Gen:Heur.SMHeist.3 (B) (Emsisoft), Gen:Heur.SMHeist.3 (AdAware)Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4bb7454cf635dd6bf42a0d4cd222d55d
SHA1: aba63d2cc94e91bbce0bcc0a9a5b8747ba57a607
SHA256: 98afd2d1bafb5a06af9fecb9d46fc58ba43c854528b1e750f5739c9c8aa0f5b3
SSDeep: 393216:gBTWl/9b7hnLhuDtX 5qPWTEnSaKg6xfl7GGltf:gxWf3ruRXaqWvXxfl7GG7
Size: 14126116 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: AirInstaller
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
%original file name%.exe:448
regedit.exe:432
runonce.exe:436
grpconv.exe:1316
MsiExec.exe:1232
MsiExec.exe:1100
The Malware injects its code into the following process(es):
PDAgent.exe:372
PDEngine.exe:744
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process PDAgent.exe:372 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Raxco\PerfectDisk\12.5\pd_local.sdf (4 bytes)
The process %original file name%.exe:448 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcm80.dll (9364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\English.tr (16110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcr80.dll (11472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\msxml6.dll (20729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\defragfs.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceqp35.dll (14043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\Config.ini (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.adm (1328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVMDefrag.exe (10960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchangePS.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\English.tr (17101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtCore4.dll (49418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchange.exe (6471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlcese35.dll (8130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.dll (2819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtGui4.dll (180433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\CommonAppData\Raxco\PerfectDisk\12.5\pd_local.sdf (30618 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDElevationWorker.exe (3236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcp100.dll (7538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PerfectDisk.exe (149995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\ssleay32.dll (5370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\PDFsFilter.sys (1320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\PerfectDisk_x86.msi (44286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\PDBoot.exe (4584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\libeay32.dll (20429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDAgent.tlb (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\qt_ja.qm (3005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (27304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.dll (3996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDState.dll (13708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcp80.dll (10769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuestPS.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcr100.dll (13109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.bat (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\AutoUpdGui.exe (17623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceqp35.dll (10442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcp80.dll (8715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEngine.exe (34064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDCmd.exe (7333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgent.exe (20320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.raxco.manifest (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PdFsfilter.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\chartdir50.dll (35321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDUtils.dll (4772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcr80.dll (12820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcm80.dll (9223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcr80.dll (9853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.raxco.manifest (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PatchPDLocalDB.sql (1929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcp80.dll (12030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\AutoUpdDLL.dll (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlcese35.dll (6929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcm80.dll (9530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDFsPerf.dll (1062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgentS1.exe (830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\en-us\PerfectDisk12_5.adml (1047 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\DefragFS.inf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\DefragFs.sys (2336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.reg (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsFilter.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEnginePS.dll (842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsPerf.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.admx (1024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuest.dll (24837 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (0 bytes)
The process PDEngine.exe:744 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\wbem\Repository\FS\OBJECTS.MAP (12 bytes)
%System%\wbem\Logs (4 bytes)
%System%\config\AppEvent.Evt (16 bytes)
%WinDir%\Installer\{FD310764-B3E5-430F-980E-D6C0016B2660} (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b4.dat (4 bytes)
%WinDir%\Installer (8 bytes)
%System%\config\SOFTWARE.LOG (78492 bytes)
%Program Files%\Common Files (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%System%\wbem\Repository\FS\MAPPING2.MAP (192 bytes)
C:\$Directory (1292 bytes)
%System% (2360 bytes)
%WinDir% (1156 bytes)
%System%\Microsoft\Protect\S-1-5-18\User (4 bytes)
%System%\config (108 bytes)
%System%\config\software (78350 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Program Files%\Common Files\Raxco\Shared (4 bytes)
%Documents and Settings%\All Users\Application Data (8 bytes)
%WinDir%\MICROSOFT.NET (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (47 bytes)
%Documents and Settings%\All Users\Application Data\Raxco\PerfectDisk\12.5\pd_local.sdf (4 bytes)
Registry activity
The process PDAgent.exe:372 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThresholdVmHost" = "10000000"
"AutoScheduleHoursInterval" = "96"
"UserTimeThreshold" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehavior" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThresholdVmHost" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThresholdVmHost" = "30"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehaviorFirstRun" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"AutoScheduleEnabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoAdjustThresholds" = "1"
"AutoScheduleNoDefragDuring" = ""
"KernelTimeThreshold" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleActivityTimeOut" = "300"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThreshold" = "10000000"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 1D 8B 1B 60 29 D6 75 7F B7 C0 55 6F D2 B5 31"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate" = "16 00 00 00 41 00 75 00 74 00 6F 00 55 00 70 00"
"Runs" = "00 00 00 00"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"AutoScheduleEnabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"AutoScheduleNoDefragDuring" = ""
The Malware deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"(Default)"
"Runs"
[HKLM\System\CurrentControlSet\Services\PerfDisk\Performance]
"Error Count"
[HKLM\System\CurrentControlSet\Services\PerfOS\Performance]
"Error Count"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate"
The process %original file name%.exe:448 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BrandType" = "0"
"license" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"
"ManageOnPort" = "4294967295"
"HelpURL" = "http://docs.raxco.com/perfectdisk/12_5/EN/Index.htm"
"WebsiteUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Registry_Name" = "Build"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightSettings" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehavior" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"WebinarsUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Webinars"
"BusinessUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Business"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\\\?\]
"Volume{52195469-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 43 00 3A 00 5C 00 00 00 62 00 00 00"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"proxy_port" = "80"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DisableSmart" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportURL" = "http://links.raxco.com/go.rax?id=PD12_5_Support"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThresholdVmHost" = "30"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UserGuidesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_UserGuides"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThreshold" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"RegisterURL" = "http://www.raxco.com/register"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"LData" = "eWRvlT4AkSPiOay5qg5mjBu5uQ43o7eL"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSMode" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"DisplayVersion" = "12.5 Build 312"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThreshold" = "10000000"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\\\?\]
"Volume{52195465-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 44 00 3A 00 5C 00 00 00 62 00 00 00"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AlertSettings]
"(Default)" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"FaqUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_FAQ"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"USER_NAME" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"InstallSource" = "c:\"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Registered" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Server" = ""
"Version_Info_Path" = "Software\Raxco\PerfectDisk\12.5"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThreshold" = "30"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"URLInfoAbout" = "http://www.minutka15.com"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Password_Ciphered" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"OptiwriteAdvanced" = "0"
"ProductKeyURL" = "http://links.raxco.com/go.rax?id=PD12_5_SVR"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"Language" = "1049"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HelpDownloadUrl" = "http://docs.raxco.com/perfectdisk/12_5/EN/download_Help/x86_PD12.5_Help.msi"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleActivityTimeOut" = "300"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehaviorFirstRun" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"Language" = "1033"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"InstallDate" = "20150304"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConnectUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Connect"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"EstimatedSize" = "50100"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoAdjustThresholds" = "1"
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName1" = "Graphic"
"FileGroupName0" = "Text"
"FileGroupName3" = "Video"
"FileGroupName2" = "Program"
"FileGroupName5" = "Temporary"
"FileGroupName4" = "Music"
"FileGroupName6" = "User Defined"
"WebserviceEnabled" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"NoModify" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"StoreUrl" = "http://links.raxco.com/go.rax?id=PD12_5_OnlineStore"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowExternalHardDrives" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Security" = "01 00 00 00 01 00 00 00 00 00 00 00 03 00 00 00"
"FeaturesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_Features"
"FreeSpaceOnStart" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 41 1D 21 06 CC F0 19 2B 2A 1B 39 66 98 3C E5"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Ftp_Server" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"UninstallString" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask2" = ".exe;.dll;.ocx;.sys;.vbs;.js;.wsf;.wsc;.com"
"FileGroupMask3" = ".avi;.mpg;.mov;.mp4;.mpeg;.wmv;.flv;.swf"
"FileGroupMask0" = ".txt;.doc;.docx;.rtf;.pdf;.htm;.html;.wpd;.wri"
"FileGroupMask1" = ".bmp;.jpg;.gif;.tif;.jpeg;.png"
"FileGroupMask6" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"InstallLocation" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask4" = ".mp3;.wav;.midi;.aac;.ogg;.wma"
"FileGroupMask5" = ".tmp"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThresholdVmHost" = "10000000"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SalesMail" = "sales@perfectdisk.com"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableTemperatureWarnings" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"LicenseKey" = "8ZkJZGINOMnz1XKWhTJf44z06WY2LoAfzfMSs8b8DHaj/Z6vT3FxP/gvbK5PIr88"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ProcessPriority" = "16384"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleHoursInterval" = "96"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSThreshold" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThresholdVmHost" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UseConfigIni" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Update_Root_Dir" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"VersionMajor" = "12"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Install_Option" = "Notify"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DiskThresholdUnits" = "1024"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BlogUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Blog"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"http_url" = "http://update.raxco.com/pub/download/PD125/Client"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableSmartPolling" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BetaURL" = "http://beta.raxco.com"
"Wizard" = "1"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"SmartPollingPeriod" = "180"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniEngineCompleted" = "1"
"Build" = "312"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"DisplayName" = "Raxco PerfectDisk Server 12.5 Build 312"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"LogSettings" = "0F 00 00 00 02 00 00 00 02 00 00 00 00 00 02 00"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Software_Name" = "PerfectDisk 12.5 Server"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SuggestionsURL" = "http://links.raxco.com/go.rax?id=PD12_5_Suggestions"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportMail" = "http://links.raxco.com/go.rax?id=PD12_5_Support"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Ini_Filename" = "PD125b312.ini"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"PFN" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowFlashDrives" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ContactSupportUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SupportMail"
"PerfectDiskUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"Publisher" = "Minutka15"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Auto_Check" = "No"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server]
"wainakh.bat" = "wainakh"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"CriticalTemperature" = "00 00 00 00 00 00 49 40"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Enabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate" = "16 00 00 00 41 00 75 00 74 00 6F 00 55 00 70 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"NoRepair" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"PDManageLayoutIni" = "3"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniAgentCompleted" = "1"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"WebServiceUrl" = "http://updates.raxco.com/SMART/SMARTModelUpdates.asmx"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"DisplayIcon" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Uninstall.exe"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowSSD" = "1"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\\\?\]
"Volume{52195466-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 45 00 3A 00 5C 00 00 00 62 00 00 00"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightFirstRunDriveEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Protocol" = "http"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"VersionMinor" = "5312"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HideOptiWrite" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"IoThrottling" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"Runs" = "00 00 00 00"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"KbUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_KB"
The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process regedit.exe:432 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BrandType" = "0"
"license" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"
"ManageOnPort" = "4294967295"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ExcludedVolumes" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HelpURL" = "http://docs.raxco.com/perfectdisk/12_5/EN/Index.htm"
"WebsiteUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Registry_Name" = "Build"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightSettings" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehavior" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"WebinarsUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Webinars"
"BusinessUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Business"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"proxy_port" = "80"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DisableSmart" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportURL" = "http://links.raxco.com/go.rax?id=PD12_5_Support"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThresholdVmHost" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UserGuidesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_UserGuides"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThreshold" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"RegisterURL" = "http://www.raxco.com/register"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"LData" = "eWRvlT4AkSPiOay5qg5mjBu5uQ43o7eL"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSMode" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThreshold" = "10000000"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Software_Name" = "PerfectDisk 12.5 Server"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AlertSettings]
"(Default)" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"FaqUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_FAQ"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"USER_NAME" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Registered" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Server" = ""
"Version_Info_Path" = "Software\Raxco\PerfectDisk\12.5"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThreshold" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Password_Ciphered" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"OptiwriteAdvanced" = "0"
"ProductKeyURL" = "http://links.raxco.com/go.rax?id=PD12_5_SVR"
"HelpDownloadUrl" = "http://docs.raxco.com/perfectdisk/12_5/EN/download_Help/x86_PD12.5_Help.msi"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{52195465-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 44 00 3A 00 5C 00 00 00 62 00 00 00"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleActivityTimeOut" = "300"
"AutoScheduleNewVolumeBehaviorFirstRun" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"Language" = "1033"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConnectUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Connect"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoAdjustThresholds" = "1"
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName1" = "Graphic"
"FileGroupName0" = "Text"
"FileGroupName3" = "Video"
"FileGroupName2" = "Program"
"FileGroupName5" = "Temporary"
"FileGroupName4" = "Music"
"FileGroupName6" = "User Defined"
"WebserviceEnabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"StoreUrl" = "http://links.raxco.com/go.rax?id=PD12_5_OnlineStore"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowExternalHardDrives" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Security" = "01 00 00 00 01 00 00 00 00 00 00 00 03 00 00 00"
"FeaturesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_Features"
"FreeSpaceOnStart" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 75 60 BD 5C E5 E6 EB E9 3A 13 F6 E6 BF FB 06"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{52195466-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 45 00 3A 00 5C 00 00 00 62 00 00 00"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Ftp_Server" = ""
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask2" = ".exe;.dll;.ocx;.sys;.vbs;.js;.wsf;.wsc;.com"
"FileGroupMask3" = ".avi;.mpg;.mov;.mp4;.mpeg;.wmv;.flv;.swf"
"FileGroupMask0" = ".txt;.doc;.docx;.rtf;.pdf;.htm;.html;.wpd;.wri"
"FileGroupMask1" = ".bmp;.jpg;.gif;.tif;.jpeg;.png"
"FileGroupMask6" = ""
"FileGroupMask4" = ".mp3;.wav;.midi;.aac;.ogg;.wma"
"FileGroupMask5" = ".tmp"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThresholdVmHost" = "10000000"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SalesMail" = "sales@perfectdisk.com"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableTemperatureWarnings" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"LicenseKey" = "8ZkJZGINOMnz1XKWhTJf44z06WY2LoAfzfMSs8b8DHaj/Z6vT3FxP/gvbK5PIr88"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ProcessPriority" = "16384"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleHoursInterval" = "96"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSThreshold" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThresholdVmHost" = "30"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UseConfigIni" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Update_Root_Dir" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Install_Option" = "Notify"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DiskThresholdUnits" = "1024"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BlogUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Blog"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"http_url" = "http://update.raxco.com/pub/download/PD125/Client"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableSmartPolling" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BetaURL" = "http://beta.raxco.com"
"Wizard" = "1"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"SmartPollingPeriod" = "180"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniEngineCompleted" = "1"
"Build" = "312"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"LogSettings" = "0F 00 00 00 02 00 00 00 02 00 00 00 00 00 02 00"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{52195469-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 43 00 3A 00 5C 00 00 00 62 00 00 00"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SuggestionsURL" = "http://links.raxco.com/go.rax?id=PD12_5_Suggestions"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportMail" = "http://links.raxco.com/go.rax?id=PD12_5_Support"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Ini_Filename" = "PD125b312.ini"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"PFN" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowFlashDrives" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ContactSupportUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SupportMail"
"PerfectDiskUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Auto_Check" = "No"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"CriticalTemperature" = "00 00 00 00 00 00 49 40"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Enabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate" = "16 00 00 00 41 00 75 00 74 00 6F 00 55 00 70 00"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"PDManageLayoutIni" = "3"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniAgentCompleted" = "1"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"WebServiceUrl" = "http://updates.raxco.com/SMART/SMARTModelUpdates.asmx"
"AllowSSD" = "1"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightFirstRunDriveEnable" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Protocol" = "http"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableDebug" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HideOptiWrite" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"IoThrottling" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"Runs" = "00 00 00 00"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"KbUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_KB"
The process PDEngine.exe:744 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"EofWriteExtendSizeHigh" = "0"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"license" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName2" = "Program"
"AllowFlashDrives" = "1"
"EnableTemperatureWarnings" = "1"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EofWriteExtendSizeHigh" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask2" = ".exe;.dll;.ocx;.sys;.vbs;.js;.wsf;.wsc;.com"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MinExtentSizeHigh" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightSettings" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"CriticalTemperature" = "00 00 00 00 00 00 49 40"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"EofWriteExtendSizeLow" = "1048576"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ProcessPriority" = "16384"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{b98117e8-75ca-11e2-81b2-000c293708fb}" = "08 00 00 00 44 00 3A 00 5C 00 00 00 62 00 00 00"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EofWriteWhitelist" = ""
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"PDManageLayoutIni" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"
[HKLM\System\CurrentControlSet\Services\DefragFS\Parameters]
"BootMountTimestamp" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"IoThrottling" = "1"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MaxExtentSizeLow" = "4294967295"
"Enable" = "0"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EnableEofWriteDefrag" = "1"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ExcludedVolumes" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"SmartPollingPeriod" = "180"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EofWriteExtendSizeLow" = "1048576"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowSSD" = "1"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"LicenseKey" = "8ZkJZGINOMnz1XKWhTJf44z06WY2LoAfzfMSs8b8DHaj/Z6vT3FxP/gvbK5PIr88"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableSmartPolling" = "1"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightFirstRunDriveEnable" = "0"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"Enable" = "1"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask4" = ".mp3;.wav;.midi;.aac;.ogg;.wma"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MinNumFragmentsThreshold" = "2"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MaxExtentSizeHigh" = "4294967295"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
"EnableAutoLayout" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName1" = "Graphic"
"FileGroupName0" = "Text"
"FileGroupName3" = "Video"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MinExtentSizeHigh" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName5" = "Temporary"
"FileGroupName4" = "Music"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MaxExtentSizeLow" = "4294967295"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName6" = "User Defined"
"DisableSmart" = "0"
"AllowExternalHardDrives" = "1"
"EnableDebug" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{c155cd75-744b-11e2-8294-806d6172696f}" = "08 00 00 00 43 00 3A 00 5C 00 00 00 62 00 00 00"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MaxExtentSizeHigh" = "4294967295"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 8F 5B E6 7B A4 C4 26 92 B6 DB AB 82 47 19 D9"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"NumFreeSpaceExtentsStored" = "100"
"EnableEofWriteDefrag" = "1"
"EofWriteWhitelist" = ""
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MinExtentSizeLow" = "0"
"MinNumFragmentsThreshold" = "2"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MinExtentSizeLow" = "0"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask3" = ".avi;.mpg;.mov;.mp4;.mpeg;.wmv;.flv;.swf"
"FileGroupMask0" = ".txt;.doc;.docx;.rtf;.pdf;.htm;.html;.wpd;.wri"
"FileGroupMask1" = ".bmp;.jpg;.gif;.tif;.jpeg;.png"
"FileGroupMask6" = ""
"VSSMode" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{5F79448F-AD6F-4931-B39D-13B5DFB34108}" = ""
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask5" = ".tmp"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"NumFreeSpaceExtentsStored" = "100"
[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSThreshold" = "30"
The Malware deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"LExtra"
[HKLM\System\CurrentControlSet\Services\DefragFS\Parameters]
"BootErrorLogFile"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}"
The process runonce.exe:436 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 E7 B7 F5 B0 D4 D1 0E 1F C3 CF 2E 2D C0 65 52"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Malware deletes the following value(s) in system registry:
The Malware disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"
The process grpconv.exe:1316 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 4A AA 74 F8 B2 06 BD 78 E7 D9 02 47 26 6C 31"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv]
"Log" = "Init Application."
