MD5: f05c747876d3fecd499eeebb3d35cd23
SHA1: bfb6bd50e7a85ccdbe74380681459b5caf62e7e3
SHA256: b9a454454a56a15c6cb5ff012e5a892424fc7941e4fa03b3b063f51f0c2da6c1
SSDeep: 12288:AoucvQQACqe5gcEfjpo24PKCNRD2BsnmIvL7m1uMMM7 fiuGXLL:A3cvQYefjZFCNRyBsnxTi15T qb
Size: 732680 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2014-12-10 23:16:41
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

CatalinaUpdate.exe:1304
CatalinaUpdate.exe:1144
CatalinaUpdate.exe:1880
%original file name%.exe:1164

The Trojan injects its code into the following process(es):

CatalinaUpdate.exe:988
CatalinaUpdate.exe:224

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process CatalinaUpdate.exe:988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fil.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ja.dll (22 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fi.dll (26 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ta.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_nl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lv.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bg.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_gu.dll (26 bytes)

The process CatalinaUpdate.exe:1144 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install (0 bytes)

The process %original file name%.exe:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp (0 bytes)

Registry activity

The process CatalinaUpdate.exe:1304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"CLSID" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}]
"(Default)" = "ICatalinaUpdate3WebSecurity"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}]
"(Default)" = "IAppBundle"

[HKCU\Software\Classes\CLSID\{554335BD-87F8-43DA-806A-741504EEFF62}\InProcServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\NumMethods]
"(Default)" = "39"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\NumMethods]
"(Default)" = "13"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}]
"(Default)" = "ICredentialDialog"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}]
"(Default)" = "ICatalinaUpdate"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}]
"(Default)" = "Update3COMClass"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}]
"(Default)" = "IAppVersionWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{554335BD-87F8-43DA-806A-741504EEFF62}]
"(Default)" = "PSFactoryBuffer"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}]
"(Default)" = "IOneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}]
"(Default)" = "ICoCreateAsync"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}]
"(Default)" = "ICurrentState"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}]
"(Default)" = "IAppBundleWeb"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}]
"(Default)" = "IApp"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\NumMethods]
"(Default)" = "5"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\CLSID\{554335BD-87F8-43DA-806A-741504EEFF62}\InProcServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 AA 62 37 29 21 92 20 AB 86 ED 8E 15 66 23 5E"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\NumMethods]
"(Default)" = "44"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\VersionIndependentProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\NumMethods]
"(Default)" = "9"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\NumMethods]
"(Default)" = "6"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"Policy" = "3"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\NumMethods]
"(Default)" = "14"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}]
"(Default)" = "ICatalinaUpdateCore"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\ProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CurVer]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}]
"(Default)" = "ICatalinaUpdate3"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}]
"(Default)" = "IJobObserver"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}]
"(Default)" = "IAppVersion"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}\InprocHandler32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}]
"(Default)" = "ICatalinaUpdate3Web"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}]
"(Default)" = "IBrowserHttpRequest2"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}]
"(Default)" = "IPackage"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}]
"(Default)" = "IAppWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}]
"(Default)" = "IProcessLauncher"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\ProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}]
"(Default)" = "IProgressWndEvents"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}]
"(Default)" = "IRegistrationUpdateHook"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}]
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}\InprocHandler32]
[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"Policy" = "3"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\ProgID]
"(Default)" = "CatalinaGroup.OneClickCtrl.9"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"iid" = "{27BF9067-D8C4-4BBD-A5BA-AA31C8769960}"

[HKCU\Software\CatalinaGroup\Update]
"UID" = "{3D0F063E-93FC-46DC-B00E-7654CA758FF7}"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.oneclickctrl.9]
"CLSID" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9\CLSID]
"(Default)" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"Policy" = "3"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.update3webcontrol.3]
"CLSID" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppName" = "CatalinaUpdate.exe"

[HKCU\Software\CatalinaGroup\Update]
"Version" = "1.3.25.215"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"Name" = "Catalina Update"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"vendor" = "Catalina Group Ltd."

