Rch.Sys trojan and weather channel desktop pops up

Status
Not open for further replies.
Had a trojan attack and removed "rch.sys" (gen-nullo) with Malwarebytes, SuperAntiSpyware (free) and AVG. It installed Xobni, and Weather Channel Desktop pops up. I never installed these applications on my machine. Attack occurred after attempting to read email from a Mac user (?). Attempted to remove Xobni and Weather Channel with the Remove/Add Software window. Xobni is gone but Weather Channel Desktop pops up every time I reboot the PC. I checked the startup window but it's empty. Any suggestion on how to proceed?
 
Thank you.

Download the Flash Player Uninstaller and save it to your desktop.
Choose the Flash Player Uninstaller for your browser: http://www.adobe.com/shockwave/download/alternates/ Don't run it yet.

Please reopen HijackThis to 'do system scan only.' Check each of the following if present: Note: Optional removals are coded in green:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - *{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)> See Option 1
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://calcchat.tdlc.com/free_solutions/test.html">> See additional special instructions


Close all Windows except HijackThis and click on "Fix Checked".

Option 1: Possible Foistware/ Borderline Spyware: NetAssistantBHO
Foistware is not malware but is bundled with another unrelated program and installs without your knowledge or permission. I recommend removal.
Bundled with Freeze.com_Toolbar, a Softomate Toolbar variant. Softomate customizes toolbars to customers' needs. The dll files for their toolbars contain some spyware/adware functionality, although not all of the toolbars use this. Some of the toolbars are fine to have, so every case is different. Your choice.

Special instructions for Shockwave Updater:
Flash player is known for leaving behind old insecure files. It is better to clean out the entire entry, uninstall, then reinstall:

  • Boot into Safe Mode
    [o] Restart your computer and start pressing the F8 key on your keyboard.
    [o] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  • Double-click the Flash Player Uninstaller setup on the desktop and run the uninstaller program.
  • Reboot your computer to complete the uninstall.
  • Download the latest version of Flash Player HERE and save it to the desktop.
  • Double-click the setup and run it to install. Reboot when through.
  • Once the new version is installed, follow the directions to disable the auto-updater.
    [1] Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
    Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
    [2] Windows: Right click the Shockwave movie.
    [3] From the drop down menu choose "Properties".
    [4] Uncheck the box next to "Automatic Update Service" to disable the auto update feature.

Please Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

Rescan with HijackThis and include new log in next reply, along with SDFix Report.
 
Sorry, I missed this. I didn't realize it was an issue since you are loading the program. Description: This is a valid program but it is not required to run on startup.

O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"

13. How do I remove Desktop weather from my desktop?

To remove or uninstall Desktop Weather from your computer, click on "Start" - "Programs" - "The Weather Channel" - "Desktop Weather". Then click on the Uninstall program. Follow the prompts to remove Desktop Weather.

You may also remove the application by clicking on "Start", followed by "Settings", then "Control Panel." Then click on "Add/Remove Programs." From the list, select "The Weather Channel," and then click on "Add/Remove." Follow the prompts to uninstall the application.

To remove Weather Services from your PC, you click on "Start" - "Settings" - "Control Panel". Double click on the "Desktop Weather" weather services icon, then click on the "Uninstall Weather Services" button. This should remove any remaining elements from your system.

http://www.weather.com/services/desktop_install_faq.html

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
If this log is clean and the problems have been resolved, I'll have you remove the cleaning tools.
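As an added example that is not part of this thread or of HijackThis itself, the Python helper below parses the R1/R3/O4 log line formats quoted in the first reply and the O4 Run entry for DesktopWeather quoted in this one, and flags the two things the replies single out: URLSearchHook entries backed by "(no file)" and Run/RunOnce autostart entries, with the executable path extracted so it can be checked on disk. The sample lines are constructed from the thread (the Shockwave command line is abbreviated and the last O4 line is invented for contrast); the `exists` predicate is injectable so the triage runs offline.

```python
"""HijackThis-style log triage (added example for this thread; not HijackThis code).

Parses the R1 / R3 / O4 line formats quoted in the replies above and flags
URLSearchHook entries with "(no file)" and Run/RunOnce autostarts whose target
is missing on disk or whose command line carries a URL argument.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

# Constructed sample input, taken from the thread (Shockwave line abbreviated, last line invented).
SAMPLE_LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop",
    r"R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r'O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"http://calcchat.tdlc.com/free_solutions/test.html"',
    r'O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"',
    r'O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /minimized',
]


@dataclass
class Entry:
    kind: str                      # "R1", "R3" or "O4"
    raw: str
    hive: Optional[str] = None     # HKCU / HKLM
    label: Optional[str] = None    # value name (R1), CLSID (R3) or runkey:[label] (O4)
    target: Optional[str] = None   # URL (R1), hook file (R3) or exe path (O4)
    flags: List[str] = field(default_factory=list)


R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - (?P<clsid>\*?\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<runkey>Run(?:Once)?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")


def exe_from_command(cmd: str) -> str:
    """Return the executable path from an O4 command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line into an Entry; other HijackThis line types return None."""
    line = line.strip()
    m = R1_RE.match(line)
    if m:
        return Entry("R1", line, hive=m["key"].split("\\")[0],
                     label=m["value"].strip(), target=m["data"].strip())
    m = R3_RE.match(line)
    if m:
        e = Entry("R3", line, label=m["clsid"], target=m["file"].strip())
        if e.target == "(no file)":
            e.flags.append("orphaned URLSearchHook: CLSID has no backing file")
        return e
    m = O4_RE.match(line)
    if m:
        exe = exe_from_command(m["cmd"])
        e = Entry("O4", line, hive=m["hive"], label=f'{m["runkey"]}:[{m["label"]}]', target=exe)
        args = m["cmd"][m["cmd"].find(exe) + len(exe):]
        if re.search(r"https?://", args, re.IGNORECASE):
            e.flags.append("autostart command carries a URL argument")
        return e
    return None


def triage(lines: Iterable[str], exists: Callable[[str], bool] = os.path.exists) -> List[Entry]:
    """Parse all lines and mark O4 targets that `exists` cannot find (injectable for offline use)."""
    entries: List[Entry] = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.kind == "O4" and not exists(e.target):
            e.flags.append("autostart target missing on disk")
        entries.append(e)
    return entries


def report(entries: List[Entry]) -> List[str]:
    """One summary line per flagged entry, in the order seen."""
    return [f"{e.kind} {e.hive or ''} {e.label}: {'; '.join(e.flags)}".strip()
            for e in entries if e.flags]


if __name__ == "__main__":
    # Pretend only DesktopWeather.exe is present, so the run works on any OS.
    for line in report(triage(SAMPLE_LOG_LINES, exists=lambda p: p.endswith("DesktopWeather.exe"))):
        print(line)
```

On a real machine, call `triage(open("hijackthis.log").read().splitlines())` with the default `exists` so the O4 paths are checked against the actual file system; an R3 hook with "(no file)" is an orphaned registry reference, which matches the helper's advice to fix those entries.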
 
RCH.trojan and weather channel popup

Thanks for the help so far... attempted to run the Eset NOD32 online antivirus scanner as directed. Error message 404 appeared on the site; see attached.
 
I don't open files with a .doc format. Sorry. I have been experiencing an extremely slow internet all day, not site related.

However, the embedded link I left is good; I just brought the site up using it. Please give it another try.
 