[HKCR\MSProgramGroup\Shell\Open\Command]
"(Default)" = "%System%\grpconv.exe %1"
[HKCR\MSProgramGroup]
"(Default)" = "Microsoft Program Group"
[HKCR\.grp]
"(Default)" = "MSProgramGroup"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The process MsiExec.exe:1232 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 E5 9D F6 7B E0 E5 4F A7 38 A4 90 C7 3D 3C 13"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}" = "FB 0A 17 BA 75 E3 CB A1 83 74 1C AB 1E D3 5C CD"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Instances\PDFsFilter Instance]
"Flags" = "0"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Instances]
"DefaultInstance" = "PDFsFilter Instance"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters]
"(Default)" = ""
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Activity Monitor" = "04 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00"
[HKLM\System\CurrentControlSet\Services\PDFSFilter\Instances\PDFsFilter Instance]
"Altitude" = "186000"
[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UseConfigIni" = "1"
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
The Malware deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Services\DefragFS]
"ImagePath"
The process MsiExec.exe:1100 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 3C 3D D5 88 69 07 32 A1 54 10 EA E7 41 35 EE"
Dropped PE files
MD5 | File path |
---|---|
f2e2227dbb8efc26ff8af64b88bcd0af | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\AutoUpdDLL.dll |
ef96be5e0db97ae7ed4b225c056c7755 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\PDEngine.exe |
98cd0a213afcba97c54d20a3908c1b39 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\PDEnginePS.dll |
467c76ef3d69e70d95b6448ebaf3df07 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\PDState.dll |
a1d0cf53b3fcaec84b92fba57f2d7e0d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\PDUtils.dll |
c3ba67167abfac31c39bc959b250ced8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.dll |
36ccd0cfe3fc326260baa7425bde5c9a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\sqlceqp35.dll |
958582542e5827c3b1b191f1c6c123f4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Common\Raxco\Shared\sqlcese35.dll |
13e9d581f1d3e769d3f359a7bab89976 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\System32\Drivers\DefragFs.sys |
4bf1b60276be359158f0e68681713872 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\System32\Drivers\PDFsFilter.sys |
a06717db2c87193973ee9a4938c8945b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\System32\PDBoot.exe |
03e9314004f504a14a61c3d364b62f66 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Win\System\msvcp100.dll |
67ec459e42d3081dd8fd34356f7cafc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Win\System\msvcr100.dll |
cdcc63e967d64ece3729246720af4fcc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\system32\msvcm80.dll |
2bc650257fb0867abd54fd460ec2bafc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\system32\msvcp80.dll |
16d7ddf3b659f7cf1cb9f4dcff4219f0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\system32\msvcr80.dll |
cdcc63e967d64ece3729246720af4fcc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcm80.dll |
2bc650257fb0867abd54fd460ec2bafc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcp80.dll |
16d7ddf3b659f7cf1cb9f4dcff4219f0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcr80.dll |
cdcc63e967d64ece3729246720af4fcc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcm80.dll |
2bc650257fb0867abd54fd460ec2bafc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcp80.dll |
16d7ddf3b659f7cf1cb9f4dcff4219f0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcr80.dll |
2bdfdede525a32856d0050abca658834 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\AutoUpdGui.exe |
eaaa7462a31d15e7237798f2d931a211 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgent.exe |
735fe4711cf9d90d60191f88f4cf2397 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgentS1.exe |
af83c581aabd967e2c52e1d7c4a8036b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDCmd.exe |
86543a8db5ed771ac24cd90a969cc7e5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDElevationWorker.exe |
40c66fd754cd88d91b17f8f52e6cd01a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchange.exe |
84312b22ab0429b0c82662b6d17720d9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchangePS.dll |
22334939e56fac64fc9c4d2cd4979d5a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDFsPerf.dll |
8f588bd253a40ffe33dc23e7f5e9e5c1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVMDefrag.exe |
a7e05807b2832d93f2f84890235bab08 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuest.dll |
fe6e753a7da0e194ec09b6ac82fc3caf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuestPS.dll |
31b955b714c43c878ec107dde2e918f5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PerfectDisk.exe |
fc47f710b7748b1c45a1f3539c97936c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtCore4.dll |
6b697b2ecfe09ede3286b5f092b1ecd9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtGui4.dll |
8c2cf347efcc4a8fc985e93121d2a419 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\chartdir50.dll |
caa87a1dbaf7899677239ed7e591f714 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\libeay32.dll |
7ae1b12c29b35f391bfcefce8776f9d2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\msxml6.dll |
c3ba67167abfac31c39bc959b250ced8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.dll |
36ccd0cfe3fc326260baa7425bde5c9a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceqp35.dll |
958582542e5827c3b1b191f1c6c123f4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlcese35.dll |
99963f1e23ac6fabbdf14c469312e85e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server\program files\Raxco\PerfectDisk\ssleay32.dll |
f2e2227dbb8efc26ff8af64b88bcd0af | c:\Program Files\Common Files\Raxco\Shared\AutoUpdDLL.dll |
ef96be5e0db97ae7ed4b225c056c7755 | c:\Program Files\Common Files\Raxco\Shared\PDEngine.exe |
98cd0a213afcba97c54d20a3908c1b39 | c:\Program Files\Common Files\Raxco\Shared\PDEnginePS.dll |
467c76ef3d69e70d95b6448ebaf3df07 | c:\Program Files\Common Files\Raxco\Shared\PDState.dll |
a1d0cf53b3fcaec84b92fba57f2d7e0d | c:\Program Files\Common Files\Raxco\Shared\PDUtils.dll |
c3ba67167abfac31c39bc959b250ced8 | c:\Program Files\Common Files\Raxco\Shared\sqlceoledb35.dll |
36ccd0cfe3fc326260baa7425bde5c9a | c:\Program Files\Common Files\Raxco\Shared\sqlceqp35.dll |
958582542e5827c3b1b191f1c6c123f4 | c:\Program Files\Common Files\Raxco\Shared\sqlcese35.dll |
2bdfdede525a32856d0050abca658834 | c:\Program Files\Raxco\PerfectDisk\AutoUpdGui.exe |
eaaa7462a31d15e7237798f2d931a211 | c:\Program Files\Raxco\PerfectDisk\PDAgent.exe |
735fe4711cf9d90d60191f88f4cf2397 | c:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe |
af83c581aabd967e2c52e1d7c4a8036b | c:\Program Files\Raxco\PerfectDisk\PDCmd.exe |
86543a8db5ed771ac24cd90a969cc7e5 | c:\Program Files\Raxco\PerfectDisk\PDElevationWorker.exe |
22334939e56fac64fc9c4d2cd4979d5a | c:\Program Files\Raxco\PerfectDisk\PDFsPerf.dll |
a7e05807b2832d93f2f84890235bab08 | c:\Program Files\Raxco\PerfectDisk\PDVmGuest.dll |
fe6e753a7da0e194ec09b6ac82fc3caf | c:\Program Files\Raxco\PerfectDisk\PDVmGuestPS.dll |
31b955b714c43c878ec107dde2e918f5 | c:\Program Files\Raxco\PerfectDisk\PerfectDisk.exe |
fc47f710b7748b1c45a1f3539c97936c | c:\Program Files\Raxco\PerfectDisk\QtCore4.dll |
6b697b2ecfe09ede3286b5f092b1ecd9 | c:\Program Files\Raxco\PerfectDisk\QtGui4.dll |
8c2cf347efcc4a8fc985e93121d2a419 | c:\Program Files\Raxco\PerfectDisk\chartdir50.dll |
caa87a1dbaf7899677239ed7e591f714 | c:\Program Files\Raxco\PerfectDisk\libeay32.dll |
c3ba67167abfac31c39bc959b250ced8 | c:\Program Files\Raxco\PerfectDisk\sqlceoledb35.dll |
36ccd0cfe3fc326260baa7425bde5c9a | c:\Program Files\Raxco\PerfectDisk\sqlceqp35.dll |
958582542e5827c3b1b191f1c6c123f4 | c:\Program Files\Raxco\PerfectDisk\sqlcese35.dll |
99963f1e23ac6fabbdf14c469312e85e | c:\Program Files\Raxco\PerfectDisk\ssleay32.dll |
3ea0582339f05f7bfc764b5571fad30f | c:\WINDOWS\Installer\{FD310764-B3E5-430F-980E-D6C0016B2660}\MenuStartPD.exe |
cdcc63e967d64ece3729246720af4fcc | c:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll |
2bc650257fb0867abd54fd460ec2bafc | c:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll |
16d7ddf3b659f7cf1cb9f4dcff4219f0 | c:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll |
a06717db2c87193973ee9a4938c8945b | c:\WINDOWS\system32\PDBoot.exe |
13e9d581f1d3e769d3f359a7bab89976 | c:\WINDOWS\system32\drivers\DefragFs.sys |
4bf1b60276be359158f0e68681713872 | c:\WINDOWS\system32\drivers\PDFsFilter.sys |
03e9314004f504a14a61c3d364b62f66 | c:\WINDOWS\system32\msvcp100.dll |
67ec459e42d3081dd8fd34356f7cafc1 | c:\WINDOWS\system32\msvcr100.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver " %System%\Drivers\DefragFS.SYS" the Malware attaches its filter-device object to the Volume Device Object (VDO) of the file system driver.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:448
regedit.exe:432
runonce.exe:436
grpconv.exe:1316
MsiExec.exe:1232
MsiExec.exe:1100 - Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\All Users\Application Data\Raxco\PerfectDisk\12.5\pd_local.sdf (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcm80.dll (9364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\English.tr (16110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcr80.dll (11472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\msxml6.dll (20729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\defragfs.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceqp35.dll (14043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\Config.ini (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.adm (1328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVMDefrag.exe (10960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchangePS.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\English.tr (17101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtCore4.dll (49418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchange.exe (6471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlcese35.dll (8130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.dll (2819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtGui4.dll (180433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\CommonAppData\Raxco\PerfectDisk\12.5\pd_local.sdf (30618 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDElevationWorker.exe (3236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcp100.dll (7538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PerfectDisk.exe (149995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\ssleay32.dll (5370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\PDFsFilter.sys (1320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\PerfectDisk_x86.msi (44286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\PDBoot.exe (4584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\libeay32.dll (20429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDAgent.tlb (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\qt_ja.qm (3005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (27304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.dll (3996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDState.dll (13708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcp80.dll (10769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuestPS.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcr100.dll (13109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.bat (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\AutoUpdGui.exe (17623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceqp35.dll (10442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcp80.dll (8715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEngine.exe (34064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDCmd.exe (7333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgent.exe (20320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.raxco.manifest (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PdFsfilter.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\chartdir50.dll (35321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDUtils.dll (4772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcr80.dll (12820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcm80.dll (9223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcr80.dll (9853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.raxco.manifest (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PatchPDLocalDB.sql (1929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcp80.dll (12030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\AutoUpdDLL.dll (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlcese35.dll (6929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcm80.dll (9530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDFsPerf.dll (1062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgentS1.exe (830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\en-us\PerfectDisk12_5.adml (1047 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\DefragFS.inf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\DefragFs.sys (2336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.reg (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsFilter.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEnginePS.dll (842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsPerf.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.admx (1024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuest.dll (24837 bytes)
%System%\wbem\Repository\FS\OBJECTS.MAP (12 bytes)
%System%\wbem\Logs (4 bytes)
%System%\config\AppEvent.Evt (16 bytes)
%WinDir%\Installer\{FD310764-B3E5-430F-980E-D6C0016B2660} (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b4.dat (4 bytes)
%System%\config\SOFTWARE.LOG (78492 bytes)
%Program Files%\Common Files (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%System%\wbem\Repository\FS\MAPPING2.MAP (192 bytes)
C:\$Directory (1292 bytes)
%System%\Microsoft\Protect\S-1-5-18\User (4 bytes)
%System%\config\software (78350 bytes)
%Program Files%\Common Files\Raxco\Shared (4 bytes)
%WinDir%\MICROSOFT.NET (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (47 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Minutka15
Product Name:
Product Version:
Legal Copyright: Minutka15
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 12.5 Build 312
File Description: Raxco PerfectDisk Server 12.5 Build 312 Installation
Comments:
Language: Language Neutral
Company Name: Minutka15 Product Name: Product Version: Legal Copyright: Minutka15 Legal Trademarks: Original Filename: Internal Name: File Version: 12.5 Build 312 File Description: Raxco PerfectDisk Server 12.5 Build 312 Installation Comments: Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 148684 | 148992 | 4.57087 | bac8bae7a5e5326cf49943b90d1c062a |
DATA | 155648 | 10388 | 10752 | 2.62963 | abafcbfbd7f8ac0226ca496a92a0cf06 |
BSS | 167936 | 4341 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 176128 | 6040 | 6144 | 3.38637 | 7a4934595db0efc364c3982c4e335d8c |
.tls | 184320 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 188416 | 24 | 512 | 0.14174 | c4fdd0c5c9efb616fcc85d66056ca490 |
.reloc | 192512 | 6276 | 6656 | 4.56552 | 867a1120317d51734587a74f6ee70016 |
.rsrc | 200704 | 43416 | 43520 | 3.68595 | 8cd200a5fec9362fbc2c5d8562cd9f8c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl | |
hxxp://crl.verisign.com/pca3-g5.crl | 23.43.133.163 |
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl | 23.43.133.163 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "8d383c4069ca22795a1696d1945c4a26:1425459915"
Last-Modified: Wed, 04 Mar 2015 09:05:15 GMT
Date: Wed, 04 Mar 2015 15:39:38 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0..3.0..2....0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA..150304090004Z..150318090004Z0..1.0!.....S.@.k....6..c..140730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&...130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s..130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9..130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H......120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.....w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M83...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........'u..140521222808Z0!......0..........I..130912181631Z0!.....1.;C,.. L..0...141111073655Z0!....6e...~..T.......130131012247Z0!.....|.....t.l.o....140827175301Z0!.........bD#*u......130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v..........n..120724160733Z0!....n[..P..a.y...p..141121045513Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|.
