Trojan.Generic.12555347_430f7a17ff

by malwarelabrobot on March 8th, 2015 in Malware Descriptions.

Trojan-Dropper.Win32.Agent.pfaq (Kaspersky), Trojan.Generic.12555347 (B) (Emsisoft), Trojan.Generic.12555347 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 430f7a17ff6bd4f5a8e129583e1b8a23
SHA1: 047cd149f0683d0f7f111d0773e4543f475b424b
SHA256: 93ba219839ab0fd1a8c16d012688d7b7f41f3f7c099216451b8985112630d45f
SSDeep: 12288:AoucvQQACqe5gcEfjpo24PKCNRD2BsnmIvL7m1uMMM7 fiuGXLL:A3cvQYefjZFCNRyBsnxTi15T qb
Size: 732680 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Destiny Media
Created at: 2014-12-10 23:16:41
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

CatalinaUpdate.exe:1964
CatalinaUpdate.exe:332
CatalinaUpdate.exe:260
%original file name%.exe:440

The Trojan injects its code into the following process(es):

CatalinaUpdate.exe:1668
CatalinaUpdate.exe:480

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process CatalinaUpdate.exe:332 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install (0 bytes)

The process CatalinaUpdate.exe:480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fil.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ja.dll (22 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fi.dll (26 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ta.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_nl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lv.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bg.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_gu.dll (26 bytes)

The process %original file name%.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp (0 bytes)

Registry activity

The process CatalinaUpdate.exe:1964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"CLSID" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}]
"(Default)" = "ICatalinaUpdate3WebSecurity"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}]
"(Default)" = "IAppBundle"

[HKCU\Software\Classes\CLSID\{554335BD-87F8-43DA-806A-741504EEFF62}\InProcServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\NumMethods]
"(Default)" = "39"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\NumMethods]
"(Default)" = "13"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}]
"(Default)" = "ICredentialDialog"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}]
"(Default)" = "ICatalinaUpdate"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}]
"(Default)" = "Update3COMClass"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}]
"(Default)" = "IAppVersionWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{554335BD-87F8-43DA-806A-741504EEFF62}]
"(Default)" = "PSFactoryBuffer"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}]
"(Default)" = "IOneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}]
"(Default)" = "ICoCreateAsync"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}]
"(Default)" = "ICurrentState"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}]
"(Default)" = "IAppBundleWeb"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}]
"(Default)" = "IApp"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\NumMethods]
"(Default)" = "5"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\CLSID\{554335BD-87F8-43DA-806A-741504EEFF62}\InProcServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 0F E4 E2 59 99 9F 9A C4 9C A6 4A E7 85 EC 7A"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\NumMethods]
"(Default)" = "44"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\VersionIndependentProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\NumMethods]
"(Default)" = "9"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\NumMethods]
"(Default)" = "6"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"Policy" = "3"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\NumMethods]
"(Default)" = "14"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}]
"(Default)" = "ICatalinaUpdateCore"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\ProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CurVer]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}]
"(Default)" = "ICatalinaUpdate3"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}]
"(Default)" = "IJobObserver"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}]
"(Default)" = "IAppVersion"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}\InprocHandler32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}]
"(Default)" = "ICatalinaUpdate3Web"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}]
"(Default)" = "IBrowserHttpRequest2"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}]
"(Default)" = "IPackage"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}]
"(Default)" = "IAppWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}]
"(Default)" = "IProcessLauncher"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\ProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}]
"(Default)" = "IProgressWndEvents"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}]
"(Default)" = "IRegistrationUpdateHook"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}]
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}\InprocHandler32]
[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 01 09 A6 B2 14 7C 8A 41 CB BA 2A 55 70 95 92"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"tttoken"
"iid"

The process CatalinaUpdate.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 99 C7 81 ED DD B8 D2 9A F8 01 29 07 10 DE 68"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "02 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "02 00 00 00 00 00 00 00"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 86 8D 61 11 2C D2 F6 FC 07 EC 55 F9 5F 89 07"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"

