Jump to content

Removal instructions for Catalina


Recommended Posts

  • Staff

What is Catalina?

The Malwarebytes research team has determined that Catalina is a potentially unwanted program (PUP) that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by Catalina?

You may see these warnings during install:

warning1.png

these icons in your startmenu, your taskbar and on your desktop:

icons.png

these tasks in your Scheduled Tasks:

warning3.png

and this entry in your list of installed Programs and Features:

warning4.png

How did Catalina get on my computer?

Adware applications use different methods for distributing themselves. This particular one was installed by a bundler.
In this case with the Citrio browser:

website.png

How do I remove Catalina?

Our program Malwarebytes can detect and remove this potentially unwanted program.

  • Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Catalina?

  • No, Malwarebytes removes Catalina completely.
  • This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
  • Malwarebytes does not remove the Citrio browser. If you want to remove it, you can uninstall that from the Windows Control Panel.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this adware.

As you can see below the full version of Malwarebytes would have protected you against the Catalina adware. It would have blocked the installer before it became too late.
 

protection1.png


Technical details for experts

Possible signs in FRST logs:

HKCU\...\Run: [CatalinaGroup Update] => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe [132104 2019-02-13] (Catalina Group Limited -> Catalina Group Ltd.) <==== ATTENTION
FF Plugin HKCU: @catalinahub.net/CatalinaGroup Update;version=3 -> C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll [2019-02-13] (Catalina Group Ltd.)
FF Plugin HKCU: @catalinahub.net/CatalinaGroup Update;version=9 -> C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll [2019-02-13] (Catalina Group Ltd.)
C:\Users\{username}\Desktop\Chrome Web Store.lnk
C:\Users\{username}\Desktop\Facebook.lnk
C:\Users\{username}\Desktop\YouTube.lnk
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrio.lnk
C:\Users\{username}\Desktop\Citrio.lnk
C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job
C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job
C:\Users\{username}\AppData\Local\CatalinaGroup
C:\Windows\System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA
C:\Windows\System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core
C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe

Citrio (HKCU\...\Citrio) (Version: 50.0.2661.276 - © Catalinagroup Ltd.) <==== ATTENTION
Task: {18948E4E-B2F0-4193-BCD3-984AB9734C95} - System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe (Catalina Group Limited -> Catalina Group Ltd.) [File not signed] <==== ATTENTION
Task: {467A2CF4-D247-447D-9C6F-0F2E9E5F9BB6} - System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe (Catalina Group Limited -> Catalina Group Ltd.) [File not signed] <==== ATTENTION
Task: C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe <==== ATTENTION
Task: C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe <==== ATTENTION
ShortcutWithArgument: C:\Users\{username}\Desktop\Facebook.lnk -> C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe (CatalinaGroup Ltd.) -> "hxxp://www.facebook.com"
ShortcutWithArgument: C:\Users\{username}\Desktop\YouTube.lnk -> C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe (CatalinaGroup Ltd.) -> "hxxp://www.youtube.com"
FirewallRules: [{E73D6DA6-FC7D-4EBA-8C14-BBAA3BFDD8FD}] => (Allow) C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe (Catalina Group Limited -> CatalinaGroup Ltd.)

