Gen.Heur.SMHeist.3_4bb7454cf6 – Adaware

Gen:Heur.SMHeist.3 (B) (Emsisoft), Gen:Heur.SMHeist.3 (AdAware)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 4bb7454cf635dd6bf42a0d4cd222d55d

SHA1: aba63d2cc94e91bbce0bcc0a9a5b8747ba57a607

SHA256: 98afd2d1bafb5a06af9fecb9d46fc58ba43c854528b1e750f5739c9c8aa0f5b3

SSDeep: 393216:gBTWl/9b7hnLhuDtX 5qPWTEnSaKg6xfl7GGltf:gxWf3ruRXaqWvXxfl7GG7

Size: 14126116 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6

Company: AirInstaller

Created at: 1992-06-20 01:22:17

Analyzed on: WindowsXP SP3 32-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

%original file name%.exe:448
regedit.exe:432
runonce.exe:436
grpconv.exe:1316
MsiExec.exe:1232
MsiExec.exe:1100

The Malware injects its code into the following process(es):

PDAgent.exe:372
PDEngine.exe:744

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process PDAgent.exe:372 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Raxco\PerfectDisk\12.5\pd_local.sdf (4 bytes)

The process %original file name%.exe:448 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcm80.dll (9364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\English.tr (16110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcr80.dll (11472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\msxml6.dll (20729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\defragfs.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceqp35.dll (14043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\Config.ini (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.adm (1328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVMDefrag.exe (10960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchangePS.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\English.tr (17101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtCore4.dll (49418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchange.exe (6471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlcese35.dll (8130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.dll (2819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtGui4.dll (180433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\CommonAppData\Raxco\PerfectDisk\12.5\pd_local.sdf (30618 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDElevationWorker.exe (3236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcp100.dll (7538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PerfectDisk.exe (149995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\ssleay32.dll (5370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\PDFsFilter.sys (1320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\PerfectDisk_x86.msi (44286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\PDBoot.exe (4584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\libeay32.dll (20429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDAgent.tlb (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\qt_ja.qm (3005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (27304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.dll (3996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDState.dll (13708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcp80.dll (10769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuestPS.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcr100.dll (13109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.bat (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\AutoUpdGui.exe (17623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceqp35.dll (10442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcp80.dll (8715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEngine.exe (34064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDCmd.exe (7333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgent.exe (20320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.raxco.manifest (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PdFsfilter.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\chartdir50.dll (35321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDUtils.dll (4772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcr80.dll (12820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcm80.dll (9223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcr80.dll (9853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.raxco.manifest (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PatchPDLocalDB.sql (1929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcp80.dll (12030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\AutoUpdDLL.dll (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlcese35.dll (6929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcm80.dll (9530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDFsPerf.dll (1062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgentS1.exe (830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\en-us\PerfectDisk12_5.adml (1047 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\DefragFS.inf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\DefragFs.sys (2336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.reg (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsFilter.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEnginePS.dll (842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsPerf.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.admx (1024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuest.dll (24837 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (0 bytes)

The process PDEngine.exe:744 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%System%\wbem\Repository\FS\OBJECTS.MAP (12 bytes)
%System%\wbem\Logs (4 bytes)
%System%\config\AppEvent.Evt (16 bytes)
%WinDir%\Installer\{FD310764-B3E5-430F-980E-D6C0016B2660} (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b4.dat (4 bytes)
%WinDir%\Installer (8 bytes)
%System%\config\SOFTWARE.LOG (78492 bytes)
%Program Files%\Common Files (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%System%\wbem\Repository\FS\MAPPING2.MAP (192 bytes)
C:\$Directory (1292 bytes)
%System% (2360 bytes)
%WinDir% (1156 bytes)
%System%\Microsoft\Protect\S-1-5-18\User (4 bytes)
%System%\config (108 bytes)
%System%\config\software (78350 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Program Files%\Common Files\Raxco\Shared (4 bytes)
%Documents and Settings%\All Users\Application Data (8 bytes)
%WinDir%\MICROSOFT.NET (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (47 bytes)
%Documents and Settings%\All Users\Application Data\Raxco\PerfectDisk\12.5\pd_local.sdf (4 bytes)

Registry activity

The process PDAgent.exe:372 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThresholdVmHost" = "10000000"
"AutoScheduleHoursInterval" = "96"
"UserTimeThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehavior" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThresholdVmHost" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThresholdVmHost" = "30"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehaviorFirstRun" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoAdjustThresholds" = "1"
"AutoScheduleNoDefragDuring" = ""
"KernelTimeThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleActivityTimeOut" = "300"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThreshold" = "10000000"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 1D 8B 1B 60 29 D6 75 7F B7 C0 55 6F D2 B5 31"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate" = "16 00 00 00 41 00 75 00 74 00 6F 00 55 00 70 00"
"Runs" = "00 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"AutoScheduleNoDefragDuring" = ""

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"(Default)"
"Runs"

[HKLM\System\CurrentControlSet\Services\PerfDisk\Performance]
"Error Count"

[HKLM\System\CurrentControlSet\Services\PerfOS\Performance]
"Error Count"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate"

The process %original file name%.exe:448 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BrandType" = "0"
"license" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"
"ManageOnPort" = "4294967295"
"HelpURL" = "http://docs.raxco.com/perfectdisk/12_5/EN/Index.htm"
"WebsiteUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Registry_Name" = "Build"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightSettings" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehavior" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"WebinarsUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Webinars"
"BusinessUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Business"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\\\?\]
"Volume{52195469-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 43 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"proxy_port" = "80"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DisableSmart" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportURL" = "http://links.raxco.com/go.rax?id=PD12_5_Support"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThresholdVmHost" = "30"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UserGuidesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_UserGuides"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"RegisterURL" = "http://www.raxco.com/register"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"LData" = "eWRvlT4AkSPiOay5qg5mjBu5uQ43o7eL"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSMode" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"DisplayVersion" = "12.5 Build 312"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThreshold" = "10000000"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\\\?\]
"Volume{52195465-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 44 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AlertSettings]
"(Default)" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"FaqUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_FAQ"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"USER_NAME" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"InstallSource" = "c:\"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Registered" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Server" = ""
"Version_Info_Path" = "Software\Raxco\PerfectDisk\12.5"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThreshold" = "30"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"URLInfoAbout" = "http://www.minutka15.com"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Password_Ciphered" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"OptiwriteAdvanced" = "0"
"ProductKeyURL" = "http://links.raxco.com/go.rax?id=PD12_5_SVR"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"Language" = "1049"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HelpDownloadUrl" = "http://docs.raxco.com/perfectdisk/12_5/EN/download_Help/x86_PD12.5_Help.msi"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleActivityTimeOut" = "300"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehaviorFirstRun" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"Language" = "1033"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"InstallDate" = "20150304"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConnectUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Connect"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"EstimatedSize" = "50100"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoAdjustThresholds" = "1"
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName1" = "Graphic"
"FileGroupName0" = "Text"
"FileGroupName3" = "Video"
"FileGroupName2" = "Program"
"FileGroupName5" = "Temporary"
"FileGroupName4" = "Music"
"FileGroupName6" = "User Defined"
"WebserviceEnabled" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"NoModify" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"StoreUrl" = "http://links.raxco.com/go.rax?id=PD12_5_OnlineStore"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowExternalHardDrives" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Security" = "01 00 00 00 01 00 00 00 00 00 00 00 03 00 00 00"
"FeaturesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_Features"
"FreeSpaceOnStart" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 41 1D 21 06 CC F0 19 2B 2A 1B 39 66 98 3C E5"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Ftp_Server" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"UninstallString" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask2" = ".exe;.dll;.ocx;.sys;.vbs;.js;.wsf;.wsc;.com"
"FileGroupMask3" = ".avi;.mpg;.mov;.mp4;.mpeg;.wmv;.flv;.swf"
"FileGroupMask0" = ".txt;.doc;.docx;.rtf;.pdf;.htm;.html;.wpd;.wri"
"FileGroupMask1" = ".bmp;.jpg;.gif;.tif;.jpeg;.png"
"FileGroupMask6" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"InstallLocation" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask4" = ".mp3;.wav;.midi;.aac;.ogg;.wma"
"FileGroupMask5" = ".tmp"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThresholdVmHost" = "10000000"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SalesMail" = "sales@perfectdisk.com"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableTemperatureWarnings" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"LicenseKey" = "8ZkJZGINOMnz1XKWhTJf44z06WY2LoAfzfMSs8b8DHaj/Z6vT3FxP/gvbK5PIr88"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ProcessPriority" = "16384"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleHoursInterval" = "96"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThresholdVmHost" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UseConfigIni" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Update_Root_Dir" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"VersionMajor" = "12"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Install_Option" = "Notify"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DiskThresholdUnits" = "1024"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BlogUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Blog"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"http_url" = "http://update.raxco.com/pub/download/PD125/Client"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableSmartPolling" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BetaURL" = "http://beta.raxco.com"
"Wizard" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"SmartPollingPeriod" = "180"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniEngineCompleted" = "1"
"Build" = "312"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"DisplayName" = "Raxco PerfectDisk Server 12.5 Build 312"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"LogSettings" = "0F 00 00 00 02 00 00 00 02 00 00 00 00 00 02 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Software_Name" = "PerfectDisk 12.5 Server"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SuggestionsURL" = "http://links.raxco.com/go.rax?id=PD12_5_Suggestions"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportMail" = "http://links.raxco.com/go.rax?id=PD12_5_Support"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Ini_Filename" = "PD125b312.ini"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"PFN" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowFlashDrives" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ContactSupportUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SupportMail"
"PerfectDiskUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"Publisher" = "Minutka15"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Auto_Check" = "No"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server]
"wainakh.bat" = "wainakh"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"CriticalTemperature" = "00 00 00 00 00 00 49 40"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Enabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate" = "16 00 00 00 41 00 75 00 74 00 6F 00 55 00 70 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"NoRepair" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"PDManageLayoutIni" = "3"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniAgentCompleted" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"WebServiceUrl" = "http://updates.raxco.com/SMART/SMARTModelUpdates.asmx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"DisplayIcon" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Uninstall.exe"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowSSD" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\\\?\]
"Volume{52195466-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 45 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightFirstRunDriveEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Protocol" = "http"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"VersionMinor" = "5312"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HideOptiWrite" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"IoThrottling" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"Runs" = "00 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"KbUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_KB"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process regedit.exe:432 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BrandType" = "0"
"license" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"
"ManageOnPort" = "4294967295"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ExcludedVolumes" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HelpURL" = "http://docs.raxco.com/perfectdisk/12_5/EN/Index.htm"
"WebsiteUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Registry_Name" = "Build"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightSettings" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehavior" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"WebinarsUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Webinars"
"BusinessUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Business"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"proxy_port" = "80"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DisableSmart" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportURL" = "http://links.raxco.com/go.rax?id=PD12_5_Support"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThresholdVmHost" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UserGuidesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_UserGuides"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"RegisterURL" = "http://www.raxco.com/register"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"LData" = "eWRvlT4AkSPiOay5qg5mjBu5uQ43o7eL"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSMode" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThreshold" = "10000000"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Software_Name" = "PerfectDisk 12.5 Server"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AlertSettings]
"(Default)" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"FaqUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_FAQ"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"USER_NAME" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Registered" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Server" = ""
"Version_Info_Path" = "Software\Raxco\PerfectDisk\12.5"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Password_Ciphered" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"OptiwriteAdvanced" = "0"
"ProductKeyURL" = "http://links.raxco.com/go.rax?id=PD12_5_SVR"
"HelpDownloadUrl" = "http://docs.raxco.com/perfectdisk/12_5/EN/download_Help/x86_PD12.5_Help.msi"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{52195465-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 44 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleActivityTimeOut" = "300"
"AutoScheduleNewVolumeBehaviorFirstRun" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"Language" = "1033"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConnectUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Connect"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoAdjustThresholds" = "1"
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName1" = "Graphic"
"FileGroupName0" = "Text"
"FileGroupName3" = "Video"
"FileGroupName2" = "Program"
"FileGroupName5" = "Temporary"
"FileGroupName4" = "Music"
"FileGroupName6" = "User Defined"
"WebserviceEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"StoreUrl" = "http://links.raxco.com/go.rax?id=PD12_5_OnlineStore"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowExternalHardDrives" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Security" = "01 00 00 00 01 00 00 00 00 00 00 00 03 00 00 00"
"FeaturesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_Features"
"FreeSpaceOnStart" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 75 60 BD 5C E5 E6 EB E9 3A 13 F6 E6 BF FB 06"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{52195466-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 45 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Ftp_Server" = ""