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"InstallTime" = "1425121816"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"Description" = "CatalinaGroup Update"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"Description" = "CatalinaGroup Update"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"vendor" = "Catalina Group Ltd."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.215"
"brand" = "GGLS"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3\CLSID]
"(Default)" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppName" = "CatalinaUpdateOnDemand.exe"

[HKCU\Software\CatalinaGroup\Update]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update]
"CatalinaUpdate.exe" = "CatalinaGroup Update"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 87 3E 78 BE 83 CB 94 20 11 AE 88 75 3F 8F 6D"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.215"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\ProgID]
"(Default)" = "CatalinaGroup.Update3WebControl.3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"Version" = "9"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"Version" = "3"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"
"ui"
"LastChecked"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"UpdateAvailableSince"
"UpdateAvailableCount"

The process CatalinaUpdate.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 21 BF D7 EA 67 ED 47 11 1B 98 FA 4F 3A 5A 6B"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"

The process CatalinaUpdate.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 29 5B F1 57 49 AD 21 C8 35 16 17 15 1F 8F 5D"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"tttoken"
"iid"

The process CatalinaUpdate.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 A9 01 4D 7A EB C6 2A AE 13 30 0E 20 8F 84 19"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "02 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "02 00 00 00 00 00 00 00"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process %original file name%.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D E6 E7 C9 4F 80 23 95 74 02 44 C8 16 28 B1 6E"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Catalina Group Ltd.
Product Name: CatalinaGroup Update
Product Version: 1.3.25.215
Legal Copyright: Copyright 2013 Catalina Group Ltd.
Legal Trademarks:
Original Filename: CatalinaUpdateSetup.exe
Internal Name: CatalinaGroup Update Setup
File Version: 1.3.25.215
File Description: CatalinaGroup Update Setup
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 22
52e93d93473e442df41b45a8df00f628
05cd4d2811937ace563cb37b346eb562
6fea5b8d14c637c20a7e4c3b7d0af70e
78ca8c9f73fa1bd81cb2a3324e3b719e
d427e63df9cc884606db9221fb5856e5
5b460db94f90f3f40a17374bd3779a4e
f1351428b3e81bf3a6b8972c71a26f0d
54377355d4b7290a0a998471c7846e24
d832665608fcf53ef06453b7932a39d2
bf20e4684fc070983c29557b1f2b8728
3f4b2b26245f3679f51cedafcfbb7815
f36dddc368f66380c5a0dcae5f68a86a
7596819db358e116e206821a6508a77a
d5920889911ace49d013c03ea70a0526
d931749be1fbc569b0871bdbfa5aec24
cb01ead685dd56990c0c9e610c52c810
ebd74ee6007cc6ec1e790edb7f3b21ac
a51e088751e1c2f05f4cca3124aff881
5f6e40882047b48ad3a9372cf3fb0747
1a6d4ed37dab4cc2cc2d731b08b7b100
94ef08fc3d994e8dbdb57e69c1f0c844
6466bc55d8e289bc0952cf54f03b0222

URLs

URL	IP
hxxp://catalinahub.com/update/ping	162.252.82.211
hxxp://catalinahub.com/update/check?w=3:CK71LhsJDcYrH9dF7LBKPjavgiThgOABBfVShtCpM8StBZ-wKfcA5hZIDlaBQhyoe9QfE8vqgJrUCkVliQYo4o6yohPN2djNv8uQtSjTAZb3xUYHfKiKcq4K48KsS37GNEQiohcgefxpKYlTUUZjDnyVciIpre0SRg6lyG-k9dw	162.252.82.211
hxxp://catalinahub.com/update/check	162.252.82.211
hxxp://catalinahub.silvercdn.com/download/citrio_40.0.2214.250_1.exe
hxxp://static.citrio.com/download/citrio_40.0.2214.250_1.exe	46.234.113.86