<<< skipped >>>
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "0eb6836c44430f9901d468ac9e53f3c4:1418965221"
Last-Modified: Fri, 19 Dec 2014 05:00:21 GMT
Date: Wed, 04 Mar 2015 15:39:38 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..141210000000Z..150331235959Z0...*.H..............(.Y.&..-.f.....5uC..[..I/..S.....g...%#..M..... .#.1..:A#rrl9....nKA......TP.....3......N.d5..Y......svZV..8..h..JV.#T..u..)=..i...d..]m.aSY....vu.p..K..G9=>.!LYh0yu.(....@k...n'H..)...v..O/.....B.[j...%.xt...-)"|..P...Q.......p..y..............q...&...t...
Map
The Malware connects to the servers at the folowing location(s):
Strings from Dumps
PDAgent.exe_372:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SSSSh
SSSSh
@.text
@.text
Scheduler cannot stop operation on drive %1 because of higher priority operation is active.
Scheduler cannot stop operation on drive %1 because of higher priority operation is active.
Scheduler cannot start offline defragmentation of drive %1 because offline defrag of FAT is no longer supported and we cannot lock the drive.
Scheduler cannot start offline defragmentation of drive %1 because offline defrag of FAT is no longer supported and we cannot lock the drive.
Scheduler cannot start offline defragmentation of drive %1 because of higher priority operation is active.
Scheduler cannot start offline defragmentation of drive %1 because of higher priority operation is active.
Scheduler cannot start defragmentation of drive %1 because of higher priority operation is active.
Scheduler cannot start defragmentation of drive %1 because of higher priority operation is active.
Scheduler cannot start Zero Free Space operation on drive %1 because a higher priority operation is active.
Scheduler cannot start Zero Free Space operation on drive %1 because a higher priority operation is active.
Schedule (%1)(%2) execution status is (%3).
Schedule (%1)(%2) execution status is (%3).
%3 %4 %5 %6 %7 %8
%3 %4 %5 %6 %7 %8
RegCreateKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyTransactedW
ManageOnPort
ManageOnPort
ImportantProcessList
ImportantProcessList
ADODB.Connection
ADODB.Connection
ADODB.Recordset
ADODB.Recordset
License key has been disabled
License key has been disabled
Invalid license key
Invalid license key
Successfull operation
Successfull operation
ProxyBypass
ProxyBypass
AutoConfigURL
AutoConfigURL
RegOpenKeyTransactedW
RegOpenKeyTransactedW
advapi32.dll
advapi32.dll
license.raxco.com
license.raxco.com
secure/PDLicense/PDLicenseServer.dll
secure/PDLicense/PDLicenseServer.dll
D:\PerfectDisk_v12.5\Dev\binaries\Win32\Release\PDAgent.pdb
D:\PerfectDisk_v12.5\Dev\binaries\Win32\Release\PDAgent.pdb
WTSAPI32.dll
WTSAPI32.dll
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpSetTimeouts
WinHttpSetTimeouts
WinHttpSetOption
WinHttpSetOption
WinHttpSendRequest
WinHttpSendRequest
WinHttpConnect
WinHttpConnect
WinHttpCloseHandle
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpOpen
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpReadData
WinHttpReadData
WINHTTP.dll
WINHTTP.dll
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpGetProxyForUrl
SetNamedPipeHandleState
SetNamedPipeHandleState
WaitNamedPipeW
WaitNamedPipeW
PeekNamedPipe
PeekNamedPipe
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegCreateKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
ReportEventW
ReportEventW
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
pdh.dll
pdh.dll
RPCRT4.dll
RPCRT4.dll
InternetCrackUrlW
InternetCrackUrlW
InternetCanonicalizeUrlW
InternetCanonicalizeUrlW
WININET.dll
WININET.dll
USERENV.dll
USERENV.dll
VERSION.dll
VERSION.dll
WS2_32.dll
WS2_32.dll
PSAPI.DLL
PSAPI.DLL
UrlUnescapeW
UrlUnescapeW
SHLWAPI.dll
SHLWAPI.dll
MSVCP100.dll
MSVCP100.dll
MSVCR100.dll
MSVCR100.dll
_amsg_exit
_amsg_exit
_wcmdln
_wcmdln
_crt_debugger_hook
_crt_debugger_hook
POWRPROF.dll
POWRPROF.dll
GetProcessHeap
GetProcessHeap
.?AUISupportErrorInfo@@
.?AUISupportErrorInfo@@
.?AVDriveSettingVolumePresenceOperator@@
.?AVDriveSettingVolumePresenceOperator@@
.?AVVolumePresenceOperator@@
.?AVVolumePresenceOperator@@
.?AVWipingOnVolumePresenceOperator@@
.?AVWipingOnVolumePresenceOperator@@
.?AVStandardVolumePresenceOperator@@
.?AVStandardVolumePresenceOperator@@
.?AVCTCPIPClient@@
.?AVCTCPIPClient@@
.?AV?$CComObjectNoLock@V?$CComClassFactorySingleton@VCPDAgentSpaceReports@@@ATL@@@ATL@@
.?AV?$CComObjectNoLock@V?$CComClassFactorySingleton@VCPDAgentSpaceReports@@@ATL@@@ATL@@
.?AV?$CComClassFactorySingleton@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComClassFactorySingleton@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComObject@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComObject@VCPDAgentSpaceReports@@@ATL@@
.?AVCPDAgentSpaceReports@@
.?AVCPDAgentSpaceReports@@
.?AV?$CComCoClass@VCPDAgentSpaceReports@@$1?CLSID_PDAgentSpaceReports@@3U_GUID@@B@ATL@@
.?AV?$CComCoClass@VCPDAgentSpaceReports@@$1?CLSID_PDAgentSpaceReports@@3U_GUID@@B@ATL@@
.?AV?$IDispatchImpl@UIFileSpaceReports@@$1?IID_IPDAgentSpaceReports@@3U_GUID@@B$1?LIBID_PDAgentLib@@3U3@B$00$0A@VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$IDispatchImpl@UIFileSpaceReports@@$1?IID_IPDAgentSpaceReports@@3U_GUID@@B$1?LIBID_PDAgentLib@@3U3@B$00$0A@VCComTypeInfoHolder@ATL@@@ATL@@
.?AUIFileSpaceReports@@
.?AUIFileSpaceReports@@
.?AUIFileReports@@
.?AUIFileReports@@
.?AV?$IObjectSafetyImpl@VCPDAgentSpaceReports@@$02@ATL@@
.?AV?$IObjectSafetyImpl@VCPDAgentSpaceReports@@$02@ATL@@
.?AV?$CComAggObject@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComAggObject@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComContainedObject@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComContainedObject@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComObjectCached@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComObjectCached@VCPDAgentSpaceReports@@@ATL@@
.?AVCTCPIPServer@@
.?AVCTCPIPServer@@
.?AVCPipeClient@@
.?AVCPipeClient@@
.?AVCMailSlotTransport@@
.?AVCMailSlotTransport@@
.?AVIMessageTransport@@
.?AVIMessageTransport@@
{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F} = s 'PDAgent'
{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F} = s 'PDAgent'
'PDAgent.EXE'
'PDAgent.EXE'
val AppID = s {E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}
val AppID = s {E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}
PDAgent.PDAgent.1 = s 'PDAgent Class'
PDAgent.PDAgent.1 = s 'PDAgent Class'
CLSID = s '{CC5C2398-3512-464D-B59D-C9B85541AD50}'
CLSID = s '{CC5C2398-3512-464D-B59D-C9B85541AD50}'
PDAgent.PDAgent = s 'PDAgent Class'
PDAgent.PDAgent = s 'PDAgent Class'
CurVer = s 'PDAgent.PDAgent.1'
CurVer = s 'PDAgent.PDAgent.1'
ForceRemove {CC5C2398-3512-464D-B59D-C9B85541AD50} = s 'PDAgent Class'
ForceRemove {CC5C2398-3512-464D-B59D-C9B85541AD50} = s 'PDAgent Class'
ProgID = s 'PDAgent.PDAgent.1'
ProgID = s 'PDAgent.PDAgent.1'
VersionIndependentProgID = s 'PDAgent.PDAgent'
VersionIndependentProgID = s 'PDAgent.PDAgent'
val AppID = s '{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}'
val AppID = s '{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}'
'TypeLib' = s '{2070972B-BE20-4395-9AC7-88A9CCF160BB}'
'TypeLib' = s '{2070972B-BE20-4395-9AC7-88A9CCF160BB}'
PDAgent.DuplicatesFinder.1 = s 'DuplicatesFinder Class'
PDAgent.DuplicatesFinder.1 = s 'DuplicatesFinder Class'
CLSID = s '{35C6767E-B901-46A6-8203-30FCFFD4AB81}'
CLSID = s '{35C6767E-B901-46A6-8203-30FCFFD4AB81}'
PDAgent.DuplicatesFinder = s 'DuplicatesFinder Class'
PDAgent.DuplicatesFinder = s 'DuplicatesFinder Class'
CurVer = s 'PDAgent.DuplicatesFinder.1'
CurVer = s 'PDAgent.DuplicatesFinder.1'
ForceRemove {35C6767E-B901-46A6-8203-30FCFFD4AB81} = s 'DuplicatesFinder Class'
ForceRemove {35C6767E-B901-46A6-8203-30FCFFD4AB81} = s 'DuplicatesFinder Class'
ProgID = s 'PDAgent.DuplicatesFinder.1'
ProgID = s 'PDAgent.DuplicatesFinder.1'
VersionIndependentProgID = s 'PDAgent.DuplicatesFinder'
VersionIndependentProgID = s 'PDAgent.DuplicatesFinder'
PDAgent.WebBrowserCleaner.1 = s 'WebBrowserCleaner Class'
PDAgent.WebBrowserCleaner.1 = s 'WebBrowserCleaner Class'
CLSID = s '{2C67080E-6071-4777-AA16-CE4681DFB250}'
CLSID = s '{2C67080E-6071-4777-AA16-CE4681DFB250}'
PDAgent.WebBrowserCleaner = s 'WebBrowserCleaner Class'
PDAgent.WebBrowserCleaner = s 'WebBrowserCleaner Class'
CurVer = s 'PDAgent.WebBrowserCleaner.1'
CurVer = s 'PDAgent.WebBrowserCleaner.1'
ForceRemove {2C67080E-6071-4777-AA16-CE4681DFB250} = s 'WebBrowserCleaner Class'
ForceRemove {2C67080E-6071-4777-AA16-CE4681DFB250} = s 'WebBrowserCleaner Class'
ProgID = s 'PDAgent.WebBrowserCleaner.1'
ProgID = s 'PDAgent.WebBrowserCleaner.1'
VersionIndependentProgID = s 'PDAgent.WebBrowserCleaner'
VersionIndependentProgID = s 'PDAgent.WebBrowserCleaner'
val AppID = s '{2B6C1FB1-B230-4080-8A36-87883698C408}'
val AppID = s '{2B6C1FB1-B230-4080-8A36-87883698C408}'
'TypeLib' = s '{877723D5-D216-4DB9-A8B3-61692B96DC2B}'
'TypeLib' = s '{877723D5-D216-4DB9-A8B3-61692B96DC2B}'
PDAgent.SpaceRecycler.1 = s 'SpaceRecycler Class'
PDAgent.SpaceRecycler.1 = s 'SpaceRecycler Class'
CLSID = s '{18EC0531-7D75-46E7-8869-384AEDB699C9}'
CLSID = s '{18EC0531-7D75-46E7-8869-384AEDB699C9}'
PDAgent.SpaceRecycler = s 'SpaceRecycler Class'
PDAgent.SpaceRecycler = s 'SpaceRecycler Class'
CurVer = s 'PDAgent.SpaceRecycler.1'
CurVer = s 'PDAgent.SpaceRecycler.1'
ForceRemove {18EC0531-7D75-46E7-8869-384AEDB699C9} = s 'SpaceRecycler Class'
ForceRemove {18EC0531-7D75-46E7-8869-384AEDB699C9} = s 'SpaceRecycler Class'
ProgID = s 'PDAgent.SpaceRecycler.1'
ProgID = s 'PDAgent.SpaceRecycler.1'
VersionIndependentProgID = s 'PDAgent.SpaceRecycler'
VersionIndependentProgID = s 'PDAgent.SpaceRecycler'
PDAgent.FileShredder.1 = s 'FileShredder Class'
PDAgent.FileShredder.1 = s 'FileShredder Class'
CLSID = s '{0DC8D89E-EB99-4B77-88D3-03E207AA8738}'
CLSID = s '{0DC8D89E-EB99-4B77-88D3-03E207AA8738}'
PDAgent.FileShredder = s 'FileShredder Class'
PDAgent.FileShredder = s 'FileShredder Class'
CurVer = s 'PDAgent.FileShredder.1'
CurVer = s 'PDAgent.FileShredder.1'
ForceRemove {0DC8D89E-EB99-4B77-88D3-03E207AA8738} = s 'FileShredder Class'
ForceRemove {0DC8D89E-EB99-4B77-88D3-03E207AA8738} = s 'FileShredder Class'
ProgID = s 'PDAgent.FileShredder.1'
ProgID = s 'PDAgent.FileShredder.1'
VersionIndependentProgID = s 'PDAgent.FileShredder'
VersionIndependentProgID = s 'PDAgent.FileShredder'
PDAgent.PDAgentFileSet.1 = s 'PDAgentFileSet Class'
PDAgent.PDAgentFileSet.1 = s 'PDAgentFileSet Class'
CLSID = s '{B83F237B-81DD-4C3F-87FF-E7A534D221CA}'
CLSID = s '{B83F237B-81DD-4C3F-87FF-E7A534D221CA}'
PDAgent.PDAgentFileSet = s 'PDAgentFileSet Class'
PDAgent.PDAgentFileSet = s 'PDAgentFileSet Class'
CurVer = s 'PDAgent.PDAgentFileSet.1'
CurVer = s 'PDAgent.PDAgentFileSet.1'
ForceRemove {B83F237B-81DD-4C3F-87FF-E7A534D221CA} = s 'PDAgentFileSet Class'
ForceRemove {B83F237B-81DD-4C3F-87FF-E7A534D221CA} = s 'PDAgentFileSet Class'
ProgID = s 'PDAgent.PDAgentFileSet.1'
ProgID = s 'PDAgent.PDAgentFileSet.1'
VersionIndependentProgID = s 'PDAgent.PDAgentFileSet'
VersionIndependentProgID = s 'PDAgent.PDAgentFileSet'
PDAgent.PDAgentFileOp.1 = s 'PDAgentFileOp Class'
PDAgent.PDAgentFileOp.1 = s 'PDAgentFileOp Class'
CLSID = s '{997E2C76-4654-41A6-ABCB-C169E72CBFC5}'
CLSID = s '{997E2C76-4654-41A6-ABCB-C169E72CBFC5}'
PDAgent.PDAgentFileOp = s 'PDAgentFileOp Class'
