The following instructions have been created to help you to get rid of "ProGroup.ProRat" manually.
Use this guide at your own risk; anti-malware software is usually better suited to removing malware, since it can look deeper.

Threat Details:

  • trojan

ProGroup.ProRat provides full access to the resources of the remote computer.

Supposed Functionality:
To make process and connect to a PC with ProRat v2.0 you must create a server with your own properties by using the client. Send the server to the PC you want to connect and be sure that he opened the server. IP address, port number and server password will be sent to the notification address you set when creating the server. Write all of the information we sent you to the client and then click on the "Connect" button. You will be connected to the server. If you want to log off from the server, click on the "Disconnect" button.

ProRat is made for remoting your own computers from other computers.

Privacy Statement:
These secrecy principles were made by PRO Group to establish their responsibility. The substances listed below are for the rules of gathering knowledge and sharing information given when you register a program or web site.
Your IP Address will be used to fix up problems with our compere and to let us take the control of our website, also your IP address will be used to gather information about your demography while shopping.
We make use of your cookies to pursue your shopping basket and to show you different advertisements every time you visit the site and also we use them to make you login to our web site without repeating your password every time as your choice.
Users must give their communication and statistic information correctly (name, address, email address, age, language) so we can send news and materials to users, also we need this information to get in contact with users in need. Users can delete and change their information from our web site whenever they want to. The information gathered will be used to identify the user when in need.
We may possibly have chat rooms, forms, message boards and news groups for users in our web site. Do not forget that the information there will be seen by everyone.
Our Company has security measures in our web site against losing data, trying to change information without our permission. All users' communication information will be protected.
We attach importance to secrecy for all of our customers' security and personal information. All customers' special information is kept in a secret place where no unauthorized people can reach them. All users have a chance to change their personal information on our web site.
You might see links to other sites in our web site and PRO Group will not take any responsibility against the secrecy principles owned on these sites.

Removal Instructions:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$WINDIR>\ktd32.atm".
  • The file at "<$WINDIR>\services.exe".
  • The file at "<$WINDIR>\system\sservice.exe".
  • The file at "<$SYSDIR>\fservice.exe".
  • The file at "<$SYSDIR>\reginv.dll".
  • The file at "<$SYSDIR>\winkey.dll".
Make sure you set your file manager to display hidden and system files. If ProGroup.ProRat uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.


You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry value "sr" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
  • Delete the registry value "sr" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
  • Delete the registry value "sr" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
  • Delete the registry value "LanguageId" at "HKEY_CURRENT_USER\Software\P®O Group\ProMessenger\".
  • Delete the registry key "Windows NT Script Host" at "HKEY_CURRENT_USER\Software\Microsoft\".
  • Delete the registry key "WinSettings" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\".
  • Delete the registry value "DirectX For Microsoft® Windows" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\".
If ProGroup.ProRat uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.
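
A read-only check for the files and registry entries listed above, as an added PowerShell example (not part of the original guide or of Spybot-S&D). It assumes `<$WINDIR>` maps to `%WINDIR%` and `<$SYSDIR>` to the System32 directory, and it only reports what it finds, recording a hash and signature status because a file name alone is not enough to identify a file.

```powershell
# Added example: read-only audit of the artifacts listed in this guide. Nothing is deleted.
$winDir = $env:WINDIR                              # assumed meaning of <$WINDIR>
$sysDir = [Environment]::GetFolderPath('System')   # assumed meaning of <$SYSDIR>
$r = [char]0x00AE   # registered-trademark sign, built in code so script encoding cannot mangle it

$files = @(
    "$winDir\ktd32.atm", "$winDir\services.exe", "$winDir\system\sservice.exe",
    "$sysDir\fservice.exe", "$sysDir\reginv.dll", "$sysDir\winkey.dll"
)
$values = @(
    @{ Key = 'HKLM:\SYSTEM\ControlSet001\Services'; Name = 'sr' },
    @{ Key = 'HKLM:\SYSTEM\ControlSet002\Services'; Name = 'sr' },
    @{ Key = 'HKLM:\SYSTEM\ControlSet003\Services'; Name = 'sr' },
    @{ Key = "HKCU:\Software\P${r}O Group\ProMessenger"; Name = 'LanguageId' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
       Name = "DirectX For Microsoft$r Windows" }
)
$keys = @(
    'HKCU:\Software\Microsoft\Windows NT Script Host',
    'HKCU:\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings'
)

$report = @(
    foreach ($path in $files) {
        # -Force makes hidden and system files visible, as the guide requires.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Kind     = 'File'
                Location = $item.FullName
                # Hash and signature status help tell a dropped file from a same-named legitimate one.
                Detail   = '{0} sig={1}' -f (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash, $sig.Status
            }
        }
    }
    foreach ($v in $values) {
        $p = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($p) { [pscustomobject]@{ Kind = 'RegValue'; Location = "$($v.Key)\$($v.Name)"; Detail = $p.($v.Name) } }
    }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { [pscustomobject]@{ Kind = 'RegKey'; Location = $k; Detail = '' } }
    }
)
if ($report.Count) { $report | Format-List } else { 'None of the listed artifacts were found.' }
```

On 64-bit Windows, artifacts written by a 32-bit process can land under SysWOW64 and WOW6432Node instead, which this check does not cover.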

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.