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /update/check HTTP/1.1

User-Agent: Google Update/1.3.25.215;winhttp

X-Last-HR: 0x80040880

X-Last-HTTP-Status-Code: 200

X-Retry-Count: 0

Host: catalinahub.com

Content-Length: 567

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.215" ismachine="0" sessionid="{E7F019A1-148A-41C1-A549-FD25329D9204}" userid="{3D0F063E-93FC-46DC-B00E-7654CA758FF7}" installsource="taggedmi" testsource="auto" requestid="{2E9AE201-03E8-4427-9587-59D4109F1580}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" version="" nextversion="" buildtype="1" lang="en" brand="" client="" installage="-1" iid="{27BF9067-D8C4-4BBD-A5BA-AA31C8769960}"><updatecheck/></app></request>
HTTP/1.1 200 OK

Date: Sat, 28 Feb 2015 11:10:13 GMT

Server: Apache-Coyote/1.1

Content-Type: application/xml;charset=UTF-8

Connection: close

Transfer-Encoding: chunked
2a6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><
response protocol="3.0" server="dist"><dayStart elapsed_seconds=
"40213"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" sta
tus="ok"><updatecheck status="ok"><urls><url codebas
e="hXXp://static.citrio.com/download/"/></urls><manifest v
ersion="40.0.2214.250"><packages><package hash="e j641Pk9x
3Db9XzFsa5f6zZKok=" name="citrio_40.0.2214.250_1.exe" required="true" 
size="55189904"/></packages><actions><action argumen
ts="--chrome --do-not-launch-chrome" event="install" run="citrio_40.0.
2214.250_1.exe"/><action event="postinstall" onsuccess="exitsile
ntlyonlaunchcmd"/></actions></manifest></updatecheck
></app></response>..0..

HEAD /download/citrio_40.0.2214.250_1.exe HTTP/1.1

Accept: */*

Accept-Encoding: identity

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

User-Agent: Microsoft BITS/6.7

Host: static.citrio.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 28 Feb 2015 08:02:13 GMT

Server: Apache-Coyote/1.1

ETag: W/"55189904-1424786513000"

Last-Modified: Tue, 24 Feb 2015 14:01:53 GMT

Content-Type: application/octet-stream;charset=UTF-8

Age: 11283

Content-Length: 55189904

Connection: close

POST /update/ping HTTP/1.1

User-Agent: Google Update/1.3.25.215;winhttp

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: catalinahub.com

Content-Length: 613

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.215" ismachine="0" sessionid="{E7F019A1-148A-41C1-A549-FD25329D9204}" userid="{3D0F063E-93FC-46DC-B00E-7654CA758FF7}" installsource="taggedmi" testsource="auto" requestid="{F1CE7B9B-E417-4AD2-BDC5-824278C1083D}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{6C598730-F715-407B-A7AE-A8F10D0F8FA7}" version="" nextversion="1.3.25.215" buildtype="" lang="en" brand="" client="" iid="{27BF9067-D8C4-4BBD-A5BA-AA31C8769960}"><event eventtype="2" eventresult="1" errorcode="0" extracode1="0"/></app></request>
HTTP/1.1 200 OK

Date: Sat, 28 Feb 2015 11:10:11 GMT

Server: Apache-Coyote/1.1

Content-Type: application/xml;charset=UTF-8

Connection: close

Transfer-Encoding: chunked
e6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><r
esponse protocol="3.0" server="dist"><dayStart elapsed_seconds="
40211"/><app appid="{6C598730-F715-407B-A7AE-A8F10D0F8FA7}" stat
us="ok"><event status="ok"/></app></response>..0.
.