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask2" = ".exe;.dll;.ocx;.sys;.vbs;.js;.wsf;.wsc;.com"
"FileGroupMask3" = ".avi;.mpg;.mov;.mp4;.mpeg;.wmv;.flv;.swf"
"FileGroupMask0" = ".txt;.doc;.docx;.rtf;.pdf;.htm;.html;.wpd;.wri"
"FileGroupMask1" = ".bmp;.jpg;.gif;.tif;.jpeg;.png"
"FileGroupMask6" = ""
"FileGroupMask4" = ".mp3;.wav;.midi;.aac;.ogg;.wma"
"FileGroupMask5" = ".tmp"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThresholdVmHost" = "10000000"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SalesMail" = "sales@perfectdisk.com"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableTemperatureWarnings" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"LicenseKey" = "8ZkJZGINOMnz1XKWhTJf44z06WY2LoAfzfMSs8b8DHaj/Z6vT3FxP/gvbK5PIr88"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ProcessPriority" = "16384"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleHoursInterval" = "96"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThresholdVmHost" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UseConfigIni" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Update_Root_Dir" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Install_Option" = "Notify"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DiskThresholdUnits" = "1024"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BlogUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Blog"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"http_url" = "http://update.raxco.com/pub/download/PD125/Client"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableSmartPolling" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BetaURL" = "http://beta.raxco.com"
"Wizard" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"SmartPollingPeriod" = "180"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniEngineCompleted" = "1"
"Build" = "312"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"LogSettings" = "0F 00 00 00 02 00 00 00 02 00 00 00 00 00 02 00"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{52195469-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 43 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SuggestionsURL" = "http://links.raxco.com/go.rax?id=PD12_5_Suggestions"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportMail" = "http://links.raxco.com/go.rax?id=PD12_5_Support"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Ini_Filename" = "PD125b312.ini"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"PFN" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowFlashDrives" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ContactSupportUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SupportMail"
"PerfectDiskUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Auto_Check" = "No"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"CriticalTemperature" = "00 00 00 00 00 00 49 40"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Enabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate" = "16 00 00 00 41 00 75 00 74 00 6F 00 55 00 70 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"PDManageLayoutIni" = "3"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniAgentCompleted" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"WebServiceUrl" = "http://updates.raxco.com/SMART/SMARTModelUpdates.asmx"
"AllowSSD" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightFirstRunDriveEnable" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Protocol" = "http"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableDebug" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HideOptiWrite" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"IoThrottling" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"Runs" = "00 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"KbUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_KB"

The process PDEngine.exe:744 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"EofWriteExtendSizeHigh" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"license" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName2" = "Program"
"AllowFlashDrives" = "1"
"EnableTemperatureWarnings" = "1"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EofWriteExtendSizeHigh" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask2" = ".exe;.dll;.ocx;.sys;.vbs;.js;.wsf;.wsc;.com"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MinExtentSizeHigh" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightSettings" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"CriticalTemperature" = "00 00 00 00 00 00 49 40"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"EofWriteExtendSizeLow" = "1048576"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ProcessPriority" = "16384"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{b98117e8-75ca-11e2-81b2-000c293708fb}" = "08 00 00 00 44 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EofWriteWhitelist" = ""

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"PDManageLayoutIni" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"

[HKLM\System\CurrentControlSet\Services\DefragFS\Parameters]
"BootMountTimestamp" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"IoThrottling" = "1"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MaxExtentSizeLow" = "4294967295"
"Enable" = "0"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EnableEofWriteDefrag" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ExcludedVolumes" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"SmartPollingPeriod" = "180"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EofWriteExtendSizeLow" = "1048576"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowSSD" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"LicenseKey" = "8ZkJZGINOMnz1XKWhTJf44z06WY2LoAfzfMSs8b8DHaj/Z6vT3FxP/gvbK5PIr88"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableSmartPolling" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightFirstRunDriveEnable" = "0"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"Enable" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask4" = ".mp3;.wav;.midi;.aac;.ogg;.wma"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MinNumFragmentsThreshold" = "2"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MaxExtentSizeHigh" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
"EnableAutoLayout" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName1" = "Graphic"
"FileGroupName0" = "Text"
"FileGroupName3" = "Video"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MinExtentSizeHigh" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName5" = "Temporary"
"FileGroupName4" = "Music"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MaxExtentSizeLow" = "4294967295"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName6" = "User Defined"
"DisableSmart" = "0"
"AllowExternalHardDrives" = "1"
"EnableDebug" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{c155cd75-744b-11e2-8294-806d6172696f}" = "08 00 00 00 43 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MaxExtentSizeHigh" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 8F 5B E6 7B A4 C4 26 92 B6 DB AB 82 47 19 D9"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"NumFreeSpaceExtentsStored" = "100"
"EnableEofWriteDefrag" = "1"
"EofWriteWhitelist" = ""

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MinExtentSizeLow" = "0"
"MinNumFragmentsThreshold" = "2"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MinExtentSizeLow" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask3" = ".avi;.mpg;.mov;.mp4;.mpeg;.wmv;.flv;.swf"
"FileGroupMask0" = ".txt;.doc;.docx;.rtf;.pdf;.htm;.html;.wpd;.wri"
"FileGroupMask1" = ".bmp;.jpg;.gif;.tif;.jpeg;.png"
"FileGroupMask6" = ""
"VSSMode" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{5F79448F-AD6F-4931-B39D-13B5DFB34108}" = ""

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask5" = ".tmp"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"NumFreeSpaceExtentsStored" = "100"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSThreshold" = "30"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"LExtra"

[HKLM\System\CurrentControlSet\Services\DefragFS\Parameters]
"BootErrorLogFile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}"

The process runonce.exe:436 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 E7 B7 F5 B0 D4 D1 0E 1F C3 CF 2E 2D C0 65 52"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Malware deletes the following value(s) in system registry:

The Malware disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"

The process grpconv.exe:1316 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 4A AA 74 F8 B2 06 BD 78 E7 D9 02 47 26 6C 31"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv]
"Log" = "Init Application."