Significant changes made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application
       Adds the file chrome.VisualElementsManifest.xml"="2/13/2019 10:26 AM, 342 bytes, A
       Adds the file citrio.exe"="5/31/2017 6:03 AM, 1083264 bytes, A
       Adds the file debug.log"="2/13/2019 10:26 AM, 258 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\CrashReports
    Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update
       Adds the file CatalinaUpdate.exe"="2/13/2019 10:25 AM, 132104 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225
       Adds the file CatalinaCrashHandler.exe"="2/13/2019 10:25 AM, 132104 bytes, A
       Adds the file CatalinaUpdate.exe"="2/13/2019 10:25 AM, 132104 bytes, A
       Adds the file CatalinaUpdateBroker.exe"="2/13/2019 10:25 AM, 59912 bytes, A
       Adds the file CatalinaUpdateHelper.msi"="2/13/2019 10:25 AM, 40960 bytes, A
       Adds the file CatalinaUpdateOnDemand.exe"="2/13/2019 10:25 AM, 59912 bytes, A
       Adds the file goopdate.dll"="2/13/2019 10:25 AM, 802312 bytes, A
       Adds the file goopdateres_am.dll"="2/13/2019 10:25 AM, 24072 bytes, A
       Adds the file goopdateres_ar.dll"="2/13/2019 10:25 AM, 25608 bytes, A
       Adds the file goopdateres_bg.dll"="2/13/2019 10:25 AM, 29192 bytes, A
       Adds the file goopdateres_bn.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_ca.dll"="2/13/2019 10:25 AM, 28680 bytes, A
       Adds the file goopdateres_cs.dll"="2/13/2019 10:25 AM, 27656 bytes, A
       Adds the file goopdateres_da.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_de.dll"="2/13/2019 10:25 AM, 30216 bytes, A
       Adds the file goopdateres_el.dll"="2/13/2019 10:25 AM, 29704 bytes, A
       Adds the file goopdateres_en.dll"="2/13/2019 10:25 AM, 26632 bytes, A
       Adds the file goopdateres_en-GB.dll"="2/13/2019 10:25 AM, 27144 bytes, A
       Adds the file goopdateres_es.dll"="2/13/2019 10:25 AM, 30216 bytes, A
       Adds the file goopdateres_es-419.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_et.dll"="2/13/2019 10:25 AM, 27144 bytes, A
       Adds the file goopdateres_fa.dll"="2/13/2019 10:25 AM, 26632 bytes, A
       Adds the file goopdateres_fi.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_fil.dll"="2/13/2019 10:25 AM, 29192 bytes, A
       Adds the file goopdateres_fr.dll"="2/13/2019 10:25 AM, 29704 bytes, A
       Adds the file goopdateres_gu.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_hi.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_hr.dll"="2/13/2019 10:25 AM, 28680 bytes, A
       Adds the file goopdateres_hu.dll"="2/13/2019 10:25 AM, 28680 bytes, A
       Adds the file goopdateres_id.dll"="2/13/2019 10:25 AM, 27144 bytes, A
       Adds the file goopdateres_is.dll"="2/13/2019 10:25 AM, 27656 bytes, A
       Adds the file goopdateres_it.dll"="2/13/2019 10:25 AM, 29704 bytes, A
       Adds the file goopdateres_iw.dll"="2/13/2019 10:25 AM, 25096 bytes, A
       Adds the file goopdateres_ja.dll"="2/13/2019 10:25 AM, 23560 bytes, A
       Adds the file goopdateres_kn.dll"="2/13/2019 10:25 AM, 28680 bytes, A
       Adds the file goopdateres_ko.dll"="2/13/2019 10:25 AM, 23048 bytes, A
       Adds the file goopdateres_lt.dll"="2/13/2019 10:25 AM, 27144 bytes, A
       Adds the file goopdateres_lv.dll"="2/13/2019 10:25 AM, 29192 bytes, A
       Adds the file goopdateres_ml.dll"="2/13/2019 10:25 AM, 30728 bytes, A
       Adds the file goopdateres_mr.dll"="2/13/2019 10:25 AM, 27656 bytes, A
       Adds the file goopdateres_ms.dll"="2/13/2019 10:25 AM, 27656 bytes, A
       Adds the file goopdateres_nl.dll"="2/13/2019 10:25 AM, 29192 bytes, A
       Adds the file goopdateres_no.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_pl.dll"="2/13/2019 10:25 AM, 29192 bytes, A
       Adds the file goopdateres_pt-BR.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_pt-PT.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_ro.dll"="2/13/2019 10:25 AM, 28680 bytes, A
       Adds the file goopdateres_ru.dll"="2/13/2019 10:25 AM, 27656 bytes, A
       Adds the file goopdateres_sk.dll"="2/13/2019 10:25 AM, 28680 bytes, A
       Adds the file goopdateres_sl.dll"="2/13/2019 10:25 AM, 28680 bytes, A
       Adds the file goopdateres_sr.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_sv.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_sw.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_ta.dll"="2/13/2019 10:25 AM, 29192 bytes, A
       Adds the file goopdateres_te.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_th.dll"="2/13/2019 10:25 AM, 26632 bytes, A
       Adds the file goopdateres_tr.dll"="2/13/2019 10:25 AM, 28168 bytes, A
       Adds the file goopdateres_uk.dll"="2/13/2019 10:25 AM, 27656 bytes, A
       Adds the file goopdateres_ur.dll"="2/13/2019 10:25 AM, 27656 bytes, A
       Adds the file goopdateres_vi.dll"="2/13/2019 10:25 AM, 27144 bytes, A
       Adds the file goopdateres_zh-CN.dll"="2/13/2019 10:25 AM, 21000 bytes, A
       Adds the file goopdateres_zh-TW.dll"="2/13/2019 10:25 AM, 21000 bytes, A
       Adds the file npCatalinaUpdate3.dll"="2/13/2019 10:25 AM, 237576 bytes, A
       Adds the file psmachine.dll"="2/13/2019 10:25 AM, 156680 bytes, A
       Adds the file psuser.dll"="2/13/2019 10:25 AM, 162824 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\Download\{92F8A219-E740-49D5-B785-B962AD819724}\50.0.2661.276
       Adds the file citrio_50.0.2661.276_1.exe"="6/1/2017 10:00 AM, 59432320 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\Install\{5066949F-6C76-4D2D-B5F4-9BA14B8C062B}
       Adds the file citrio_50.0.2661.276_1.exe"="6/1/2017 10:00 AM, 59432320 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\Offline\{BD55EF3F-9661-4327-B056-D2D1C9BD36F7}
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
       Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2455 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
       Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2478 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
       Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2478 bytes, A
