What is newupdate1142C.exe, How to remove newupdate1142C.exe


newupdate1142C.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: newupdate1142C
Filename: newupdate1142C.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | newupdate1142C.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | newupdate1142c .exe

Command:

C:\Documents and Settings\user\Application Data\961E5EF4A7D6693D789C1E7488D08864\newupdate1142C.exe
c:\documents and settings\user\application data\961e5ef4a7d6693d789c1e7488d08864\newupdate1142c .exe

Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [newupdate1142C.exe] C:\Documents and Settings\user\Application Data\961E5EF4A7D6693D789C1E7488D08864\newupdate1142C.exe
O4 - HKCU\..\Run: [newupdate1142c .exe] c:\documents and settings\user\application data\961e5ef4a7d6693d789c1e7488d08864\newupdate1142c .exe

DDS Line:

uRun: [newupdate1142C.exe] C:\Documents and Settings\user\Application Data\961E5EF4A7D6693D789C1E7488D08864\newupdate1142C.exe
uRun: [newupdate1142c .exe] c:\documents and settings\user\application data\961e5ef4a7d6693d789c1e7488d08864\newupdate1142c .exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"newupdate1142C.exe"=C:\Documents and Settings\user\Application Data\961E5EF4A7D6693D789C1E7488D08864\newupdate1142C.exe [2010-04-19 31232]
"newupdate1142c .exe"=c:\documents and settings\user\application data\961e5ef4a7d6693d789c1e7488d08864\newupdate1142c .exe [2010-04-19 31232]

Description: a trojan

How to remove: use HijackThis + Malwarebytes' Anti-Malware + Kaspersky Virus Removal Tool

One Response to “What is newupdate1142C.exe, How to remove newupdate1142C.exe”

  1. Don A Says:

    Note above, the word in the registry line /user/ will be the name of the user of the system that you are logged in with. Note also that these are hidden files and you must go into folder options and set hidden files to be displayed. OK, back to the subject at hand.

    I found the same malware that installed this also installed a file C:\WINDOWS\System32\qchrsesdxgkcbcc.dll. What this enables, I believe, is also a boot-up launch of iexplore.exe (InternetExplorer) to cause an audio sound byte to keep repeating, the sound fades in and out with no apparent browser window open (the iexplore process is running, however). The sound byte cycles in and out with what sounds like multiple radio stations all going at once and superimposed over each other.

    I first received a message from ZoneAlarm that regsvr32.exe was trying to access the Internet. At that exact moment, the sound track started. I used the tool “Process Explorer” to first show me that process regsvr32.exe was active and hovering my cursor over the process name in the list showed that regsvr32.exe was active with a call to C:\WINDOWS\System32\qchrsesdxgkcbcc.dll. I used Process Explorer to kill that process and then I renamed the file it was calling in the System32 folder, keeping the same name while changing the extension to .delete. I would delete the file after the next reboot. I then from Process Explorer killed the iexplore.exe process and the rogue audio stopped.

    From there I removed the call from the registry HKLM / Run using the free tool “Startup Control Panel by Mike Lin”. Here I deleted the line item gpqceurnxgihb that shows the path to the subject malware dll.

    While I had all the bad processes killed, I ran Spybot Search and Destroy and it found and deleted Fraud AntiMalwareDoctor as well.

    I also noticed that 2 folders got added to my Program Files at the same exact time this virus hit occurred, ezLife and Smart-Ads-Solutions in the C:\Program Files directory. Each of these directories has only a single uninstall.exe in it that I have no proof yet but would imagine they would install all this stuff all over if started. For right now I am just going to scan the registry with system tool Regedit.exe and delete any references to them and hope that gets rid of them.

    Searches online for ezLife or Smart-Ads-Solutions on this date show no info with any explanation of these and since neither Spybot nor my AV software flags them, I am going to just manually uninstall references to them in the registry and delete the folders from the Program Files directory. I assume that if they installed with a malware/virus that their uninstall.exe would be just as vicious.

    My system seems restored now, no more rogue audio in and out or after a reboot and Spybot Search and Destroy seemed to take care of the AntiMalwareDoctor problem as well. First virus I have been hit with in 8 years. Tricky one, this one!

    Now all I have to figure out is why MalwareBytes is causing a BSOD when I run a system scan. Such fun and all this work just to update my Facebook. The perils of life.