PDAgent.PDAgentFileOp = s 'PDAgentFileOp Class'
CurVer = s 'PDAgent.PDAgentFileOp.1'
CurVer = s 'PDAgent.PDAgentFileOp.1'
ForceRemove {997E2C76-4654-41A6-ABCB-C169E72CBFC5} = s 'PDAgentFileOp Class'
ForceRemove {997E2C76-4654-41A6-ABCB-C169E72CBFC5} = s 'PDAgentFileOp Class'
ProgID = s 'PDAgent.PDAgentFileOp.1'
ProgID = s 'PDAgent.PDAgentFileOp.1'
VersionIndependentProgID = s 'PDAgent.PDAgentFileOp'
VersionIndependentProgID = s 'PDAgent.PDAgentFileOp'
PDAgent.PDAgentSpaceReports.1 = s 'PDAgentSpaceReports Class'
PDAgent.PDAgentSpaceReports.1 = s 'PDAgentSpaceReports Class'
CLSID = s '{63056E08-D7A8-486B-BF99-DD6FA63C0018}'
CLSID = s '{63056E08-D7A8-486B-BF99-DD6FA63C0018}'
PDAgent.PDAgentSpaceReports = s 'PDAgentSpaceReports Class'
PDAgent.PDAgentSpaceReports = s 'PDAgentSpaceReports Class'
CurVer = s 'PDAgent.PDAgentSpaceReports.1'
CurVer = s 'PDAgent.PDAgentSpaceReports.1'
ForceRemove {63056E08-D7A8-486B-BF99-DD6FA63C0018} = s 'PDAgentSpaceReports Class'
ForceRemove {63056E08-D7A8-486B-BF99-DD6FA63C0018} = s 'PDAgentSpaceReports Class'
ProgID = s 'PDAgent.PDAgentSpaceReports.1'
ProgID = s 'PDAgent.PDAgentSpaceReports.1'
VersionIndependentProgID = s 'PDAgent.PDAgentSpaceReports'
VersionIndependentProgID = s 'PDAgent.PDAgentSpaceReports'
PDAgent.PDAgentFileBrowser.1 = s 'PDAgentFileBrowser Class'
PDAgent.PDAgentFileBrowser.1 = s 'PDAgentFileBrowser Class'
CLSID = s '{DF274096-221E-4244-8967-5378E36A9E11}'
CLSID = s '{DF274096-221E-4244-8967-5378E36A9E11}'
PDAgent.PDAgentFileBrowser = s 'PDAgentFileBrowser Class'
PDAgent.PDAgentFileBrowser = s 'PDAgentFileBrowser Class'
CurVer = s 'PDAgent.PDAgentFileBrowser.1'
CurVer = s 'PDAgent.PDAgentFileBrowser.1'
ForceRemove {DF274096-221E-4244-8967-5378E36A9E11} = s 'PDAgentFileBrowser Class'
ForceRemove {DF274096-221E-4244-8967-5378E36A9E11} = s 'PDAgentFileBrowser Class'
ProgID = s 'PDAgent.PDAgentFileBrowser.1'
ProgID = s 'PDAgent.PDAgentFileBrowser.1'
VersionIndependentProgID = s 'PDAgent.PDAgentFileBrowser'
VersionIndependentProgID = s 'PDAgent.PDAgentFileBrowser'
stdole2.tlbWWW@"
stdole2.tlbWWW@"
AutoUpdateUrlWWW
AutoUpdateUrlWWW
urlW
urlW
ProxyPasswordWWW
ProxyPasswordWWW
ProxyServerPortW
ProxyServerPortW
port
port
passwordd
passwordd
%VirtualHostSensingPasswordWWd
%VirtualHostSensingPasswordWWd
$=SetKeyValueW
$=SetKeyValueW
.UnSubscribeW
.UnSubscribeW
WebBrowserCleanerWWW(
WebBrowserCleanerWWW(
IRx2WebBrowserCleanerWWW(
IRx2WebBrowserCleanerWWW(
vPDAgentSpaceReportsW
vPDAgentSpaceReportsW
8cBIPDAgentSpaceReportst
8cBIPDAgentSpaceReportst
property AutoUpdateUrl
property AutoUpdateUrl
property ProxyPassword
property ProxyPassword
property ProxyServerPortWW
property ProxyServerPortWW
property VirtualHostSensingPasswordWWW
property VirtualHostSensingPasswordWWW
method SetKeyValue
method SetKeyValue
property PasswordW
property PasswordW
WebBrowserCleaner ClassWWW
WebBrowserCleaner ClassWWW
IRx2WebBrowserCleaner InterfaceWWW
IRx2WebBrowserCleaner InterfaceWWW
PDAgentSpaceReports ClassW
PDAgentSpaceReports ClassW
IPDAgentSpaceReports Interface
IPDAgentSpaceReports Interface
Created by MIDL version 7.00.0555 at Thu Oct 04 17:23:56 2012
Created by MIDL version 7.00.0555 at Thu Oct 04 17:23:56 2012
PerfectDisk is a disk defragmenter, thus it needs low level access to systemPAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
PerfectDisk is a disk defragmenter, thus it needs low level access to systemPAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
16267#8)8
16267#8)8
8%9S9
8%9S9
3$3/3:3^3
3$3/3:3^3
6o6
6o6
=">\>|>
=">\>|>
8$8(8,80848
8$8(8,80848
> >$>(>,>0>4>8>
> >$>(>,>0>4>8>
7 7(707
7 7(707
6,686@6`6
6,686@6`6
9 9(949\9
9 9(949\9
ClientConsolePort
ClientConsolePort
hiberfil.sys
hiberfil.sys
?:\hiberfil.sys
?:\hiberfil.sys
Win32_OperatingSystem
Win32_OperatingSystem
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall
%s-%s
%s-%s
\StringFileInfo\xx\%s
\StringFileInfo\xx\%s
SOFTWARE\Classes\CLSID\{CC5C2398-3512-464D-B59D-C9B85541AD50}\LocalServer32
SOFTWARE\Classes\CLSID\{CC5C2398-3512-464D-B59D-C9B85541AD50}\LocalServer32
PerfectDisk.exe
PerfectDisk.exe
ControlLogicReport.cpp
ControlLogicReport.cpp
LicenseKey
LicenseKey
127.0.0.1
127.0.0.1
.Software\Raxco\PerfectDisk\12.5
.Software\Raxco\PerfectDisk\12.5
PerfectDisk.exe /autonag
PerfectDisk.exe /autonag
.pd_schedule_data.cpp
.pd_schedule_data.cpp
pd_schedule_data.cpp
pd_schedule_data.cpp
2pd_schedule_data.cpp
2pd_schedule_data.cpp
AutoUpdGui.exe
AutoUpdGui.exe
.online-part
.online-part
PDAgentS1.exe
PDAgentS1.exe
F6C76BD7-43ED-45EC-A273-C4773238908A
F6C76BD7-43ED-45EC-A273-C4773238908A
{92EA7FF7-DE29-4E91-A2B1-FD9E58CD485D}
{92EA7FF7-DE29-4E91-A2B1-FD9E58CD485D}
{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}
{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}
Call to TalkToConsole failed. Returned buffer size is 0. Console name: %s, port %d
Call to TalkToConsole failed. Returned buffer size is 0. Console name: %s, port %d
Call to TalkToConsole failed. HRESULT=%u. Console name: %s, port %d
Call to TalkToConsole failed. HRESULT=%u. Console name: %s, port %d
d:\perfectdisk_v12.5\dev\pdframework\..\PDAgent\talk_to_console.hpp
d:\perfectdisk_v12.5\dev\pdframework\..\PDAgent\talk_to_console.hpp
/#%d)
/#%d)
_d-d-d ddd d
_d-d-d ddd d
%s %s %s %s d u %s/d (%s) %s
%s %s %s %s d u %s/d (%s) %s
d:d:d.d
d:d:d.d
Call to tcpip(msg_in,msg_out) failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to tcpip(msg_in,msg_out) failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to tcpip(msg_in,msg_out) was successful
Call to tcpip(msg_in,msg_out) was successful
GetIpAddressesByNameHRESULT found no IP addresses. Console name=%s
GetIpAddressesByNameHRESULT found no IP addresses. Console name=%s
Call to GetIpAddressesByNameHRESULT failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to GetIpAddressesByNameHRESULT failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to CreateMutex failed. Microsoft Error Code=%u
Call to CreateMutex failed. Microsoft Error Code=%u
_##_%d
_##_%d
Call to rpc_client.CallServer(byte_buff_in,byte_buff_out) failed. status=%u
Call to rpc_client.CallServer(byte_buff_in,byte_buff_out) failed. status=%u
CTalkToConsoleViaTCPIP::operator ()
CTalkToConsoleViaTCPIP::operator ()
Call to rpc_client.Connect(m_IpAddress,m_Port) failed. status=%u
Call to rpc_client.Connect(m_IpAddress,m_Port) failed. status=%u
pd_scheduler.cpp
pd_scheduler.cpp
PerfectDisk.exe /nag
PerfectDisk.exe /nag
PDAgent.exe
PDAgent.exe
PDEngine.exe
PDEngine.exe
PDExchange.exe
PDExchange.exe
PDVMDefrag.exe
PDVMDefrag.exe
1pd_scheduler.cpp
1pd_scheduler.cpp
1pd_scheduler_operations.cpp
1pd_scheduler_operations.cpp
.\\.\
.\\.\
cscript.exe /B /NoLogo
cscript.exe /B /NoLogo
\cmd.exe /C
\cmd.exe /C
{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}
{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
J\\.\pipe\
J\\.\pipe\
\pipe\
\pipe\
NTDLL.DLL
NTDLL.DLL
\\.\LCD
\\.\LCD
explorer.exe
explorer.exe
Wtsapi32.dll
Wtsapi32.dll
pdagent_module.cpp
pdagent_module.cpp
user32.dll
user32.dll
SELECT MAX(StatsDefragOffline.StatsDate),
SELECT MAX(StatsDefragOffline.StatsDate),
Volumes.VolumeName
Volumes.VolumeName
LEFT OUTER JOIN Volumes
LEFT OUTER JOIN Volumes
ON Volumes.VolumeId = StatsDefragOffline.VolumeId
ON Volumes.VolumeId = StatsDefragOffline.VolumeId
GROUP BY Volumes.VolumeName ;
GROUP BY Volumes.VolumeName ;
P\\.\mailslot\
P\\.\mailslot\
SELECT TemporaryStalledAlerts.AlertsId FROM TemporaryStalledAlerts INNER JOIN Alerts
SELECT TemporaryStalledAlerts.AlertsId FROM TemporaryStalledAlerts INNER JOIN Alerts
ON TemporaryStalledAlerts.AlertsId = Alerts.AlertsId
ON TemporaryStalledAlerts.AlertsId = Alerts.AlertsId
OLEAUT32.DLL
OLEAUT32.DLL
config.ini
config.ini
23:00:00
23:00:00
AUURL
AUURL
ManageViaTCPIPEnable
ManageViaTCPIPEnable
AutoScreenSaverImportantProcesses
AutoScreenSaverImportantProcesses
AutoScreenSaverSSHours
AutoScreenSaverSSHours
PDAgentOp.cpp
PDAgentOp.cpp
WHERE Logs.LogTime
WHERE Logs.LogTime
AND Logs.LogTime >= %2%;
AND Logs.LogTime >= %2%;
SELECT TOP(%3%) Logs.LogTime ,
SELECT TOP(%3%) Logs.LogTime ,
Logs.Source ,
Logs.Source ,
Logs.EventType,
Logs.EventType,
Logs.EventId ,
Logs.EventId ,
Logs.Message
Logs.Message
WHERE Logs.LogTime
WHERE Logs.LogTime
AND Logs.LogTime >= %2% ;
AND Logs.LogTime >= %2% ;
SELECT StatsDefragOnline.StatsDate ,
SELECT StatsDefragOnline.StatsDate ,
StatsDefragOnline.FileFragmentationBefore ,
StatsDefragOnline.FileFragmentationBefore ,
StatsDefragOnline.FileFragmentationAfter ,
StatsDefragOnline.FileFragmentationAfter ,
StatsDefragOnline.FreeSpaceFragmentationBefore ,
StatsDefragOnline.FreeSpaceFragmentationBefore ,
StatsDefragOnline.FreeSpaceFragmentationAfter ,
StatsDefragOnline.FreeSpaceFragmentationAfter ,
StatsDefragOnline.DrivePerformanceBefore ,
StatsDefragOnline.DrivePerformanceBefore ,
StatsDefragOnline.DrivePerformanceAfter
StatsDefragOnline.DrivePerformanceAfter
INNER JOIN Volumes
INNER JOIN Volumes
ON StatsDefragOnline.VolumeId = Volumes.VolumeId
ON StatsDefragOnline.VolumeId = Volumes.VolumeId
WHERE (UPPER(Volumes.VolumeName) = UPPER(%1%) AND
WHERE (UPPER(Volumes.VolumeName) = UPPER(%1%) AND
StatsDefragOnline.StatsDate
StatsDefragOnline.StatsDate
ORDER BY StatsDefragOnline.StatsDate DESC;
ORDER BY StatsDefragOnline.StatsDate DESC;
PDComputerInfo.cpp
PDComputerInfo.cpp
SELECT StatsFreeSpaceClean.StatsDate ,
SELECT StatsFreeSpaceClean.StatsDate ,
StatsFreeSpaceClean.TotalSize ,
StatsFreeSpaceClean.TotalSize ,
StatsFreeSpaceClean.FreeSpaceBefore ,
StatsFreeSpaceClean.FreeSpaceBefore ,
StatsFreeSpaceClean.RecycleBinBefore ,
StatsFreeSpaceClean.RecycleBinBefore ,
StatsFreeSpaceClean.TempFilesBefore ,
StatsFreeSpaceClean.TempFilesBefore ,
StatsFreeSpaceClean.FreeSpaceAfter ,
StatsFreeSpaceClean.FreeSpaceAfter ,
StatsFreeSpaceClean.RecycleBinAfter ,
StatsFreeSpaceClean.RecycleBinAfter ,
StatsFreeSpaceClean.TempFilesAfter
StatsFreeSpaceClean.TempFilesAfter
INNER JOIN Volumes
INNER JOIN Volumes
ON StatsFreeSpaceClean.VolumeId = Volumes.VolumeId
ON StatsFreeSpaceClean.VolumeId = Volumes.VolumeId
WHERE (UPPER(Volumes.VolumeName) = UPPER(%1%) AND
WHERE (UPPER(Volumes.VolumeName) = UPPER(%1%) AND
StatsFreeSpaceClean.StatsDate
StatsFreeSpaceClean.StatsDate
ORDER BY StatsFreeSpaceClean.StatsDate DESC;
ORDER BY StatsFreeSpaceClean.StatsDate DESC;
PTF://
PTF://
PDConfiguration.cpp
PDConfiguration.cpp
B45EFD40-2FD3-49EC-9495-87AC9CF11686
B45EFD40-2FD3-49EC-9495-87AC9CF11686
6272517F-F036-4EF6-85C2-F9082F248FA4
6272517F-F036-4EF6-85C2-F9082F248FA4
\\?\Volume{
\\?\Volume{
db_manager.cpp
db_manager.cpp
Return code: 0x%8.8X (%lu) (%s/#%d)
Return code: 0x%8.8X (%lu) (%s/#%d)
ado_implement.cpp
ado_implement.cpp
SQL Query:
SQL Query:
Advapi32.dll
Advapi32.dll
Software\Microsoft\Windows\CurrentVersion\Controls Folder
Software\Microsoft\Windows\CurrentVersion\Controls Folder
%SystemDrive%
%SystemDrive%
12, 5, 0, 312
12, 5, 0, 312
PDAgent.EXE
PDAgent.EXE
PDEngine.exe_744:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SSSSSh
SSSSSh
SSSSSh
SSSSSh
}=SSSSSh
}=SSSSSh
u7SSSSSh
u7SSSSSh
2SSSShH9
2SSSShH9
PSShl9
PSShl9
88888888888888
88888888888888
RegOpenKeyTransactedW
RegOpenKeyTransactedW
kernel32.dll
kernel32.dll
-d
-d
d:d:d.d
d:d:d.d
RegCreateKeyTransactedW
RegCreateKeyTransactedW
Offline defragmentation does not support the file system on drive %1.
