VirTool.Win32.Obfuscator_d76d53c4f5


by malwarelabrobot on June 24th, 2018 in Malware Descriptions.

Trojan.GenericKDZ.42772 (BitDefender), VirTool:Win32/Obfuscator (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.MulDrop8.2012 (DrWeb), Trojan.GenericKDZ.42772 (B) (Emsisoft), Packed-FBS!D76D53C4F5E9 (McAfee), Packed.Generic.525 (Symantec), Trojan.Win32.Crypt (Ikarus), Trojan.GenericKDZ.42772 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), Ransom_GANDCRAB.SMALY-3 (TrendMicro), mzpefinder_pcap_file.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Ransom, Trojan, Worm, Packed, VirTool, WormAutorun, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: d76d53c4f5e9fbaef9089b506403e952
SHA1: 722e83636d0408db1e0d4ae64ddbdecd3085b535
SHA256: f7e931cb58ad1bb8b96164b0bb6b2b867453d726ec47f19b287177bad660a3e7
SSDeep: 3072:mELd9sXb9z5QAthrbZmuGHKho/OCTsLrV6FWb1HVB6FEndImzwh2HNwM:mELvsH/mZqGOCTsLr1xKE2mzKy M
Size: 211976 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: CHIP Digital GmbH
Created at: 2018-03-14 13:39:51
Analyzed on: Windows7 SP1 32-bit


Summary:

VirTool: a program used to apply passive protection methods to viruses, such as obfuscation, encryption and polymorphism. The original virus is usually encrypted or compressed and stored inside the wrapper.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the VirTool's file once a user opens a drive's folder in Windows Explorer.


Process activity

The VirTool creates the following process(es):

GoogleUpdate.exe:1644
GoogleUpdate.exe:2276
GoogleUpdate.exe:1828
GoogleUpdate.exe:572
GoogleUpdate.exe:3632
GoogleUpdate.exe:1944
GoogleUpdateSetup.exe:556

The VirTool injects its code into the following process(es):

UI0Detect.exe:1740
%original file name%.exe:3548

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:1644 makes changes in the file system.
The VirTool creates and/or writes to the following file(s):


The VirTool deletes the following file(s):


The process GoogleUpdate.exe:3632 makes changes in the file system.
The VirTool creates and/or writes to the following file(s):

%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\Google\Update\Install\{4BE618D2-770F-4708-9A9A-3C9A3C3461E4}\GoogleUpdateSetup.exe (7596 bytes)

The VirTool deletes the following file(s):

%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{46DCEA9D-0154-4BFB-A3CC-A5A7602E10AF}-GoogleUpdateSetup.exe (0 bytes)

The process %original file name%.exe:3548 makes changes in the file system.
The VirTool creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\zsqhuj.exe (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ipv4bot_whatismyipaddress_com[1].htm (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\c5b88721db08c824db69d0bbc702beb8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (44 bytes)

The VirTool deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ipv4bot_whatismyipaddress_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\c5b88721db08c824db69d0bbc702beb8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (0 bytes)

The process GoogleUpdateSetup.exe:556 makes changes in the file system.
The VirTool creates and/or writes to the following file(s):


The VirTool deletes the following file(s):


Registry activity

The process GoogleUpdate.exe:1644 makes changes in the system registry.
The VirTool creates and/or sets the following values in system registry:


The VirTool deletes the following registry key(s):


The VirTool deletes the following value(s) in system registry:


The process GoogleUpdate.exe:2276 makes changes in the system registry.
The VirTool creates and/or sets the following values in the system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The VirTool deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1828 makes changes in the system registry.
The VirTool creates and/or sets the following values in the system registry:

The VirTool deletes the following registry key(s):

The VirTool deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:572 makes changes in the system registry.
The VirTool creates and/or sets the following values in the system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The VirTool deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:3632 makes changes in the system registry.
The VirTool creates and/or sets the following values in the system registry:

The VirTool deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{8C7E9D04-1320-4F9F-BECA-4E95390F17A6}]
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{BE9CBAC8-B779-428E-ACBB-9E47672ABB7F}]
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]

The VirTool deletes the following value(s) in the system registry:

The process GoogleUpdate.exe:1944 makes changes in the system registry.
The VirTool creates and/or sets the following values in the system registry:


[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

The VirTool deletes the following registry key(s):

The VirTool deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process %original file name%.exe:3548 makes changes in the system registry.
The VirTool creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\d76d53c4f5e9fbaef9089b506403e952_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\d76d53c4f5e9fbaef9089b506403e952_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\d76d53c4f5e9fbaef9089b506403e952_RASMANCS]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\d76d53c4f5e9fbaef9089b506403e952_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d76d53c4f5e9fbaef9089b506403e952_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\d76d53c4f5e9fbaef9089b506403e952_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\d76d53c4f5e9fbaef9089b506403e952_RASAPI32]
"FileTracingMask" = "4294901760"

To automatically run itself each time Windows is booted, the VirTool adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tzqrrdljbxk" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\zsqhuj.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The VirTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the VirTool's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             35712         35840     4.56272  1ea4ac900e56dc7599c8670f629bd1aa
.rdata  40960            9070          9216      3.73107  d1c080549311a95bba26473aa80cb7a5
.data   53248            56296         4608      1.37316  9477729baa6b8085e90166dc6649ee9c
.rsrc   110592           156698        157184    5.43389  437a99d82d7767693d7d9b5579cd6f6f
.reloc  270336           4066          4096      3.00907  8becf2f3da6418e7487c8a6caff060a0

URLs

URL IP
hxxp://ipv4bot.whatismyipaddress.com/ 66.171.248.178
hxxp://tools.l.google.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe
hxxp://r5.sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529740947&mv=u&pcm2cms=yes&pl=24&shardbypass=yes
hxxp://r5---sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529740947&mv=u&pcm2cms=yes&pl=24&shardbypass=yes 80.91.179.80
hxxp://bitdefender.com/
hxxp://redirector.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe 216.58.205.238
tools.google.com 216.58.205.238
update.googleapis.com 216.58.205.227


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

Web Traffic was not found.

The VirTool connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GoogleUpdate.exe:1644
    GoogleUpdate.exe:2276
    GoogleUpdate.exe:1828
    GoogleUpdate.exe:572
    GoogleUpdate.exe:3632
    GoogleUpdate.exe:1944
    GoogleUpdateSetup.exe:556

  2. Delete the original VirTool file.
  3. Delete or disinfect the following files created/modified by the VirTool:

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tzqrrdljbxk" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\zsqhuj.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