    In the existing folder C:\Users\{username}\Desktop
       Adds the file Chrome Web Store.lnk"="2/13/2019 10:26 AM, 2533 bytes, A
       Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2453 bytes, A
       Adds the file Facebook.lnk"="2/13/2019 10:26 AM, 2493 bytes, A
       Adds the file YouTube.lnk"="2/13/2019 10:26 AM, 2489 bytes, A
    In the existing folder C:\Windows\System32\Tasks
       Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core"="2/13/2019 10:25 AM, 3540 bytes, A
       Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA"="2/13/2019 10:25 AM, 3936 bytes, A
    In the existing folder C:\Windows\Tasks
       Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job"="2/13/2019 10:25 AM, 902 bytes, A
       Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job"="2/13/2019 10:25 AM, 954 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures]
       "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job"="REG_BINARY, ............................$...
       "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job.fp"="REG_DWORD", 1917796137
       "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job"="REG_BINARY, ................................
       "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job.fp"="REG_DWORD", 1081281079
    [HKEY_CURRENT_USER\Software\CatalinaGroup\CitrioDownloader]
    [HKEY_CURRENT_USER\Software\CatalinaGroup\Update]
       "LastInstallerError"="REG_DWORD", 0
       "LastInstallerResult"="REG_DWORD", 0
       "LastInstallerSuccessLaunchCmdLine"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe""
       "path"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe"
       "uid"="REG_SZ", "{6AC4AB17-5F65-4002-8353-583D7EDA74B4}"
       "version"="REG_SZ", "1.3.25.225"
    [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
       "bt"="REG_SZ", "1"
       "lang"="REG_SZ", "en"
       "name"="REG_SZ", "Citrio App Launcher"
       "oopcrashes"="REG_DWORD", 1
       "pv"="REG_SZ", "50.0.2661.276"
    [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
       "name"="REG_SZ", "Catalina Update"
       "pv"="REG_SZ", "1.3.25.225"
    [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
       "bt"="REG_SZ", "1"
       "lang"="REG_SZ", "en"
       "name"="REG_SZ", "Citrio"
       "oopcrashes"="REG_DWORD", 1
       "pv"="REG_SZ", "50.0.2661.276"
    [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}\Commands\on-os-upgrade]
       "AutoRunOnOSUpgrade"="REG_DWORD", 1
       "CommandLine"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\50.0.2661.276\Installer\setup.exe" --on-os-upgrade --verbose-logging"
    [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
       "brand"="REG_SZ", "GGLS"
       "iid"="REG_SZ", "{B7A36BE9-E198-4287-9D35-BC1CFD561747}"
       "InstallTime"="REG_DWORD", 1550049952
       "pv"="REG_SZ", "1.3.25.225"
    [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
       "_NumAccounts"="REG_SZ", "1"
       "_NumSignedIn"="REG_SZ", "0"
       "brand"="REG_SZ", "GGLS"
       "bt"="REG_SZ", "1"
       "dr"="REG_SZ", "1"
       "iid"="REG_SZ", "{B7A36BE9-E198-4287-9D35-BC1CFD561747}"
       "InstallTime"="REG_DWORD", 1550049966
       "lang"="REG_SZ", "en"
       "LastCheckSuccess"="REG_DWORD", 1550049978
       "LastInstallerError"="REG_DWORD", 0
       "LastInstallerResult"="REG_DWORD", 0
       "LastInstallerSuccessLaunchCmdLine"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe""
       "lastrun"="REG_SZ", "13194523582822146"
       "LastWasDefault"="REG_QWORD, ....
       "pv"="REG_SZ", "50.0.2661.276"
       "referral"="REG_SZ", "1:citrio_website"
       "UninstallArguments"="REG_SZ", " --uninstall"
       "UninstallString"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\50.0.2661.276\Installer\setup.exe"
       "usagestats"="REG_DWORD", 0
    [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\network\secure]
    [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\proxy]
       "source"="REG_SZ", "IE"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "CatalinaGroup Update"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe" /c"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
       "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe,0"
       "DisplayName"="REG_SZ", "Citrio"
       "DisplayVersion"="REG_SZ", "50.0.2661.276"
       "InstallDate"="REG_SZ", "20190213"
       "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application"
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "© Catalinagroup Ltd."
       "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\50.0.2661.276\Installer\setup.exe" --uninstall"
       "Version"="REG_SZ", "50.0.2661.276"
       "VersionMajor"="REG_DWORD", 2661
       "VersionMinor"="REG_DWORD", 276
    [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
       "Description"="REG_SZ", "CatalinaGroup Update"
       "Path"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll"
       "ProductName"="REG_SZ", "CatalinaGroup Update"
       "Vendor"="REG_SZ", "Catalina Group Ltd."
       "Version"="REG_SZ", "3"
    [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3\MimeTypes\application/x-vnd.catalinahub.update3webcontrol.3]
    [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
       "Description"="REG_SZ", "CatalinaGroup Update"
       "Path"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll"
       "ProductName"="REG_SZ", "CatalinaGroup Update"
       "Vendor"="REG_SZ", "Catalina Group Ltd."
       "Version"="REG_SZ", "9"
    [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9\MimeTypes\application/x-vnd.catalinahub.oneclickctrl.9]
    [HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Extensions\dcagnhpbnggmbihndfkkhfjojgbaaedo\1.2.40_0\binaries\win\imageformats]
       "qico4.dll"="REG_MULTI_SZ, "2017-02-17T13:35:50 ico "
    [HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Extensions\dcagnhpbnggmbihndfkkhfjojgbaaedo\1.2.40_0\binaries\win\imageformats]
       "qico4.dll"="REG_MULTI_SZ, "40806 0 Windows msvc release full-config 2017-02-17T13:35:50 "