Offline defragmentation does not support the file system on drive %1.
Drive %1 is marked dirty. The offline defragmentation pass of your system files cannot continue. Please run CHKDSK on the drive.
Drive %1 is marked dirty. The offline defragmentation pass of your system files cannot continue. Please run CHKDSK on the drive.
During the Offline line defragmentation pass PerfectDisk was unable to verify drive %1 because the user stopped the operation.
During the Offline line defragmentation pass PerfectDisk was unable to verify drive %1 because the user stopped the operation.
RegDeleteKeyExW
RegDeleteKeyExW
RegDeleteKeyTransactedW
RegDeleteKeyTransactedW
LogInformationMessages
LogInformationMessages
advapi32.dll
advapi32.dll
An error occurred trying to read new drive information S.M.A.R.T. web service.
An error occurred trying to read new drive information S.M.A.R.T. web service.
An error occurred trying to save new drive information from the S.M.A.R.T. web service into the database.
An error occurred trying to save new drive information from the S.M.A.R.T. web service into the database.
An error occurred while submitting data to the S.M.A.R.T. web service.
An error occurred while submitting data to the S.M.A.R.T. web service.
This parameter displays the average time to spin up the drive spindle (from zero RPM to fully operational [milliseconds]).
This parameter displays the average time to spin up the drive spindle (from zero RPM to fully operational [milliseconds]).
This parameter specifies an average performance of seek operations of the magnetic heads.
This parameter specifies an average performance of seek operations of the magnetic heads.
This parameter shows the total count of retry of spin start attempts to reach the fully operational speed (under the condition that the first attempt was unsuccessful).
This parameter shows the total count of retry of spin start attempts to reach the fully operational speed (under the condition that the first attempt was unsuccessful).
This parameter value indicates uncorrected read errors reported to the operating system.
This parameter value indicates uncorrected read errors reported to the operating system.
This parameter displays the total count of aborted operations due to HDD timeout. This value should be equal to zero. If the value is too high, then most likely there will be some serious problems with power supply or an oxidized data cable.
This parameter displays the total count of aborted operations due to HDD timeout. This value should be equal to zero. If the value is too high, then most likely there will be some serious problems with power supply or an oxidized data cable.
This parameter displays a total count of high fly write errors over the lifetime of the drive. Additional protections for write operations are provided by HDD producers by implementing a Fly Height Monitor which detects when a recording head is flying outside its normal operating range. In the process of detecting an unsafe fly height condition, the write process is stopped, and the information is rewritten or reallocated to a safe region of the hard drive. The errors detected over the lifetime of a drive are then counted and displayed in this parameter.
This parameter displays a total count of high fly write errors over the lifetime of the drive. Additional protections for write operations are provided by HDD producers by implementing a Fly Height Monitor which detects when a recording head is flying outside its normal operating range. In the process of detecting an unsafe fly height condition, the write process is stopped, and the information is rewritten or reallocated to a safe region of the hard drive. The errors detected over the lifetime of a drive are then counted and displayed in this parameter.
This parameter displays a count of remap operations i.e., the total count of attempts to transfer data from reallocated sectors to a spare area. Both successful & unsuccessful attempts are counted.
This parameter displays a count of remap operations i.e., the total count of attempts to transfer data from reallocated sectors to a spare area. Both successful & unsuccessful attempts are counted.
This parameter shows the amount of vibration encountered during write operations.
This parameter shows the amount of vibration encountered during write operations.
This parameter shows the amount of shock encountered during write operations.
This parameter shows the amount of shock encountered during write operations.
This parameter shows the rate of friction between mechanical parts of the hard disk while operating. Only the time when heads were in the operating position is counted. When the value increases, it indicates that there is a problem with the mechanical subsystem of the drive.
This parameter shows the rate of friction between mechanical parts of the hard disk while operating. Only the time when heads were in the operating position is counted. When the value increases, it indicates that there is a problem with the mechanical subsystem of the drive.
This parameter specifies a count of head moving distances between operations.
This parameter specifies a count of head moving distances between operations.
Reported Uncorrectable Errors
Reported Uncorrectable Errors
hXXp://schemas.xmlsoap.org/soap/envelope/
hXXp://schemas.xmlsoap.org/soap/envelope/
hXXp://VVV.w3.org/*/soap-envelope
hXXp://VVV.w3.org/*/soap-envelope
hXXp://schemas.xmlsoap.org/soap/encoding/
hXXp://schemas.xmlsoap.org/soap/encoding/
hXXp://VVV.w3.org/*/soap-encoding
hXXp://VVV.w3.org/*/soap-encoding
hXXp://VVV.w3.org/2001/XMLSchema-instance
hXXp://VVV.w3.org/2001/XMLSchema-instance
hXXp://VVV.w3.org/*/XMLSchema-instance
hXXp://VVV.w3.org/*/XMLSchema-instance
hXXp://VVV.w3.org/2001/XMLSchema
hXXp://VVV.w3.org/2001/XMLSchema
hXXp://VVV.w3.org/*/XMLSchema
hXXp://VVV.w3.org/*/XMLSchema
hXXp://web.services.raxco.com/smart/1.0/SMARTModelUpdatesSoap
hXXp://web.services.raxco.com/smart/1.0/SMARTModelUpdatesSoap
hXXp://web.services.raxco.com/smart/1.0/
hXXp://web.services.raxco.com/smart/1.0/
hXXp://web.services.raxco.com/smart/1.0/SMARTModelUpdatesSoap12
hXXp://web.services.raxco.com/smart/1.0/SMARTModelUpdatesSoap12
ns1:KBArticleURL
ns1:KBArticleURL
ns1:ManufacturerURL
ns1:ManufacturerURL
ns1:ThresholdComparisonOperator
ns1:ThresholdComparisonOperator
ns1:MinOperatingTemperature
ns1:MinOperatingTemperature
ns1:MaxOperatingTemperature
ns1:MaxOperatingTemperature
hXXp://web.services.raxco.com/smart/1.0/SubmitDrive
hXXp://web.services.raxco.com/smart/1.0/SubmitDrive
hXXp://sandbox.development.raxco.com:8383/SMARTModelUpdates.asmx
hXXp://sandbox.development.raxco.com:8383/SMARTModelUpdates.asmx
hXXp://web.services.raxco.com/smart/1.0/SubmitDrives
hXXp://web.services.raxco.com/smart/1.0/SubmitDrives
hXXp://web.services.raxco.com/smart/1.0/GetDrivesByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetDrivesByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetAttributesByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetAttributesByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetAttributeTypesByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetAttributeTypesByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetAttributeDescriptionsByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetAttributeDescriptionsByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetDriveIssuesByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetDriveIssuesByLastTransactionId
hXXp://VVV.w3.org/2003/05/soap-envelope
hXXp://VVV.w3.org/2003/05/soap-envelope
hXXp://VVV.w3.org/2003/05/soap-encoding
hXXp://VVV.w3.org/2003/05/soap-encoding
hXXp://VVV.w3.org/2003/05/soap-rpc
hXXp://VVV.w3.org/2003/05/soap-rpc
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
Unsupported Media Type
Unsupported Media Type
HTTP Version not supported
HTTP Version not supported
%s[%d
%s[%d
TCP/UDP IP error %d
TCP/UDP IP error %d
TCP init failed in tcp_connect()
TCP init failed in tcp_connect()
socket failed in tcp_connect()
socket failed in tcp_connect()
setsockopt SO_LINGER failed in tcp_connect()
setsockopt SO_LINGER failed in tcp_connect()
setsockopt failed in tcp_connect()
setsockopt failed in tcp_connect()
setsockopt SO_KEEPALIVE failed in tcp_connect()
setsockopt SO_KEEPALIVE failed in tcp_connect()
setsockopt SO_SNDBUF failed in tcp_connect()
setsockopt SO_SNDBUF failed in tcp_connect()
setsockopt SO_RCVBUF failed in tcp_connect()
setsockopt SO_RCVBUF failed in tcp_connect()
setsockopt TCP_NODELAY failed in tcp_connect()
setsockopt TCP_NODELAY failed in tcp_connect()
setsockopt IP_MULTICAST_TTL failed in tcp_connect()
setsockopt IP_MULTICAST_TTL failed in tcp_connect()
setsockopt IP_MULTICAST_IF failed in tcp_connect()
setsockopt IP_MULTICAST_IF failed in tcp_connect()
get proxy host by name failed in tcp_connect()
get proxy host by name failed in tcp_connect()
get host by name failed in tcp_connect()
get host by name failed in tcp_connect()
connect failed in tcp_connect()
connect failed in tcp_connect()
https:*
https:*
TCP init failed in soap_bind()
TCP init failed in soap_bind()
setsockopt TCP_NODELAY failed in soap_bind()
setsockopt TCP_NODELAY failed in soap_bind()
setsockopt TCP_NODELAY failed in soap_accept()
setsockopt TCP_NODELAY failed in soap_accept()
HTTP/
HTTP/
HTTP Error
HTTP Error
hXXp://
hXXp://
HTTP/1.1 100 Continue
HTTP/1.1 100 Continue
http:*
http:*
httpg:
httpg:
%s %s HTTP/%s
%s %s HTTP/%s
%s /%s HTTP/%s
%s /%s HTTP/%s
%s:%d
%s:%d
%s:%s
%s:%s
HTTP/%s %s
HTTP/%s %s
HTTP/%s %d %s
HTTP/%s %d %s
gSOAP Web Service
gSOAP Web Service
Basic realm="%s"
Basic realm="%s"
xmlns:xop="hXXp://VVV.w3.org/2004/08/xop/include" href
xmlns:xop="hXXp://VVV.w3.org/2004/08/xop/include" href
cid:id%d
cid:id%d
xmlns:%s
xmlns:%s
hXXp://schemas.xmlsoap.org/soap/actor/next
hXXp://schemas.xmlsoap.org/soap/actor/next
hXXp://VVV.w3.org/2003/05/soap-envelope/role/next
hXXp://VVV.w3.org/2003/05/soap-envelope/role/next
xmlns:_%d
xmlns:_%d
%Y-%m-%dT%H:%M:%SZ
%Y-%m-%dT%H:%M:%SZ
%d-%d-%dT%d:%d:%d1s
%d-%d-%dT%d:%d:%d1s
M--T%d:%d:%d1s
M--T%d:%d:%d1s
M--T---1s
M--T---1s
%d:%d
%d:%d
Content-Type: %s
Content-Type: %s
Content-ID: %s
Content-ID: %s
soap.udp:
soap.udp:
multipart/related; charset=utf-8; boundary="%s"; type="
multipart/related; charset=utf-8; boundary="%s"; type="
%s; action="%s"
%s; action="%s"
Validation constraint violation: %s%s in element '%s'
Validation constraint violation: %s%s in element '%s'
Validation constraint violation: %s%s
Validation constraint violation: %s%s
The data in element '%s' must be understood but cannot be handled
The data in element '%s' must be understood but cannot be handled
Unsupported SOAP data encoding
Unsupported SOAP data encoding
Data required for operation
Data required for operation
Method '%s' not implemented: method name or namespace not recognized
Method '%s' not implemented: method name or namespace not recognized