The process CatalinaUpdate.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"Policy" = "3"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\ProgID]
"(Default)" = "CatalinaGroup.OneClickCtrl.9"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"iid" = "{CD3BB725-90A5-49B2-B11E-B14F3713DCD6}"

[HKCU\Software\CatalinaGroup\Update]
"UID" = "{06B9B04D-EBAB-411B-BD4E-3CEEFF48E59E}"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.oneclickctrl.9]
"CLSID" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9\CLSID]
"(Default)" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"Policy" = "3"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.update3webcontrol.3]
"CLSID" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppName" = "CatalinaUpdate.exe"

[HKCU\Software\CatalinaGroup\Update]
"Version" = "1.3.25.215"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"Name" = "Catalina Update"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"vendor" = "Catalina Group Ltd."

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"InstallTime" = "1425726202"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"Description" = "CatalinaGroup Update"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"Description" = "CatalinaGroup Update"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"vendor" = "Catalina Group Ltd."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.215"
"brand" = "GGLS"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3\CLSID]
"(Default)" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppName" = "CatalinaUpdateOnDemand.exe"

[HKCU\Software\CatalinaGroup\Update]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update]
"CatalinaUpdate.exe" = "CatalinaGroup Update"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 0A 32 33 D0 1E BB E0 05 B2 1B 57 BF 83 BC 2F"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.215"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\ProgID]
"(Default)" = "CatalinaGroup.Update3WebControl.3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"Version" = "9"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"Version" = "3"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"
"ui"
"LastChecked"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"UpdateAvailableSince"
"UpdateAvailableCount"

The process %original file name%.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 50 D4 33 C3 EE A8 D3 8C AC A0 12 EF EF 9E 52"