POST /update/check?w=3:CK71LhsJDcYrH9dF7LBKPjavgiThgOABBfVShtCpM8StBZ-wKfcA5hZIDlaBQhyoe9QfE8vqgJrUCkVliQYo4o6yohPN2djNv8uQtSjTAZb3xUYHfKiKcq4K48KsS37GNEQiohcgefxpKYlTUUZjDnyVciIpre0SRg6lyG-k9dw HTTP/1.1

User-Agent: Google Update/1.3.25.215;winhttp;cup

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

If-Match: "De17nhyasaIugUcWqfP2sKPtJRo"

Host: catalinahub.com

Content-Length: 567

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.215" ismachine="0" sessionid="{E7F019A1-148A-41C1-A549-FD25329D9204}" userid="{3D0F063E-93FC-46DC-B00E-7654CA758FF7}" installsource="taggedmi" testsource="auto" requestid="{2E9AE201-03E8-4427-9587-59D4109F1580}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" version="" nextversion="" buildtype="1" lang="en" brand="" client="" installage="-1" iid="{27BF9067-D8C4-4BBD-A5BA-AA31C8769960}"><updatecheck/></app></request>
HTTP/1.1 200 OK

Date: Sat, 28 Feb 2015 11:10:13 GMT

Server: Apache-Coyote/1.1

Content-Type: application/xml;charset=UTF-8

Connection: close

Transfer-Encoding: chunked
2a6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><
response protocol="3.0" server="dist"><dayStart elapsed_seconds=
"40213"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" sta
tus="ok"><updatecheck status="ok"><urls><url codebas
e="hXXp://static.citrio.com/download/"/></urls><manifest v
ersion="40.0.2214.250"><packages><package hash="e j641Pk9x
3Db9XzFsa5f6zZKok=" name="citrio_40.0.2214.250_1.exe" required="true" 
size="55189904"/></packages><actions><action argumen
ts="--chrome --do-not-launch-chrome" event="install" run="citrio_40.0.
2214.250_1.exe"/><action event="postinstall" onsuccess="exitsile
ntlyonlaunchcmd"/></actions></manifest></updatecheck
></app></response>..0..

GET /download/citrio_40.0.2214.250_1.exe HTTP/1.1

Accept: */*

Accept-Encoding: identity

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

User-Agent: Microsoft BITS/6.7

Host: static.citrio.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 28 Feb 2015 08:02:13 GMT

Server: Apache-Coyote/1.1

ETag: W/"55189904-1424786513000"

Last-Modified: Tue, 24 Feb 2015 14:01:53 GMT

Content-Type: application/octet-stream;charset=UTF-8

Age: 11285

Content-Length: 55189904

Connection: close

Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..............]...]
...]...]...]9.K]...]...]...]..)]...]..e]...]..,]...]Rich...]........PE
..L...0S.T................."....I......!.......@....@.................
.........`J.....f.J......................................P..P....`..x.
I...........J......PJ.p.......8.......................................
.....P...............................text...t!......."................
.. ..`.data........@[email protected].......&..
............@[email protected]..`....I..,..............@[email protected]
[email protected]............................................
......................................................................
......................................................................
......................................................................
......................................................................
................................................0S.T........g...L...L.
......0S.T....................{.9.2.F.8.A.2.1.9.-.E.7.4.0.-.4.9.D.5.-.
B.7.8.5.-.B.9.6.2.A.D.8.1.9.7.2.4.}.....{.E.9.F.2.4.A.7.C.-.1.3.C.A.-.
4.2.F.B.-.A.4.D.9.-.7.9.C.3.C.9.D.2.1.B.2.8.}.....{.0.1.0.5.E.A.0.2.-.
8.0.2.D.-.4.B.3.7.-.8.1.6.1.-.4.E.D.2.5.C.4.9.3.2.6.6.}.....{.D.E.2.8.
A.2.E.A.-.7.7.F.A.-.4.F.2.B.-.8.2.5.2.-.C.3.B.5.8.4.4.F.6.4.5.5.}.....
{.F.0.B.5.0.D.5.A.-.4.B.B.A.-.4.5.1.4.-.A.D.2.C.-.E.B.A.5.0.C.2.9.C.4.
6.0.}.....-.-.c.h.r.o.m.e.-.s.x.s.....-.-.c.h.r.o.m.e.....-.-.c.h.
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

mi_exe_stub.pdb

GetCPInfo

KERNEL32.dll

SHLWAPI.dll

GetProcessHeap

ole32.dll

USER32.dll

c:\%original file name%.exe

7&ftP

4.Ppi

1.Mx.e

y.Ar`

%X/|0

P@5=%d

.uBSQ

 Ja%F' LG3R

Xgl.ES

d".qp

)p.Rq

X:\.f

.Pz ;

^%FT7

lWB%S

X;.RG

x%9s\

v.ls?