[HKCR\MSProgramGroup\Shell\Open\Command]
"(Default)" = "%System%\grpconv.exe %1"

[HKCR\MSProgramGroup]
"(Default)" = "Microsoft Program Group"

[HKCR\.grp]
"(Default)" = "MSProgramGroup"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The process MsiExec.exe:1232 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 E5 9D F6 7B E0 E5 4F A7 38 A4 90 C7 3D 3C 13"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}" = "FB 0A 17 BA 75 E3 CB A1 83 74 1C AB 1E D3 5C CD"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Instances\PDFsFilter Instance]
"Flags" = "0"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Instances]
"DefaultInstance" = "PDFsFilter Instance"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters]
"(Default)" = ""

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Activity Monitor" = "04 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Instances\PDFsFilter Instance]
"Altitude" = "186000"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UseConfigIni" = "1"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"

The Malware deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\DefragFS]
"ImagePath"

The process MsiExec.exe:1100 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 3C 3D D5 88 69 07 32 A1 54 10 EA E7 41 35 EE"

Dropped PE files

MD5	File path
f2e2227dbb8efc26ff8af64b88bcd0af	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\AutoUpdDLL.dll
ef96be5e0db97ae7ed4b225c056c7755	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\PDEngine.exe
98cd0a213afcba97c54d20a3908c1b39	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\PDEnginePS.dll
467c76ef3d69e70d95b6448ebaf3df07	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\PDState.dll
a1d0cf53b3fcaec84b92fba57f2d7e0d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\PDUtils.dll
c3ba67167abfac31c39bc959b250ced8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.dll
36ccd0cfe3fc326260baa7425bde5c9a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\sqlceqp35.dll
958582542e5827c3b1b191f1c6c123f4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\sqlcese35.dll
13e9d581f1d3e769d3f359a7bab89976	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\System32\Drivers\DefragFs.sys
4bf1b60276be359158f0e68681713872	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\System32\Drivers\PDFsFilter.sys
a06717db2c87193973ee9a4938c8945b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\System32\PDBoot.exe
03e9314004f504a14a61c3d364b62f66	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Win\System\msvcp100.dll
67ec459e42d3081dd8fd34356f7cafc1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Win\System\msvcr100.dll
cdcc63e967d64ece3729246720af4fcc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\system32\msvcm80.dll
2bc650257fb0867abd54fd460ec2bafc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\system32\msvcp80.dll
16d7ddf3b659f7cf1cb9f4dcff4219f0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\system32\msvcr80.dll
cdcc63e967d64ece3729246720af4fcc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcm80.dll
2bc650257fb0867abd54fd460ec2bafc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcp80.dll
16d7ddf3b659f7cf1cb9f4dcff4219f0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcr80.dll
cdcc63e967d64ece3729246720af4fcc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcm80.dll
2bc650257fb0867abd54fd460ec2bafc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcp80.dll
16d7ddf3b659f7cf1cb9f4dcff4219f0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcr80.dll
2bdfdede525a32856d0050abca658834	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\AutoUpdGui.exe
eaaa7462a31d15e7237798f2d931a211	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgent.exe
735fe4711cf9d90d60191f88f4cf2397	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgentS1.exe
af83c581aabd967e2c52e1d7c4a8036b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDCmd.exe
86543a8db5ed771ac24cd90a969cc7e5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDElevationWorker.exe
40c66fd754cd88d91b17f8f52e6cd01a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchange.exe
84312b22ab0429b0c82662b6d17720d9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchangePS.dll
22334939e56fac64fc9c4d2cd4979d5a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDFsPerf.dll
8f588bd253a40ffe33dc23e7f5e9e5c1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVMDefrag.exe
a7e05807b2832d93f2f84890235bab08	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuest.dll
fe6e753a7da0e194ec09b6ac82fc3caf	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuestPS.dll
31b955b714c43c878ec107dde2e918f5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PerfectDisk.exe
fc47f710b7748b1c45a1f3539c97936c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtCore4.dll
6b697b2ecfe09ede3286b5f092b1ecd9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtGui4.dll
8c2cf347efcc4a8fc985e93121d2a419	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\chartdir50.dll
caa87a1dbaf7899677239ed7e591f714	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\libeay32.dll
7ae1b12c29b35f391bfcefce8776f9d2	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\msxml6.dll
c3ba67167abfac31c39bc959b250ced8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.dll
36ccd0cfe3fc326260baa7425bde5c9a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceqp35.dll
958582542e5827c3b1b191f1c6c123f4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlcese35.dll
99963f1e23ac6fabbdf14c469312e85e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\ssleay32.dll
f2e2227dbb8efc26ff8af64b88bcd0af	c:\Program Files\Common Files\Raxco\Shared\AutoUpdDLL.dll
ef96be5e0db97ae7ed4b225c056c7755	c:\Program Files\Common Files\Raxco\Shared\PDEngine.exe
98cd0a213afcba97c54d20a3908c1b39	c:\Program Files\Common Files\Raxco\Shared\PDEnginePS.dll
467c76ef3d69e70d95b6448ebaf3df07	c:\Program Files\Common Files\Raxco\Shared\PDState.dll
a1d0cf53b3fcaec84b92fba57f2d7e0d	c:\Program Files\Common Files\Raxco\Shared\PDUtils.dll
c3ba67167abfac31c39bc959b250ced8	c:\Program Files\Common Files\Raxco\Shared\sqlceoledb35.dll
36ccd0cfe3fc326260baa7425bde5c9a	c:\Program Files\Common Files\Raxco\Shared\sqlceqp35.dll
958582542e5827c3b1b191f1c6c123f4	c:\Program Files\Common Files\Raxco\Shared\sqlcese35.dll
2bdfdede525a32856d0050abca658834	c:\Program Files\Raxco\PerfectDisk\AutoUpdGui.exe
eaaa7462a31d15e7237798f2d931a211	c:\Program Files\Raxco\PerfectDisk\PDAgent.exe
735fe4711cf9d90d60191f88f4cf2397	c:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
af83c581aabd967e2c52e1d7c4a8036b	c:\Program Files\Raxco\PerfectDisk\PDCmd.exe
86543a8db5ed771ac24cd90a969cc7e5	c:\Program Files\Raxco\PerfectDisk\PDElevationWorker.exe
22334939e56fac64fc9c4d2cd4979d5a	c:\Program Files\Raxco\PerfectDisk\PDFsPerf.dll
a7e05807b2832d93f2f84890235bab08	c:\Program Files\Raxco\PerfectDisk\PDVmGuest.dll
fe6e753a7da0e194ec09b6ac82fc3caf	c:\Program Files\Raxco\PerfectDisk\PDVmGuestPS.dll
31b955b714c43c878ec107dde2e918f5	c:\Program Files\Raxco\PerfectDisk\PerfectDisk.exe
fc47f710b7748b1c45a1f3539c97936c	c:\Program Files\Raxco\PerfectDisk\QtCore4.dll
6b697b2ecfe09ede3286b5f092b1ecd9	c:\Program Files\Raxco\PerfectDisk\QtGui4.dll
8c2cf347efcc4a8fc985e93121d2a419	c:\Program Files\Raxco\PerfectDisk\chartdir50.dll
caa87a1dbaf7899677239ed7e591f714	c:\Program Files\Raxco\PerfectDisk\libeay32.dll
c3ba67167abfac31c39bc959b250ced8	c:\Program Files\Raxco\PerfectDisk\sqlceoledb35.dll
36ccd0cfe3fc326260baa7425bde5c9a	c:\Program Files\Raxco\PerfectDisk\sqlceqp35.dll
958582542e5827c3b1b191f1c6c123f4	c:\Program Files\Raxco\PerfectDisk\sqlcese35.dll
99963f1e23ac6fabbdf14c469312e85e	c:\Program Files\Raxco\PerfectDisk\ssleay32.dll
3ea0582339f05f7bfc764b5571fad30f	c:\WINDOWS\Installer\{FD310764-B3E5-430F-980E-D6C0016B2660}\MenuStartPD.exe
cdcc63e967d64ece3729246720af4fcc	c:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
2bc650257fb0867abd54fd460ec2bafc	c:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
16d7ddf3b659f7cf1cb9f4dcff4219f0	c:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
a06717db2c87193973ee9a4938c8945b	c:\WINDOWS\system32\PDBoot.exe
13e9d581f1d3e769d3f359a7bab89976	c:\WINDOWS\system32\drivers\DefragFs.sys
4bf1b60276be359158f0e68681713872	c:\WINDOWS\system32\drivers\PDFsFilter.sys
03e9314004f504a14a61c3d364b62f66	c:\WINDOWS\system32\msvcp100.dll
67ec459e42d3081dd8fd34356f7cafc1	c:\WINDOWS\system32\msvcr100.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver " %System%\Drivers\DefragFS.SYS" the Malware attaches its filter-device object to the Volume Device Object (VDO) of the file system driver.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:448
regedit.exe:432
runonce.exe:436
grpconv.exe:1316
MsiExec.exe:1232
MsiExec.exe:1100
Delete the original Malware file.
Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\All Users\Application Data\Raxco\PerfectDisk\12.5\pd_local.sdf (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcm80.dll (9364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\English.tr (16110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcr80.dll (11472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\msxml6.dll (20729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\defragfs.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceqp35.dll (14043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\Config.ini (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.adm (1328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVMDefrag.exe (10960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchangePS.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\English.tr (17101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtCore4.dll (49418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchange.exe (6471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlcese35.dll (8130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.dll (2819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtGui4.dll (180433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\CommonAppData\Raxco\PerfectDisk\12.5\pd_local.sdf (30618 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDElevationWorker.exe (3236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcp100.dll (7538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PerfectDisk.exe (149995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\ssleay32.dll (5370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\PDFsFilter.sys (1320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\PerfectDisk_x86.msi (44286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\PDBoot.exe (4584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\libeay32.dll (20429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDAgent.tlb (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\qt_ja.qm (3005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (27304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.dll (3996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDState.dll (13708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcp80.dll (10769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuestPS.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcr100.dll (13109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.bat (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\AutoUpdGui.exe (17623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceqp35.dll (10442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcp80.dll (8715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEngine.exe (34064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDCmd.exe (7333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgent.exe (20320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.raxco.manifest (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PdFsfilter.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\chartdir50.dll (35321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDUtils.dll (4772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcr80.dll (12820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcm80.dll (9223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcr80.dll (9853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.raxco.manifest (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PatchPDLocalDB.sql (1929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcp80.dll (12030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\AutoUpdDLL.dll (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlcese35.dll (6929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcm80.dll (9530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDFsPerf.dll (1062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgentS1.exe (830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\en-us\PerfectDisk12_5.adml (1047 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\DefragFS.inf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\DefragFs.sys (2336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.reg (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsFilter.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEnginePS.dll (842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsPerf.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.admx (1024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuest.dll (24837 bytes)
%System%\wbem\Repository\FS\OBJECTS.MAP (12 bytes)
%System%\wbem\Logs (4 bytes)
%System%\config\AppEvent.Evt (16 bytes)
%WinDir%\Installer\{FD310764-B3E5-430F-980E-D6C0016B2660} (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b4.dat (4 bytes)
%System%\config\SOFTWARE.LOG (78492 bytes)
%Program Files%\Common Files (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%System%\wbem\Repository\FS\MAPPING2.MAP (192 bytes)
C:\$Directory (1292 bytes)
%System%\Microsoft\Protect\S-1-5-18\User (4 bytes)
%System%\config\software (78350 bytes)
%Program Files%\Common Files\Raxco\Shared (4 bytes)
%WinDir%\MICROSOFT.NET (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (47 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Minutka15
Product Name:
Product Version:
Legal Copyright: Minutka15
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 12.5 Build 312
File Description: Raxco PerfectDisk Server 12.5 Build 312 Installation
Comments:
Language: Language Neutral