Dropped PE files

MD5 File path
6cea215160ae4188fee4a92ef15dda05 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaCrashHandler.exe
6cea215160ae4188fee4a92ef15dda05 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdate.exe
7ad1bcd40606876cb6680d83c9ec989a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateBroker.exe
2b3cf7ea69432a594e10f40cb922ac26 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe
2c2b5f94feeb782f83bb15f016a6bf68 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdate.dll
aaf96cdd105289e7ff35394d325cc3dc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_am.dll
a399a7747af02e7f6289398aa2265c3c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ar.dll
c3b2b4701849ea07b96fa137a6e94e02 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bg.dll
de800351848d365dd563631771f5b5b0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bn.dll
d8e741a14434f59b778db9e562625838 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ca.dll
6e27092a569dda3f4b0aa1a9948089a2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_cs.dll
c72c8072a466e9a32d2a926071bc400c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_da.dll
387cc6ea3e3b20fb7e55be314cf41ef9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_de.dll
fa3a9047608e216c68e83f3b3f4e62ec c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_el.dll
c18e8508c8b691aad860de077390d9d3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en-GB.dll
f8e1288bb72f67c25c367e5a61651bca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en.dll
e67f2ba7b2d5e2841e7f317080f3fd62 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es-419.dll
4a80f1645d7dd9e9b1392841ad02d970 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es.dll
d83ed084a47c3352d5e68404500ce4af c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_et.dll
a420edd640c17822899c730af0d516ad c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fa.dll
028b1d4af503a3209383ad0a2e1c6dac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fi.dll
428a992a1329cebe4c48bb7d54ba44d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fil.dll
6805edac4a9be23a70947c5d990dbf8c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fr.dll
f7e7d920bf9c0e98d350dd19a0dff5c3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_gu.dll
05770102a6c300aa14d917b773b13f72 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hi.dll
4c7c2b2f13eb1d17fdeb8974f1b9a1ab c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hr.dll
5ae0ab73c27fa94752554f811e54548e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hu.dll
571702223ba20e311291c4641db8a0e5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_id.dll
b60ad05c51a0deb944c9b6d515ba3f75 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_is.dll
d140749f5da947cad9d95a568c92a412 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_it.dll
7572629ccdc27e59f98185b0b100a81d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_iw.dll
e00fc2475ee6221a470f7a02304ef577 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ja.dll
1f9c169f28c96a84ad699ad7d8e8ecea c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_kn.dll
5426cd1549caf223134627d50c8f2fd7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ko.dll
fcedbb1d3960e1ed1f208e426b461e47 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lt.dll
677c82aee1a8e1bc1d8679051a7a7ef6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lv.dll
5adbacbe7871978d5487e50d4f9d5fd9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ml.dll
7a7e9bbf621bd0310b27a29dae338b25 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_mr.dll
f55cca95c0ce7bb9dd0df7426d0850b7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ms.dll
b635337f96458e4240d6d36a0f1ad0c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_nl.dll
a9d7acb329bb58291371783bfd765747 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_no.dll
151e2197c465d69f0531f1eda0ae723e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pl.dll
16f588b707fa9574c2c4c033442a54bc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-BR.dll
742c5173ad19be9995323f9aa55c7ce6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-PT.dll
9187e5a69439016f6d87d2400433652f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ro.dll
1088f9f75d48492f9a59b327a1b4150f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ru.dll
7aa2aa0182bf743aee50f0da6211fc25 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sk.dll
9f97e32ab67e6176a310f80750195055 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sl.dll
80d3b8af8f5ea5fabc59f6c3871f8c8b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sr.dll
172d968afada4520e29d1fd274f89a4f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sv.dll
7fc9f569c18a6dea813dd9a596aedb59 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sw.dll
ef7097038ed66124b148e2a796f591c3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ta.dll
30ff6ccc5934ac9b9feec18c17534324 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_te.dll
3405f18d69e7a10e02258f0cee5ca9a4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_th.dll
d07cd67deabd1d6bcbfd581eddb55191 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_tr.dll
b5a72b466f81ab67a4efb1e8925fc4bc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_uk.dll
cec3e2877c12ec603e0f0c523909717e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ur.dll
b31627a3b5d15e05b94c1261f3b3b85a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_vi.dll
b397baf228f38e28e2690ddb20852bce c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-CN.dll
1b0dea6bce09f17beec9646bae225517 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-TW.dll
5d092b19ed729ece612a2247cf45c358 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll
4c3a99424c4a6fa0cfde4261b8c784d5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psmachine.dll
6c87927c9537cc20f16943bded647e30 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll
6cea215160ae4188fee4a92ef15dda05 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe
6cea215160ae4188fee4a92ef15dda05 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe
6cea215160ae4188fee4a92ef15dda05 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe
7ad1bcd40606876cb6680d83c9ec989a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe
2b3cf7ea69432a594e10f40cb922ac26 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe
2c2b5f94feeb782f83bb15f016a6bf68 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdate.dll
aaf96cdd105289e7ff35394d325cc3dc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll
a399a7747af02e7f6289398aa2265c3c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll