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/13/19
Scan Time: 10:34 AM
Log File: 99374b67-2f72-11e9-8ffc-00ffdcc6fdfc.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.527
Update Package Version: 1.0.9238
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236076
Threats Detected: 26
Threats Quarantined: 26
Time Elapsed: 4 min, 27 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE, Quarantined, [500], [635491],1.0.9238

Module: 2
PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\GOOPDATE.DLL, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE, Quarantined, [500], [635491],1.0.9238

Registry Key: 6
PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{467A2CF4-D247-447D-9C6F-0F2E9E5F9BB6}, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{467A2CF4-D247-447D-9C6F-0F2E9E5F9BB6}, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{18948E4E-B2F0-4193-BCD3-984AB9734C95}, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{18948E4E-B2F0-4193-BCD3-984AB9734C95}, Quarantined, [500], [635491],1.0.9238

Registry Value: 1
PUP.Optional.Catalina, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|CatalinaGroup Update, Quarantined, [500], [635491],1.0.9238

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 16
PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\GOOPDATE.DLL, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\WINDOWS\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\WINDOWS\SYSTEM32\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\WINDOWS\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\WINDOWS\SYSTEM32\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\CATALINAUPDATE.EXE, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\CATALINAUPDATESETUP.EXE, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Internet Explorer\Quick Launch\Citrio.lnk, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\User Pinned\TaskBar\Citrio.lnk, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Start Menu\Programs\Citrio.lnk, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\Chrome Web Store.lnk, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\Citrio.lnk, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\Facebook.lnk, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\YouTube.lnk, Quarantined, [500], [635491],1.0.9238
PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\CITRIO\APPLICATION\CITRIO.EXE, Quarantined, [500], [635491],1.0.9238

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Edited by Metallica
Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.