Company Name: Minutka15 Product Name: Product Version: Legal Copyright: Minutka15 Legal Trademarks: Original Filename: Internal Name: File Version: 12.5 Build 312 File Description: Raxco PerfectDisk Server 12.5 Build 312 Installation Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	148684	148992	4.57087	bac8bae7a5e5326cf49943b90d1c062a
DATA	155648	10388	10752	2.62963	abafcbfbd7f8ac0226ca496a92a0cf06
BSS	167936	4341	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	176128	6040	6144	3.38637	7a4934595db0efc364c3982c4e335d8c
.tls	184320	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	188416	24	512	0.14174	c4fdd0c5c9efb616fcc85d66056ca490
.reloc	192512	6276	6656	4.56552	867a1120317d51734587a74f6ee70016
.rsrc	200704	43416	43520	3.68595	8cd200a5fec9362fbc2c5d8562cd9f8c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://crl.verisign.com/pca3-g5.crl	23.43.133.163
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl	23.43.133.163

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /CSC3-2010.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2010-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "8d383c4069ca22795a1696d1945c4a26:1425459915"

Last-Modified: Wed, 04 Mar 2015 09:05:15 GMT

Date: Wed, 04 Mar 2015 15:39:38 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Connection: Transfer-Encoding

Content-Type: application/pkix-crl

00006000..0..3.0..2....0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA..150304090004Z..150318090004Z0..1.0!.....S.@.k....6..c..140730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&...130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s..130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9..130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H......120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.....w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M83...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........'u..140521222808Z0!......0..........I..130912181631Z0!.....1.;C,.. L..0...141111073655Z0!....6e...~..T.......130131012247Z0!.....|.....t.l.o....140827175301Z0!.........bD#*u......130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v..........n..120724160733Z0!....n[..P..a.y...p..141121045513Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|.

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "0eb6836c44430f9901d468ac9e53f3c4:1418965221"

Last-Modified: Fri, 19 Dec 2014 05:00:21 GMT

Date: Wed, 04 Mar 2015 15:39:38 GMT

Content-Length: 533

Connection: keep-alive

Content-Type: application/pkix-crl

0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..141210000000Z..150331235959Z0...*.H..............(.Y.&..-.f.....5uC..[..I/..S.....g...%#..M..... .#.1..:A#rrl9....nKA......TP.....3......N.d5..Y......svZV..8..h..JV.#T..u..)=..i...d..]m.aSY....vu.p..K..G9=>.!LYh0yu.(....@k...n'H..)...v..O/.....B.[j...%.xt...-)"|..P...Q.......p..y..............q...&...t...

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

PDAgent.exe_372:

.text

`.rdata

@.data

.rsrc

@.reloc

SSSSh

@.text

Scheduler cannot stop operation on drive %1 because of higher priority operation is active.

Scheduler cannot start offline defragmentation of drive %1 because offline defrag of FAT is no longer supported and we cannot lock the drive.

Scheduler cannot start offline defragmentation of drive %1 because of higher priority operation is active.

Scheduler cannot start defragmentation of drive %1 because of higher priority operation is active.

Scheduler cannot start Zero Free Space operation on drive %1 because a higher priority operation is active.

Schedule (%1)(%2) execution status is (%3).

%3 %4 %5 %6 %7 %8

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

ManageOnPort

ImportantProcessList

ADODB.Connection

ADODB.Recordset

License key has been disabled

Invalid license key

Successfull operation

ProxyBypass

AutoConfigURL

RegOpenKeyTransactedW

advapi32.dll

license.raxco.com

secure/PDLicense/PDLicenseServer.dll

D:\PerfectDisk_v12.5\Dev\binaries\Win32\Release\PDAgent.pdb

WTSAPI32.dll

WinHttpReceiveResponse

WinHttpSetTimeouts

WinHttpSetOption

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpOpen

WinHttpOpenRequest

WinHttpReadData

WINHTTP.dll

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetProxyForUrl

SetNamedPipeHandleState

WaitNamedPipeW

PeekNamedPipe

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExW

RegEnumKeyExW

RegCreateKeyExW

RegDeleteKeyW

RegQueryInfoKeyW

ReportEventW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

pdh.dll

RPCRT4.dll

InternetCrackUrlW

InternetCanonicalizeUrlW

WININET.dll

USERENV.dll

VERSION.dll

WS2_32.dll

PSAPI.DLL

UrlUnescapeW

SHLWAPI.dll

MSVCP100.dll

MSVCR100.dll

_amsg_exit

_wcmdln

_crt_debugger_hook

POWRPROF.dll

GetProcessHeap

.?AUISupportErrorInfo@@

.?AVDriveSettingVolumePresenceOperator@@

.?AVVolumePresenceOperator@@

.?AVWipingOnVolumePresenceOperator@@

.?AVStandardVolumePresenceOperator@@

.?AVCTCPIPClient@@

.?AV?$CComObjectNoLock@V?$CComClassFactorySingleton@VCPDAgentSpaceReports@@@ATL@@@ATL@@

.?AV?$CComClassFactorySingleton@VCPDAgentSpaceReports@@@ATL@@

.?AV?$CComObject@VCPDAgentSpaceReports@@@ATL@@

.?AVCPDAgentSpaceReports@@

.?AV?$CComCoClass@VCPDAgentSpaceReports@@$1?CLSID_PDAgentSpaceReports@@3U_GUID@@B@ATL@@

.?AV?$IDispatchImpl@UIFileSpaceReports@@$1?IID_IPDAgentSpaceReports@@3U_GUID@@B$1?LIBID_PDAgentLib@@3U3@B$00$0A@VCComTypeInfoHolder@ATL@@@ATL@@

.?AUIFileSpaceReports@@

.?AUIFileReports@@

.?AV?$IObjectSafetyImpl@VCPDAgentSpaceReports@@$02@ATL@@

.?AV?$CComAggObject@VCPDAgentSpaceReports@@@ATL@@

.?AV?$CComContainedObject@VCPDAgentSpaceReports@@@ATL@@

.?AV?$CComObjectCached@VCPDAgentSpaceReports@@@ATL@@

.?AVCTCPIPServer@@

.?AVCPipeClient@@

.?AVCMailSlotTransport@@

.?AVIMessageTransport@@

{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F} = s 'PDAgent'

'PDAgent.EXE'

val AppID = s {E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}

PDAgent.PDAgent.1 = s 'PDAgent Class'

CLSID = s '{CC5C2398-3512-464D-B59D-C9B85541AD50}'

PDAgent.PDAgent = s 'PDAgent Class'

CurVer = s 'PDAgent.PDAgent.1'

ForceRemove {CC5C2398-3512-464D-B59D-C9B85541AD50} = s 'PDAgent Class'

ProgID = s 'PDAgent.PDAgent.1'

VersionIndependentProgID = s 'PDAgent.PDAgent'

val AppID = s '{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}'

'TypeLib' = s '{2070972B-BE20-4395-9AC7-88A9CCF160BB}'

PDAgent.DuplicatesFinder.1 = s 'DuplicatesFinder Class'

CLSID = s '{35C6767E-B901-46A6-8203-30FCFFD4AB81}'

PDAgent.DuplicatesFinder = s 'DuplicatesFinder Class'

CurVer = s 'PDAgent.DuplicatesFinder.1'

ForceRemove {35C6767E-B901-46A6-8203-30FCFFD4AB81} = s 'DuplicatesFinder Class'

ProgID = s 'PDAgent.DuplicatesFinder.1'

VersionIndependentProgID = s 'PDAgent.DuplicatesFinder'

PDAgent.WebBrowserCleaner.1 = s 'WebBrowserCleaner Class'

CLSID = s '{2C67080E-6071-4777-AA16-CE4681DFB250}'

PDAgent.WebBrowserCleaner = s 'WebBrowserCleaner Class'

CurVer = s 'PDAgent.WebBrowserCleaner.1'

ForceRemove {2C67080E-6071-4777-AA16-CE4681DFB250} = s 'WebBrowserCleaner Class'

ProgID = s 'PDAgent.WebBrowserCleaner.1'

VersionIndependentProgID = s 'PDAgent.WebBrowserCleaner'

val AppID = s '{2B6C1FB1-B230-4080-8A36-87883698C408}'

'TypeLib' = s '{877723D5-D216-4DB9-A8B3-61692B96DC2B}'

PDAgent.SpaceRecycler.1 = s 'SpaceRecycler Class'

CLSID = s '{18EC0531-7D75-46E7-8869-384AEDB699C9}'

PDAgent.SpaceRecycler = s 'SpaceRecycler Class'

CurVer = s 'PDAgent.SpaceRecycler.1'

ForceRemove {18EC0531-7D75-46E7-8869-384AEDB699C9} = s 'SpaceRecycler Class'

ProgID = s 'PDAgent.SpaceRecycler.1'

VersionIndependentProgID = s 'PDAgent.SpaceRecycler'

PDAgent.FileShredder.1 = s 'FileShredder Class'

CLSID = s '{0DC8D89E-EB99-4B77-88D3-03E207AA8738}'

PDAgent.FileShredder = s 'FileShredder Class'

CurVer = s 'PDAgent.FileShredder.1'

ForceRemove {0DC8D89E-EB99-4B77-88D3-03E207AA8738} = s 'FileShredder Class'

ProgID = s 'PDAgent.FileShredder.1'

VersionIndependentProgID = s 'PDAgent.FileShredder'

PDAgent.PDAgentFileSet.1 = s 'PDAgentFileSet Class'

CLSID = s '{B83F237B-81DD-4C3F-87FF-E7A534D221CA}'

PDAgent.PDAgentFileSet = s 'PDAgentFileSet Class'

CurVer = s 'PDAgent.PDAgentFileSet.1'

ForceRemove {B83F237B-81DD-4C3F-87FF-E7A534D221CA} = s 'PDAgentFileSet Class'

ProgID = s 'PDAgent.PDAgentFileSet.1'