c3b2b4701849ea07b96fa137a6e94e02 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll
de800351848d365dd563631771f5b5b0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll
d8e741a14434f59b778db9e562625838 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll
6e27092a569dda3f4b0aa1a9948089a2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll
c72c8072a466e9a32d2a926071bc400c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll
387cc6ea3e3b20fb7e55be314cf41ef9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll
fa3a9047608e216c68e83f3b3f4e62ec c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll
c18e8508c8b691aad860de077390d9d3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll
f8e1288bb72f67c25c367e5a61651bca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll
e67f2ba7b2d5e2841e7f317080f3fd62 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll
4a80f1645d7dd9e9b1392841ad02d970 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll
d83ed084a47c3352d5e68404500ce4af c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll
a420edd640c17822899c730af0d516ad c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll
028b1d4af503a3209383ad0a2e1c6dac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll
428a992a1329cebe4c48bb7d54ba44d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll
6805edac4a9be23a70947c5d990dbf8c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll
f7e7d920bf9c0e98d350dd19a0dff5c3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll
05770102a6c300aa14d917b773b13f72 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll
4c7c2b2f13eb1d17fdeb8974f1b9a1ab c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll
5ae0ab73c27fa94752554f811e54548e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll
571702223ba20e311291c4641db8a0e5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll
b60ad05c51a0deb944c9b6d515ba3f75 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll
d140749f5da947cad9d95a568c92a412 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll
7572629ccdc27e59f98185b0b100a81d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll
e00fc2475ee6221a470f7a02304ef577 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll
1f9c169f28c96a84ad699ad7d8e8ecea c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll
5426cd1549caf223134627d50c8f2fd7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll
fcedbb1d3960e1ed1f208e426b461e47 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll
677c82aee1a8e1bc1d8679051a7a7ef6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll
5adbacbe7871978d5487e50d4f9d5fd9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll
7a7e9bbf621bd0310b27a29dae338b25 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll
f55cca95c0ce7bb9dd0df7426d0850b7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll
b635337f96458e4240d6d36a0f1ad0c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll
a9d7acb329bb58291371783bfd765747 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll
151e2197c465d69f0531f1eda0ae723e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll
16f588b707fa9574c2c4c033442a54bc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll
742c5173ad19be9995323f9aa55c7ce6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll
9187e5a69439016f6d87d2400433652f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll
1088f9f75d48492f9a59b327a1b4150f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll
7aa2aa0182bf743aee50f0da6211fc25 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll
9f97e32ab67e6176a310f80750195055 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll
80d3b8af8f5ea5fabc59f6c3871f8c8b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll
172d968afada4520e29d1fd274f89a4f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll
7fc9f569c18a6dea813dd9a596aedb59 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll
ef7097038ed66124b148e2a796f591c3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll
30ff6ccc5934ac9b9feec18c17534324 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll
3405f18d69e7a10e02258f0cee5ca9a4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll
d07cd67deabd1d6bcbfd581eddb55191 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll
b5a72b466f81ab67a4efb1e8925fc4bc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll
cec3e2877c12ec603e0f0c523909717e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll
b31627a3b5d15e05b94c1261f3b3b85a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll
b397baf228f38e28e2690ddb20852bce c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll
1b0dea6bce09f17beec9646bae225517 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll
5d092b19ed729ece612a2247cf45c358 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll
4c3a99424c4a6fa0cfde4261b8c784d5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\psmachine.dll
6c87927c9537cc20f16943bded647e30 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\psuser.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Catalina Group Ltd.
Product Name: CatalinaGroup Update
Product Version: 1.3.25.215
Legal Copyright: Copyright 2013 Catalina Group Ltd.
Legal Trademarks:
Original Filename: CatalinaUpdateSetup.exe
Internal Name: CatalinaGroup Update Setup
File Version: 1.3.25.215
File Description: CatalinaGroup Update Setup
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 47535 47616 4.63666 da072aeedacb67c58ca3952875d79a2b
.rdata 53248 10788 11264 3.70551 cc85a67bbda310b5aa377cecaa3156cf
.data 65536 6428 3584 1.72368 8e425fbedc6927dfabb8fdfaaf8e8d97
.rsrc 73728 659744 659968 5.30312 89169e477c01dd8186928471af10e787
.reloc 737280 5598 5632 2.64966 17957bd86fff892742280f82a0bf537a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 33
52e93d93473e442df41b45a8df00f628
8197dcd6af91174c7e4ed99cda1f5dd8
155df244efb56d5ac4452b8b5c5db144
a79d1eb06eff95b9fd9f933f8e280429
9d2d18977465aba1ce38b83220d20f09
e33aaa5782ab6d3573291c0b9dfe654c
0de1dedf8f8ff314658761edf266c472
5bd2a434b0f8a0d27023e9a8d66da0ad
450cb8a32997ae1522fa340e659da7f9
f3f9747c4d9a40cf8b05b1a2356b9602
47bdf3d199e467f3d1613d69dcf63f3e
05cd4d2811937ace563cb37b346eb562
6fea5b8d14c637c20a7e4c3b7d0af70e
78ca8c9f73fa1bd81cb2a3324e3b719e
d427e63df9cc884606db9221fb5856e5
5b460db94f90f3f40a17374bd3779a4e
f05c747876d3fecd499eeebb3d35cd23
f1351428b3e81bf3a6b8972c71a26f0d
54377355d4b7290a0a998471c7846e24
d832665608fcf53ef06453b7932a39d2
bf20e4684fc070983c29557b1f2b8728
3f4b2b26245f3679f51cedafcfbb7815
f36dddc368f66380c5a0dcae5f68a86a
7596819db358e116e206821a6508a77a
d5920889911ace49d013c03ea70a0526

