Gen.Heur.SMHeist.3_4bb7454cf6

by malwarelabrobot on March 5th, 2015 in Malware Descriptions.

Gen:Heur.SMHeist.3 (B) (Emsisoft), Gen:Heur.SMHeist.3 (AdAware)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 4bb7454cf635dd6bf42a0d4cd222d55d
SHA1: aba63d2cc94e91bbce0bcc0a9a5b8747ba57a607
SHA256: 98afd2d1bafb5a06af9fecb9d46fc58ba43c854528b1e750f5739c9c8aa0f5b3
SSDeep: 393216:gBTWl/9b7hnLhuDtX 5qPWTEnSaKg6xfl7GGltf:gxWf3ruRXaqWvXxfl7GG7
Size: 14126116 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: AirInstaller
Created at: 1992-06-20 01:22:17 (this is the fixed placeholder value 0x2A425E19 that Borland Delphi linkers write into the PE TimeDateStamp field, 1992-06-19 22:22:17 UTC, rendered here in a UTC+3 zone; it carries no information about when the file was actually built)
Analyzed on: WindowsXP SP3 32-bit
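
The hashes and the header timestamp above are the fields a reviewer checks first. The following is an added example (not part of the Lavasoft report) that computes the three digests and reads the COFF TimeDateStamp out of a PE header, flagging the fixed Delphi placeholder 0x2A425E19. The PE bytes it runs on are a constructed minimal header, not the sample itself; point `file_hashes` and `pe_timestamp` at real file bytes to use it on a sample.

```python
"""Static triage of a PE sample: hashes plus the compile-timestamp check.

Added example, not code from the report. The Delphi constant is a known
fact; the PE bytes built by build_fake_pe() are constructed for the demo.
"""
import hashlib
import struct
from datetime import datetime, timezone

# Borland Delphi linkers write this constant instead of the real build time.
DELPHI_TIMESTAMP = 0x2A425E19  # 1992-06-19 22:22:17 UTC


def file_hashes(data: bytes) -> dict:
    """Return the MD5/SHA1/SHA256 hex digests the report keys the sample on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_timestamp(data: bytes) -> int:
    """Read TimeDateStamp from the COFF header of a PE image.

    DOS header: 'MZ' magic, e_lfanew (DWORD) at offset 0x3C.
    At e_lfanew: 'PE\\0\\0', then the COFF header (Machine, NumberOfSections,
    TimeDateStamp, ...), so the timestamp is the DWORD at e_lfanew + 8.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def describe_timestamp(ts: int) -> dict:
    """Render the stamp as UTC and say whether it is the Delphi placeholder."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "raw": ts,
        "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "delphi_placeholder": ts == DELPHI_TIMESTAMP,
    }


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header (demo only)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 3 sections, timestamp, no symbols, optional header size,
    # characteristics: layout of IMAGE_FILE_HEADER (20 bytes).
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x010F)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_fake_pe(DELPHI_TIMESTAMP)
    print(file_hashes(sample))
    print(describe_timestamp(pe_timestamp(sample)))
```

A placeholder timestamp does not make a file malicious, but it does mean the "Created at" field cannot be used to date the build or to correlate with other samples; the hashes remain the only reliable identifiers.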


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

What this run actually shows: the sample is a Delphi executable built with AirInstaller (see Company and PEID above). When executed it unpacks a complete, repackaged Raxco PerfectDisk Server 12.5 Build 312 installation into %Temp%\server, including the vendor's PerfectDisk_x86.msi, the PDFsFilter.sys and DefragFs.sys kernel drivers, a wainakh.bat/wainakh.reg pair and pre-filled "license" and "LicenseKey" values. It then launches MsiExec.exe and regedit.exe (the latter consistent with importing the dropped wainakh.reg) and the MUICache entry shows wainakh.bat being run from %Temp%\server. The resulting Add/Remove Programs entry names "Minutka15" as publisher, points UninstallString, InstallLocation and DisplayIcon at %Temp%, and is marked NoModify/NoRepair. In short, the behaviour recorded here is that of a bundled, unofficially licensed installer for a commercial product; the sandbox found no additional payload.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

%original file name%.exe:448
regedit.exe:432
runonce.exe:436
grpconv.exe:1316
MsiExec.exe:1232
MsiExec.exe:1100

The Malware injects its code into the following process(es):

PDAgent.exe:372
PDEngine.exe:744

Both are PerfectDisk service binaries that the sample itself unpacks into %Temp%\server (see File activity), so the file and registry activity attributed to them below is most plausibly the product's own service start-up rather than injection into a pre-existing process; the sandbox attributes it to the sample because the sample started them.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process PDAgent.exe:372 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Raxco\PerfectDisk\12.5\pd_local.sdf (4 bytes)

The process %original file name%.exe:448 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcm80.dll (9364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\English.tr (16110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcr80.dll (11472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\msxml6.dll (20729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\defragfs.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceqp35.dll (14043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\Config.ini (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.adm (1328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVMDefrag.exe (10960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchangePS.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\English.tr (17101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtCore4.dll (49418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchange.exe (6471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlcese35.dll (8130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.dll (2819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtGui4.dll (180433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\CommonAppData\Raxco\PerfectDisk\12.5\pd_local.sdf (30618 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDElevationWorker.exe (3236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcp100.dll (7538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PerfectDisk.exe (149995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\ssleay32.dll (5370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\PDFsFilter.sys (1320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\PerfectDisk_x86.msi (44286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\PDBoot.exe (4584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\libeay32.dll (20429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDAgent.tlb (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\qt_ja.qm (3005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (27304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.dll (3996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDState.dll (13708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcp80.dll (10769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuestPS.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcr100.dll (13109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.bat (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\AutoUpdGui.exe (17623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceqp35.dll (10442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcp80.dll (8715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEngine.exe (34064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDCmd.exe (7333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgent.exe (20320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.raxco.manifest (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PdFsfilter.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\chartdir50.dll (35321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDUtils.dll (4772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcr80.dll (12820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcm80.dll (9223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcr80.dll (9853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.raxco.manifest (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PatchPDLocalDB.sql (1929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcp80.dll (12030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\AutoUpdDLL.dll (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlcese35.dll (6929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcm80.dll (9530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDFsPerf.dll (1062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgentS1.exe (830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\en-us\PerfectDisk12_5.adml (1047 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\DefragFS.inf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\DefragFs.sys (2336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.reg (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsFilter.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEnginePS.dll (842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsPerf.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.admx (1024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuest.dll (24837 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (0 bytes)

The process PDEngine.exe:744 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\wbem\Repository\FS\OBJECTS.MAP (12 bytes)
%System%\wbem\Logs (4 bytes)
%System%\config\AppEvent.Evt (16 bytes)
%WinDir%\Installer\{FD310764-B3E5-430F-980E-D6C0016B2660} (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b4.dat (4 bytes)
%WinDir%\Installer (8 bytes)
%System%\config\SOFTWARE.LOG (78492 bytes)
%Program Files%\Common Files (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%System%\wbem\Repository\FS\MAPPING2.MAP (192 bytes)
C:\$Directory (1292 bytes)
%System% (2360 bytes)
%WinDir% (1156 bytes)
%System%\Microsoft\Protect\S-1-5-18\User (4 bytes)
%System%\config (108 bytes)
%System%\config\software (78350 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Program Files%\Common Files\Raxco\Shared (4 bytes)
%Documents and Settings%\All Users\Application Data (8 bytes)
%WinDir%\MICROSOFT.NET (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (47 bytes)
%Documents and Settings%\All Users\Application Data\Raxco\PerfectDisk\12.5\pd_local.sdf (4 bytes)

Registry activity

The process PDAgent.exe:372 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThresholdVmHost" = "10000000"
"AutoScheduleHoursInterval" = "96"
"UserTimeThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehavior" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThresholdVmHost" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThresholdVmHost" = "30"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehaviorFirstRun" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoAdjustThresholds" = "1"
"AutoScheduleNoDefragDuring" = ""
"KernelTimeThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleActivityTimeOut" = "300"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThreshold" = "10000000"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 1D 8B 1B 60 29 D6 75 7F B7 C0 55 6F D2 B5 31"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate" = "16 00 00 00 41 00 75 00 74 00 6F 00 55 00 70 00"
"Runs" = "00 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\b98117e8-75ca-11e2-81b2-000c293708fb]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\c155cd75-744b-11e2-8294-806d6172696f]
"AutoScheduleNoDefragDuring" = ""

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"(Default)"
"Runs"

[HKLM\System\CurrentControlSet\Services\PerfDisk\Performance]
"Error Count"

[HKLM\System\CurrentControlSet\Services\PerfOS\Performance]
"Error Count"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate"

The process %original file name%.exe:448 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BrandType" = "0"
"license" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"
"ManageOnPort" = "4294967295"
"HelpURL" = "http://docs.raxco.com/perfectdisk/12_5/EN/Index.htm"
"WebsiteUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Registry_Name" = "Build"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightSettings" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehavior" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"WebinarsUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Webinars"
"BusinessUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Business"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\\\?\]
"Volume{52195469-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 43 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"proxy_port" = "80"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DisableSmart" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportURL" = "http://links.raxco.com/go.rax?id=PD12_5_Support"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThresholdVmHost" = "30"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UserGuidesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_UserGuides"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"RegisterURL" = "http://www.raxco.com/register"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"LData" = "eWRvlT4AkSPiOay5qg5mjBu5uQ43o7eL"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSMode" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"DisplayVersion" = "12.5 Build 312"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThreshold" = "10000000"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\\\?\]
"Volume{52195465-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 44 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AlertSettings]
"(Default)" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"FaqUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_FAQ"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"USER_NAME" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"InstallSource" = "c:\"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Registered" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Server" = ""
"Version_Info_Path" = "Software\Raxco\PerfectDisk\12.5"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThreshold" = "30"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"URLInfoAbout" = "http://www.minutka15.com"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Password_Ciphered" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"OptiwriteAdvanced" = "0"
"ProductKeyURL" = "http://links.raxco.com/go.rax?id=PD12_5_SVR"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"Language" = "1049"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HelpDownloadUrl" = "http://docs.raxco.com/perfectdisk/12_5/EN/download_Help/x86_PD12.5_Help.msi"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleActivityTimeOut" = "300"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehaviorFirstRun" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"Language" = "1033"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"InstallDate" = "20150304"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConnectUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Connect"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"EstimatedSize" = "50100"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoAdjustThresholds" = "1"
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName1" = "Graphic"
"FileGroupName0" = "Text"
"FileGroupName3" = "Video"
"FileGroupName2" = "Program"
"FileGroupName5" = "Temporary"
"FileGroupName4" = "Music"
"FileGroupName6" = "User Defined"
"WebserviceEnabled" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"NoModify" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"StoreUrl" = "http://links.raxco.com/go.rax?id=PD12_5_OnlineStore"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowExternalHardDrives" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Security" = "01 00 00 00 01 00 00 00 00 00 00 00 03 00 00 00"
"FeaturesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_Features"
"FreeSpaceOnStart" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 41 1D 21 06 CC F0 19 2B 2A 1B 39 66 98 3C E5"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Ftp_Server" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"UninstallString" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask2" = ".exe;.dll;.ocx;.sys;.vbs;.js;.wsf;.wsc;.com"
"FileGroupMask3" = ".avi;.mpg;.mov;.mp4;.mpeg;.wmv;.flv;.swf"
"FileGroupMask0" = ".txt;.doc;.docx;.rtf;.pdf;.htm;.html;.wpd;.wri"
"FileGroupMask1" = ".bmp;.jpg;.gif;.tif;.jpeg;.png"
"FileGroupMask6" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"InstallLocation" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask4" = ".mp3;.wav;.midi;.aac;.ogg;.wma"
"FileGroupMask5" = ".tmp"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThresholdVmHost" = "10000000"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SalesMail" = "[email protected]"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableTemperatureWarnings" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"LicenseKey" = "8ZkJZGINOMnz1XKWhTJf44z06WY2LoAfzfMSs8b8DHaj/Z6vT3FxP/gvbK5PIr88"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ProcessPriority" = "16384"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleHoursInterval" = "96"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThresholdVmHost" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UseConfigIni" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Update_Root_Dir" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"VersionMajor" = "12"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Install_Option" = "Notify"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DiskThresholdUnits" = "1024"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BlogUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Blog"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"http_url" = "http://update.raxco.com/pub/download/PD125/Client"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableSmartPolling" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BetaURL" = "http://beta.raxco.com"
"Wizard" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"SmartPollingPeriod" = "180"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniEngineCompleted" = "1"
"Build" = "312"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"DisplayName" = "Raxco PerfectDisk Server 12.5 Build 312"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"LogSettings" = "0F 00 00 00 02 00 00 00 02 00 00 00 00 00 02 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Software_Name" = "PerfectDisk 12.5 Server"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SuggestionsURL" = "http://links.raxco.com/go.rax?id=PD12_5_Suggestions"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportMail" = "http://links.raxco.com/go.rax?id=PD12_5_Support"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Ini_Filename" = "PD125b312.ini"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"PFN" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowFlashDrives" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ContactSupportUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SupportMail"
"PerfectDiskUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"Publisher" = "Minutka15"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Auto_Check" = "No"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server]
"wainakh.bat" = "wainakh"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"CriticalTemperature" = "00 00 00 00 00 00 49 40"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Enabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate" = "16 00 00 00 41 00 75 00 74 00 6F 00 55 00 70 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"NoRepair" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"PDManageLayoutIni" = "3"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniAgentCompleted" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"WebServiceUrl" = "http://updates.raxco.com/SMART/SMARTModelUpdates.asmx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"DisplayIcon" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Uninstall.exe"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowSSD" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\\\?\]
"Volume{52195466-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 45 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightFirstRunDriveEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Protocol" = "http"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Raxco PerfectDisk Server 12.5 Build 312]
"VersionMinor" = "5312"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HideOptiWrite" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"IoThrottling" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"Runs" = "00 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"KbUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_KB"

The Malware modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware modifies IE security-zone settings to map all local hostnames without dots that are not otherwise assigned to a zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Malware modifies IE security-zone settings to map all hosts that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process regedit.exe:432 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BrandType" = "0"
"license" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"
"ManageOnPort" = "4294967295"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ExcludedVolumes" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HelpURL" = "http://docs.raxco.com/perfectdisk/12_5/EN/Index.htm"
"WebsiteUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Registry_Name" = "Build"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightSettings" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleNewVolumeBehavior" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"WebinarsUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Webinars"
"BusinessUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Business"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"proxy_port" = "80"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DisableSmart" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportURL" = "http://links.raxco.com/go.rax?id=PD12_5_Support"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThresholdVmHost" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UserGuidesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_UserGuides"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"RegisterURL" = "http://www.raxco.com/register"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"LData" = "eWRvlT4AkSPiOay5qg5mjBu5uQ43o7eL"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSMode" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThreshold" = "10000000"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Software_Name" = "PerfectDisk 12.5 Server"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AlertSettings]
"(Default)" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"FaqUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_FAQ"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"USER_NAME" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Registered" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Server" = ""
"Version_Info_Path" = "Software\Raxco\PerfectDisk\12.5"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"UserTimeThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Password_Ciphered" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"OptiwriteAdvanced" = "0"
"ProductKeyURL" = "http://links.raxco.com/go.rax?id=PD12_5_SVR"
"HelpDownloadUrl" = "http://docs.raxco.com/perfectdisk/12_5/EN/download_Help/x86_PD12.5_Help.msi"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{52195465-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 44 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleActivityTimeOut" = "300"
"AutoScheduleNewVolumeBehaviorFirstRun" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"Language" = "1033"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConnectUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Connect"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoAdjustThresholds" = "1"
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName1" = "Graphic"
"FileGroupName0" = "Text"
"FileGroupName3" = "Video"
"FileGroupName2" = "Program"
"FileGroupName5" = "Temporary"
"FileGroupName4" = "Music"
"FileGroupName6" = "User Defined"
"WebserviceEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"StoreUrl" = "http://links.raxco.com/go.rax?id=PD12_5_OnlineStore"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowExternalHardDrives" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"Security" = "01 00 00 00 01 00 00 00 00 00 00 00 03 00 00 00"
"FeaturesUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_Features"
"FreeSpaceOnStart" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 75 60 BD 5C E5 E6 EB E9 3A 13 F6 E6 BF FB 06"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{52195466-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 45 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Ftp_Server" = ""

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask2" = ".exe;.dll;.ocx;.sys;.vbs;.js;.wsf;.wsc;.com"
"FileGroupMask3" = ".avi;.mpg;.mov;.mp4;.mpeg;.wmv;.flv;.swf"
"FileGroupMask0" = ".txt;.doc;.docx;.rtf;.pdf;.htm;.html;.wpd;.wri"
"FileGroupMask1" = ".bmp;.jpg;.gif;.tif;.jpeg;.png"
"FileGroupMask6" = ""
"FileGroupMask4" = ".mp3;.wav;.midi;.aac;.ogg;.wma"
"FileGroupMask5" = ".tmp"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"IoThresholdVmHost" = "10000000"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SalesMail" = "[email protected]"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"IsOverride" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableTemperatureWarnings" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"LicenseKey" = "8ZkJZGINOMnz1XKWhTJf44z06WY2LoAfzfMSs8b8DHaj/Z6vT3FxP/gvbK5PIr88"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ProcessPriority" = "16384"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleHoursInterval" = "96"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSThreshold" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"KernelTimeThresholdVmHost" = "30"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UseConfigIni" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Update_Root_Dir" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Install_Option" = "Notify"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"DiskThresholdUnits" = "1024"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BlogUrl" = "http://links.raxco.com/go.rax?id=PD12_5_Blog"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"http_url" = "http://update.raxco.com/pub/download/PD125/Client"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableSmartPolling" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleNoDefragDuring" = ""

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"BetaURL" = "http://beta.raxco.com"
"Wizard" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"SmartPollingPeriod" = "180"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniEngineCompleted" = "1"
"Build" = "312"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"LogSettings" = "0F 00 00 00 02 00 00 00 02 00 00 00 00 00 02 00"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{52195469-4700-11e2-afe3-806e6f6e6963}" = "08 00 00 00 43 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195469-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SuggestionsURL" = "http://links.raxco.com/go.rax?id=PD12_5_Suggestions"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"IsSS" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"SupportMail" = "http://links.raxco.com/go.rax?id=PD12_5_Support"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Version_Ini_Filename" = "PD125b312.ini"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"PFN" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowFlashDrives" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ContactSupportUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SupportMail"
"PerfectDiskUrl" = "http://links.raxco.com/go.rax?id=PD12_5_PerfectDisk"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Auto_Check" = "No"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"CriticalTemperature" = "00 00 00 00 00 00 49 40"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Proxy_Enabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleEnabled" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"AutoUpdate" = "16 00 00 00 41 00 75 00 74 00 6F 00 55 00 70 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195466-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"PDManageLayoutIni" = "3"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"ConfigIniAgentCompleted" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"WebServiceUrl" = "http://updates.raxco.com/SMART/SMARTModelUpdates.asmx"
"AllowSSD" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightFirstRunDriveEnable" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoUpdSettings]
"Protocol" = "http"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableDebug" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"HideOptiWrite" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"IoThrottling" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\SchedulerSettings]
"Runs" = "00 00 00 00"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5\AutoSchedulePlanner\52195465-4700-11e2-afe3-806e6f6e6963]
"AutoScheduleExclusionPeriod" = "111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"KbUrl" = "http://links.raxco.com/go.rax?id=PD12_5_SVR_KB"

The process PDEngine.exe:744 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"EofWriteExtendSizeHigh" = "0"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"license" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName2" = "Program"
"AllowFlashDrives" = "1"
"EnableTemperatureWarnings" = "1"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EofWriteExtendSizeHigh" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask2" = ".exe;.dll;.ocx;.sys;.vbs;.js;.wsf;.wsc;.com"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MinExtentSizeHigh" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightSettings" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"CriticalTemperature" = "00 00 00 00 00 00 49 40"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"EofWriteExtendSizeLow" = "1048576"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ProcessPriority" = "16384"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{b98117e8-75ca-11e2-81b2-000c293708fb}" = "08 00 00 00 44 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EofWriteWhitelist" = ""

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"PDManageLayoutIni" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}" = "36 D2 8A 06 0B 41 5A 62 83 74 1C AB 1E D3 5C CD"

[HKLM\System\CurrentControlSet\Services\DefragFS\Parameters]
"BootMountTimestamp" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"IoThrottling" = "1"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MaxExtentSizeLow" = "4294967295"
"Enable" = "0"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EnableEofWriteDefrag" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"ExcludedVolumes" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"SmartPollingPeriod" = "180"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"EofWriteExtendSizeLow" = "1048576"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"AllowSSD" = "1"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"LicenseKey" = "8ZkJZGINOMnz1XKWhTJf44z06WY2LoAfzfMSs8b8DHaj/Z6vT3FxP/gvbK5PIr88"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"EnableSmartPolling" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings]
"WriteRightFirstRunDriveEnable" = "0"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"Enable" = "1"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask4" = ".mp3;.wav;.midi;.aac;.ogg;.wma"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MinNumFragmentsThreshold" = "2"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MaxExtentSizeHigh" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
"EnableAutoLayout" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName1" = "Graphic"
"FileGroupName0" = "Text"
"FileGroupName3" = "Video"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MinExtentSizeHigh" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName5" = "Temporary"
"FileGroupName4" = "Music"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MaxExtentSizeLow" = "4294967295"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupName6" = "User Defined"
"DisableSmart" = "0"
"AllowExternalHardDrives" = "1"
"EnableDebug" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5\DriveSettings\\\?]
"Volume{c155cd75-744b-11e2-8294-806d6172696f}" = "08 00 00 00 43 00 3A 00 5C 00 00 00 62 00 00 00"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MaxExtentSizeHigh" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 8F 5B E6 7B A4 C4 26 92 B6 DB AB 82 47 19 D9"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"NumFreeSpaceExtentsStored" = "100"
"EnableEofWriteDefrag" = "1"
"EofWriteWhitelist" = ""

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"MinExtentSizeLow" = "0"
"MinNumFragmentsThreshold" = "2"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"MinExtentSizeLow" = "0"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask3" = ".avi;.mpg;.mov;.mp4;.mpeg;.wmv;.flv;.swf"
"FileGroupMask0" = ".txt;.doc;.docx;.rtf;.pdf;.htm;.html;.wpd;.wri"
"FileGroupMask1" = ".bmp;.jpg;.gif;.tif;.jpeg;.png"
"FileGroupMask6" = ""
"VSSMode" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{5F79448F-AD6F-4931-B39D-13B5DFB34108}" = ""

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"FileGroupMask5" = ".tmp"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters\{c155cd75-744b-11e2-8294-806d6172696f}]
"NumFreeSpaceExtentsStored" = "100"

[HKLM\SOFTWARE\Raxco\PDCore\12.5]
"VSSThreshold" = "30"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"LExtra"

[HKLM\System\CurrentControlSet\Services\DefragFS\Parameters]
"BootErrorLogFile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}"

The process runonce.exe:436 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 E7 B7 F5 B0 D4 D1 0E 1F C3 CF 2E 2D C0 65 52"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The Malware modifies IE security-zone settings to map all hosts that bypass the proxy to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Malware modifies IE security-zone settings to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Malware modifies IE security-zone settings to map all local hostnames without dots that are not otherwise assigned to a zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Malware deletes the following value(s) in system registry:

The Malware disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"

The process grpconv.exe:1316 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 4A AA 74 F8 B2 06 BD 78 E7 D9 02 47 26 6C 31"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv]
"Log" = "Init Application."

[HKCR\MSProgramGroup\Shell\Open\Command]
"(Default)" = "%System%\grpconv.exe %1"

[HKCR\MSProgramGroup]
"(Default)" = "Microsoft Program Group"

[HKCR\.grp]
"(Default)" = "MSProgramGroup"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The process MsiExec.exe:1232 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 E5 9D F6 7B E0 E5 4F A7 38 A4 90 C7 3D 3C 13"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder]
"{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}" = "FB 0A 17 BA 75 E3 CB A1 83 74 1C AB 1E D3 5C CD"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Instances\PDFsFilter Instance]
"Flags" = "0"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Instances]
"DefaultInstance" = "PDFsFilter Instance"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Parameters]
"(Default)" = ""

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Activity Monitor" = "04 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00"

[HKLM\System\CurrentControlSet\Services\PDFSFilter\Instances\PDFsFilter Instance]
"Altitude" = "186000"

[HKLM\SOFTWARE\Raxco\PerfectDisk\12.5]
"UseConfigIni" = "1"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"

The Malware deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\DefragFS]
"ImagePath"

The process MsiExec.exe:1100 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 3C 3D D5 88 69 07 32 A1 54 10 EA E7 41 35 EE"

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver %System%\Drivers\DefragFs.sys (listed above, MD5 13e9d581f1d3e769d3f359a7bab89976), the sample attaches a filter device object to the Volume Device Object (VDO) of the file system driver. Attaching to the file system stack gives a filter visibility into every I/O on the volume, which is why the heuristic reports it as rootkit-like behaviour; it is equally the mechanism a defragmenter needs, and the dropped manifests (see the strings below) describe PerfectDisk as "a disk defragmenter, thus it needs low level access to system". A second file system filter, PDFsFilter.sys, is dropped alongside it. The verdict here is behavioural, not a match on a known-bad driver, so verify the Authenticode signatures of both drivers before treating them as hostile.

Propagation

VersionInfo

Company Name: Minutka15
Product Name:
Product Version:
Legal Copyright: Minutka15
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 12.5 Build 312
File Description: Raxco PerfectDisk Server 12.5 Build 312 Installation
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
CODE    4096             148684        148992    4.57087  bac8bae7a5e5326cf49943b90d1c062a
DATA    155648           10388         10752     2.62963  abafcbfbd7f8ac0226ca496a92a0cf06
BSS     167936           4341          0         0        d41d8cd98f00b204e9800998ecf8427e
.idata  176128           6040          6144      3.38637  7a4934595db0efc364c3982c4e335d8c
.tls    184320           8             0         0        d41d8cd98f00b204e9800998ecf8427e
.rdata  188416           24            512       0.14174  c4fdd0c5c9efb616fcc85d66056ca490
.reloc  192512           6276          6656      4.56552  867a1120317d51734587a74f6ee70016
.rsrc   200704           43416         43520     3.68595  8cd200a5fec9362fbc2c5d8562cd9f8c

BSS and .tls have no raw data (raw size 0), so their MD5 is that of empty input (d41d8cd98f00b204e9800998ecf8427e) and their entropy is 0. The CODE/DATA/BSS names are the Borland Delphi linker's, consistent with the PEiD result in the header. The raw sizes sum to about 216 KB of a 14 MB file; the remainder sits beyond the last section as overlay data, most likely the wrapped installer payload, which is where the file-level "Packed" entropy verdict comes from rather than from any of these sections.
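The table can be reproduced from any PE file with a few dozen lines, which is useful when you want the same per-section view of a dropped binary that the analysis system gives for the sample. The following is an added example written for this page, not the analysis system's code: it walks the section headers (offsets from the PE/COFF specification) and computes the same columns. The PE image it builds in build_sample_pe() is a constructed, non-loadable stub with one CODE section and an empty BSS section, so that the empty-section case above (raw size 0, MD5 of empty input, entropy 0) is exercised offline.

```python
"""Reproduce the 'PE Sections' table (name, VA, virtual size, raw size,
Shannon entropy, section MD5) from a PE file's section headers.

Added example for this page, not part of the analysis system's code.
build_sample_pe() returns a constructed minimal image, not the analysed sample.
"""
import hashlib
import math
import struct

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, matching the table's BSS/.tls rows."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return one dict per section: name, va, vsize, raw_size, entropy, md5."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]          # SizeOfOptionalHeader
    first = coff + 20 + opt_size                                   # first section header
    rows = []
    for i in range(num_sections):
        off = first + i * SECTION_HEADER_SIZE
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        # A section with SizeOfRawData == 0 (BSS, .tls in the table) has no file
        # bytes, so its digest is MD5(b"") = d41d8cd9..., exactly as shown above.
        body = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        rows.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va,
            "vsize": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(body), 5),
            "md5": hashlib.md5(body).hexdigest(),
        })
    return rows


def build_sample_pe() -> bytes:
    """Constructed minimal PE stub (not loadable): CODE with 3 bytes of data, empty BSS."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 2 sections, no optional header (SizeOfOptionalHeader = 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    headers_end = e_lfanew + 4 + 20 + 2 * SECTION_HEADER_SIZE
    code_body = b"abc"
    sec_code = struct.pack("<8sIIIIIIHHI", b"CODE", 148684, 4096,
                           len(code_body), headers_end, 0, 0, 0, 0, 0x60000020)
    sec_bss = struct.pack("<8sIIIIIIHHI", b"BSS", 4341, 167936,
                          0, 0, 0, 0, 0, 0, 0xC0000080)
    return dos + b"PE\0\0" + coff + sec_code + sec_bss + code_body


def format_table(rows):
    """Render rows in the same column order as the page's table."""
    lines = ["Name Virtual Address Virtual Size Raw Size Entropy Section MD5"]
    for r in rows:
        lines.append(f"{r['name']} {r['va']} {r['vsize']} {r['raw_size']} {r['entropy']:g} {r['md5']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(parse_sections(build_sample_pe())))
```

To run it against a real dropped file, replace build_sample_pe() with the bytes read from disk; the optional header size is read from the COFF header, so PE32 and PE32+ both work.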

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://crl.verisign.com/pca3-g5.crl 23.43.133.163
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl 23.43.133.163

All four URLs are certificate revocation list (CRL) downloads. The requests captured below carry the User-Agent Microsoft-CryptoAPI/5.131.2600.5512, which is the CryptoAPI of the Windows XP SP3 analysis machine (build 2600.5512) fetching the CRLs of the VeriSign Class 3 Code Signing 2010 CA and the Class 3 Public Primary CA G5 root while validating an Authenticode signature. Any signed installer produces this traffic; it is not command-and-control activity. The akamaiedge.net names appear to be the CDN edge hostnames serving the same two verisign.com CRL distribution points.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "8d383c4069ca22795a1696d1945c4a26:1425459915"
Last-Modified: Wed, 04 Mar 2015 09:05:15 GMT
Date: Wed, 04 Mar 2015 15:39:38 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0..3.0..2....0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Sign
ing 2010 [email protected]
0730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&..
.130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s.
.130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9.
.130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H..
....120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......
0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v....
.w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...
iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M8
3...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID
{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........
'u..140521222808Z0!......0..........I..130912181631Z0!.....1.;C,.. L..
0...141111073655Z0!....6e...~..T.......130131012247Z0!.....|.....t.l.o
....140827175301Z0!.........bD#*u......130226223939Z0!.......@..'$.).;
}\..130121172259Z0!....7.v..........n..120724160733Z0!....n[..P..a.y..
.p..141121045513Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!
....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....
@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,
.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|.

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "0eb6836c44430f9901d468ac9e53f3c4:1418965221"
Last-Modified: Fri, 19 Dec 2014 05:00:21 GMT
Date: Wed, 04 Mar 2015 15:39:38 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U
....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For aut
horized use only1E0C..U...<VeriSign Class 3 Public Primary Certific
ation Authority - G5..141210000000Z..150331235959Z0...*.H.............
.(.Y.&..-.f.....5uC..[..I/..S.....g...%#..M..... .#.1..:A#rrl9....nKA.
.....TP.....3......N.d5..Y......svZV..8..h..JV.#T..u..)=..i...d..]m.aS
Y....vu.p..K..G9=>.!LYh0yu.([email protected]'H..)...v..O/.....B.[j...%.xt
...-)"|..P...Q.......p..y..............q...&...t...

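When reviewing a capture like the one above, the first job is to separate Windows' own revocation checks from traffic the sample generates itself. The following classifier is an added example written for this page, not part of the analysis system: it parses raw HTTP request text, labels requests whose User-Agent is Microsoft-CryptoAPI and whose target is a CRL (or an OCSP exchange) as signature-validation noise, and derives a rough OS hint from the CryptoAPI build number. The first two sample requests are the ones captured above; the third is a constructed request (the hostname license.raxco.com occurs in the PDAgent.exe strings below, but no such request was observed in this capture, and the User-Agent is invented) to show the contrast.

```python
"""Separate CryptoAPI revocation checks from a sample's own HTTP traffic.

Added example for this page, not part of the analysis system's code.
Assumptions: requests are plain HTTP/1.x text; the third sample request and
its User-Agent are constructed; the build-number table covers a few common
Windows releases only.
"""

CRYPTOAPI_UA = "Microsoft-CryptoAPI/"

# Build number from the CryptoAPI User-Agent version (a.b.BUILD.revision).
WINDOWS_BUILDS = {
    "2600": "Windows XP",
    "6002": "Windows Vista SP2",
    "7601": "Windows 7 SP1",
    "9600": "Windows 8.1",
}

SAMPLE_REQUESTS = [
    # Captured above
    "GET /CSC3-2010.crl HTTP/1.1\n"
    "Accept: */*\n"
    "User-Agent: Microsoft-CryptoAPI/5.131.2600.5512\n"
    "Host: csc3-2010-crl.verisign.com\n"
    "Connection: Keep-Alive\n"
    "Cache-Control: no-cache\n"
    "Pragma: no-cache\n\n",
    # Captured above
    "GET /pca3-g5.crl HTTP/1.1\n"
    "Accept: */*\n"
    "User-Agent: Microsoft-CryptoAPI/5.131.2600.5512\n"
    "Host: crl.verisign.com\n"
    "Connection: Keep-Alive\n"
    "Cache-Control: no-cache\n"
    "Pragma: no-cache\n\n",
    # Constructed for contrast: not observed in the capture, User-Agent invented
    "GET /secure/PDLicense/PDLicenseServer.dll HTTP/1.1\n"
    "User-Agent: PDAgent/12.5 (constructed)\n"
    "Host: license.raxco.com\n\n",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, target, version, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def classify(req: dict) -> str:
    """'cryptoapi-crl' / 'cryptoapi-ocsp' for Windows revocation checks, else 'application'."""
    ua = req["headers"].get("user-agent", "")
    if not ua.startswith(CRYPTOAPI_UA):
        return "application"
    target = req["target"].lower()
    ctype = req["headers"].get("content-type", "").lower()
    if target.endswith(".crl"):
        return "cryptoapi-crl"
    if ctype == "application/ocsp-request" or "ocsp" in req["headers"].get("host", "").lower():
        return "cryptoapi-ocsp"
    return "cryptoapi-other"


def os_hint(req: dict) -> str:
    """Map the CryptoAPI User-Agent build number to a Windows release, if known."""
    ua = req["headers"].get("user-agent", "")
    if not ua.startswith(CRYPTOAPI_UA):
        return "n/a"
    parts = ua[len(CRYPTOAPI_UA):].split(".")
    build = parts[2] if len(parts) > 2 else "?"
    return f"{WINDOWS_BUILDS.get(build, 'unknown Windows')} (build {build})"


def summarize(raw_requests):
    """Return [(host, target, class)] so application traffic can be reviewed on its own."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        out.append((req["headers"].get("host", ""), req["target"], classify(req)))
    return out


if __name__ == "__main__":
    for host, target, label in summarize(SAMPLE_REQUESTS):
        print(f"{label:16} {host}{target}")
```

Anything that summarize() labels 'application' is what actually needs attention; for this sample the capture contains only CryptoAPI CRL fetches, consistent with the empty Suricata verdict list above.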

The Malware connects to the servers at the following location(s):

PDAgent.exe_372:

.text
`.rdata
@.data
.rsrc
@.reloc
SSSSh
@.text
Scheduler cannot stop operation on drive %1 because of higher priority operation is active.
Scheduler cannot start offline defragmentation of drive %1 because offline defrag of FAT is no longer supported and we cannot lock the drive.
Scheduler cannot start offline defragmentation of drive %1 because of higher priority operation is active.
Scheduler cannot start defragmentation of drive %1 because of higher priority operation is active.
Scheduler cannot start Zero Free Space operation on drive %1 because a higher priority operation is active.
Schedule (%1)(%2) execution status is (%3).
%3 %4 %5 %6 %7 %8
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
ManageOnPort
ImportantProcessList
ADODB.Connection
ADODB.Recordset
License key has been disabled
Invalid license key
Successfull operation
ProxyBypass
AutoConfigURL
RegOpenKeyTransactedW
advapi32.dll
license.raxco.com
secure/PDLicense/PDLicenseServer.dll
D:\PerfectDisk_v12.5\Dev\binaries\Win32\Release\PDAgent.pdb
WTSAPI32.dll
WinHttpReceiveResponse
WinHttpSetTimeouts
WinHttpSetOption
WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpOpenRequest
WinHttpReadData
WINHTTP.dll
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
SetNamedPipeHandleState
WaitNamedPipeW
PeekNamedPipe
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
ReportEventW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
pdh.dll
RPCRT4.dll
InternetCrackUrlW
InternetCanonicalizeUrlW
WININET.dll
USERENV.dll
VERSION.dll
WS2_32.dll
PSAPI.DLL
UrlUnescapeW
SHLWAPI.dll
MSVCP100.dll
MSVCR100.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
POWRPROF.dll
GetProcessHeap
.?AUISupportErrorInfo@@
.?AVDriveSettingVolumePresenceOperator@@
.?AVVolumePresenceOperator@@
.?AVWipingOnVolumePresenceOperator@@
.?AVStandardVolumePresenceOperator@@
.?AVCTCPIPClient@@
.?AV?$CComObjectNoLock@V?$CComClassFactorySingleton@VCPDAgentSpaceReports@@@ATL@@@ATL@@
.?AV?$CComClassFactorySingleton@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComObject@VCPDAgentSpaceReports@@@ATL@@
.?AVCPDAgentSpaceReports@@
.?AV?$CComCoClass@VCPDAgentSpaceReports@@$1?CLSID_PDAgentSpaceReports@@3U_GUID@@B@ATL@@
.?AV?$IDispatchImpl@UIFileSpaceReports@@$1?IID_IPDAgentSpaceReports@@3U_GUID@@B$1?LIBID_PDAgentLib@@3U3@B$00$0A@VCComTypeInfoHolder@ATL@@@ATL@@
.?AUIFileSpaceReports@@
.?AUIFileReports@@
.?AV?$IObjectSafetyImpl@VCPDAgentSpaceReports@@$02@ATL@@
.?AV?$CComAggObject@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComContainedObject@VCPDAgentSpaceReports@@@ATL@@
.?AV?$CComObjectCached@VCPDAgentSpaceReports@@@ATL@@
.?AVCTCPIPServer@@
.?AVCPipeClient@@
.?AVCMailSlotTransport@@
.?AVIMessageTransport@@
{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F} = s 'PDAgent'
'PDAgent.EXE'
val AppID = s {E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}
PDAgent.PDAgent.1 = s 'PDAgent Class'
CLSID = s '{CC5C2398-3512-464D-B59D-C9B85541AD50}'
PDAgent.PDAgent = s 'PDAgent Class'
CurVer = s 'PDAgent.PDAgent.1'
ForceRemove {CC5C2398-3512-464D-B59D-C9B85541AD50} = s 'PDAgent Class'
ProgID = s 'PDAgent.PDAgent.1'
VersionIndependentProgID = s 'PDAgent.PDAgent'
val AppID = s '{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}'
'TypeLib' = s '{2070972B-BE20-4395-9AC7-88A9CCF160BB}'
PDAgent.DuplicatesFinder.1 = s 'DuplicatesFinder Class'
CLSID = s '{35C6767E-B901-46A6-8203-30FCFFD4AB81}'
PDAgent.DuplicatesFinder = s 'DuplicatesFinder Class'
CurVer = s 'PDAgent.DuplicatesFinder.1'
ForceRemove {35C6767E-B901-46A6-8203-30FCFFD4AB81} = s 'DuplicatesFinder Class'
ProgID = s 'PDAgent.DuplicatesFinder.1'
VersionIndependentProgID = s 'PDAgent.DuplicatesFinder'
PDAgent.WebBrowserCleaner.1 = s 'WebBrowserCleaner Class'
CLSID = s '{2C67080E-6071-4777-AA16-CE4681DFB250}'
PDAgent.WebBrowserCleaner = s 'WebBrowserCleaner Class'
CurVer = s 'PDAgent.WebBrowserCleaner.1'
ForceRemove {2C67080E-6071-4777-AA16-CE4681DFB250} = s 'WebBrowserCleaner Class'
ProgID = s 'PDAgent.WebBrowserCleaner.1'
VersionIndependentProgID = s 'PDAgent.WebBrowserCleaner'
val AppID = s '{2B6C1FB1-B230-4080-8A36-87883698C408}'
'TypeLib' = s '{877723D5-D216-4DB9-A8B3-61692B96DC2B}'
PDAgent.SpaceRecycler.1 = s 'SpaceRecycler Class'
CLSID = s '{18EC0531-7D75-46E7-8869-384AEDB699C9}'
PDAgent.SpaceRecycler = s 'SpaceRecycler Class'
CurVer = s 'PDAgent.SpaceRecycler.1'
ForceRemove {18EC0531-7D75-46E7-8869-384AEDB699C9} = s 'SpaceRecycler Class'
ProgID = s 'PDAgent.SpaceRecycler.1'
VersionIndependentProgID = s 'PDAgent.SpaceRecycler'
PDAgent.FileShredder.1 = s 'FileShredder Class'
CLSID = s '{0DC8D89E-EB99-4B77-88D3-03E207AA8738}'
PDAgent.FileShredder = s 'FileShredder Class'
CurVer = s 'PDAgent.FileShredder.1'
ForceRemove {0DC8D89E-EB99-4B77-88D3-03E207AA8738} = s 'FileShredder Class'
ProgID = s 'PDAgent.FileShredder.1'
VersionIndependentProgID = s 'PDAgent.FileShredder'
PDAgent.PDAgentFileSet.1 = s 'PDAgentFileSet Class'
CLSID = s '{B83F237B-81DD-4C3F-87FF-E7A534D221CA}'
PDAgent.PDAgentFileSet = s 'PDAgentFileSet Class'
CurVer = s 'PDAgent.PDAgentFileSet.1'
ForceRemove {B83F237B-81DD-4C3F-87FF-E7A534D221CA} = s 'PDAgentFileSet Class'
ProgID = s 'PDAgent.PDAgentFileSet.1'
VersionIndependentProgID = s 'PDAgent.PDAgentFileSet'
PDAgent.PDAgentFileOp.1 = s 'PDAgentFileOp Class'
CLSID = s '{997E2C76-4654-41A6-ABCB-C169E72CBFC5}'
PDAgent.PDAgentFileOp = s 'PDAgentFileOp Class'
CurVer = s 'PDAgent.PDAgentFileOp.1'
ForceRemove {997E2C76-4654-41A6-ABCB-C169E72CBFC5} = s 'PDAgentFileOp Class'
ProgID = s 'PDAgent.PDAgentFileOp.1'
VersionIndependentProgID = s 'PDAgent.PDAgentFileOp'
PDAgent.PDAgentSpaceReports.1 = s 'PDAgentSpaceReports Class'
CLSID = s '{63056E08-D7A8-486B-BF99-DD6FA63C0018}'
PDAgent.PDAgentSpaceReports = s 'PDAgentSpaceReports Class'
CurVer = s 'PDAgent.PDAgentSpaceReports.1'
ForceRemove {63056E08-D7A8-486B-BF99-DD6FA63C0018} = s 'PDAgentSpaceReports Class'
ProgID = s 'PDAgent.PDAgentSpaceReports.1'
VersionIndependentProgID = s 'PDAgent.PDAgentSpaceReports'
PDAgent.PDAgentFileBrowser.1 = s 'PDAgentFileBrowser Class'
CLSID = s '{DF274096-221E-4244-8967-5378E36A9E11}'
PDAgent.PDAgentFileBrowser = s 'PDAgentFileBrowser Class'
CurVer = s 'PDAgent.PDAgentFileBrowser.1'
ForceRemove {DF274096-221E-4244-8967-5378E36A9E11} = s 'PDAgentFileBrowser Class'
ProgID = s 'PDAgent.PDAgentFileBrowser.1'
VersionIndependentProgID = s 'PDAgent.PDAgentFileBrowser'
stdole2.tlbWWW@"
AutoUpdateUrlWWW
urlW
ProxyPasswordWWW
ProxyServerPortW
port
passwordd
%VirtualHostSensingPasswordWWd
$=SetKeyValueW
.UnSubscribeW
WebBrowserCleanerWWW(
IRx2WebBrowserCleanerWWW(
vPDAgentSpaceReportsW
8cBIPDAgentSpaceReportst
property AutoUpdateUrl
property ProxyPassword
property ProxyServerPortWW
property VirtualHostSensingPasswordWWW
method SetKeyValue
property PasswordW
WebBrowserCleaner ClassWWW
IRx2WebBrowserCleaner InterfaceWWW
PDAgentSpaceReports ClassW
IPDAgentSpaceReports Interface
Created by MIDL version 7.00.0555 at Thu Oct 04 17:23:56 2012
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="11.0.0.0" processorArchitecture="X86" name="PDAgent" type="win32"></assemblyIdentity><description>PerfectDisk is a disk defragmenter, thus it needs low level access to system</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="sqlceoledb35.raxco" version="1.0.0.0"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
16267#8)8
8%9S9
3$3/3:3^3
6o6
="><>\>|>
8$8(8,80848<9@9
> >$>(>,>0>4>8>
7 7(707<7`7
6,686@6`6
9 9(949\9
ClientConsolePort
hiberfil.sys
?:\hiberfil.sys
Win32_OperatingSystem
Software\Microsoft\Windows\CurrentVersion\Uninstall
%s-%s
\StringFileInfo\xx\%s
SOFTWARE\Classes\CLSID\{CC5C2398-3512-464D-B59D-C9B85541AD50}\LocalServer32
PerfectDisk.exe
ControlLogicReport.cpp
LicenseKey
127.0.0.1
.Software\Raxco\PerfectDisk\12.5
PerfectDisk.exe /autonag
.pd_schedule_data.cpp
pd_schedule_data.cpp
2pd_schedule_data.cpp
AutoUpdGui.exe
.online-part
PDAgentS1.exe
F6C76BD7-43ED-45EC-A273-C4773238908A
{92EA7FF7-DE29-4E91-A2B1-FD9E58CD485D}
{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}
Call to TalkToConsole failed. Returned buffer size is 0. Console name: %s, port %d
Call to TalkToConsole failed. HRESULT=%u. Console name: %s, port %d
d:\perfectdisk_v12.5\dev\pdframework\..\PDAgent\talk_to_console.hpp
/#%d)
_d-d-d ddd d
%s %s %s %s d u %s/d (%s) %s
d:d:d.d
Call to tcpip(msg_in,msg_out) failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to tcpip(msg_in,msg_out) was successful
GetIpAddressesByNameHRESULT found no IP addresses. Console name=%s
Call to GetIpAddressesByNameHRESULT failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to CreateMutex failed. Microsoft Error Code=%u
_##_%d
Call to rpc_client.CallServer(byte_buff_in,byte_buff_out) failed. status=%u
CTalkToConsoleViaTCPIP::operator ()
Call to rpc_client.Connect(m_IpAddress,m_Port) failed. status=%u
pd_scheduler.cpp
PerfectDisk.exe /nag
PDAgent.exe
PDEngine.exe
PDExchange.exe
PDVMDefrag.exe
1pd_scheduler.cpp
1pd_scheduler_operations.cpp
.\\.\
cscript.exe /B /NoLogo
\cmd.exe /C
{E97AD3D1-2EA3-47CD-A26E-ABC491F8CF5F}
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
J\\.\pipe\
\pipe\
NTDLL.DLL
\\.\LCD
explorer.exe
Wtsapi32.dll
pdagent_module.cpp
user32.dll
SELECT MAX(StatsDefragOffline.StatsDate),
Volumes.VolumeName
LEFT OUTER JOIN Volumes
ON Volumes.VolumeId = StatsDefragOffline.VolumeId
GROUP BY Volumes.VolumeName ;
P\\.\mailslot\
SELECT TemporaryStalledAlerts.AlertsId FROM TemporaryStalledAlerts INNER JOIN Alerts
ON TemporaryStalledAlerts.AlertsId = Alerts.AlertsId
OLEAUT32.DLL
config.ini
23:00:00
AUURL
ManageViaTCPIPEnable
AutoScreenSaverImportantProcesses
AutoScreenSaverSSHours
PDAgentOp.cpp
WHERE Logs.LogTime <= %1%
AND Logs.LogTime >= %2%;
SELECT TOP(%3%) Logs.LogTime ,
Logs.Source ,
Logs.EventType,
Logs.EventId ,
Logs.Message
WHERE Logs.LogTime <= %1%
AND Logs.LogTime >= %2% ;
SELECT StatsDefragOnline.StatsDate ,
StatsDefragOnline.FileFragmentationBefore ,
StatsDefragOnline.FileFragmentationAfter ,
StatsDefragOnline.FreeSpaceFragmentationBefore ,
StatsDefragOnline.FreeSpaceFragmentationAfter ,
StatsDefragOnline.DrivePerformanceBefore ,
StatsDefragOnline.DrivePerformanceAfter
INNER JOIN Volumes
ON StatsDefragOnline.VolumeId = Volumes.VolumeId
WHERE (UPPER(Volumes.VolumeName) = UPPER(%1%) AND
StatsDefragOnline.StatsDate <= %2% )
ORDER BY StatsDefragOnline.StatsDate DESC;
PDComputerInfo.cpp
SELECT StatsFreeSpaceClean.StatsDate ,
StatsFreeSpaceClean.TotalSize ,
StatsFreeSpaceClean.FreeSpaceBefore ,
StatsFreeSpaceClean.RecycleBinBefore ,
StatsFreeSpaceClean.TempFilesBefore ,
StatsFreeSpaceClean.FreeSpaceAfter ,
StatsFreeSpaceClean.RecycleBinAfter ,
StatsFreeSpaceClean.TempFilesAfter
INNER JOIN Volumes
ON StatsFreeSpaceClean.VolumeId = Volumes.VolumeId
WHERE (UPPER(Volumes.VolumeName) = UPPER(%1%) AND
StatsFreeSpaceClean.StatsDate <= %2% )
ORDER BY StatsFreeSpaceClean.StatsDate DESC;
PTF://
PDConfiguration.cpp
B45EFD40-2FD3-49EC-9495-87AC9CF11686
6272517F-F036-4EF6-85C2-F9082F248FA4
\\?\Volume{
db_manager.cpp
Return code: 0x%8.8X (%lu) (%s/#%d)
ado_implement.cpp
SQL Query:
Advapi32.dll
Software\Microsoft\Windows\CurrentVersion\Controls Folder
%SystemDrive%
12, 5, 0, 312
PDAgent.EXE

PDEngine.exe_744:

.text
`.rdata
@.data
.rsrc
@.reloc
SSSSSh
SSSSSh
}=SSSSSh
u7SSSSSh
2SSSShH9
PSShl9
88888888888888
RegOpenKeyTransactedW
kernel32.dll
-d 
d:d:d.d
RegCreateKeyTransactedW
Offline defragmentation does not support the file system on drive %1.
Drive %1 is marked dirty. The offline defragmentation pass of your system files cannot continue. Please run CHKDSK on the drive.
During the Offline line defragmentation pass PerfectDisk was unable to verify drive %1 because the user stopped the operation.
RegDeleteKeyExW
RegDeleteKeyTransactedW
LogInformationMessages
advapi32.dll
An error occurred trying to read new drive information S.M.A.R.T. web service.
An error occurred trying to save new drive information from the S.M.A.R.T. web service into the database.
An error occurred while submitting data to the S.M.A.R.T. web service.
This parameter displays the average time to spin up the drive spindle (from zero RPM to fully operational [milliseconds]).
This parameter specifies an average performance of seek operations of the magnetic heads.
This parameter shows the total count of retry of spin start attempts to reach the fully operational speed (under the condition that the first attempt was unsuccessful).
This parameter value indicates uncorrected read errors reported to the operating system.
This parameter displays the total count of aborted operations due to HDD timeout. This value should be equal to zero. If the value is too high, then most likely there will be some serious problems with power supply or an oxidized data cable.
This parameter displays a total count of high fly write errors over the lifetime of the drive. Additional protections for write operations are provided by HDD producers by implementing a Fly Height Monitor which detects when a recording head is flying outside its normal operating range. In the process of detecting an unsafe fly height condition, the write process is stopped, and the information is rewritten or reallocated to a safe region of the hard drive. The errors detected over the lifetime of a drive are then counted and displayed in this parameter.
This parameter displays a count of remap operations i.e., the total count of attempts to transfer data from reallocated sectors to a spare area. Both successful & unsuccessful attempts are counted.
This parameter shows the amount of vibration encountered during write operations.
This parameter shows the amount of shock encountered during write operations.
This parameter shows the rate of friction between mechanical parts of the hard disk while operating. Only the time when heads were in the operating position is counted. When the value increases, it indicates that there is a problem with the mechanical subsystem of the drive.
This parameter specifies a count of head moving distances between operations.
Reported Uncorrectable Errors
hXXp://schemas.xmlsoap.org/soap/envelope/
hXXp://VVV.w3.org/*/soap-envelope
hXXp://schemas.xmlsoap.org/soap/encoding/
hXXp://VVV.w3.org/*/soap-encoding
hXXp://VVV.w3.org/2001/XMLSchema-instance
hXXp://VVV.w3.org/*/XMLSchema-instance
hXXp://VVV.w3.org/2001/XMLSchema
hXXp://VVV.w3.org/*/XMLSchema
hXXp://web.services.raxco.com/smart/1.0/SMARTModelUpdatesSoap
hXXp://web.services.raxco.com/smart/1.0/
hXXp://web.services.raxco.com/smart/1.0/SMARTModelUpdatesSoap12
ns1:KBArticleURL
ns1:ManufacturerURL
ns1:ThresholdComparisonOperator
ns1:MinOperatingTemperature
ns1:MaxOperatingTemperature
hXXp://web.services.raxco.com/smart/1.0/SubmitDrive
hXXp://sandbox.development.raxco.com:8383/SMARTModelUpdates.asmx
hXXp://web.services.raxco.com/smart/1.0/SubmitDrives
hXXp://web.services.raxco.com/smart/1.0/GetDrivesByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetAttributesByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetAttributeTypesByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetAttributeDescriptionsByLastTransactionId
hXXp://web.services.raxco.com/smart/1.0/GetDriveIssuesByLastTransactionId
hXXp://VVV.w3.org/2003/05/soap-envelope
hXXp://VVV.w3.org/2003/05/soap-encoding
hXXp://VVV.w3.org/2003/05/soap-rpc
!"#$%&'()* ,-./0123
Unsupported Media Type
HTTP Version not supported
%s[%d
TCP/UDP IP error %d
TCP init failed in tcp_connect()
socket failed in tcp_connect()
setsockopt SO_LINGER failed in tcp_connect()
setsockopt failed in tcp_connect()
setsockopt SO_KEEPALIVE failed in tcp_connect()
setsockopt SO_SNDBUF failed in tcp_connect()
setsockopt SO_RCVBUF failed in tcp_connect()
setsockopt TCP_NODELAY failed in tcp_connect()
setsockopt IP_MULTICAST_TTL failed in tcp_connect()
setsockopt IP_MULTICAST_IF failed in tcp_connect()
get proxy host by name failed in tcp_connect()
get host by name failed in tcp_connect()
connect failed in tcp_connect()
https:*
TCP init failed in soap_bind()
setsockopt TCP_NODELAY failed in soap_bind()
setsockopt TCP_NODELAY failed in soap_accept()
HTTP/
HTTP Error
hXXp://
HTTP/1.1 100 Continue
http:*
httpg:
%s %s HTTP/%s
%s /%s HTTP/%s
%s:%d
%s:%s
HTTP/%s %s
HTTP/%s %d %s
gSOAP Web Service
Basic realm="%s"
xmlns:xop="hXXp://VVV.w3.org/2004/08/xop/include" href
cid:id%d
xmlns:%s
hXXp://schemas.xmlsoap.org/soap/actor/next
hXXp://VVV.w3.org/2003/05/soap-envelope/role/next
xmlns:_%d
%Y-%m-%dT%H:%M:%SZ
%d-%d-%dT%d:%d:%d1s
M--T%d:%d:%d1s
M--T---1s
%d:%d
Content-Type: %s
Content-ID: %s
soap.udp:
multipart/related; charset=utf-8; boundary="%s"; type="
%s; action="%s"
Validation constraint violation: %s%s in element '%s'
Validation constraint violation: %s%s
The data in element '%s' must be understood but cannot be handled
Unsupported SOAP data encoding
Data required for operation
Method '%s' not implemented: method name or namespace not recognized
HTTP GET method not implemented
HTTP PUT method not implemented
HTTP method not implemented
Message too large for UDP packet
An HTTP processing error occurred
HTTP Error: %d %s
Error %d
Operation interrupted or timed out
(%d%cs receive delay)
(%d%cs send delay)
%s%d fault: %s [%s]
Detail: %s
ADODB.Connection
ADODB.Recordset
D:\PerfectDisk_v12.5\Dev\binaries\Win32\Release\PDEngine.pdb
ntdll.dll
SHFOLDER.dll
WTSAPI32.dll
USERENV.dll
PSAPI.DLL
WSOCK32.dll
FilterConnectCommunicationPort
FLTLIB.DLL
GetProcessHeap
SetThreadExecutionState
SetNamedPipeHandleState
WaitNamedPipeW
PeekNamedPipe
KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCloseKey
RegOpenKeyExW
RegFlushKey
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
ReportEventW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
WS2_32.dll
MSVCP100.dll
MSVCR100.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
POWRPROF.dll
PDEngine.exe
.?AVCOperationBase@@
.?AUIOperation2@@
.?AUIOperation@@
.?AUISupportErrorInfo@@
.?AVCOperationCreator@@
.?AV?$CComObject@VCWiperOperation@@@ATL@@
.?AVCWiperOperation@@
.?AV?$CComCoClass@VCWiperOperation@@$1?CLSID_WiperOperation@@3U_GUID@@B@ATL@@
.?AV?$CComAggObject@VCWiperOperation@@@ATL@@
.?AV?$CComContainedObject@VCWiperOperation@@@ATL@@
.?AVCPipeClient@@
.?AVCMailSlotTransport@@
.?AVIMessageTransport@@
.?AVCTCPIPClient@@
.?AVSmartWebService@@
{3CD0151D-3AAA-41CB-8B05-FC809A228886} = s 'PDEngine'
'PDEngine.EXE'
val AppID = s {3CD0151D-3AAA-41CB-8B05-FC809A228886}
PDEngine.DriveManager.1 = s 'DriveManager Class'
CLSID = s '{5BBEF00D-06EF-47BE-AE47-3662B6BE78DC}'
PDEngine.DriveManager = s 'DriveManager Class'
CurVer = s 'PDEngine.DriveManager.1'
ForceRemove {5BBEF00D-06EF-47BE-AE47-3662B6BE78DC} = s 'DriveManager Class'
ProgID = s 'PDEngine.DriveManager.1'
VersionIndependentProgID = s 'PDEngine.DriveManager'
val AppID = s '{3CD0151D-3AAA-41CB-8B05-FC809A228886}'
'TypeLib' = s '{39633C4D-66C0-46E1-96E5-A1E3686F1FD7}'
PDEngine.Drive.1 = s 'Drive Class'
CLSID = s '{1CE95E9C-67E8-45F5-BEA9-E43E653F4CB2}'
PDEngine.Drive = s 'Drive Class'
CurVer = s 'PDEngine.Drive.1'
ForceRemove {1CE95E9C-67E8-45F5-BEA9-E43E653F4CB2} = s 'Drive Class'
ProgID = s 'PDEngine.Drive.1'
VersionIndependentProgID = s 'PDEngine.Drive'
PDEngine.Analyze.1 = s 'Analyze Class'
CLSID = s '{65F863A6-74A8-4604-83A2-59E013826C1B}'
PDEngine.Analyze = s 'Analyze Class'
CurVer = s 'PDEngine.Analyze.1'
ForceRemove {65F863A6-74A8-4604-83A2-59E013826C1B} = s 'Analyze Class'
ProgID = s 'PDEngine.Analyze.1'
VersionIndependentProgID = s 'PDEngine.Analyze'
PDEngine.SmartPlacement.1 = s 'SmartPlacement Class'
CLSID = s '{FE4CFAFE-910B-49E4-A581-D2B5B335250A}'
PDEngine.SmartPlacement = s 'SmartPlacement Class'
CurVer = s 'PDEngine.SmartPlacement.1'
ForceRemove {FE4CFAFE-910B-49E4-A581-D2B5B335250A} = s 'SmartPlacement Class'
ProgID = s 'PDEngine.SmartPlacement.1'
VersionIndependentProgID = s 'PDEngine.SmartPlacement'
PDEngine.DefragOnly.1 = s 'DefragOnly Class'
CLSID = s '{6A2448B5-6D47-4927-A429-89466114489E}'
PDEngine.DefragOnly = s 'DefragOnly Class'
CurVer = s 'PDEngine.DefragOnly.1'
ForceRemove {6A2448B5-6D47-4927-A429-89466114489E} = s 'DefragOnly Class'
ProgID = s 'PDEngine.DefragOnly.1'
VersionIndependentProgID = s 'PDEngine.DefragOnly'
PDEngine.ConsolidateFreeSpace.1 = s 'ConsolidateFreeSpace Class'
CLSID = s '{14AE005C-338A-4C5F-B9B0-2C7CD2F077EE}'
PDEngine.ConsolidateFreeSpace = s 'ConsolidateFreeSpace Class'
CurVer = s 'PDEngine.ConsolidateFreeSpace.1'
ForceRemove {14AE005C-338A-4C5F-B9B0-2C7CD2F077EE} = s 'ConsolidateFreeSpace Class'
ProgID = s 'PDEngine.ConsolidateFreeSpace.1'
VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpace'
PDEngine.DefragFiles.1 = s 'DefragFiles Class'
CLSID = s '{0E733394-7AE3-40A3-B43A-FEAFC2FF1FF7}'
PDEngine.DefragFiles = s 'DefragFiles Class'
CurVer = s 'PDEngine.DefragFiles.1'
ForceRemove {0E733394-7AE3-40A3-B43A-FEAFC2FF1FF7} = s 'DefragFiles Class'
ProgID = s 'PDEngine.DefragFiles.1'
VersionIndependentProgID = s 'PDEngine.DefragFiles'
PDEngine.PDEngineConfig.1 = s 'PDEngineConfig Class'
CLSID = s '{7C8C9637-5840-4647-8F3B-B08A6D06454A}'
PDEngine.PDEngineConfig = s 'PDEngineConfig Class'
CurVer = s 'PDEngine.PDEngineConfig.1'
ForceRemove {7C8C9637-5840-4647-8F3B-B08A6D06454A} = s 'PDEngineConfig Class'
ProgID = s 'PDEngine.PDEngineConfig.1'
VersionIndependentProgID = s 'PDEngine.PDEngineConfig'
PDEngine.OfflineDefrag.1 = s 'OfflineDefrag Class'
CLSID = s '{CB212A1F-2B9E-4A67-BC26-88A4059AFF16}'
PDEngine.OfflineDefrag = s 'OfflineDefrag Class'
CurVer = s 'PDEngine.OfflineDefrag.1'
ForceRemove {CB212A1F-2B9E-4A67-BC26-88A4059AFF16} = s 'OfflineDefrag Class'
ProgID = s 'PDEngine.OfflineDefrag.1'
VersionIndependentProgID = s 'PDEngine.OfflineDefrag'
PDEngine.PDEngineLicense.1 = s 'PDEngineLicense Class'
CLSID = s '{E5BFC15E-3DC6-4B0A-B577-59F5F7FFD0F1}'
PDEngine.PDEngineLicense = s 'PDEngineLicense Class'
CurVer = s 'PDEngine.PDEngineLicense.1'
ForceRemove {E5BFC15E-3DC6-4B0A-B577-59F5F7FFD0F1} = s 'PDEngineLicense Class'
ProgID = s 'PDEngine.PDEngineLicense.1'
VersionIndependentProgID = s 'PDEngine.PDEngineLicense'
PDEngine.ConsolidateFreeSpaceNoDefrag.1 = s 'ConsolidateFreeSpaceNoDefrag Class'
CLSID = s '{B4FE62FF-AA05-444f-AA6A-719AF3CF41A6}'
PDEngine.ConsolidateFreeSpaceNoDefrag = s 'ConsolidateFreeSpaceNoDefrag Class'
CurVer = s 'PDEngine.ConsolidateFreeSpaceNoDefrag.1'
ForceRemove {B4FE62FF-AA05-444f-AA6A-719AF3CF41A6} = s 'ConsolidateFreeSpaceNoDefrag Class'
ProgID = s 'PDEngine.ConsolidateFreeSpaceNoDefrag.1'
VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpaceNoDefrag'
PDEngine.ConsolidateFreeSpaceArbitraryRegion.1 = s 'ConsolidateFreeSpaceArbitraryRegion Class'
CLSID = s '{45A03850-8EAF-4ffe-B18A-5A17333795A7}'
PDEngine.ConsolidateFreeSpaceArbitraryRegion = s 'ConsolidateFreeSpaceArbitraryRegion Class'
CurVer = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion.1'
ForceRemove {45A03850-8EAF-4ffe-B18A-5A17333795A7} = s 'ConsolidateFreeSpaceArbitraryRegion Class'
ProgID = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion.1'
VersionIndependentProgID = s 'PDEngine.ConsolidateFreeSpaceArbitraryRegion'
PDEngine.CFreeChunksDefrag.1 = s 'CFreeChunksDefrag Class'
CLSID = s '{3FD132FE-8062-4285-81A2-66244463C3DA}'
PDEngine.CFreeChunksDefrag = s 'CFreeChunksDefrag Class'
CurVer = s 'PDEngine.CFreeChunksDefrag.1'
ForceRemove {3FD132FE-8062-4285-81A2-66244463C3DA} = s 'CFreeChunksDefrag Class'
ProgID = s 'PDEngine.CFreeChunksDefrag.1'
VersionIndependentProgID = s 'PDEngine.CFreeChunksDefrag'
PDEngine.CChunkSensativeDefragOnly.1 = s 'CChunkSensativeDefragOnly Class'
CLSID = s '{77499A0B-E5FE-4db5-A490-ADF727549681}'
PDEngine.CChunkSensativeDefragOnly = s 'CChunkSensativeDefragOnly Class'
CurVer = s 'PDEngine.CChunkSensativeDefragOnly.1'
ForceRemove {77499A0B-E5FE-4db5-A490-ADF727549681} = s 'CChunkSensativeDefragOnly Class'
ProgID = s 'PDEngine.CChunkSensativeDefragOnly.1'
VersionIndependentProgID = s 'PDEngine.CChunkSensativeDefragOnly'
PDEngine.SmartDrive.1 = s 'SmartDrive Class'
CLSID = s '{01B47415-0E1E-412d-87F2-CF50AF49856E}'
PDEngine.SmartDrive = s 'SmartDrive Class'
CurVer = s 'PDEngine.SmartDrive.1'
ForceRemove {01B47415-0E1E-412d-87F2-CF50AF49856E} = s 'SmartDrive Class'
ProgID = s 'PDEngine.SmartDrive.1'
VersionIndependentProgID = s 'PDEngine.SmartDrive'
PDEngine.SmartSettings.1 = s 'SmartSettings Class'
CLSID = s '{D8727363-34CE-4E79-8B84-1986D941371E}'
PDEngine.SmartSettings = s 'SmartSettings Class'
CurVer = s 'PDEngine.SmartSettings.1'
ForceRemove {D8727363-34CE-4E79-8B84-1986D941371E} = s 'SmartSettings Class'
ProgID = s 'PDEngine.SmartSettings.1'
VersionIndependentProgID = s 'PDEngine.SmartSettings'
PDEngine.WWSettings.1 = s 'WWSettings Class'
CLSID = s '{E81DE8EC-17C9-4F1D-B3B7-CD9CDED9CD7A}'
PDEngine.WWSettings = s 'WWSettings Class'
CurVer = s 'PDEngine.WWSettings.1'
ForceRemove {E81DE8EC-17C9-4F1D-B3B7-CD9CDED9CD7A} = s 'WWSettings Class'
ProgID = s 'PDEngine.WWSettings.1'
VersionIndependentProgID = s 'PDEngine.WWSettings'
PDEngine.WWGlobalSettings.1 = s 'WWGlobalSettings Class'
CLSID = s '{F01E003F-2784-4178-9209-5128ED010A65}'
PDEngine.WWGlobalSettings = s 'WWGlobalSettings Class'
CurVer = s 'PDEngine.WWGlobalSettings.1'
ForceRemove {F01E003F-2784-4178-9209-5128ED010A65} = s 'WWGlobalSettings Class'
ProgID = s 'PDEngine.WWGlobalSettings.1'
VersionIndependentProgID = s 'PDEngine.WWGlobalSettings'
PDEngine.WiperOperation.1 = s 'WiperOperation Class'
CLSID = s '{62DBE6CE-65DF-4704-921E-52D17B77D391}'
PDEngine.WiperOperation = s 'WiperOperation Class'
CurVer = s 'PDEngine.WiperOperation.1'
ForceRemove {62DBE6CE-65DF-4704-921E-52D17B77D391} = s 'WiperOperation Class'
ProgID = s 'PDEngine.WiperOperation.1'
VersionIndependentProgID = s 'PDEngine.WiperOperation'
PDEngine.GlobalAlertSettings.1 = s 'GlobalAlertSettings Class'
CLSID = s '{30E9EF1B-8E5F-48B4-919C-940FC938443E}'
PDEngine.GlobalAlertSettings = s 'GlobalAlertSettings Class'
CurVer = s 'PDEngine.GlobalAlertSettings.1'
ForceRemove {30E9EF1B-8E5F-48B4-919C-940FC938443E} = s 'GlobalAlertSettings Class'
ProgID = s 'PDEngine.GlobalAlertSettings.1'
VersionIndependentProgID = s 'PDEngine.GlobalAlertSettings'
PDEngine.VolumeAlertSettings.1 = s 'VolumeAlertSettings Class'
CLSID = s '{681FCBAE-D536-4083-9D76-E4D91644B755}'
PDEngine.VolumeAlertSettings = s 'VolumeAlertSettings Class'
CurVer = s 'PDEngine.VolumeAlertSettings.1'
ForceRemove {681FCBAE-D536-4083-9D76-E4D91644B755} = s 'VolumeAlertSettings Class'
ProgID = s 'PDEngine.VolumeAlertSettings.1'
VersionIndependentProgID = s 'PDEngine.VolumeAlertSettings'
stdole2.tlbWWW
8-sEDriveOperationW
0F=Operation_IdleWW
Operation_AnalyzeWWW
COperation_DefragSmartPlacementWW
HOperation_DefragOnly
Operation_ConsolidateFreeSpaceWW
Operation_DefragFilesWWW
Operation_DefragOfflineW
Operation_ConsolidateFreeSpaceNoDefragWW
Operation_ConsolidateFreeSpaceArbitraryRegionWWW
Operation_FreeChunks
Operation_DefragWithChunksWW
Operation_WipeFreeSpaceW,
yOperationWWW
grfLocksSupportedWWW
.UnSubscribeW`
password`
8}CEOperationPriorityWWT
SupportedFeaturesWWW
IssueKBArticleURLWWW
kb_article_urlWW
IssueManufacturerURL
manufacturer_url
?.serialized_log_dataW
keyW
]GetCurrentOperationW
drive_operationW4
ISupportErrorInfoWWW
HInterfaceSupportsErrorInfoWW
IOperation2W
8;qIOperationWW
8[{WiperOperationWW
property Operation
property SupportedFeatures
property IssueKBArticleURL
property IssueManufacturerURLW
method GetCurrentOperation
IOperation2 InterfaceW
IOperation InterfaceWW
WiperOperation ClassWW
Created by MIDL version 7.00.0555 at Thu Oct 04 17:22:47 2012
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="11.0.0.0" processorArchitecture="X86" name="PDEngine" type="win32"></assemblyIdentity><description>PerfectDisk is a disk defragmenter, thus it needs low level access to system</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="sqlceoledb35.raxco" version="1.0.0.0"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
808;8[8}8
2M4
?$?*?<?]?
= >4>:>}>
5 5$5(5,5054585
6 6$6(6,6
= = =8=^=
"0'040}0
? ?$?(?,?0?4?8?<?@?
:$:*:0:@:
9 9$9(9,9094989
4$4,444<4
<$<,<8<\<|<
7 747<7\7
9$9,989\9|9
0(040<0\0
< <(<0<<<`<
=(=4=<=\=
>,>8>@>\>|>
AllocationBitmap.cpp
ClientInterface.cpp
Advapi32.dll
eClusApi.dll
ResUtils.Dll
\\?\Volume
DiskOb.cpp
%s$Mft
.CVarLenArray<T>: Deallocating page pointer array.
DriveManager.cpp
\\?\Volume{
%s\%s
BootExecute
PDBoot.exe
d:\perfectdisk_v12.5\dev\pdengine\CalculateAlertMessage.hpp
Software\Microsoft\Windows\CurrentVersion\Controls Folder
{92EA7FF7-DE29-4E91-A2B1-FD9E58CD485D}
{3AD3ED8F-FD98-4C2E-B5DD-E126F8061CC3}
/#%d)
.pd_wiper
\\.\PhysicalDrive%d
Sense key (bit 3)
Sense key (bit 2)
Sense key (bit 1)
Sense key (bit 0)
%d sectors
at LBA = 0xx = %u
-- -- -- -- -- -- --
-- -- -- == -- == == == -- -- -- -- --
[RESERVED FOR MEDIA CARD PASS THROUGH]
SECURITY SET PASSWORD
SECURITY DISABLE PASSWORD
SMART EXECUTE OFF-LINE IMMEDIATE
SMART ENABLE OPERATIONS
SMART DISABLE OPERATIONS
SET MAX SET PASSWORD
d-d 
%s\drivers\%s.sys
%s\*.nls
Software\Microsoft\Windows\CurrentVersion\OptimalLayout
1MonitoringWWClass.cpp
D:\PerfectDisk_v12.5\Dev\PDFramework\PDFsFilterInterface.hpp
1Unknown error: %d
OperationBase.cpp
{3808876B-C176-4E48-B7AE-04046E6CC752}
{3CD0151D-3AAA-41CB-8B05-FC809A228886}
PDAgentS1.exe
F6C76BD7-43ED-45EC-A273-C4773238908A
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
H\\.\pipe\
\pipe\
NTDLL.DLL
\\.\LCD
SOFTWARE\Classes\CLSID\{CC5C2398-3512-464D-B59D-C9B85541AD50}\LocalServer32
explorer.exe
Wtsapi32.dll
1pdengine_module.cpp
pdengine_module.cpp
PerfectDisk.exe
V\\.\mailslot\
ClientConsolePort
SELECT TemporaryStalledAlerts.AlertsId FROM TemporaryStalledAlerts INNER JOIN Alerts
ON TemporaryStalledAlerts.AlertsId = Alerts.AlertsId
OLEAUT32.DLL
Call to TalkToConsole failed. Returned buffer size is 0. Console name: %s, port %d
Call to TalkToConsole failed. HRESULT=%u. Console name: %s, port %d
d:\perfectdisk_v12.5\dev\pdframework\..\PDAgent\talk_to_console.hpp
_d-d-d ddd d
%s %s %s %s d u %s/d (%s) %s
Call to tcpip(msg_in,msg_out) failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to tcpip(msg_in,msg_out) was successful
GetIpAddressesByNameHRESULT found no IP addresses. Console name=%s
Call to GetIpAddressesByNameHRESULT failed. HRESULT=0x%8.8X (%lu). Console name=%s
Call to CreateMutex failed. Microsoft Error Code=%u
_##_%d
Call to rpc_client.CallServer(byte_buff_in,byte_buff_out) failed. status=%u
CTalkToConsoleViaTCPIP::operator ()
Call to rpc_client.Connect(m_IpAddress,m_Port) failed. status=%u
.midi
.mpeg
.jpeg
.html
.docx
PDLicenseKeyEnable
PDLicenseKey
config.ini
LicenseKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion
{9307000D-38CF-4e9e-AB97-6AC9243AFB9C}
{E972C77D-BABA-4EA9-88D5-5AD6517EF444}
{5F79448F-AD6F-4931-B39D-13B5DFB34108}
SmartAlerting.cpp
SmartDatabaseBase.cpp
ThresholdOperator = %6%,
ThresholdOperator,
KBArticleURL = %6% ,
ManufacturerURL = %7%,
KBArticleURL ,
ManufacturerURL,
MinOperatingTemperature = %7% ,
MaxOperatingTemperature = %8% ,
MinOperatingTemperature ,
MaxOperatingTemperature ,
MinOperatingTemperature ,
MaxOperatingTemperature ,
ThresholdOperator,
SELECT TOP(%5%) SmartErrorLog.Timestamp ,
SmartErrorLog.Data
WHERE SmartErrorLog.Timestamp <= %1%
AND SmartErrorLog.Timestamp >= %2%
AND SmartErrorLog.ModelName = %3%
AND SmartErrorLog.SerialNumber = %4% ;
SELECT top(%6%) SmartHistory.Timestamp ,
SmartHistory.RawValue ,
SmartHistory.NormalizedValue
WHERE SmartHistory.Timestamp <= %1%
AND SmartHistory.Timestamp >= %2%
AND SmartHistory.ModelName = %3%
AND SmartHistory.SerialNumber = %4%
AND SmartHistory.AttributeID = %5% ;
SELECT SmartDriveMap.NameRegex,
SmartDriveMap.FirmwareRegex,
SmartDriveMap.SerialRegex,
SmartDriveIssues.Description,
SmartDriveIssues.LongDescription,
SmartDriveIssues.KBArticleURL,
SmartDriveIssues.ManufacturerURL
INNER JOIN SmartDriveIssues
ON SmartDriveMap.ID = SmartDriveIssues.DriveID
WHERE SmartDriveIssues.DisableSMART <> 0
AND SmartDriveIssues.Language = %1%;
1SmartDatabaseBase.cpp
\\.\PhysicalDrive
.Software\Raxco\PDCore\12.5
WebServiceEnabled
SmartDatabase.cpp
1SmartDatabase.cpp
SmartPollingClass.cpp
1SmartPollingClass.cpp
WebServiceUrl
B45EFD40-2FD3-49EC-9495-87AC9CF11686
6272517F-F036-4EF6-85C2-F9082F248FA4
e6272517F-F036-4EF6-85C2-F9082F248FA4
Windows NT
VssApi.dll
\PDFsFilterPort
2\\.\%s%u
db_manager.cpp
Return code: 0x%8.8X (%lu) (%s/#%d)
ado_implement.cpp
SQL Query:
boot.ini
ntdetect.com
ntbootdd.sys
drivers\diskdump.sys
Moving in %s
Moving out %s
Skipping %s
Skipping file %d, LCN=%d
Skipping file %s, LCN=%d
%s %s VCN=%d Size=%d to LCN %d (LastError=%d).
%s %d VCN=%d Size=%d to LCN %d (LastError=%d).
%s %s VCN=%d Size=%d from LCN=%d to LCN %d (LastError=%d).
%s %d VCN=%d Size=%d from LCN=%d to LCN %d (LastError=%d).
\Hiberfil.sys
%c:%s
Starting boot-time defragmentation pass.
Hit any key to restart immediately. Restarting in %d.
ERROR: Unable to open keyboard. Exiting.
ERROR: Invalid registry key. Exiting.
Could not gain exclusive access to drive %s (%d).
There is a possible driver conflict. (%s)
Unable to verify drive %s due to inconsistencies (%d, %d).
Please run 'chkdsk /r /f %s'.
File system on drive %s not supported.
Could not find the file pagefile.sys on drive %s.
Could not lock drive %s for exclusive access.
Drive %s is marked dirty.
Failed to read boot sector (pSector=0xx, bytes per sector=%d).
Failed to read FAT (FAT offset=%d, bytes per FAT=%d).
User specified PDBootNoKeyboardOK = %d.
Failed to create keyboard event #%d (%d).
User specified PDBiosGT8GBCapable = %d.
User specified PDUseDefragReboot = %d.
Pagefile Id = %d
Pagefile on FAT drive (%s)
Failed to open pagefile (%s) for File ID query (%d)
Hiberfil.sys id = %d
Found hiberfil.sys.
Failed to read state file signature and entries count (%d).
Incorrect state file signature - %X
Failed to read state file entries (%d)
DefragQueryDriverVersion() failed (%d,%d).
Failed to open volume using DefragFS (%d,%d).
Failed to verify volume using DefragFS (%d,%d).
Failed to wait for verify volume using DefragFS (%d,%d).
Failed to open state file (%d,%d).
DefragZeroFile() failed (%d,%d)
GetDiskFreeSpace() failed (%d).
GetVolumeInformation() failed (%d)
Invalid filesystem (%s).
Failed to query allocation bitmap using DefragFS (%d).
Failed to load unmovable files list from the registry (%d).
Failed to query volume state using DefragFS (%d,%d).
Failed to query DefragFS version (%d).
Failed to query NTFS info using DefragFS (%d,%d).
Failed to open volume using CreateFile (%d).
Failed to query FAT volume information (%d).
Check for volume dirty is failed: Failed to open volume online using DefragFS (%d,%d).
Num excluded entries = %d
Failed to query file '%s' id (%d).
Failed to open file "%s" for excluding (%d).
Failed to open create file 1 (%d). File name: %s
NtQueryVolumeInformationFile 1 failed (%d)(%x)
NtQueryVolumeInformationFile 2 failed (%d)(%d).
Failed to open Volume (%d).
Opening Volume Handle for %s
PDBoot.msg
Failed to read message file entries (%d).
\\.\C:
Unable to verify volume (%d,%d).
X:\System Volume Information
12, 5, 0, 312


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:448
    regedit.exe:432
    runonce.exe:436
    grpconv.exe:1316
    MsiExec.exe:1232
    MsiExec.exe:1100

  3. Delete the original Malware file.
  4. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\All Users\Application Data\Raxco\PerfectDisk\12.5\pd_local.sdf (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcm80.dll (9364 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\English.tr (16110 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcr80.dll (11472 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\msxml6.dll (20729 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\defragfs.cat (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceqp35.dll (14043 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\Config.ini (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.adm (1328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVMDefrag.exe (10960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchangePS.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\English.tr (17101 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtCore4.dll (49418 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDExchange.exe (6471 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlcese35.dll (8130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.dll (2819 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\QtGui4.dll (180433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\CommonAppData\Raxco\PerfectDisk\12.5\pd_local.sdf (30618 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDElevationWorker.exe (3236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcp100.dll (7538 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PerfectDisk.exe (149995 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\ssleay32.dll (5370 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\PDFsFilter.sys (1320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\PerfectDisk_x86.msi (44286 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\System32\PDBoot.exe (4584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\libeay32.dll (20429 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDAgent.tlb (236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\qt_ja.qm (3005 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (27304 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.dll (3996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDState.dll (13708 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcp80.dll (10769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuestPS.dll (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Win\System\msvcr100.dll (13109 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.bat (98 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\AutoUpdGui.exe (17623 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceqp35.dll (10442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcp80.dll (8715 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEngine.exe (34064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDCmd.exe (7333 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgent.exe (20320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\sqlceoledb35.raxco.manifest (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PdFsfilter.cat (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\chartdir50.dll (35321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\3kfkwlwq.lm8\8.0.50727.42.policy (712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDUtils.dll (4772 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcr80.dll (12820 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\p6hpravq.lm8\msvcm80.dll (9223 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcr80.dll (9853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlceoledb35.raxco.manifest (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PatchPDLocalDB.sql (1929 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\system32\msvcp80.dll (12030 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\AutoUpdDLL.dll (2104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\sqlcese35.dll (6929 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\r6hpravq.lm8\msvcm80.dll (9530 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDFsPerf.dll (1062 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDAgentS1.exe (830 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\en-us\PerfectDisk12_5.adml (1047 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\DefragFS\DefragFS.inf (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\System32\Drivers\DefragFs.sys (2336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Windows\winsxs\Policies\2kfkwlwq.lm8\8.0.50727.42.cat (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\wainakh.reg (592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsFilter.inf (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDEnginePS.dll (842 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\Common\Raxco\Shared\PDFSFilter\PDFsPerf.ini (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\GPO\PerfectDisk12_5.admx (1024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server\program files\Raxco\PerfectDisk\PDVmGuest.dll (24837 bytes)
    %System%\wbem\Repository\FS\OBJECTS.MAP (12 bytes)
    %System%\wbem\Logs (4 bytes)
    %System%\config\AppEvent.Evt (16 bytes)
    %WinDir%\Installer\{FD310764-B3E5-430F-980E-D6C0016B2660} (4 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7b4.dat (4 bytes)
    %System%\config\SOFTWARE.LOG (78492 bytes)
    %Program Files%\Common Files (4 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
    %System%\wbem\Repository\FS\MAPPING2.MAP (192 bytes)
    C:\$Directory (1292 bytes)
    %System%\Microsoft\Protect\S-1-5-18\User (4 bytes)
    %System%\config\software (78350 bytes)
    %Program Files%\Common Files\Raxco\Shared (4 bytes)
    %WinDir%\MICROSOFT.NET (4 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (47 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv" = "grpconv -o"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