VersionIndependentProgID = s 'PDAgent.PDAgentFileSet'

PDAgent.PDAgentFileOp.1 = s 'PDAgentFileOp Class'

CLSID = s '{997E2C76-4654-41A6-ABCB-C169E72CBFC5}'

PDAgent.PDAgentFileOp = s 'PDAgentFileOp Class'

CurVer = s 'PDAgent.PDAgentFileOp.1'

ForceRemove {997E2C76-4654-41A6-ABCB-C169E72CBFC5} = s 'PDAgentFileOp Class'

ProgID = s 'PDAgent.PDAgentFileOp.1'

VersionIndependentProgID = s 'PDAgent.PDAgentFileOp'

PDAgent.PDAgentSpaceReports.1 = s 'PDAgentSpaceReports Class'

CLSID = s '{63056E08-D7A8-486B-BF99-DD6FA63C0018}'

PDAgent.PDAgentSpaceReports = s 'PDAgentSpaceReports Class'

CurVer = s 'PDAgent.PDAgentSpaceReports.1'

ForceRemove {63056E08-D7A8-486B-BF99-DD6FA63C0018} = s 'PDAgentSpaceReports Class'

ProgID = s 'PDAgent.PDAgentSpaceReports.1'

VersionIndependentProgID = s 'PDAgent.PDAgentSpaceReports'

PDAgent.PDAgentFileBrowser.1 = s 'PDAgentFileBrowser Class'

CLSID = s '{DF274096-221E-4244-8967-5378E36A9E11}'

PDAgent.PDAgentFileBrowser = s 'PDAgentFileBrowser Class'

CurVer = s 'PDAgent.PDAgentFileBrowser.1'

ForceRemove {DF274096-221E-4244-8967-5378E36A9E11} = s 'PDAgentFileBrowser Class'

ProgID = s 'PDAgent.PDAgentFileBrowser.1'

VersionIndependentProgID = s 'PDAgent.PDAgentFileBrowser'

stdole2.tlbWWW@"

AutoUpdateUrlWWW

urlW

ProxyPasswordWWW

ProxyServerPortW

port

passwordd

%VirtualHostSensingPasswordWWd

$=SetKeyValueW

.UnSubscribeW

WebBrowserCleanerWWW(

IRx2WebBrowserCleanerWWW(

vPDAgentSpaceReportsW

8cBIPDAgentSpaceReportst

property AutoUpdateUrl

property ProxyPassword

property ProxyServerPortWW

property VirtualHostSensingPasswordWWW

method SetKeyValue

property PasswordW

WebBrowserCleaner ClassWWW

IRx2WebBrowserCleaner InterfaceWWW

PDAgentSpaceReports ClassW

IPDAgentSpaceReports Interface

Created by MIDL version 7.00.0555 at Thu Oct 04 17:23:56 2012

PerfectDisk is a disk defragmenter, thus it needs low level access to systemPAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

16267#8)8

8%9S9

3$3/3:3^3

6o6

=">\>|>

8$8(8,80848

> >$>(>,>0>4>8>

7 7(707

6,686@6`6

9 9(949\9

ClientConsolePort

hiberfil.sys

?:\hiberfil.sys

Win32_OperatingSystem

Software\Microsoft\Windows\CurrentVersion\Uninstall

%s-%s

\StringFileInfo\xx\%s

SOFTWARE\Classes\CLSID\{CC5C2398-3512-464D-B59D-C9B85541AD50}\LocalServer32

PerfectDisk.exe

ControlLogicReport.cpp

LicenseKey

127.0.0.1

.Software\Raxco\PerfectDisk\12.5

PerfectDisk.exe /autonag

.pd_schedule_data.cpp

pd_schedule_data.cpp

2pd_schedule_data.cpp

AutoUpdGui.exe

.online-part

PDAgentS1.exe

F6C76BD7-43ED-45EC-A273-C4773238908A

{92EA7FF7-DE29-4E91-A2B1-FD9E58CD485D}

{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}

Call to TalkToConsole failed. Returned buffer size is 0. Console name: %s, port %d

Call to TalkToConsole failed. HRESULT=%u. Console name: %s, port %d

d:\perfectdisk_v12.5\dev\pdframework\..\PDAgent\talk_to_console.hpp

/#%d)

_d-d-d ddd d

%s %s %s %s d u %s/d (%s) %s

d:d:d.d

Call to tcpip(msg_in,msg_out) failed. HRESULT=0x%8.8X (%lu). Console name=%s

Call to tcpip(msg_in,msg_out) was successful

GetIpAddressesByNameHRESULT found no IP addresses. Console name=%s

Call to GetIpAddressesByNameHRESULT failed. HRESULT=0x%8.8X (%lu). Console name=%s

Call to CreateMutex failed. Microsoft Error Code=%u

_##_%d

Call to rpc_client.CallServer(byte_buff_in,byte_buff_out) failed. status=%u

CTalkToConsoleViaTCPIP::operator ()

Call to rpc_client.Connect(m_IpAddress,m_Port) failed. status=%u

pd_scheduler.cpp

PerfectDisk.exe /nag

PDAgent.exe

PDEngine.exe

PDExchange.exe

PDVMDefrag.exe

1pd_scheduler.cpp

1pd_scheduler_operations.cpp

.\\.\

cscript.exe /B /NoLogo

\cmd.exe /C

{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

J\\.\pipe\

\pipe\

NTDLL.DLL

\\.\LCD

explorer.exe

Wtsapi32.dll

pdagent_module.cpp

user32.dll

SELECT MAX(StatsDefragOffline.StatsDate),

Volumes.VolumeName

LEFT OUTER JOIN Volumes

ON Volumes.VolumeId = StatsDefragOffline.VolumeId

GROUP BY Volumes.VolumeName ;

P\\.\mailslot\

SELECT TemporaryStalledAlerts.AlertsId FROM TemporaryStalledAlerts INNER JOIN Alerts

ON TemporaryStalledAlerts.AlertsId = Alerts.AlertsId

OLEAUT32.DLL

config.ini

23:00:00

AUURL

ManageViaTCPIPEnable

AutoScreenSaverImportantProcesses

AutoScreenSaverSSHours

PDAgentOp.cpp

WHERE Logs.LogTime

AND Logs.LogTime >= %2%;

SELECT TOP(%3%) Logs.LogTime ,

Logs.Source ,

Logs.EventType,

Logs.EventId ,

Logs.Message

WHERE Logs.LogTime

AND Logs.LogTime >= %2% ;

SELECT StatsDefragOnline.StatsDate ,

StatsDefragOnline.FileFragmentationBefore ,

StatsDefragOnline.FileFragmentationAfter ,

StatsDefragOnline.FreeSpaceFragmentationBefore ,

StatsDefragOnline.FreeSpaceFragmentationAfter ,

StatsDefragOnline.DrivePerformanceBefore ,

StatsDefragOnline.DrivePerformanceAfter

INNER JOIN Volumes

ON StatsDefragOnline.VolumeId = Volumes.VolumeId

WHERE (UPPER(Volumes.VolumeName) = UPPER(%1%) AND

StatsDefragOnline.StatsDate

ORDER BY StatsDefragOnline.StatsDate DESC;

PDComputerInfo.cpp

SELECT StatsFreeSpaceClean.StatsDate ,

StatsFreeSpaceClean.TotalSize ,

StatsFreeSpaceClean.FreeSpaceBefore ,

StatsFreeSpaceClean.RecycleBinBefore ,

StatsFreeSpaceClean.TempFilesBefore ,

StatsFreeSpaceClean.FreeSpaceAfter ,

StatsFreeSpaceClean.RecycleBinAfter ,

StatsFreeSpaceClean.TempFilesAfter

INNER JOIN Volumes

ON StatsFreeSpaceClean.VolumeId = Volumes.VolumeId

WHERE (UPPER(Volumes.VolumeName) = UPPER(%1%) AND

StatsFreeSpaceClean.StatsDate

ORDER BY StatsFreeSpaceClean.StatsDate DESC;

PTF://

PDConfiguration.cpp

B45EFD40-2FD3-49EC-9495-87AC9CF11686

6272517F-F036-4EF6-85C2-F9082F248FA4

\\?\Volume{

db_manager.cpp

Return code: 0x%8.8X (%lu) (%s/#%d)

ado_implement.cpp

SQL Query:

Advapi32.dll

Software\Microsoft\Windows\CurrentVersion\Controls Folder

%SystemDrive%

12, 5, 0, 312

PDAgent.EXE

PDEngine.exe_744:

.text

`.rdata

@.data

.rsrc

@.reloc

SSSSSh

}=SSSSSh

u7SSSSSh

2SSSShH9

PSShl9

88888888888888

RegOpenKeyTransactedW

kernel32.dll

-d

d:d:d.d

RegCreateKeyTransactedW

Offline defragmentation does not support the file system on drive %1.

Drive %1 is marked dirty. The offline defragmentation pass of your system files cannot continue. Please run CHKDSK on the drive.

During the Offline line defragmentation pass PerfectDisk was unable to verify drive %1 because the user stopped the operation.

RegDeleteKeyExW

RegDeleteKeyTransactedW

LogInformationMessages

advapi32.dll

An error occurred trying to read new drive information S.M.A.R.T. web service.

An error occurred trying to save new drive information from the S.M.A.R.T. web service into the database.

An error occurred while submitting data to the S.M.A.R.T. web service.

This parameter displays the average time to spin up the drive spindle (from zero RPM to fully operational [milliseconds]).

This parameter specifies an average performance of seek operations of the magnetic heads.

This parameter shows the total count of retry of spin start attempts to reach the fully operational speed (under the condition that the first attempt was unsuccessful).

This parameter value indicates uncorrected read errors reported to the operating system.

This parameter displays the total count of aborted operations due to HDD timeout. This value should be equal to zero. If the value is too high, then most likely there will be some serious problems with power supply or an oxidized data cable.

This parameter displays a total count of high fly write errors over the lifetime of the drive. Additional protections for write operations are provided by HDD producers by implementing a Fly Height Monitor which detects when a recording head is flying outside its normal operating range. In the process of detecting an unsafe fly height condition, the write process is stopped, and the information is rewritten or reallocated to a safe region of the hard drive. The errors detected over the lifetime of a drive are then counted and displayed in this parameter.