URLs

URL IP
hxxp://catalinahub.com/update/ping
hxxp://catalinahub.com/update/check?w=3:QtFYNqGc4nYq7pl7A5gFLxxLHmZs5NzFCxWE4eEjv4wyhM-cAr7wabMYXODRvmysIrKWTtcl5JU7brjHHJ1QZ7ptEY-fQaMKa5plUmNRwKcuFdbANkxsbZht_ZTQeOQhTrDBd97cgge1NHLr48hWJE9-nnonh6sRNfvpJb4znhA
hxxp://catalinahub.com/update/check
hxxp://catalinahub.silvercdn.com/download/citrio_40.0.2214.251_1.exe
hxxp://static.citrio.com/download/citrio_40.0.2214.251_1.exe 46.234.113.79


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /update/check?w=3:QtFYNqGc4nYq7pl7A5gFLxxLHmZs5NzFCxWE4eEjv4wyhM-cAr7wabMYXODRvmysIrKWTtcl5JU7brjHHJ1QZ7ptEY-fQaMKa5plUmNRwKcuFdbANkxsbZht_ZTQeOQhTrDBd97cgge1NHLr48hWJE9-nnonh6sRNfvpJb4znhA HTTP/1.1
User-Agent: Google Update/1.3.25.215;winhttp;cup
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
If-Match: "6MPMLHVS3zu5gH1A0HPHqXN-_Xs"
Host: catalinahub.com
Content-Length: 567
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.215" ismachine="0" sessionid="{8E0E8503-7027-4418-BE2F-5AD82FF82503}" userid="{06B9B04D-EBAB-411B-BD4E-3CEEFF48E59E}" installsource="taggedmi" testsource="auto" requestid="{DD6B9168-2711-4108-9AC0-B0F6D62ABC6B}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" version="" nextversion="" buildtype="1" lang="en" brand="" client="" installage="-1" iid="{CD3BB725-90A5-49B2-B11E-B14F3713DCD6}"><updatecheck/></app></request>
HTTP/1.1 200 OK
Date: Sat, 07 Mar 2015 11:03:56 GMT
Server: Apache-Coyote/1.1
Content-Type: application/xml;charset=UTF-8
Connection: close
Transfer-Encoding: chunked
2a6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><
response protocol="3.0" server="dist"><dayStart elapsed_seconds=
"39836"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" sta
tus="ok"><updatecheck status="ok"><urls><url codebas
e="hXXp://static.citrio.com/download/"/></urls><manifest v
ersion="40.0.2214.251"><packages><package hash="k3oSAxc6BD
lGjvsPlTwGMZTd9O4=" name="citrio_40.0.2214.251_1.exe" required="true" 
size="55183760"/></packages><actions><action argumen
ts="--chrome --do-not-launch-chrome" event="install" run="citrio_40.0.
2214.251_1.exe"/><action event="postinstall" onsuccess="exitsile
ntlyonlaunchcmd"/></actions></manifest></updatecheck
></app></response>..0..