HTTP GET method not implemented
HTTP GET method not implemented
HTTP PUT method not implemented
HTTP PUT method not implemented
HTTP method not implemented
HTTP method not implemented
Message too large for UDP packet
Message too large for UDP packet
An HTTP processing error occurred
An HTTP processing error occurred
HTTP Error: %d %s
HTTP Error: %d %s
Error %d
Error %d
Operation interrupted or timed out
Operation interrupted or timed out
(%d%cs receive delay)
(%d%cs receive delay)
(%d%cs send delay)
(%d%cs send delay)
%s%d fault: %s [%s]
%s%d fault: %s [%s]
Detail: %s
Detail: %s
ADODB.Connection
ADODB.Connection
ADODB.Recordset
ADODB.Recordset
D:\PerfectDisk_v12.5\Dev\binaries\Win32\Release\PDEngine.pdb
D:\PerfectDisk_v12.5\Dev\binaries\Win32\Release\PDEngine.pdb
ntdll.dll
ntdll.dll
SHFOLDER.dll
SHFOLDER.dll
WTSAPI32.dll
WTSAPI32.dll
USERENV.dll
USERENV.dll
PSAPI.DLL
PSAPI.DLL
WSOCK32.dll
WSOCK32.dll
FilterConnectCommunicationPort
FilterConnectCommunicationPort
FLTLIB.DLL
FLTLIB.DLL
GetProcessHeap
GetProcessHeap
SetThreadExecutionState
SetThreadExecutionState
SetNamedPipeHandleState
SetNamedPipeHandleState
WaitNamedPipeW
WaitNamedPipeW
PeekNamedPipe
PeekNamedPipe
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
RegFlushKey
RegFlushKey
RegCreateKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegEnumKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
ReportEventW
ReportEventW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
RPCRT4.dll
RPCRT4.dll
WS2_32.dll
WS2_32.dll
MSVCP100.dll
MSVCP100.dll
MSVCR100.dll
MSVCR100.dll
_amsg_exit
_amsg_exit
_wcmdln
_wcmdln
_crt_debugger_hook
_crt_debugger_hook
POWRPROF.dll
POWRPROF.dll
PDEngine.exe
PDEngine.exe
.?AVCOperationBase@@
.?AVCOperationBase@@
.?AUIOperation2@@
.?AUIOperation2@@
.?AUIOperation@@
.?AUIOperation@@
.?AUISupportErrorInfo@@
.?AUISupportErrorInfo@@
.?AVCOperationCreator@@
.?AVCOperationCreator@@
.?AV?$CComObject@VCWiperOperation@@@ATL@@
.?AV?$CComObject@VCWiperOperation@@@ATL@@
.?AVCWiperOperation@@
.?AVCWiperOperation@@
.?AV?$CComCoClass@VCWiperOperation@@$1?CLSID_WiperOperation@@3U_GUID@@B@ATL@@
.?AV?$CComCoClass@VCWiperOperation@@$1?CLSID_WiperOperation@@3U_GUID@@B@ATL@@
.?AV?$CComAggObject@VCWiperOperation@@@ATL@@
.?AV?$CComAggObject@VCWiperOperation@@@ATL@@
.?AV?$CComContainedObject@VCWiperOperation@@@ATL@@
.?AV?$CComContainedObject@VCWiperOperation@@@ATL@@
.?AVCPipeClient@@
.?AVCPipeClient@@
.?AVCMailSlotTransport@@
.?AVCMailSlotTransport@@
.?AVIMessageTransport@@
.?AVIMessageTransport@@
.?AVCTCPIPClient@@
.?AVCTCPIPClient@@
.?AVSmartWebService@@
.?AVSmartWebService@@
{3CD0151D-3AAA-41CB-8B05-FC809A228886} = s 'PDEngine'
{3CD0151D-3AAA-41CB-8B05-FC809A228886} = s 'PDEngine'
'PDEngine.EXE'
'PDEngine.EXE'
val AppID = s {3CD0151D-3AAA-41CB-8B05-FC809A228886}
val AppID = s {3CD0151D-3AAA-41CB-8B05-FC809A228886}
PDEngine.DriveManager.1 = s 'DriveManager Class'
PDEngine.DriveManager.1 = s 'DriveManager Class'
CLSID = s '{5BBEF00D-06EF-47BE-AE47-3662B6BE78DC}'
CLSID = s '{5BBEF00D-06EF-47BE-AE47-3662B6BE78DC}'
PDEngine.DriveManager = s 'DriveManager Class'
PDEngine.DriveManager = s 'DriveManager Class'
CurVer = s 'PDEngine.DriveManager.1'
CurVer = s 'PDEngine.DriveManager.1'
ForceRemove {5BBEF00D-06EF-47BE-AE47-3662B6BE78DC} = s 'DriveManager Class'
ForceRemove {5BBEF00D-06EF-47BE-AE47-3662B6BE78DC} = s 'DriveManager Class'
ProgID = s 'PDEngine.DriveManager.1'
ProgID = s 'PDEngine.DriveManager.1'
VersionIndependentProgID = s 'PDEngine.DriveManager'
VersionIndependentProgID = s 'PDEngine.DriveManager'
val AppID = s '{3CD0151D-3AAA-41CB-8B05-FC809A228886}'
val AppID = s '{3CD0151D-3AAA-41CB-8B05-FC809A228886}'
'TypeLib' = s '{39633C4D-66C0-46E1-96E5-A1E3686F1FD7}'
'TypeLib' = s '{39633C4D-66C0-46E1-96E5-A1E3686F1FD7}'
PDEngine.Drive.1 = s 'Drive Class'
PDEngine.Drive.1 = s 'Drive Class'
CLSID = s '{1CE95E9C-67E8-45F5-BEA9-E43E653F4CB2}'
CLSID = s '{1CE95E9C-67E8-45F5-BEA9-E43E653F4CB2}'
PDEngine.Drive = s 'Drive Class'
PDEngine.Drive = s 'Drive Class'
CurVer = s 'PDEngine.Drive.1'
CurVer = s 'PDEngine.Drive.1'
ForceRemove {1CE95E9C-67E8-45F5-BEA9-E43E653F4CB2} = s 'Drive Class'
ForceRemove {1CE95E9C-67E8-45F5-BEA9-E43E653F4CB2} = s 'Drive Class'
ProgID = s 'PDEngine.Drive.1'
ProgID = s 'PDEngine.Drive.1'
VersionIndependentProgID = s 'PDEngine.Drive'
VersionIndependentProgID = s 'PDEngine.Drive'
PDEngine.Analyze.1 = s 'Analyze Class'
PDEngine.Analyze.1 = s 'Analyze Class'
CLSID = s '{65F863A6-74A8-4604-83A2-59E013826C1B}'
CLSID = s '{65F863A6-74A8-4604-83A2-59E013826C1B}'
PDEngine.Analyze = s 'Analyze Class'
PDEngine.Analyze = s 'Analyze Class'
CurVer = s 'PDEngine.Analyze.1'
CurVer = s 'PDEngine.Analyze.1'
ForceRemove {65F863A6-74A8-4604-83A2-59E013826C1B} = s 'Analyze Class'
ForceRemove {65F863A6-74A8-4604-83A2-59E013826C1B} = s 'Analyze Class'
ProgID = s 'PDEngine.Analyze.1'
ProgID = s 'PDEngine.Analyze.1'
VersionIndependentProgID = s 'PDEngine.Analyze'
VersionIndependentProgID = s 'PDEngine.Analyze'
PDEngine.SmartPlacement.1 = s 'SmartPlacement Class'
PDEngine.SmartPlacement.1 = s 'SmartPlacement Class'
CLSID = s '{FE4CFAFE-910B-49E4-A581-D2B5B335250A}'
CLSID = s '{FE4CFAFE-910B-49E4-A581-D2B5B335250A}'
PDEngine.SmartPlacement = s 'SmartPlacement Class'
PDEngine.SmartPlacement = s 'SmartPlacement Class'
CurVer = s 'PDEngine.SmartPlacement.1'
CurVer = s 'PDEngine.SmartPlacement.1'
ForceRemove {FE4CFAFE-910B-49E4-A581-D2B5B335250A} = s 'SmartPlacement Class'
ForceRemove {FE4CFAFE-910B-49E4-A581-D2B5B335250A} = s 'SmartPlacement Class'
ProgID = s 'PDEngine.SmartPlacement.1'
ProgID = s 'PDEngine.SmartPlacement.1'
VersionIndependentProgID = s 'PDEngine.SmartPlacement'
VersionIndependentProgID = s 'PDEngine.SmartPlacement'
PDEngine.DefragOnly.1 = s 'DefragOnly Class'
PDEngine.DefragOnly.1 = s 'DefragOnly Class'
CLSID = s '{6A2448B5-6D47-4927-A429-89466114489E}'
CLSID = s '{6A2448B5-6D47-4927-A429-89466114489E}'
PDEngine.DefragOnly = s 'DefragOnly Class'
PDEngine.DefragOnly = s 'DefragOnly Class'
CurVer = s 'PDEngine.DefragOnly.1'
CurVer = s 'PDEngine.DefragOnly.1'
ForceRemove {6A2448B5-6D47-4927-A429-89466114489E} = s 'DefragOnly Class'
ForceRemove {6A2448B5-6D47-4927-A429-89466114489E} = s 'DefragOnly Class'
ProgID = s 'PDEngine.DefragOnly.1'
ProgID = s 'PDEngine.DefragOnly.1'
VersionIndependentProgID = s 'PDEngine.DefragOnly'
VersionIndependentProgID = s 'PDEngine.DefragOnly'
PDEngine.ConsolidateFreeSpace.1 = s 'ConsolidateFreeSpace Class'
PDEngine.ConsolidateFreeSpace.1 = s 'ConsolidateFreeSpace Class'
CLSID = s '{14AE005C-338A-4C5F-B9B0-2C7CD2F077EE}'
CLSID = s '{14AE005C-338A-4C5F-B9B0-2C7CD2F077EE}'
PDEngine.ConsolidateFreeSpace = s 'ConsolidateFreeSpace Class'
PDEngine.ConsolidateFreeSpace = s 'ConsolidateFreeSpace Class'
CurVer = s 'PDEngine.ConsolidateFreeSpace.1'
CurVer = s 'PDEngine.ConsolidateFreeSpace.1'
ForceRemove {14AE005C-338A-4C5F-B9B0-2C7CD2F077EE} = s 'ConsolidateFreeSpace Class'
ForceRemove {14AE005C-338A-4C5F-B9B0-2C7CD2F077EE} = s 'ConsolidateFreeSpace Class'
ProgID = s 'PDEngine.ConsolidateFreeSpace.1'
ProgID = s 'PDEngine.ConsolidateFreeSpace.1'
VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpace'
VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpace'
PDEngine.DefragFiles.1 = s 'DefragFiles Class'
PDEngine.DefragFiles.1 = s 'DefragFiles Class'
CLSID = s '{0E733394-7AE3-40A3-B43A-FEAFC2FF1FF7}'
CLSID = s '{0E733394-7AE3-40A3-B43A-FEAFC2FF1FF7}'
PDEngine.DefragFiles = s 'DefragFiles Class'
PDEngine.DefragFiles = s 'DefragFiles Class'
CurVer = s 'PDEngine.DefragFiles.1'
CurVer = s 'PDEngine.DefragFiles.1'
ForceRemove {0E733394-7AE3-40A3-B43A-FEAFC2FF1FF7} = s 'DefragFiles Class'
ForceRemove {0E733394-7AE3-40A3-B43A-FEAFC2FF1FF7} = s 'DefragFiles Class'
ProgID = s 'PDEngine.DefragFiles.1'
ProgID = s 'PDEngine.DefragFiles.1'
VersionIndependentProgID = s 'PDEngine.DefragFiles'
VersionIndependentProgID = s 'PDEngine.DefragFiles'
PDEngine.PDEngineConfig.1 = s 'PDEngineConfig Class'
PDEngine.PDEngineConfig.1 = s 'PDEngineConfig Class'
CLSID = s '{7C8C9637-5840-4647-8F3B-B08A6D06454A}'
CLSID = s '{7C8C9637-5840-4647-8F3B-B08A6D06454A}'
PDEngine.PDEngineConfig = s 'PDEngineConfig Class'
PDEngine.PDEngineConfig = s 'PDEngineConfig Class'
CurVer = s 'PDEngine.PDEngineConfig.1'
CurVer = s 'PDEngine.PDEngineConfig.1'
ForceRemove {7C8C9637-5840-4647-8F3B-B08A6D06454A} = s 'PDEngineConfig Class'
ForceRemove {7C8C9637-5840-4647-8F3B-B08A6D06454A} = s 'PDEngineConfig Class'
ProgID = s 'PDEngine.PDEngineConfig.1'
ProgID = s 'PDEngine.PDEngineConfig.1'
VersionIndependentProgID = s 'PDEngine.PDEngineConfig'
VersionIndependentProgID = s 'PDEngine.PDEngineConfig'
PDEngine.OfflineDefrag.1 = s 'OfflineDefrag Class'
PDEngine.OfflineDefrag.1 = s 'OfflineDefrag Class'
CLSID = s '{CB212A1F-2B9E-4A67-BC26-88A4059AFF16}'
CLSID = s '{CB212A1F-2B9E-4A67-BC26-88A4059AFF16}'
PDEngine.OfflineDefrag = s 'OfflineDefrag Class'
PDEngine.OfflineDefrag = s 'OfflineDefrag Class'
CurVer = s 'PDEngine.OfflineDefrag.1'
CurVer = s 'PDEngine.OfflineDefrag.1'
ForceRemove {CB212A1F-2B9E-4A67-BC26-88A4059AFF16} = s 'OfflineDefrag Class'
ForceRemove {CB212A1F-2B9E-4A67-BC26-88A4059AFF16} = s 'OfflineDefrag Class'
ProgID = s 'PDEngine.OfflineDefrag.1'
ProgID = s 'PDEngine.OfflineDefrag.1'
VersionIndependentProgID = s 'PDEngine.OfflineDefrag'
VersionIndependentProgID = s 'PDEngine.OfflineDefrag'
PDEngine.PDEngineLicense.1 = s 'PDEngineLicense Class'
PDEngine.PDEngineLicense.1 = s 'PDEngineLicense Class'
CLSID = s '{E5BFC15E-3DC6-4B0A-B577-59F5F7FFD0F1}'
CLSID = s '{E5BFC15E-3DC6-4B0A-B577-59F5F7FFD0F1}'
PDEngine.PDEngineLicense = s 'PDEngineLicense Class'
PDEngine.PDEngineLicense = s 'PDEngineLicense Class'
CurVer = s 'PDEngine.PDEngineLicense.1'
CurVer = s 'PDEngine.PDEngineLicense.1'
ForceRemove {E5BFC15E-3DC6-4B0A-B577-59F5F7FFD0F1} = s 'PDEngineLicense Class'
ForceRemove {E5BFC15E-3DC6-4B0A-B577-59F5F7FFD0F1} = s 'PDEngineLicense Class'
ProgID = s 'PDEngine.PDEngineLicense.1'
ProgID = s 'PDEngine.PDEngineLicense.1'
VersionIndependentProgID = s 'PDEngine.PDEngineLicense'
VersionIndependentProgID = s 'PDEngine.PDEngineLicense'
PDEngine.ConsolidateFreeSpaceNoDefrag.1 = s 'ConsolidateFreeSpaceNoDefrag Class'
PDEngine.ConsolidateFreeSpaceNoDefrag.1 = s 'ConsolidateFreeSpaceNoDefrag Class'
CLSID = s '{B4FE62FF-AA05-444f-AA6A-719AF3CF41A6}'
CLSID = s '{B4FE62FF-AA05-444f-AA6A-719AF3CF41A6}'
PDEngine.ConsolidateFreeSpaceNoDefrag = s 'ConsolidateFreeSpaceNoDefrag Class'
PDEngine.ConsolidateFreeSpaceNoDefrag = s 'ConsolidateFreeSpaceNoDefrag Class'
CurVer = s 'PDEngine.ConsolidateFreeSpaceNoDefrag.1'
CurVer = s 'PDEngine.ConsolidateFreeSpaceNoDefrag.1'
ForceRemove {B4FE62FF-AA05-444f-AA6A-719AF3CF41A6} = s 'ConsolidateFreeSpaceNoDefrag Class'
ForceRemove {B4FE62FF-AA05-444f-AA6A-719AF3CF41A6} = s 'ConsolidateFreeSpaceNoDefrag Class'
ProgID = s 'PDEngine.ConsolidateFreeSpaceNoDefrag.1'
ProgID = s 'PDEngine.ConsolidateFreeSpaceNoDefrag.1'
VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpaceNoDefrag'
VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpaceNoDefrag'
PDEngine.ConsolidateFreeSpaceArbitraryRegion.1 = s 'ConsolidateFreeSpaceArbitraryRegion Class'
PDEngine.ConsolidateFreeSpaceArbitraryRegion.1 = s 'ConsolidateFreeSpaceArbitraryRegion Class'
CLSID = s '{45A03850-8EAF-4ffe-B18A-5A17333795A7}'
CLSID = s '{45A03850-8EAF-4ffe-B18A-5A17333795A7}'
PDEngine.ConsolidateFreeSpaceArbitraryRegion = s 'ConsolidateFreeSpaceArbitraryRegion Class'
PDEngine.ConsolidateFreeSpaceArbitraryRegion = s 'ConsolidateFreeSpaceArbitraryRegion Class'
CurVer = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion.1'
CurVer = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion.1'
ForceRemove {45A03850-8EAF-4ffe-B18A-5A17333795A7} = s 'ConsolidateFreeSpaceArbitraryRegion Class'
ForceRemove {45A03850-8EAF-4ffe-B18A-5A17333795A7} = s 'ConsolidateFreeSpaceArbitraryRegion Class'
ProgID = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion.1'
ProgID = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion.1'
VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion'
VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion'
PDEngine.CFreeChunksDefrag.1 = s 'CFreeChunksDefrag Class'
PDEngine.CFreeChunksDefrag.1 = s 'CFreeChunksDefrag Class'
CLSID = s '{3FD132FE-8062-4285-81A2-66244463C3DA}'
CLSID = s '{3FD132FE-8062-4285-81A2-66244463C3DA}'
PDEngine.CFreeChunksDefrag = s 'CFreeChunksDefrag Class'
PDEngine.CFreeChunksDefrag = s 'CFreeChunksDefrag Class'
CurVer = s 'PDEngine.CFreeChunksDefrag.1'
CurVer = s 'PDEngine.CFreeChunksDefrag.1'
ForceRemove {3FD132FE-8062-4285-81A2-66244463C3DA} = s 'CFreeChunksDefrag Class'
ForceRemove {3FD132FE-8062-4285-81A2-66244463C3DA} = s 'CFreeChunksDefrag Class'
ProgID = s 'PDEngine.CFreeChunksDefrag.1'
ProgID = s 'PDEngine.CFreeChunksDefrag.1'
VersionIndependentProgID = s 'PDEngine.CFreeChunksDefrag'
VersionIndependentProgID = s 'PDEngine.CFreeChunksDefrag'
PDEngine.CChunkSensativeDefragOnly.1 = s 'CChunkSensativeDefragOnly Class'
PDEngine.CChunkSensativeDefragOnly.1 = s 'CChunkSensativeDefragOnly Class'
CLSID = s '{77499A0B-E5FE-4db5-A490-ADF727549681}'
CLSID = s '{77499A0B-E5FE-4db5-A490-ADF727549681}'
PDEngine.CChunkSensativeDefragOnly = s 'CChunkSensativeDefragOnly Class'
PDEngine.CChunkSensativeDefragOnly = s 'CChunkSensativeDefragOnly Class'
CurVer = s 'PDEngine.CChunkSensativeDefragOnly.1'
CurVer = s 'PDEngine.CChunkSensativeDefragOnly.1'
ForceRemove {77499A0B-E5FE-4db5-A490-ADF727549681} = s 'CChunkSensativeDefragOnly Class'
ForceRemove {77499A0B-E5FE-4db5-A490-ADF727549681} = s 'CChunkSensativeDefragOnly Class'
ProgID = s 'PDEngine.CChunkSensativeDefragOnly.1'
ProgID = s 'PDEngine.CChunkSensativeDefragOnly.1'
VersionIndependentProgID = s 'PDEngine.CChunkSensativeDefragOnly'
VersionIndependentProgID = s 'PDEngine.CChunkSensativeDefragOnly'
PDEngine.SmartDrive.1 = s 'SmartDrive Class'
PDEngine.SmartDrive.1 = s 'SmartDrive Class'
CLSID = s '{01B47415-0E1E-412d-87F2-CF50AF49856E}'
CLSID = s '{01B47415-0E1E-412d-87F2-CF50AF49856E}'
PDEngine.SmartDrive = s 'SmartDrive Class'
PDEngine.SmartDrive = s 'SmartDrive Class'
CurVer = s 'PDEngine.SmartDrive.1'
CurVer = s 'PDEngine.SmartDrive.1'
ForceRemove {01B47415-0E1E-412d-87F2-CF50AF49856E} = s 'SmartDrive Class'
ForceRemove {01B47415-0E1E-412d-87F2-CF50AF49856E} = s 'SmartDrive Class'
ProgID = s 'PDEngine.SmartDrive.1'
ProgID = s 'PDEngine.SmartDrive.1'
VersionIndependentProgID = s 'PDEngine.SmartDrive'
VersionIndependentProgID = s 'PDEngine.SmartDrive'
PDEngine.SmartSettings.1 = s 'SmartSettings Class'
PDEngine.SmartSettings.1 = s 'SmartSettings Class'
CLSID = s '{D8727363-34CE-4E79-8B84-1986D941371E}'
CLSID = s '{D8727363-34CE-4E79-8B84-1986D941371E}'
PDEngine.SmartSettings = s 'SmartSettings Class'
PDEngine.SmartSettings = s 'SmartSettings Class'
CurVer = s 'PDEngine.SmartSettings.1'
CurVer = s 'PDEngine.SmartSettings.1'
ForceRemove {D8727363-34CE-4E79-8B84-1986D941371E} = s 'SmartSettings Class'
ForceRemove {D8727363-34CE-4E79-8B84-1986D941371E} = s 'SmartSettings Class'
ProgID = s 'PDEngine.SmartSettings.1'
ProgID = s 'PDEngine.SmartSettings.1'
VersionIndependentProgID = s 'PDEngine.SmartSettings'
VersionIndependentProgID = s 'PDEngine.SmartSettings'
PDEngine.WWSettings.1 = s 'WWSettings Class'
PDEngine.WWSettings.1 = s 'WWSettings Class'
CLSID = s '{E81DE8EC-17C9-4F1D-B3B7-CD9CDED9CD7A}'
CLSID = s '{E81DE8EC-17C9-4F1D-B3B7-CD9CDED9CD7A}'
PDEngine.WWSettings = s 'WWSettings Class'
PDEngine.WWSettings = s 'WWSettings Class'
CurVer = s 'PDEngine.WWSettings.1'
CurVer = s 'PDEngine.WWSettings.1'
ForceRemove {E81DE8EC-17C9-4F1D-B3B7-CD9CDED9CD7A} = s 'WWSettings Class'
ForceRemove {E81DE8EC-17C9-4F1D-B3B7-CD9CDED9CD7A} = s 'WWSettings Class'
ProgID = s 'PDEngine.WWSettings.1'
ProgID = s 'PDEngine.WWSettings.1'
VersionIndependentProgID = s 'PDEngine.WWSettings'
VersionIndependentProgID = s 'PDEngine.WWSettings'
PDEngine.WWGlobalSettings.1 = s 'WWGlobalSettings Class'
PDEngine.WWGlobalSettings.1 = s 'WWGlobalSettings Class'
CLSID = s '{F01E003F-2784-4178-9209-5128ED010A65}'
CLSID = s '{F01E003F-2784-4178-9209-5128ED010A65}'
PDEngine.WWGlobalSettings = s 'WWGlobalSettings Class'
PDEngine.WWGlobalSettings = s 'WWGlobalSettings Class'
CurVer = s 'PDEngine.WWGlobalSettings.1'
CurVer = s 'PDEngine.WWGlobalSettings.1'
ForceRemove {F01E003F-2784-4178-9209-5128ED010A65} = s 'WWGlobalSettings Class'
ForceRemove {F01E003F-2784-4178-9209-5128ED010A65} = s 'WWGlobalSettings Class'
ProgID = s 'PDEngine.WWGlobalSettings.1'
ProgID = s 'PDEngine.WWGlobalSettings.1'
VersionIndependentProgID = s 'PDEngine.WWGlobalSettings'
VersionIndependentProgID = s 'PDEngine.WWGlobalSettings'
PDEngine.WiperOperation.1 = s 'WiperOperation Class'
PDEngine.WiperOperation.1 = s 'WiperOperation Class'
CLSID = s '{62DBE6CE-65DF-4704-921E-52D17B77D391}'
CLSID = s '{62DBE6CE-65DF-4704-921E-52D17B77D391}'
PDEngine.WiperOperation = s 'WiperOperation Class'
PDEngine.WiperOperation = s 'WiperOperation Class'
CurVer = s 'PDEngine.WiperOperation.1'
CurVer = s 'PDEngine.WiperOperation.1'
ForceRemove {62DBE6CE-65DF-4704-921E-52D17B77D391} = s 'WiperOperation Class'
ForceRemove {62DBE6CE-65DF-4704-921E-52D17B77D391} = s 'WiperOperation Class'
ProgID = s 'PDEngine.WiperOperation.1'
ProgID = s 'PDEngine.WiperOperation.1'
VersionIndependentProgID = s 'PDEngine.WiperOperation'
VersionIndependentProgID = s 'PDEngine.WiperOperation'
PDEngine.GlobalAlertSettings.1 = s 'GlobalAlertSettings Class'
PDEngine.GlobalAlertSettings.1 = s 'GlobalAlertSettings Class'
CLSID = s '{30E9EF1B-8E5F-48B4-919C-940FC938443E}'
CLSID = s '{30E9EF1B-8E5F-48B4-919C-940FC938443E}'
PDEngine.GlobalAlertSettings = s 'GlobalAlertSettings Class'
PDEngine.GlobalAlertSettings = s 'GlobalAlertSettings Class'
CurVer = s 'PDEngine.GlobalAlertSettings.1'
CurVer = s 'PDEngine.GlobalAlertSettings.1'
ForceRemove {30E9EF1B-8E5F-48B4-919C-940FC938443E} = s 'GlobalAlertSettings Class'
ForceRemove {30E9EF1B-8E5F-48B4-919C-940FC938443E} = s 'GlobalAlertSettings Class'
ProgID = s 'PDEngine.GlobalAlertSettings.1'
ProgID = s 'PDEngine.GlobalAlertSettings.1'
VersionIndependentProgID = s 'PDEngine.GlobalAlertSettings'
VersionIndependentProgID = s 'PDEngine.GlobalAlertSettings'
PDEngine.VolumeAlertSettings.1 = s 'VolumeAlertSettings Class'
PDEngine.VolumeAlertSettings.1 = s 'VolumeAlertSettings Class'
CLSID = s '{681FCBAE-D536-4083-9D76-E4D91644B755}'
CLSID = s '{681FCBAE-D536-4083-9D76-E4D91644B755}'
PDEngine.VolumeAlertSettings = s 'VolumeAlertSettings Class'
PDEngine.VolumeAlertSettings = s 'VolumeAlertSettings Class'
CurVer = s 'PDEngine.VolumeAlertSettings.1'
CurVer = s 'PDEngine.VolumeAlertSettings.1'
ForceRemove {681FCBAE-D536-4083-9D76-E4D91644B755} = s 'VolumeAlertSettings Class'
ForceRemove {681FCBAE-D536-4083-9D76-E4D91644B755} = s 'VolumeAlertSettings Class'
ProgID = s 'PDEngine.VolumeAlertSettings.1'
ProgID = s 'PDEngine.VolumeAlertSettings.1'
VersionIndependentProgID = s 'PDEngine.VolumeAlertSettings'
VersionIndependentProgID = s 'PDEngine.VolumeAlertSettings'
stdole2.tlbWWW
stdole2.tlbWWW
8-sEDriveOperationW
8-sEDriveOperationW
0F=Operation_IdleWW
0F=Operation_IdleWW
Operation_AnalyzeWWW
Operation_AnalyzeWWW
COperation_DefragSmartPlacementWW
COperation_DefragSmartPlacementWW
HOperation_DefragOnly
HOperation_DefragOnly
Operation_ConsolidateFreeSpaceWW
Operation_ConsolidateFreeSpaceWW
Operation_DefragFilesWWW
Operation_DefragFilesWWW
Operation_DefragOfflineW
Operation_DefragOfflineW
Operation_ConsolidateFreeSpaceNoDefragWW
Operation_ConsolidateFreeSpaceNoDefragWW
Operation_ConsolidateFreeSpaceArbitraryRegionWWW
Operation_ConsolidateFreeSpaceArbitraryRegionWWW
Operation_FreeChunks
Operation_FreeChunks
Operation_DefragWithChunksWW
Operation_DefragWithChunksWW
Operation_WipeFreeSpaceW,
Operation_WipeFreeSpaceW,
yOperationWWW
yOperationWWW
grfLocksSupportedWWW
grfLocksSupportedWWW
.UnSubscribeW`
.UnSubscribeW`
password`
password`
8}CEOperationPriorityWWT
8}CEOperationPriorityWWT
SupportedFeaturesWWW
SupportedFeaturesWWW
IssueKBArticleURLWWW
IssueKBArticleURLWWW
kb_article_urlWW
kb_article_urlWW
IssueManufacturerURL
IssueManufacturerURL
manufacturer_url
manufacturer_url
?.serialized_log_dataW
?.serialized_log_dataW
keyW
keyW
]GetCurrentOperationW
]GetCurrentOperationW
drive_operationW4
drive_operationW4
ISupportErrorInfoWWW
ISupportErrorInfoWWW
HInterfaceSupportsErrorInfoWW
HInterfaceSupportsErrorInfoWW
IOperation2W
IOperation2W
8;qIOperationWW
8;qIOperationWW
8[{WiperOperationWW
8[{WiperOperationWW
property Operation
property Operation
property SupportedFeatures
property SupportedFeatures
property IssueKBArticleURL
property IssueKBArticleURL
property IssueManufacturerURLW
property IssueManufacturerURLW
method GetCurrentOperation
method GetCurrentOperation
IOperation2 InterfaceW
IOperation2 InterfaceW
IOperation InterfaceWW
IOperation InterfaceWW
WiperOperation ClassWW
WiperOperation ClassWW
Created by MIDL version 7.00.0555 at Thu Oct 04 17:22:47 2012
Created by MIDL version 7.00.0555 at Thu Oct 04 17:22:47 2012
PerfectDisk is a disk defragmenter, thus it needs low level access to systemPPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
PerfectDisk is a disk defragmenter, thus it needs low level access to systemPPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
808;8[8}8
808;8[8}8
2M4
2M4
?$?*?]?
?$?*?]?
= >4>:>}>
= >4>:>}>
5 5$5(5,5054585
5 5$5(5,5054585
6 6$6(6,6
6 6$6(6,6
= = =8=^=
= = =8=^=
"0'040}0
"0'040}0
? ?$?(?,?0?4?8?@?
? ?$?(?,?0?4?8?@?
:$:*:0:@:
:$:*:0:@:
9 9$9(9,9094989
9 9$9(9,9094989
4$4,444
4$4,444
7 747
7 747
9$9,989\9|9
9$9,989\9|9
0(040
0(040
=(=4=
=(=4=
>,>8>@>\>|>
>,>8>@>\>|>
AllocationBitmap.cpp
AllocationBitmap.cpp
ClientInterface.cpp
ClientInterface.cpp
Advapi32.dll
Advapi32.dll
eClusApi.dll
eClusApi.dll
ResUtils.Dll
ResUtils.Dll
\\?\Volume
\\?\Volume
DiskOb.cpp
DiskOb.cpp
%s$Mft
%s$Mft
.CVarLenArray: Deallocating page pointer array.
.CVarLenArray: Deallocating page pointer array.