This parameter displays a count of remap operations i.e., the total count of attempts to transfer data from reallocated sectors to a spare area. Both successful & unsuccessful attempts are counted.

This parameter shows the amount of vibration encountered during write operations.

This parameter shows the amount of shock encountered during write operations.

This parameter shows the rate of friction between mechanical parts of the hard disk while operating. Only the time when heads were in the operating position is counted. When the value increases, it indicates that there is a problem with the mechanical subsystem of the drive.

This parameter specifies a count of head moving distances between operations.

Reported Uncorrectable Errors

hXXp://schemas.xmlsoap.org/soap/envelope/

hXXp://VVV.w3.org/*/soap-envelope

hXXp://schemas.xmlsoap.org/soap/encoding/

hXXp://VVV.w3.org/*/soap-encoding

hXXp://VVV.w3.org/2001/XMLSchema-instance

hXXp://VVV.w3.org/*/XMLSchema-instance

hXXp://VVV.w3.org/2001/XMLSchema

hXXp://VVV.w3.org/*/XMLSchema

hXXp://web.services.raxco.com/smart/1.0/SMARTModelUpdatesSoap

hXXp://web.services.raxco.com/smart/1.0/

hXXp://web.services.raxco.com/smart/1.0/SMARTModelUpdatesSoap12

ns1:KBArticleURL

ns1:ManufacturerURL

ns1:ThresholdComparisonOperator

ns1:MinOperatingTemperature

ns1:MaxOperatingTemperature

hXXp://web.services.raxco.com/smart/1.0/SubmitDrive

hXXp://sandbox.development.raxco.com:8383/SMARTModelUpdates.asmx

hXXp://web.services.raxco.com/smart/1.0/SubmitDrives

hXXp://web.services.raxco.com/smart/1.0/GetDrivesByLastTransactionId

hXXp://web.services.raxco.com/smart/1.0/GetAttributesByLastTransactionId

hXXp://web.services.raxco.com/smart/1.0/GetAttributeTypesByLastTransactionId

hXXp://web.services.raxco.com/smart/1.0/GetAttributeDescriptionsByLastTransactionId

hXXp://web.services.raxco.com/smart/1.0/GetDriveIssuesByLastTransactionId

hXXp://VVV.w3.org/2003/05/soap-envelope

hXXp://VVV.w3.org/2003/05/soap-encoding

hXXp://VVV.w3.org/2003/05/soap-rpc

!"#$%&'()* ,-./0123

Unsupported Media Type

HTTP Version not supported

%s[%d

TCP/UDP IP error %d

TCP init failed in tcp_connect()

socket failed in tcp_connect()

setsockopt SO_LINGER failed in tcp_connect()

setsockopt failed in tcp_connect()

setsockopt SO_KEEPALIVE failed in tcp_connect()

setsockopt SO_SNDBUF failed in tcp_connect()

setsockopt SO_RCVBUF failed in tcp_connect()

setsockopt TCP_NODELAY failed in tcp_connect()

setsockopt IP_MULTICAST_TTL failed in tcp_connect()

setsockopt IP_MULTICAST_IF failed in tcp_connect()

get proxy host by name failed in tcp_connect()

get host by name failed in tcp_connect()

connect failed in tcp_connect()

https:*

TCP init failed in soap_bind()

setsockopt TCP_NODELAY failed in soap_bind()

setsockopt TCP_NODELAY failed in soap_accept()

HTTP/

HTTP Error

hXXp://

HTTP/1.1 100 Continue

http:*

httpg:

%s %s HTTP/%s

%s /%s HTTP/%s

%s:%d

%s:%s

HTTP/%s %s

HTTP/%s %d %s

gSOAP Web Service

Basic realm="%s"

xmlns:xop="hXXp://VVV.w3.org/2004/08/xop/include" href

cid:id%d

xmlns:%s

hXXp://schemas.xmlsoap.org/soap/actor/next

hXXp://VVV.w3.org/2003/05/soap-envelope/role/next

xmlns:_%d

%Y-%m-%dT%H:%M:%SZ

%d-%d-%dT%d:%d:%d1s

M--T%d:%d:%d1s

M--T---1s

%d:%d

Content-Type: %s

Content-ID: %s

soap.udp:

multipart/related; charset=utf-8; boundary="%s"; type="

%s; action="%s"

Validation constraint violation: %s%s in element '%s'

Validation constraint violation: %s%s

The data in element '%s' must be understood but cannot be handled

Unsupported SOAP data encoding

Data required for operation

Method '%s' not implemented: method name or namespace not recognized

HTTP GET method not implemented

HTTP PUT method not implemented

HTTP method not implemented

Message too large for UDP packet

An HTTP processing error occurred

HTTP Error: %d %s

Error %d

Operation interrupted or timed out

(%d%cs receive delay)

(%d%cs send delay)

%s%d fault: %s [%s]

Detail: %s

ADODB.Connection

ADODB.Recordset

D:\PerfectDisk_v12.5\Dev\binaries\Win32\Release\PDEngine.pdb

ntdll.dll

SHFOLDER.dll

WTSAPI32.dll

USERENV.dll

PSAPI.DLL

WSOCK32.dll

FilterConnectCommunicationPort

FLTLIB.DLL

GetProcessHeap

SetThreadExecutionState

SetNamedPipeHandleState

WaitNamedPipeW

PeekNamedPipe

KERNEL32.dll

USER32.dll

RegOpenKeyExA

RegCloseKey

RegOpenKeyExW

RegFlushKey

RegCreateKeyExW

RegDeleteKeyW

RegEnumKeyExW

RegQueryInfoKeyW

ReportEventW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RPCRT4.dll

WS2_32.dll

MSVCP100.dll

MSVCR100.dll

_amsg_exit

_wcmdln

_crt_debugger_hook

POWRPROF.dll

PDEngine.exe

.?AVCOperationBase@@

.?AUIOperation2@@

.?AUIOperation@@

.?AUISupportErrorInfo@@

.?AVCOperationCreator@@

.?AV?$CComObject@VCWiperOperation@@@ATL@@

.?AVCWiperOperation@@

.?AV?$CComCoClass@VCWiperOperation@@$1?CLSID_WiperOperation@@3U_GUID@@B@ATL@@

.?AV?$CComAggObject@VCWiperOperation@@@ATL@@

.?AV?$CComContainedObject@VCWiperOperation@@@ATL@@

.?AVCPipeClient@@

.?AVCMailSlotTransport@@

.?AVIMessageTransport@@

.?AVCTCPIPClient@@

.?AVSmartWebService@@

{3CD0151D-3AAA-41CB-8B05-FC809A228886} = s 'PDEngine'

'PDEngine.EXE'

val AppID = s {3CD0151D-3AAA-41CB-8B05-FC809A228886}

PDEngine.DriveManager.1 = s 'DriveManager Class'

CLSID = s '{5BBEF00D-06EF-47BE-AE47-3662B6BE78DC}'

PDEngine.DriveManager = s 'DriveManager Class'

CurVer = s 'PDEngine.DriveManager.1'

ForceRemove {5BBEF00D-06EF-47BE-AE47-3662B6BE78DC} = s 'DriveManager Class'

ProgID = s 'PDEngine.DriveManager.1'

VersionIndependentProgID = s 'PDEngine.DriveManager'

val AppID = s '{3CD0151D-3AAA-41CB-8B05-FC809A228886}'

'TypeLib' = s '{39633C4D-66C0-46E1-96E5-A1E3686F1FD7}'

PDEngine.Drive.1 = s 'Drive Class'

CLSID = s '{1CE95E9C-67E8-45F5-BEA9-E43E653F4CB2}'

PDEngine.Drive = s 'Drive Class'

CurVer = s 'PDEngine.Drive.1'

ForceRemove {1CE95E9C-67E8-45F5-BEA9-E43E653F4CB2} = s 'Drive Class'

ProgID = s 'PDEngine.Drive.1'

VersionIndependentProgID = s 'PDEngine.Drive'

PDEngine.Analyze.1 = s 'Analyze Class'

CLSID = s '{65F863A6-74A8-4604-83A2-59E013826C1B}'

PDEngine.Analyze = s 'Analyze Class'

CurVer = s 'PDEngine.Analyze.1'

ForceRemove {65F863A6-74A8-4604-83A2-59E013826C1B} = s 'Analyze Class'

ProgID = s 'PDEngine.Analyze.1'

VersionIndependentProgID = s 'PDEngine.Analyze'

PDEngine.SmartPlacement.1 = s 'SmartPlacement Class'

CLSID = s '{FE4CFAFE-910B-49E4-A581-D2B5B335250A}'

PDEngine.SmartPlacement = s 'SmartPlacement Class'

CurVer = s 'PDEngine.SmartPlacement.1'

ForceRemove {FE4CFAFE-910B-49E4-A581-D2B5B335250A} = s 'SmartPlacement Class'

ProgID = s 'PDEngine.SmartPlacement.1'

VersionIndependentProgID = s 'PDEngine.SmartPlacement'

PDEngine.DefragOnly.1 = s 'DefragOnly Class'

CLSID = s '{6A2448B5-6D47-4927-A429-89466114489E}'

PDEngine.DefragOnly = s 'DefragOnly Class'

CurVer = s 'PDEngine.DefragOnly.1'

ForceRemove {6A2448B5-6D47-4927-A429-89466114489E} = s 'DefragOnly Class'

ProgID = s 'PDEngine.DefragOnly.1'

VersionIndependentProgID = s 'PDEngine.DefragOnly'

PDEngine.ConsolidateFreeSpace.1 = s 'ConsolidateFreeSpace Class'

CLSID = s '{14AE005C-338A-4C5F-B9B0-2C7CD2F077EE}'

PDEngine.ConsolidateFreeSpace = s 'ConsolidateFreeSpace Class'

CurVer = s 'PDEngine.ConsolidateFreeSpace.1'

ForceRemove {14AE005C-338A-4C5F-B9B0-2C7CD2F077EE} = s 'ConsolidateFreeSpace Class'

