Help removing NCH software

Hi, I ran AdwCleaner and found an NCH entry and was prompted to delete and restart; after scanning again the task is back

AdwCleaner v3.014 - Report created 01/12/2013 at 18:17:40

Updated 01/12/2013 by Xplode

Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)

Username : PatricK - PATRICK-PC

Running from : C:\Users\PatricK\Desktop\Marvin Gaye\AdwCleaner.exe

Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Windows\System32\Tasks\NCH Software

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\ Internet Explorer v11.0.9600.16428

-\ Mozilla Firefox v

[ File : C:\Users\PatricK\AppData\Roaming\Mozilla\Firefox\Profiles\0\prefs.js ]

-\ Google Chrome v31.0.1650.57

[ File : C:\Users\PatricK\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [939 octets] - [01/12/2013 18:06:03]
AdwCleaner[R1].txt - [860 octets] - [01/12/2013 18:17:40]
AdwCleaner[S0].txt - [1001 octets] - [01/12/2013 18:07:57]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [979 octets] ##########

Have you tried to run it from safe mode…
Does MBAM detect it…

If not, attach an OTL diagnostic log and wait for essexboy to arrive later today.

The file seems to be something to do with an audio/video software … google the name

File Found : C:\Windows\System32\Tasks\NCH Software
This is a leftover task. Non-active task ...
-\ Mozilla Firefox v [ File : C:\Users\PatricK\AppData\Roaming\Mozilla\Firefox\Profiles\0\prefs.js ]

It deleted the Firefox-related profile file. The result is that the next time Firefox loads, if it can't find the prefs settings, it will create them again with default settings.
Or, in translation, FF did a half-reset of itself. AdwC did not detect anything important. The same goes for Chrome.

But if you want to check the system, follow Pondus' advice.
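The report format quoted in the posts above can be read programmatically to see which sections hold findings and whether an entry shows up again in a later scan. This is an added example, not part of the original thread; the sample text is the thread's report reduced to its structural lines, and the general `<Kind> Found : <item>` line shape is an assumption based on the single finding line in that report.

```python
import re

# Constructed input: the scan report from this thread, reduced to its structural lines.
SCAN_R1 = r"""
Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
File Found : C:\Windows\System32\Tasks\NCH Software
***** [ Shortcuts ] *****
***** [ Registry ] *****
***** [ Browsers ] *****
-\ Google Chrome v31.0.1650.57
[ File : C:\Users\PatricK\AppData\Local\Google\Chrome\User Data\Default\preferences ]
"""

SECTION = re.compile(r"^\*{5} \[ (.+) \] \*{5}$")
FINDING = re.compile(r"^(\w+) Found : (.+)$")  # assumed general shape of a finding line
TASK_DIR = "\\windows\\system32\\tasks\\"      # where Task Scheduler definitions live

def parse_report(text):
    """Return {section name: [(kind, item), ...]}; sections with no findings map to []."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION.match(line):
            current = sections.setdefault(m.group(1), [])
        elif current is not None and (m := FINDING.match(line)):
            current.append((m.group(1), m.group(2)))
    return sections

def findings(parsed):
    """Flatten a parsed report to a set of (section, kind, item) tuples."""
    return {(s, k, i) for s, items in parsed.items() for k, i in items}

def recurring(earlier_text, later_text):
    """Findings present in both scans, i.e. ones still there after a clean in between."""
    return findings(parse_report(earlier_text)) & findings(parse_report(later_text))

def scheduled_tasks(parsed):
    """Findings that are Task Scheduler definition files."""
    return sorted(i for _, _, i in findings(parsed) if TASK_DIR in i.lower())

if __name__ == "__main__":
    parsed = parse_report(SCAN_R1)
    print({name: len(items) for name, items in parsed.items()})
    print(scheduled_tasks(parsed))
```

The "[ File : ... ]" lines under Browsers are not matched as findings; only lines of the "Found" form are counted.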

Haven't tried safe mode. MBAM, HitmanPro, SAS, Avast (modified to high settings) all come back clean
:slight_smile:
but I've run AdwCleaner a lot since last week and it's usually clean (NCH software usually pops up but not in system32)

About NCH, I checked the folder and it contains 0 bytes and one of the group user names is CREATOR OWNER (though this account does have any ticked privileges). I posted it here because I ran AdwCleaner a lot over the last 2 weeks and it popped up NCH but nothing system32 related (only registry), and after that the logs were clean. Then this week I saw this pop up, so I was wondering how come, especially since it's in system32
but you say it's not active so don't worry about it?
I haven't had Firefox for a long while, so I can delete the AppData entry? (though Chrome CPU usage has been off the charts when loading pages, jumps to 90+ percent then dips, ever since I updated)

bump

See mine and magna86's posts above… waiting for the OTL log http://forum.avast.com/index.php?topic=53253.0

:slight_smile:

I can confirm that NCH software does place something on your PC but I’m not sure what I would call it. Specifically, I noticed a link to their website kept reappearing in Firefox and this CNET review also warns of browser hijacking as well. I fixed mine with an image restoral but I’m sure there are other ways to deal with this issue so good luck.

http://download.cnet.com/VideoPad-Video-Editor-Professional/3000-13631_4-10906278.html

Yup, even Amazon has some weird bots running in the firewall even when you are not on the site
The thing is I don't know of any active NCH software I have, I'll have to check again
Thanks for the input
Waiting for log reply from the guys

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:FILES
C:\Users\PatricK\AppData\Roaming\Mozilla\Firefox\Profiles\0\extensions\OneClickDownloader@OneClickDownloader.com.xpi
C:\Users\PatricK\Desktop\*.tmp

:OTL
O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No CLSID value found.

:COMMANDS
[CREATERESTOREPOINT]
[EMPTYTEMP]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

Please download Junkware Removal Tool to your desktop.

[*]Shut down your protection software now to avoid potential conflicts.
[*]Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select “Run as Administrator”.
[*]The tool will open and start scanning your system.
[*]Please be patient as this can take a while to complete depending on your system’s specifications.
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.


Any improvements?

JRT log too big, I attached it

All processes killed
========== FILES ==========
C:\Users\PatricK\AppData\Roaming\Mozilla\Firefox\Profiles\0\extensions\OneClickDownloader@OneClickDownloader.com.xpi moved successfully.
C:\Users\PatricK\Desktop\~WRL1853.tmp moved successfully.
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\ not found.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes

User: HomeGroupUser$
->Temp folder emptied: 0 bytes

User: PatricK
->Temp folder emptied: 3145626 bytes
->Temporary Internet Files folder emptied: 1425463 bytes
->Google Chrome cache emptied: 347622534 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 14439046 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 350.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 12052013_162713

Files\Folders moved on Reboot…
C:\Users\PatricK\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files…

Registry entries deleted on Reboot…

Any improvements?

Yes, just was wondering why NCH keeps popping up in AdwCleaner, even though weeks before it was clean
The only problem now is high CPU usage from Chrome (which occurs since the newer update, CPU usage jumps to 100% each page load then drops back to 2%)

Re-run AdwCleaner and click on Uninstall button.
Re-run OTL and click on CleanUp! button.

Chrome and CPU problem isn’t malware related.

Cheers :wink:

Another thing I forgot to tell you was, when Windows started up and was showing a black screen before the desktop popped up, there was a sudden popup that came and disappeared in 1 second. I always wondered what it was but now it's gone
Great work and thanks ;D

Though my PC can't keep restore points, every time it shuts down (via power cut) I have to reset the time and date and all my restore points are usually gone (I created many but they all disappear)
:o