DriveManager.cpp
DriveManager.cpp
\\?\Volume{
\\?\Volume{
%s\%s
%s\%s
BootExecute
BootExecute
PDBoot.exe
PDBoot.exe
d:\perfectdisk_v12.5\dev\pdengine\CalculateAlertMessage.hpp
d:\perfectdisk_v12.5\dev\pdengine\CalculateAlertMessage.hpp
Software\Microsoft\Windows\CurrentVersion\Controls Folder
Software\Microsoft\Windows\CurrentVersion\Controls Folder
{92EA7FF7-DE29-4E91-A2B1-FD9E58CD485D}
{92EA7FF7-DE29-4E91-A2B1-FD9E58CD485D}
{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}
{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}
/#%d)
/#%d)
.pd_wiper
.pd_wiper
\\.\PhysicalDrive%d
\\.\PhysicalDrive%d
Sense key (bit 3)
Sense key (bit 3)
Sense key (bit 2)
Sense key (bit 2)
Sense key (bit 1)
Sense key (bit 1)
Sense key (bit 0)
Sense key (bit 0)
%d sectors
%d sectors
at LBA = 0xx = %u
at LBA = 0xx = %u
-- -- -- -- -- -- --
-- -- -- -- -- -- --
-- -- -- == -- == == == -- -- -- -- --
-- -- -- == -- == == == -- -- -- -- --
[RESERVED FOR MEDIA CARD PASS THROUGH]
[RESERVED FOR MEDIA CARD PASS THROUGH]
SECURITY SET PASSWORD
SECURITY SET PASSWORD
SECURITY DISABLE PASSWORD
SECURITY DISABLE PASSWORD
SMART EXECUTE OFF-LINE IMMEDIATE
SMART EXECUTE OFF-LINE IMMEDIATE
SMART ENABLE OPERATIONS
SMART ENABLE OPERATIONS
SMART DISABLE OPERATIONS
SMART DISABLE OPERATIONS
SET MAX SET PASSWORD
SET MAX SET PASSWORD
d-d
d-d
%s\drivers\%s.sys
%s\drivers\%s.sys
%s\*.nls
%s\*.nls
Software\Microsoft\Windows\CurrentVersion\OptimalLayout
Software\Microsoft\Windows\CurrentVersion\OptimalLayout
1MonitoringWWClass.cpp
1MonitoringWWClass.cpp
D:\PerfectDisk_v12.5\Dev\PDFramework\PDFsFilterInterface.hpp
D:\PerfectDisk_v12.5\Dev\PDFramework\PDFsFilterInterface.hpp
1Unknown error: %d
1Unknown error: %d
OperationBase.cpp
OperationBase.cpp
{3808876B-C176-4E48-B7AE-04046E6CC752}
{3808876B-C176-4E48-B7AE-04046E6CC752}
{3CD0151D-3AAA-41CB-8B05-FC809A228886}
{3CD0151D-3AAA-41CB-8B05-FC809A228886}
PDAgentS1.exe
PDAgentS1.exe
F6C76BD7-43ED-45EC-A273-C4773238908A
F6C76BD7-43ED-45EC-A273-C4773238908A
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
H\\.\pipe\
H\\.\pipe\
\pipe\
\pipe\
NTDLL.DLL
NTDLL.DLL
\\.\LCD
\\.\LCD
SOFTWARE\Classes\CLSID\{CC5C2398-3512-464D-B59D-C9B85541AD50}\LocalServer32
SOFTWARE\Classes\CLSID\{CC5C2398-3512-464D-B59D-C9B85541AD50}\LocalServer32
explorer.exe
explorer.exe
Wtsapi32.dll
Wtsapi32.dll
1pdengine_module.cpp
1pdengine_module.cpp
pdengine_module.cpp
pdengine_module.cpp
PerfectDisk.exe
PerfectDisk.exe
V\\.\mailslot\
V\\.\mailslot\
ClientConsolePort
ClientConsolePort
SELECT TemporaryStalledAlerts.AlertsId FROM TemporaryStalledAlerts INNER JOIN Alerts
SELECT TemporaryStalledAlerts.AlertsId FROM TemporaryStalledAlerts INNER JOIN Alerts
ON TemporaryStalledAlerts.AlertsId = Alerts.AlertsId
ON TemporaryStalledAlerts.AlertsId = Alerts.AlertsId
OLEAUT32.DLL
OLEAUT32.DLL
Call to TalkToConsole failed. Returned buffer size is 0. Console name: %s, port %d
Call to TalkToConsole failed. Returned buffer size is 0. Console name: %s, port %d
Call to TalkToConsole failed. HRESULT=%u. Console name: %s, port %d
Call to TalkToConsole failed. HRESULT=%u. Console name: %s, port %d
d:\perfectdisk_v12.5\dev\pdframework\..\PDAgent\talk_to_console.hpp
d:\perfectdisk_v12.5\dev\pdframework\..\PDAgent\talk_to_console.hpp
_d-d-d ddd d
_d-d-d ddd d
%s %s %s %s d u %s/d (%s) %s
%s %s %s %s d u %s/d (%s) %s
Call to tcpip(msg_in,msg_out) failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to tcpip(msg_in,msg_out) failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to tcpip(msg_in,msg_out) was successful
Call to tcpip(msg_in,msg_out) was successful
GetIpAddressesByNameHRESULT found no IP addresses. Console name=%s
GetIpAddressesByNameHRESULT found no IP addresses. Console name=%s
Call to GetIpAddressesByNameHRESULT failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to GetIpAddressesByNameHRESULT failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to CreateMutex failed. Microsoft Error Code=%u
Call to CreateMutex failed. Microsoft Error Code=%u
_##_%d
_##_%d
Call to rpc_client.CallServer(byte_buff_in,byte_buff_out) failed. status=%u
Call to rpc_client.CallServer(byte_buff_in,byte_buff_out) failed. status=%u
CTalkToConsoleViaTCPIP::operator ()
CTalkToConsoleViaTCPIP::operator ()
Call to rpc_client.Connect(m_IpAddress,m_Port) failed. status=%u
Call to rpc_client.Connect(m_IpAddress,m_Port) failed. status=%u
.midi
.midi
.mpeg
.mpeg
.jpeg
.jpeg
.html
.html
.docx
.docx
PDLicenseKeyEnable
PDLicenseKeyEnable
PDLicenseKey
PDLicenseKey
config.ini
config.ini
LicenseKey
LicenseKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion
{9307000D-38CF-4e9e-AB97-6AC9243AFB9C}
{9307000D-38CF-4e9e-AB97-6AC9243AFB9C}
{E972C77D-BABA-4EA9-88D5-5AD6517EF444}
{E972C77D-BABA-4EA9-88D5-5AD6517EF444}
{5F79448F-AD6F-4931-B39D-13B5DFB34108}
{5F79448F-AD6F-4931-B39D-13B5DFB34108}
SmartAlerting.cpp
SmartAlerting.cpp
SmartDatabaseBase.cpp
SmartDatabaseBase.cpp
ThresholdOperator = %6%,
ThresholdOperator = %6%,
ThresholdOperator,
ThresholdOperator,
KBArticleURL = %6% ,
KBArticleURL = %6% ,
ManufacturerURL = %7%,
ManufacturerURL = %7%,
KBArticleURL ,
KBArticleURL ,
ManufacturerURL,
ManufacturerURL,
MinOperatingTemperature = %7% ,
MinOperatingTemperature = %7% ,
MaxOperatingTemperature = %8% ,
MaxOperatingTemperature = %8% ,
MinOperatingTemperature ,
MinOperatingTemperature ,
MaxOperatingTemperature ,
MaxOperatingTemperature ,
MinOperatingTemperature ,
MinOperatingTemperature ,
MaxOperatingTemperature ,
MaxOperatingTemperature ,
ThresholdOperator,
ThresholdOperator,
SELECT TOP(%5%) SmartErrorLog.Timestamp ,
SELECT TOP(%5%) SmartErrorLog.Timestamp ,
SmartErrorLog.Data
SmartErrorLog.Data
WHERE SmartErrorLog.Timestamp
WHERE SmartErrorLog.Timestamp
AND SmartErrorLog.Timestamp >= %2%
AND SmartErrorLog.Timestamp >= %2%
AND SmartErrorLog.ModelName = %3%
AND SmartErrorLog.ModelName = %3%
AND SmartErrorLog.SerialNumber = %4% ;
AND SmartErrorLog.SerialNumber = %4% ;
SELECT top(%6%) SmartHistory.Timestamp ,
SELECT top(%6%) SmartHistory.Timestamp ,
SmartHistory.RawValue ,
SmartHistory.RawValue ,
SmartHistory.NormalizedValue
SmartHistory.NormalizedValue
WHERE SmartHistory.Timestamp
WHERE SmartHistory.Timestamp
AND SmartHistory.Timestamp >= %2%
AND SmartHistory.Timestamp >= %2%
AND SmartHistory.ModelName = %3%
AND SmartHistory.ModelName = %3%
AND SmartHistory.SerialNumber = %4%
AND SmartHistory.SerialNumber = %4%
AND SmartHistory.AttributeID = %5% ;
AND SmartHistory.AttributeID = %5% ;
SELECT SmartDriveMap.NameRegex,
SELECT SmartDriveMap.NameRegex,
SmartDriveMap.FirmwareRegex,
SmartDriveMap.FirmwareRegex,
SmartDriveMap.SerialRegex,
SmartDriveMap.SerialRegex,
SmartDriveIssues.Description,
SmartDriveIssues.Description,
SmartDriveIssues.LongDescription,
SmartDriveIssues.LongDescription,
SmartDriveIssues.KBArticleURL,
SmartDriveIssues.KBArticleURL,
SmartDriveIssues.ManufacturerURL
SmartDriveIssues.ManufacturerURL
INNER JOIN SmartDriveIssues
INNER JOIN SmartDriveIssues
ON SmartDriveMap.ID = SmartDriveIssues.DriveID
ON SmartDriveMap.ID = SmartDriveIssues.DriveID
WHERE SmartDriveIssues.DisableSMART 0
WHERE SmartDriveIssues.DisableSMART 0
AND SmartDriveIssues.Language = %1%;
AND SmartDriveIssues.Language = %1%;
1SmartDatabaseBase.cpp
1SmartDatabaseBase.cpp
\\.\PhysicalDrive
\\.\PhysicalDrive
.Software\Raxco\PDCore\12.5
.Software\Raxco\PDCore\12.5
WebServiceEnabled
WebServiceEnabled
SmartDatabase.cpp
SmartDatabase.cpp
1SmartDatabase.cpp
1SmartDatabase.cpp
SmartPollingClass.cpp
SmartPollingClass.cpp
1SmartPollingClass.cpp
1SmartPollingClass.cpp
WebServiceUrl
WebServiceUrl
B45EFD40-2FD3-49EC-9495-87AC9CF11686
B45EFD40-2FD3-49EC-9495-87AC9CF11686
6272517F-F036-4EF6-85C2-F9082F248FA4
6272517F-F036-4EF6-85C2-F9082F248FA4
e6272517F-F036-4EF6-85C2-F9082F248FA4
e6272517F-F036-4EF6-85C2-F9082F248FA4
Windows NT
Windows NT
VssApi.dll
VssApi.dll
\PDFsFilterPort
\PDFsFilterPort
2\\.\%s%u
2\\.\%s%u
db_manager.cpp
db_manager.cpp
Return code: 0x%8.8X (%lu) (%s/#%d)
Return code: 0x%8.8X (%lu) (%s/#%d)
ado_implement.cpp
ado_implement.cpp
SQL Query:
SQL Query:
boot.ini
boot.ini
ntdetect.com
ntdetect.com
ntbootdd.sys
ntbootdd.sys
drivers\diskdump.sys
drivers\diskdump.sys
Moving in %s
Moving in %s
Moving out %s
Moving out %s
Skipping %s
Skipping %s
Skipping file %d, LCN=%d
Skipping file %d, LCN=%d
Skipping file %s, LCN=%d
Skipping file %s, LCN=%d
%s %s VCN=%d Size=%d to LCN %d (LastError=%d).
%s %s VCN=%d Size=%d to LCN %d (LastError=%d).
%s %d VCN=%d Size=%d to LCN %d (LastError=%d).
%s %d VCN=%d Size=%d to LCN %d (LastError=%d).
%s %s VCN=%d Size=%d from LCN=%d to LCN %d (LastError=%d).
%s %s VCN=%d Size=%d from LCN=%d to LCN %d (LastError=%d).
%s %d VCN=%d Size=%d from LCN=%d to LCN %d (LastError=%d).
%s %d VCN=%d Size=%d from LCN=%d to LCN %d (LastError=%d).
\Hiberfil.sys
\Hiberfil.sys
%c:%s
%c:%s
Starting boot-time defragmentation pass.
Starting boot-time defragmentation pass.
Hit any key to restart immediately. Restarting in %d.
Hit any key to restart immediately. Restarting in %d.
ERROR: Unable to open keyboard. Exiting.
ERROR: Unable to open keyboard. Exiting.
ERROR: Invalid registry key. Exiting.
ERROR: Invalid registry key. Exiting.
Could not gain exclusive access to drive %s (%d).
Could not gain exclusive access to drive %s (%d).
There is a possible driver conflict. (%s)
There is a possible driver conflict. (%s)
Unable to verify drive %s due to inconsistencies (%d, %d).
Unable to verify drive %s due to inconsistencies (%d, %d).
Please run 'chkdsk /r /f %s'.
Please run 'chkdsk /r /f %s'.
File system on drive %s not supported.
File system on drive %s not supported.
Could not find the file pagefile.sys on drive %s.
Could not find the file pagefile.sys on drive %s.
Could not lock drive %s for exclusive access.
Could not lock drive %s for exclusive access.
Drive %s is marked dirty.
Drive %s is marked dirty.
Failed to read boot sector (pSector=0xx, bytes per sector=%d).
Failed to read boot sector (pSector=0xx, bytes per sector=%d).
Failed to read FAT (FAT offset=%d, bytes per FAT=%d).
Failed to read FAT (FAT offset=%d, bytes per FAT=%d).
User specified PDBootNoKeyboardOK = %d.
User specified PDBootNoKeyboardOK = %d.
Failed to create keyboard event #%d (%d).
Failed to create keyboard event #%d (%d).
User specified PDBiosGT8GBCapable = %d.
User specified PDBiosGT8GBCapable = %d.
User specified PDUseDefragReboot = %d.
User specified PDUseDefragReboot = %d.
Pagefile Id = %d
Pagefile Id = %d
Pagefile on FAT drive (%s)
Pagefile on FAT drive (%s)
Failed to open pagefile (%s) for File ID query (%d)
Failed to open pagefile (%s) for File ID query (%d)
Hiberfil.sys id = %d
Hiberfil.sys id = %d
Found hiberfil.sys.
Found hiberfil.sys.
Failed to read state file signature and entries count (%d).
Failed to read state file signature and entries count (%d).
Incorrect state file signature - %X
Incorrect state file signature - %X
Failed to read state file entries (%d)
Failed to read state file entries (%d)
DefragQueryDriverVersion() failed (%d,%d).
DefragQueryDriverVersion() failed (%d,%d).
Failed to open volume using DefragFS (%d,%d).
Failed to open volume using DefragFS (%d,%d).
Failed to verify volume using DefragFS (%d,%d).
Failed to verify volume using DefragFS (%d,%d).
Failed to wait for verify volume using DefragFS (%d,%d).
Failed to wait for verify volume using DefragFS (%d,%d).
Failed to open state file (%d,%d).
Failed to open state file (%d,%d).
DefragZeroFile() failed (%d,%d)
DefragZeroFile() failed (%d,%d)
GetDiskFreeSpace() failed (%d).
GetDiskFreeSpace() failed (%d).
GetVolumeInformation() failed (%d)
GetVolumeInformation() failed (%d)
Invalid filesystem (%s).
Invalid filesystem (%s).
Failed to query allocation bitmap using DefragFS (%d).
Failed to query allocation bitmap using DefragFS (%d).
Failed to load unmovable files list from the registry (%d).
Failed to load unmovable files list from the registry (%d).
Failed to query volume state using DefragFS (%d,%d).
Failed to query volume state using DefragFS (%d,%d).
Failed to query DefragFS version (%d).
Failed to query DefragFS version (%d).
Failed to query NTFS info using DefragFS (%d,%d).
Failed to query NTFS info using DefragFS (%d,%d).
Failed to open volume using CreateFile (%d).
Failed to open volume using CreateFile (%d).
Failed to query FAT volume information (%d).
Failed to query FAT volume information (%d).
Check for volume dirty is failed: Failed to open volume online using DefragFS (%d,%d).
Check for volume dirty is failed: Failed to open volume online using DefragFS (%d,%d).
Num excluded entries = %d
Num excluded entries = %d
Failed to query file '%s' id (%d).
Failed to query file '%s' id (%d).
Failed to open file "%s" for excluding (%d).
Failed to open file "%s" for excluding (%d).
Failed to open create file 1 (%d). File name: %s
Failed to open create file 1 (%d). File name: %s
NtQueryVolumeInformationFile 1 failed (%d)(%x)
NtQueryVolumeInformationFile 1 failed (%d)(%x)
NtQueryVolumeInformationFile 2 failed (%d)(%d).
NtQueryVolumeInformationFile 2 failed (%d)(%d).
Failed to open Volume (%d).
Failed to open Volume (%d).
Opening Volume Handle for %s
Opening Volume Handle for %s
PDBoot.msg
PDBoot.msg
Failed to read message file entries (%d).
Failed to read message file entries (%d).
\\.\C:
\\.\C:
Unable to verify volume (%d,%d).
Unable to verify volume (%d,%d).
X:\System Volume Information
X:\System Volume Information
12, 5, 0, 312
12, 5, 0, 312