POST /update/check HTTP/1.1
User-Agent: Google Update/1.3.25.215;winhttp
X-Last-HR: 0x80040880
X-Last-HTTP-Status-Code: 200
X-Retry-Count: 0
Host: catalinahub.com
Content-Length: 567
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.215" ismachine="0" sessionid="{8E0E8503-7027-4418-BE2F-5AD82FF82503}" userid="{06B9B04D-EBAB-411B-BD4E-3CEEFF48E59E}" installsource="taggedmi" testsource="auto" requestid="{DD6B9168-2711-4108-9AC0-B0F6D62ABC6B}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" version="" nextversion="" buildtype="1" lang="en" brand="" client="" installage="-1" iid="{CD3BB725-90A5-49B2-B11E-B14F3713DCD6}"><updatecheck/></app></request>
HTTP/1.1 200 OK
Date: Sat, 07 Mar 2015 11:03:56 GMT
Server: Apache-Coyote/1.1
Content-Type: application/xml;charset=UTF-8
Connection: close
Transfer-Encoding: chunked
2a6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><
response protocol="3.0" server="dist"><dayStart elapsed_seconds=
"39836"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" sta
tus="ok"><updatecheck status="ok"><urls><url codebas
e="hXXp://static.citrio.com/download/"/></urls><manifest v
ersion="40.0.2214.251"><packages><package hash="k3oSAxc6BD
lGjvsPlTwGMZTd9O4=" name="citrio_40.0.2214.251_1.exe" required="true" 
size="55183760"/></packages><actions><action argumen
ts="--chrome --do-not-launch-chrome" event="install" run="citrio_40.0.
2214.251_1.exe"/><action event="postinstall" onsuccess="exitsile
ntlyonlaunchcmd"/></actions></manifest></updatecheck
></app></response>..0..



HEAD /download/citrio_40.0.2214.251_1.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: static.citrio.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 07 Mar 2015 07:39:43 GMT
Server: Apache-Coyote/1.1
ETag: W/"55183760-1425390425000"
Last-Modified: Tue, 03 Mar 2015 13:47:05 GMT
Content-Type: application/octet-stream;charset=UTF-8
Age: 12254
Content-Length: 55183760
Connection: close



HEAD /download/citrio_40.0.2214.251_1.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: static.citrio.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 07 Mar 2015 07:39:43 GMT
Server: Apache-Coyote/1.1
ETag: W/"55183760-1425390425000"
Last-Modified: Tue, 03 Mar 2015 13:47:05 GMT
Content-Type: application/octet-stream;charset=UTF-8
Age: 12243
Content-Length: 55183760
Connection: close



GET /download/citrio_40.0.2214.251_1.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: static.citrio.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 07 Mar 2015 07:39:43 GMT
Server: Apache-Coyote/1.1
ETag: W/"55183760-1425390425000"
Last-Modified: Tue, 03 Mar 2015 13:47:05 GMT
Content-Type: application/octet-stream;charset=UTF-8
Age: 12255
Content-Length: 55183760
Connection: close
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..............]...]
...]...]...]9.K]...]...]...]..)]...]..e]...]..,]...]Rich...]........PE
..L......T................."....I......!.......@....@.................
[email protected]....`....
I...........I......0J.p.......8.......................................
.....P...............................text...t!......."................
.. ..`.data........@[email protected].......&..
............@[email protected]..`....I..,..............@[email protected]
[email protected]............................................
......................................................................
......................................................................
......................................................................
......................................................................
...................................................T........g...L...L.
.........T....................{.9.2.F.8.A.2.1.9.-.E.7.4.0.-.4.9.D.5.-.
B.7.8.5.-.B.9.6.2.A.D.8.1.9.7.2.4.}.....{.E.9.F.2.4.A.7.C.-.1.3.C.A.-.
4.2.F.B.-.A.4.D.9.-.7.9.C.3.C.9.D.2.1.B.2.8.}.....{.0.1.0.5.E.A.0.2.-.
8.0.2.D.-.4.B.3.7.-.8.1.6.1.-.4.E.D.2.5.C.4.9.3.2.6.6.}.....{.D.E.2.8.
A.2.E.A.-.7.7.F.A.-.4.F.2.B.-.8.2.5.2.-.C.3.B.5.8.4.4.F.6.4.5.5.}.....
{.F.0.B.5.0.D.5.A.-.4.B.B.A.-.4.5.1.4.-.A.D.2.C.-.E.B.A.5.0.C.2.9.C.4.
6.0.}.....-.-.c.h.r.o.m.e.-.s.x.s.....-.-.c.h.r.o.m.e.....-.-.c.h.
<<< skipped >>>






