. Any suggestion on how to proceed?
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please follow the steps HERE. Leave the 3 logs for review when finished.
  3. tabasco139

    tabasco139 TS Rookie Topic Starter

    Rch.sys trojan and weather change

    Here are my attached files you requested.

    Look forward to your reply.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you.

    Download the Flash Player Uninstaller and save it to your desktop.
    Choose the Flash Player Uninstaller for your browser. Don't run it yet.

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present: Note: Optional removals are coded in green:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - *{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)> See Option 1
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"">> See additional special instructions

    Close all Windows except HijackThis and click on "Fix Checked".

    Option 1: Possible Foistware/ Borderline Spyware: NetAssistantBHO
    Foistware is not malware but is bundled with another unrelated program and installs without your knowledge or permission. I recommend removal.
    Bundled with Freeze.com_Toolbar - a Softomate Toolbar variant - Softomate customizes toolbars to customers needs. The dll files for their toolbars contain some spyware/adware functionality, although not all of the toolbars use this. Some of the toolbars are fine to have, so every case is different. Your choice.

    Special instructions for Shockwave Updater:
    Flash player is known for leaving behind old insecure files. It is better to clean out the entire entry, uninstall, then reinstall:

    • Boot into Safe Mode
      [o] Restart your computer and start pressing the F8 key on your keyboard.
      [o] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Double-click the Flash Player Uninstaller setup on the desktop and run the uninstaller program.
    • Reboot your computer to complete the uninstall.
    • Download latest version of Flash Player HERE and save to the desktop.
    • Double click the setup and run to install. Reboot when through.
    • Once the new version is installed, follow the directions to disable the auto-updater.
      [1] Navigate to the Shockwave Welcome page:
      Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
      [2] Windows: Right click the Shockwave movie.
      [3] From the drop down menu choose "Properties".
      [4] Uncheck the box next to "Automatic Update Service" to disable the auto update feature.

    Please Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    Rescan with HijackThis and include new log in next reply, along with SDFix Report.
  5. tabasco139

    tabasco139 TS Rookie Topic Starter

    Ran everything as instructed.
    Weather channel window still appeared after the Fixtool ran.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry, I missed this. I didn't realize it was an issue since you are loading the program. Description: This is a valid program but it is not required to run on startup.

    O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    If this log is clean and the problems have been resolved, I'll have you remove the cleaning tools.
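An added PowerShell example, not from the thread or the helper's tools, that audits the same places HijackThis reports as O4 and R3 lines: the Run/RunOnce keys under HKCU and HKLM plus the IE URLSearchHooks key. It flags entries whose target file no longer exists (the "(no file)" case) and any value name you pass in, such as the DW6 entry above; the key paths and the command-line parsing are assumptions of this example.

```powershell
# Added example (not the forum's code): list autostart entries the way HijackThis
# O4 / R3 lines do and flag suspicious ones. Assumes Windows PowerShell 2.0+.
param([string[]]$WatchNames = @('DW6'))   # value names to highlight; 'DW6' is from the thread

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run value, whether it is quoted
# ("C:\Program Files\...\DesktopWeather.exe") or unquoted with arguments
# (C:\WINDOWS\system32\...\SwHelper_1151601.exe -Update ...).
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"')      { return $matches[1] }
    if ($cmd -match '^\s*(.+?\.exe)(\s|$)') { return $matches[1] }
    return $cmd.Trim()
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        $exe  = Get-ExePath $p.Value
        $flag = ''
        if (-not (Test-Path -LiteralPath $exe)) { $flag += ' <-- (no file)' }
        if ($WatchNames -contains $p.Name)      { $flag += ' <-- watched name' }
        "O4 - $key : [$($p.Name)] $($p.Value)$flag"
    }
}

# R3 - URLSearchHook: each value name is a CLSID; resolve it through
# HKCR\CLSID\{...}\InprocServer32 and report '(no file)' when the DLL is gone.
$hookKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
if (Test-Path $hookKey) {
    foreach ($p in (Get-ItemProperty -Path $hookKey).PSObject.Properties) {
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]+\}$') { continue }
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.Name)\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { $null }
        $state = if ($dll -and (Test-Path -LiteralPath $dll)) { $dll } else { '(no file)' }
        "R3 - URLSearchHook: $($p.Name) - $state"
    }
}
```

Run it from a normal prompt; reading HKLM needs no elevation, and the script only reports, it removes nothing.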
  7. tabasco139

    tabasco139 TS Rookie Topic Starter

    RCH.trojan and weather channel popup

    Thanks for the help so far... attempted to run the Eset NOD32 online Antivirus scanner as directed. Error message 404 appeared on the site; see attached.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't open files with a .doc format. Sorry. I have been experiencing an extremely slow internet all day- not site related.

    However, the embedded link I left is good- I just brought the site up using it. Please give it another try.
Topic Status:
Not open for further replies.