ProgID = s 'PDEngine.ConsolidateFreeSpace.1'

VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpace'

PDEngine.DefragFiles.1 = s 'DefragFiles Class'

CLSID = s '{0E733394-7AE3-40A3-B43A-FEAFC2FF1FF7}'

PDEngine.DefragFiles = s 'DefragFiles Class'

CurVer = s 'PDEngine.DefragFiles.1'

ForceRemove {0E733394-7AE3-40A3-B43A-FEAFC2FF1FF7} = s 'DefragFiles Class'

ProgID = s 'PDEngine.DefragFiles.1'

VersionIndependentProgID = s 'PDEngine.DefragFiles'

PDEngine.PDEngineConfig.1 = s 'PDEngineConfig Class'

CLSID = s '{7C8C9637-5840-4647-8F3B-B08A6D06454A}'

PDEngine.PDEngineConfig = s 'PDEngineConfig Class'

CurVer = s 'PDEngine.PDEngineConfig.1'

ForceRemove {7C8C9637-5840-4647-8F3B-B08A6D06454A} = s 'PDEngineConfig Class'

ProgID = s 'PDEngine.PDEngineConfig.1'

VersionIndependentProgID = s 'PDEngine.PDEngineConfig'

PDEngine.OfflineDefrag.1 = s 'OfflineDefrag Class'

CLSID = s '{CB212A1F-2B9E-4A67-BC26-88A4059AFF16}'

PDEngine.OfflineDefrag = s 'OfflineDefrag Class'

CurVer = s 'PDEngine.OfflineDefrag.1'

ForceRemove {CB212A1F-2B9E-4A67-BC26-88A4059AFF16} = s 'OfflineDefrag Class'

ProgID = s 'PDEngine.OfflineDefrag.1'

VersionIndependentProgID = s 'PDEngine.OfflineDefrag'

PDEngine.PDEngineLicense.1 = s 'PDEngineLicense Class'

CLSID = s '{E5BFC15E-3DC6-4B0A-B577-59F5F7FFD0F1}'

PDEngine.PDEngineLicense = s 'PDEngineLicense Class'

CurVer = s 'PDEngine.PDEngineLicense.1'

ForceRemove {E5BFC15E-3DC6-4B0A-B577-59F5F7FFD0F1} = s 'PDEngineLicense Class'

ProgID = s 'PDEngine.PDEngineLicense.1'

VersionIndependentProgID = s 'PDEngine.PDEngineLicense'

PDEngine.ConsolidateFreeSpaceNoDefrag.1 = s 'ConsolidateFreeSpaceNoDefrag Class'

CLSID = s '{B4FE62FF-AA05-444f-AA6A-719AF3CF41A6}'

PDEngine.ConsolidateFreeSpaceNoDefrag = s 'ConsolidateFreeSpaceNoDefrag Class'

CurVer = s 'PDEngine.ConsolidateFreeSpaceNoDefrag.1'

ForceRemove {B4FE62FF-AA05-444f-AA6A-719AF3CF41A6} = s 'ConsolidateFreeSpaceNoDefrag Class'

ProgID = s 'PDEngine.ConsolidateFreeSpaceNoDefrag.1'

VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpaceNoDefrag'

PDEngine.ConsolidateFreeSpaceArbitraryRegion.1 = s 'ConsolidateFreeSpaceArbitraryRegion Class'

CLSID = s '{45A03850-8EAF-4ffe-B18A-5A17333795A7}'

PDEngine.ConsolidateFreeSpaceArbitraryRegion = s 'ConsolidateFreeSpaceArbitraryRegion Class'

CurVer = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion.1'

ForceRemove {45A03850-8EAF-4ffe-B18A-5A17333795A7} = s 'ConsolidateFreeSpaceArbitraryRegion Class'

ProgID = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion.1'

VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion'

PDEngine.CFreeChunksDefrag.1 = s 'CFreeChunksDefrag Class'

CLSID = s '{3FD132FE-8062-4285-81A2-66244463C3DA}'

PDEngine.CFreeChunksDefrag = s 'CFreeChunksDefrag Class'

CurVer = s 'PDEngine.CFreeChunksDefrag.1'

ForceRemove {3FD132FE-8062-4285-81A2-66244463C3DA} = s 'CFreeChunksDefrag Class'

ProgID = s 'PDEngine.CFreeChunksDefrag.1'

VersionIndependentProgID = s 'PDEngine.CFreeChunksDefrag'

PDEngine.CChunkSensativeDefragOnly.1 = s 'CChunkSensativeDefragOnly Class'

CLSID = s '{77499A0B-E5FE-4db5-A490-ADF727549681}'

PDEngine.CChunkSensativeDefragOnly = s 'CChunkSensativeDefragOnly Class'

CurVer = s 'PDEngine.CChunkSensativeDefragOnly.1'

ForceRemove {77499A0B-E5FE-4db5-A490-ADF727549681} = s 'CChunkSensativeDefragOnly Class'

ProgID = s 'PDEngine.CChunkSensativeDefragOnly.1'

VersionIndependentProgID = s 'PDEngine.CChunkSensativeDefragOnly'

PDEngine.SmartDrive.1 = s 'SmartDrive Class'

CLSID = s '{01B47415-0E1E-412d-87F2-CF50AF49856E}'

PDEngine.SmartDrive = s 'SmartDrive Class'

CurVer = s 'PDEngine.SmartDrive.1'

ForceRemove {01B47415-0E1E-412d-87F2-CF50AF49856E} = s 'SmartDrive Class'

ProgID = s 'PDEngine.SmartDrive.1'

VersionIndependentProgID = s 'PDEngine.SmartDrive'

PDEngine.SmartSettings.1 = s 'SmartSettings Class'

CLSID = s '{D8727363-34CE-4E79-8B84-1986D941371E}'

PDEngine.SmartSettings = s 'SmartSettings Class'

CurVer = s 'PDEngine.SmartSettings.1'

ForceRemove {D8727363-34CE-4E79-8B84-1986D941371E} = s 'SmartSettings Class'

ProgID = s 'PDEngine.SmartSettings.1'

VersionIndependentProgID = s 'PDEngine.SmartSettings'

PDEngine.WWSettings.1 = s 'WWSettings Class'

CLSID = s '{E81DE8EC-17C9-4F1D-B3B7-CD9CDED9CD7A}'

PDEngine.WWSettings = s 'WWSettings Class'

CurVer = s 'PDEngine.WWSettings.1'

ForceRemove {E81DE8EC-17C9-4F1D-B3B7-CD9CDED9CD7A} = s 'WWSettings Class'

ProgID = s 'PDEngine.WWSettings.1'

VersionIndependentProgID = s 'PDEngine.WWSettings'

PDEngine.WWGlobalSettings.1 = s 'WWGlobalSettings Class'

CLSID = s '{F01E003F-2784-4178-9209-5128ED010A65}'

PDEngine.WWGlobalSettings = s 'WWGlobalSettings Class'

CurVer = s 'PDEngine.WWGlobalSettings.1'

ForceRemove {F01E003F-2784-4178-9209-5128ED010A65} = s 'WWGlobalSettings Class'

ProgID = s 'PDEngine.WWGlobalSettings.1'

VersionIndependentProgID = s 'PDEngine.WWGlobalSettings'

PDEngine.WiperOperation.1 = s 'WiperOperation Class'

CLSID = s '{62DBE6CE-65DF-4704-921E-52D17B77D391}'

PDEngine.WiperOperation = s 'WiperOperation Class'

CurVer = s 'PDEngine.WiperOperation.1'

ForceRemove {62DBE6CE-65DF-4704-921E-52D17B77D391} = s 'WiperOperation Class'

ProgID = s 'PDEngine.WiperOperation.1'

VersionIndependentProgID = s 'PDEngine.WiperOperation'

PDEngine.GlobalAlertSettings.1 = s 'GlobalAlertSettings Class'

CLSID = s '{30E9EF1B-8E5F-48B4-919C-940FC938443E}'

PDEngine.GlobalAlertSettings = s 'GlobalAlertSettings Class'

CurVer = s 'PDEngine.GlobalAlertSettings.1'

ForceRemove {30E9EF1B-8E5F-48B4-919C-940FC938443E} = s 'GlobalAlertSettings Class'

ProgID = s 'PDEngine.GlobalAlertSettings.1'

VersionIndependentProgID = s 'PDEngine.GlobalAlertSettings'

PDEngine.VolumeAlertSettings.1 = s 'VolumeAlertSettings Class'

CLSID = s '{681FCBAE-D536-4083-9D76-E4D91644B755}'

PDEngine.VolumeAlertSettings = s 'VolumeAlertSettings Class'

CurVer = s 'PDEngine.VolumeAlertSettings.1'

ForceRemove {681FCBAE-D536-4083-9D76-E4D91644B755} = s 'VolumeAlertSettings Class'

ProgID = s 'PDEngine.VolumeAlertSettings.1'

VersionIndependentProgID = s 'PDEngine.VolumeAlertSettings'

stdole2.tlbWWW

8-sEDriveOperationW

0F=Operation_IdleWW

Operation_AnalyzeWWW

COperation_DefragSmartPlacementWW

HOperation_DefragOnly

Operation_ConsolidateFreeSpaceWW

Operation_DefragFilesWWW

Operation_DefragOfflineW

Operation_ConsolidateFreeSpaceNoDefragWW

Operation_ConsolidateFreeSpaceArbitraryRegionWWW

Operation_FreeChunks

Operation_DefragWithChunksWW

Operation_WipeFreeSpaceW,

yOperationWWW

grfLocksSupportedWWW

.UnSubscribeW`

password`

8}CEOperationPriorityWWT

SupportedFeaturesWWW

IssueKBArticleURLWWW

kb_article_urlWW

IssueManufacturerURL

manufacturer_url

?.serialized_log_dataW

keyW

]GetCurrentOperationW

drive_operationW4

ISupportErrorInfoWWW

HInterfaceSupportsErrorInfoWW

IOperation2W

8;qIOperationWW

8[{WiperOperationWW

property Operation

property SupportedFeatures

property IssueKBArticleURL

property IssueManufacturerURLW

method GetCurrentOperation

IOperation2 InterfaceW

IOperation InterfaceWW

WiperOperation ClassWW

Created by MIDL version 7.00.0555 at Thu Oct 04 17:22:47 2012

PerfectDisk is a disk defragmenter, thus it needs low level access to systemPPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING

808;8[8}8

2M4

?$?*?]?