The Trojan connects to the servers at the folowing location(s):







%original file name%.exe_440:




.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
mi_exe_stub.pdb
GetCPInfo
KERNEL32.dll
SHLWAPI.dll
GetProcessHeap
ole32.dll
USER32.dll
c:\%original file name%.exe
7&ftP
4.Ppi
1.Mx.e
y.Ar`
%X/|0
P@5=%d
.uBSQ
 Ja%F' LG3R
Xgl.ES
d".qp
)p.Rq
X:\.f
.Pz ;
^%FT7
lWB%S
X;.RG
x%9s\
v.ls?
TBs.Vz
=q6%D
t%1Xg
N7N.rta
%U:NT
?.NLp
t#$%S
a.mW3
_%F!R
.yBoo
.UfX~
L%u`=m=W
M0.aZ
.Mc0W
o0.NJ
TßR! 
C%Fn'6
.zfqLg
%x$/a44
EFTP
*_r.Cd
k.lhx
pK.gJ
:sssh 
7:<<<6000
<requestedExecutionLevel level="asInvoker" />
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--This Id value indicates the application supports Windows 8 functionality-->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--This Id value indicates the application supports Windows 8.1 functionality-->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*' />
: :%:/:=:}:
3'3,30343]3
mscoree.dll
KERNEL32.DLL
appguid={92F8A219-E740-49D5-B785-B962AD819724}&installerargs=--make-chrome-default
Windows 2000 Service Pack 4
Windows 2000
lador de %1!s! requereix Windows 2000 amb Service Pack 4 o una versi
m Windows 2000 Service Pack 4 nebo nov
ver Windows 2000 Service Pack 4 eller bedre.
r den %1!s!-Installer wird Windows 2000 Service Pack 4 oder h
Unknown Installer ErrorTInstallation failed. %1!s! Installer requires Windows 2000 Service Pack 4 or better.
Windows 2000 Service Pack 4:n tai uudemman.
cessite Windows
je Windows 2000 Service Pack 4-et vagy frissebb verzi
krefst Windows 2000
Google#Programma di installazione di %1!s!!Errore sconosciuto dell'installertInstallazione non riuscita. Il programma di installazione di %1!s! richiede Windows 2000 Service Pack 4 o superiore.
Installatieprogramma van %1!s!'Onbekende fout van installatieprogrammasDe installatie is mislukt. Voor het installatieprogramma van %1!s! is Windows 2000 Service Pack 4 of hoger vereist.
Ukjent installasjonsfeilgInstallasjonen mislyktes. %1!s! installasjonsprogrammet krever Windows 2000 Service Pack 4 eller nyere.
. Instalator %1!s! wymaga systemu Windows 2000 z dodatkiem Service Pack 4 lub nowszego.
o. O instalador do %1!s! requer o Windows 2000 Service Pack 4 ou posterior.
it. %1!s! Programul de instalare are nevoie de Windows 2000 Service Pack 4 sau de o versiune superioar
ka alata za instalacijulInstalacija nije uspjela. Za instalacijski program %1!s! potreban je Windows 2000 Service Pack 4 ili noviji.
m Windows 2000 Service Pack 4 alebo nov
ver Windows 2000 Service Pack 4 eller b
kleyicisi Windows 2000 Hizmet Paketi 4 veya sonras
Program pemasang %1!s!!Kesalahan Installer Tak DiketahuiePemasangan gagal. Program pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.
na. Za namestitveni program za %1!s! potrebujete Windows 2000 s servisnim paketom SP 4 ali novej
uab rakendust Windows 2000 hoolduspakett 4 v
ama Windows
Windows 2000
u Windows 2000 G
Pemasang %1!s!#Ralat Pemasang yang Tidak Diketahui]Pemasangan gagal. Pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.
Kisakinishi cha %1!s!%Hitilafu ya Kisakinishi Isiyojulikana_Usakinishaji haukufaulu. Kisakinishi cha %1!s! kinahitaji Windows 2000 Service Pack 4 au zaidi.
. Windows 2000
Installer ng %1!s! Hindi Alam na Error ng InstallerlNabigo ang pag-install. Nangangailangan ang Installer ng %1!s! ng Windows 2000 Service Pack 4 o mas mahusay.
n. %1!s! El instalador requiere Windows 2000 Service Pack 4 o superior.
o %1!s! necessita do Windows 2000 Service Pack 4 ou superior.
n. %1!s! Installer requiere Windows 2000 Service Pack 4 o versiones posteriores.
1.3.25.215
CatalinaUpdateSetup.exe