TBs.Vz

=q6%D

t%1Xg

N7N.rta

%U:NT

?.NLp

t#$%S

a.mW3

_%F!R

.yBoo

.UfX~

L%u`=m=W

M0.aZ

.Mc0W

o0.NJ

TßR! 

C%Fn'6

.zfqLg

%x$/a44

EFTP

*_r.Cd

k.lhx

pK.gJ

:sssh 

7:<<<6000

<requestedExecutionLevel level="asInvoker" />

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--This Id value indicates the application supports Windows 8 functionality-->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--This Id value indicates the application supports Windows 8.1 functionality-->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*' />

: :%:/:=:}:

3'3,30343]3

mscoree.dll

KERNEL32.DLL

appguid={92F8A219-E740-49D5-B785-B962AD819724}&installerargs=--make-chrome-default

Windows 2000 Service Pack 4

Windows 2000

lador de %1!s! requereix Windows 2000 amb Service Pack 4 o una versi

m Windows 2000 Service Pack 4 nebo nov

ver Windows 2000 Service Pack 4 eller bedre.

r den %1!s!-Installer wird Windows 2000 Service Pack 4 oder h

Unknown Installer ErrorTInstallation failed. %1!s! Installer requires Windows 2000 Service Pack 4 or better.

Windows 2000 Service Pack 4:n tai uudemman.

cessite Windows

je Windows 2000 Service Pack 4-et vagy frissebb verzi

krefst Windows 2000

Google#Programma di installazione di %1!s!!Errore sconosciuto dell'installertInstallazione non riuscita. Il programma di installazione di %1!s! richiede Windows 2000 Service Pack 4 o superiore.

Installatieprogramma van %1!s!'Onbekende fout van installatieprogrammasDe installatie is mislukt. Voor het installatieprogramma van %1!s! is Windows 2000 Service Pack 4 of hoger vereist.

Ukjent installasjonsfeilgInstallasjonen mislyktes. %1!s! installasjonsprogrammet krever Windows 2000 Service Pack 4 eller nyere.

. Instalator %1!s! wymaga systemu Windows 2000 z dodatkiem Service Pack 4 lub nowszego.

o. O instalador do %1!s! requer o Windows 2000 Service Pack 4 ou posterior.

it. %1!s! Programul de instalare are nevoie de Windows 2000 Service Pack 4 sau de o versiune superioar

ka alata za instalacijulInstalacija nije uspjela. Za instalacijski program %1!s! potreban je Windows 2000 Service Pack 4 ili noviji.

m Windows 2000 Service Pack 4 alebo nov

ver Windows 2000 Service Pack 4 eller b

kleyicisi Windows 2000 Hizmet Paketi 4 veya sonras

Program pemasang %1!s!!Kesalahan Installer Tak DiketahuiePemasangan gagal. Program pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.

na. Za namestitveni program za %1!s! potrebujete Windows 2000 s servisnim paketom SP 4 ali novej

uab rakendust Windows 2000 hoolduspakett 4 v

ama Windows

Windows 2000

u Windows 2000 G

Pemasang %1!s!#Ralat Pemasang yang Tidak Diketahui]Pemasangan gagal. Pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.

Kisakinishi cha %1!s!%Hitilafu ya Kisakinishi Isiyojulikana_Usakinishaji haukufaulu. Kisakinishi cha %1!s! kinahitaji Windows 2000 Service Pack 4 au zaidi.