= >4>:>}>

5 5$5(5,5054585

6 6$6(6,6

= = =8=^=

"0'040}0

? ?$?(?,?0?4?8?@?

:$:*:0:@:

9 9$9(9,9094989

4$4,444

7 747

9$9,989\9|9

0(040

=(=4=

>,>8>@>\>|>

AllocationBitmap.cpp

ClientInterface.cpp

Advapi32.dll

eClusApi.dll

ResUtils.Dll

\\?\Volume

DiskOb.cpp

%s$Mft

.CVarLenArray: Deallocating page pointer array.

DriveManager.cpp

\\?\Volume{

%s\%s

BootExecute

PDBoot.exe

d:\perfectdisk_v12.5\dev\pdengine\CalculateAlertMessage.hpp

Software\Microsoft\Windows\CurrentVersion\Controls Folder

{92EA7FF7-DE29-4E91-A2B1-FD9E58CD485D}

{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}

/#%d)

.pd_wiper

\\.\PhysicalDrive%d

Sense key (bit 3)

Sense key (bit 2)

Sense key (bit 1)

Sense key (bit 0)

%d sectors

at LBA = 0xx = %u

-- -- -- -- -- -- --

-- -- -- == -- == == == -- -- -- -- --

[RESERVED FOR MEDIA CARD PASS THROUGH]

SECURITY SET PASSWORD

SECURITY DISABLE PASSWORD

SMART EXECUTE OFF-LINE IMMEDIATE

SMART ENABLE OPERATIONS

SMART DISABLE OPERATIONS

SET MAX SET PASSWORD

d-d

%s\drivers\%s.sys

%s\*.nls

Software\Microsoft\Windows\CurrentVersion\OptimalLayout

1MonitoringWWClass.cpp

D:\PerfectDisk_v12.5\Dev\PDFramework\PDFsFilterInterface.hpp

1Unknown error: %d

OperationBase.cpp

{3808876B-C176-4E48-B7AE-04046E6CC752}

{3CD0151D-3AAA-41CB-8B05-FC809A228886}

PDAgentS1.exe

F6C76BD7-43ED-45EC-A273-C4773238908A

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

H\\.\pipe\

\pipe\

NTDLL.DLL

\\.\LCD

SOFTWARE\Classes\CLSID\{CC5C2398-3512-464D-B59D-C9B85541AD50}\LocalServer32

explorer.exe

Wtsapi32.dll

1pdengine_module.cpp

pdengine_module.cpp

PerfectDisk.exe

V\\.\mailslot\

ClientConsolePort

SELECT TemporaryStalledAlerts.AlertsId FROM TemporaryStalledAlerts INNER JOIN Alerts

ON TemporaryStalledAlerts.AlertsId = Alerts.AlertsId

OLEAUT32.DLL

Call to TalkToConsole failed. Returned buffer size is 0. Console name: %s, port %d

Call to TalkToConsole failed. HRESULT=%u. Console name: %s, port %d

d:\perfectdisk_v12.5\dev\pdframework\..\PDAgent\talk_to_console.hpp

_d-d-d ddd d

%s %s %s %s d u %s/d (%s) %s

Call to tcpip(msg_in,msg_out) failed. HRESULT=0x%8.8X (%lu). Console name=%s

Call to tcpip(msg_in,msg_out) was successful

GetIpAddressesByNameHRESULT found no IP addresses. Console name=%s

Call to GetIpAddressesByNameHRESULT failed. HRESULT=0x%8.8X (%lu). Console name=%s

Call to CreateMutex failed. Microsoft Error Code=%u

_##_%d

Call to rpc_client.CallServer(byte_buff_in,byte_buff_out) failed. status=%u

CTalkToConsoleViaTCPIP::operator ()

Call to rpc_client.Connect(m_IpAddress,m_Port) failed. status=%u

.midi

.mpeg

.jpeg

.html

.docx

PDLicenseKeyEnable

PDLicenseKey

config.ini

LicenseKey

SOFTWARE\Microsoft\Windows NT\CurrentVersion

{9307000D-38CF-4e9e-AB97-6AC9243AFB9C}

{E972C77D-BABA-4EA9-88D5-5AD6517EF444}

{5F79448F-AD6F-4931-B39D-13B5DFB34108}

SmartAlerting.cpp

SmartDatabaseBase.cpp

ThresholdOperator = %6%,

ThresholdOperator,

KBArticleURL = %6% ,

ManufacturerURL = %7%,

KBArticleURL ,

ManufacturerURL,

MinOperatingTemperature = %7% ,

MaxOperatingTemperature = %8% ,

MinOperatingTemperature ,

MaxOperatingTemperature ,

MinOperatingTemperature ,

MaxOperatingTemperature ,

ThresholdOperator,

SELECT TOP(%5%) SmartErrorLog.Timestamp ,

SmartErrorLog.Data

WHERE SmartErrorLog.Timestamp

AND SmartErrorLog.Timestamp >= %2%

AND SmartErrorLog.ModelName = %3%

AND SmartErrorLog.SerialNumber = %4% ;

SELECT top(%6%) SmartHistory.Timestamp ,

SmartHistory.RawValue ,

SmartHistory.NormalizedValue

WHERE SmartHistory.Timestamp

AND SmartHistory.Timestamp >= %2%

AND SmartHistory.ModelName = %3%

AND SmartHistory.SerialNumber = %4%

AND SmartHistory.AttributeID = %5% ;

SELECT SmartDriveMap.NameRegex,

SmartDriveMap.FirmwareRegex,

SmartDriveMap.SerialRegex,

SmartDriveIssues.Description,

SmartDriveIssues.LongDescription,

SmartDriveIssues.KBArticleURL,

SmartDriveIssues.ManufacturerURL

INNER JOIN SmartDriveIssues

ON SmartDriveMap.ID = SmartDriveIssues.DriveID

WHERE SmartDriveIssues.DisableSMART 0

AND SmartDriveIssues.Language = %1%;

1SmartDatabaseBase.cpp

\\.\PhysicalDrive

.Software\Raxco\PDCore\12.5

WebServiceEnabled

SmartDatabase.cpp

1SmartDatabase.cpp

SmartPollingClass.cpp

1SmartPollingClass.cpp

WebServiceUrl

B45EFD40-2FD3-49EC-9495-87AC9CF11686

6272517F-F036-4EF6-85C2-F9082F248FA4

e6272517F-F036-4EF6-85C2-F9082F248FA4

Windows NT

VssApi.dll

\PDFsFilterPort

2\\.\%s%u

db_manager.cpp

Return code: 0x%8.8X (%lu) (%s/#%d)

ado_implement.cpp

SQL Query:

boot.ini

ntdetect.com

ntbootdd.sys

drivers\diskdump.sys

Moving in %s

Moving out %s

Skipping %s

Skipping file %d, LCN=%d

Skipping file %s, LCN=%d

%s %s VCN=%d Size=%d to LCN %d (LastError=%d).

%s %d VCN=%d Size=%d to LCN %d (LastError=%d).

%s %s VCN=%d Size=%d from LCN=%d to LCN %d (LastError=%d).

%s %d VCN=%d Size=%d from LCN=%d to LCN %d (LastError=%d).

\Hiberfil.sys

%c:%s

Starting boot-time defragmentation pass.

Hit any key to restart immediately. Restarting in %d.

ERROR: Unable to open keyboard. Exiting.

ERROR: Invalid registry key. Exiting.

Could not gain exclusive access to drive %s (%d).

There is a possible driver conflict. (%s)

Unable to verify drive %s due to inconsistencies (%d, %d).

Please run 'chkdsk /r /f %s'.

File system on drive %s not supported.

Could not find the file pagefile.sys on drive %s.

Could not lock drive %s for exclusive access.

Drive %s is marked dirty.

Failed to read boot sector (pSector=0xx, bytes per sector=%d).

Failed to read FAT (FAT offset=%d, bytes per FAT=%d).

User specified PDBootNoKeyboardOK = %d.

Failed to create keyboard event #%d (%d).

User specified PDBiosGT8GBCapable = %d.

User specified PDUseDefragReboot = %d.

Pagefile Id = %d

Pagefile on FAT drive (%s)

Failed to open pagefile (%s) for File ID query (%d)

Hiberfil.sys id = %d

Found hiberfil.sys.

Failed to read state file signature and entries count (%d).

Incorrect state file signature - %X

Failed to read state file entries (%d)

DefragQueryDriverVersion() failed (%d,%d).

Failed to open volume using DefragFS (%d,%d).

Failed to verify volume using DefragFS (%d,%d).

Failed to wait for verify volume using DefragFS (%d,%d).

Failed to open state file (%d,%d).

DefragZeroFile() failed (%d,%d)

GetDiskFreeSpace() failed (%d).

GetVolumeInformation() failed (%d)

Invalid filesystem (%s).

Failed to query allocation bitmap using DefragFS (%d).

Failed to load unmovable files list from the registry (%d).

Failed to query volume state using DefragFS (%d,%d).

Failed to query DefragFS version (%d).

Failed to query NTFS info using DefragFS (%d,%d).

Failed to open volume using CreateFile (%d).

Failed to query FAT volume information (%d).

Check for volume dirty is failed: Failed to open volume online using DefragFS (%d,%d).

Num excluded entries = %d

Failed to query file '%s' id (%d).

Failed to open file "%s" for excluding (%d).

Failed to open create file 1 (%d). File name: %s

NtQueryVolumeInformationFile 1 failed (%d)(%x)

NtQueryVolumeInformationFile 2 failed (%d)(%d).

Failed to open Volume (%d).

Opening Volume Handle for %s

PDBoot.msg

Failed to read message file entries (%d).

\\.\C:

Unable to verify volume (%d,%d).

X:\System Volume Information

12, 5, 0, 312