CatalinaUpdate.exe_480:




.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
WINTRUST.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
CatalinaUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--This Id value indicates the application supports Windows 8 functionality-->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--This Id value indicates the application supports Windows 8.1 functionality-->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
###7777_{
###____777
###````87{
3 3$3(3,30343~3
5 5$5(5,5
?$?(?,?4?<?
= =$=@=`=
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\GUM1.tmp\CatalinaUpdate.exe
KERNEL32.DLL
mscoree.dll
goopdate.dll
CatalinaUpdate.exe
Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}
1.3.25.215
2007-2010
2007-2010

CatalinaUpdate.exe_1668:




.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
WINTRUST.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
CatalinaUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--This Id value indicates the application supports Windows 8 functionality-->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--This Id value indicates the application supports Windows 8.1 functionality-->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
###7777_{
###____777
###````87{
3 3$3(3,30343~3
5 5$5(5,5
?$?(?,?4?<?
= =$=@=`=
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe
KERNEL32.DLL
mscoree.dll
goopdate.dll
CatalinaUpdate.exe
Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}
1.3.25.215
2007-2010
2007-2010

CatalinaUpdate.exe_332:




.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
WINTRUST.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
CatalinaUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--This Id value indicates the application supports Windows 8 functionality-->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--This Id value indicates the application supports Windows 8.1 functionality-->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
###7777_{
###____777
###````87{
3 3$3(3,30343~3
5 5$5(5,5
?$?(?,?4?<?
= =$=@=`=
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe
KERNEL32.DLL
mscoree.dll
goopdate.dll
CatalinaUpdate.exe
Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}
1.3.25.215
2007-2010
2007-2010






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    CatalinaUpdate.exe:1964
    CatalinaUpdate.exe:332
    CatalinaUpdate.exe:260
    %original file name%.exe:440
    

    2. 

  2. Delete the original Trojan file.
    3. 

  3. Delete or disinfect the following files created/modified by the Trojan:
    

    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hu.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_uk.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_no.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_th.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fil.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ja.dll (22 bytes)
    %WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pl.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fi.dll (26 bytes)
    %WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-PT.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en-GB.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fr.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_et.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sk.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_mr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bn.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_kn.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es-419.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sl.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sw.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_iw.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateBroker.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ta.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ko.dll (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_de.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hr.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_am.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-BR.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-CN.dll (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaCrashHandler.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-TW.dll (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_vi.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_cs.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ar.dll (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ca.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_nl.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psmachine.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_el.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_it.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sv.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lv.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ur.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_te.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_is.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ru.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdate.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ro.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_id.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fa.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lt.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_tr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bg.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateHelper.msi (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ms.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdate.dll (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ml.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_da.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_gu.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)
    

    4. 

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):
    

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"
    

    5. 

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. 

  6. Reboot the computer.
    7. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now