. Windows 2000

Installer ng %1!s! Hindi Alam na Error ng InstallerlNabigo ang pag-install. Nangangailangan ang Installer ng %1!s! ng Windows 2000 Service Pack 4 o mas mahusay.

n. %1!s! El instalador requiere Windows 2000 Service Pack 4 o superior.

o %1!s! necessita do Windows 2000 Service Pack 4 ou superior.

n. %1!s! Installer requiere Windows 2000 Service Pack 4 o versiones posteriores.

1.3.25.215

CatalinaUpdateSetup.exe

CatalinaUpdate.exe_988:

.text

`.data

.text/DE

@.rsrc

@.reloc

SHELL32.dll

USER32.dll

SHLWAPI.dll

WINTRUST.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

CatalinaUpdate_unsigned.pdb

RegOpenKeyExW

ADVAPI32.dll

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

<requestedExecutionLevel level="asInvoker" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--This Id value indicates the application supports Windows 8 functionality-->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--This Id value indicates the application supports Windows 8.1 functionality-->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

###7777_{

###____777

###````87{

3 3$3(3,30343~3

5 5$5(5,5

?$?(?,?4?<?

= =$=@=`=

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\GUM1.tmp\CatalinaUpdate.exe

KERNEL32.DLL

mscoree.dll

goopdate.dll

CatalinaUpdate.exe

Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}

1.3.25.215

2007-2010

2007-2010

CatalinaUpdate.exe_224:

.text

`.data

.text/DE

@.rsrc

@.reloc

SHELL32.dll

USER32.dll

SHLWAPI.dll

WINTRUST.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

CatalinaUpdate_unsigned.pdb

RegOpenKeyExW

ADVAPI32.dll

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

<requestedExecutionLevel level="asInvoker" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--This Id value indicates the application supports Windows 8 functionality-->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--This Id value indicates the application supports Windows 8.1 functionality-->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

###7777_{

###____777

###````87{

3 3$3(3,30343~3

5 5$5(5,5

?$?(?,?4?<?

= =$=@=`=

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe

KERNEL32.DLL

mscoree.dll

goopdate.dll

CatalinaUpdate.exe

Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}

1.3.25.215

2007-2010

2007-2010

CatalinaUpdate.exe_1144:

.text

`.data

.text/DE

@.rsrc

@.reloc

SHELL32.dll

USER32.dll

SHLWAPI.dll

WINTRUST.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

CatalinaUpdate_unsigned.pdb

RegOpenKeyExW

ADVAPI32.dll

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

<requestedExecutionLevel level="asInvoker" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--This Id value indicates the application supports Windows 8 functionality-->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--This Id value indicates the application supports Windows 8.1 functionality-->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

###7777_{

###____777

###````87{

3 3$3(3,30343~3

5 5$5(5,5

?$?(?,?4?<?

= =$=@=`=

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe

KERNEL32.DLL

mscoree.dll

goopdate.dll

CatalinaUpdate.exe

Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}

1.3.25.215

2007-2010

2007-2010

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   CatalinaUpdate.exe:1304
   CatalinaUpdate.exe:1144
   CatalinaUpdate.exe:1880
   %original file name%.exe:1164

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe (58 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hu.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_uk.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_no.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_th.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fil.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ja.dll (22 bytes)
   %WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pl.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fi.dll (26 bytes)
   %WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-PT.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en-GB.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fr.dll (28 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_et.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sk.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_mr.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bn.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_kn.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es-419.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sl.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sw.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_iw.dll (23 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateBroker.exe (58 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ta.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ko.dll (21 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_de.dll (29 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hr.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_am.dll (22 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-BR.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sr.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-CN.dll (19 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaCrashHandler.exe (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-TW.dll (19 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_vi.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_cs.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ar.dll (24 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ca.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll (1281 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_nl.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psmachine.dll (673 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_el.dll (28 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_it.dll (28 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sv.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lv.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ur.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_te.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_is.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ru.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdate.exe (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ro.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_id.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll (673 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fa.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lt.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_tr.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bg.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateHelper.msi (36 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ms.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdate.dll (5873 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hi.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es.dll (29 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ml.dll (29 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_da.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_gu.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (237 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (27 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.