
Block user agent with rewrite

trying to deny some user agents, not sure if this is correct

MickeyRoush

6:14 am on Jun 2, 2011 (gmt 0)


I saw this in one of my logs (specific dates and times changed).


81.24.211.33 - - [18/Apr/2011:05:36:26 -0400] "GET / HTTP/1.1" 403 - www.example.com "-" "xpymep.exe" "-"

It was denied via IP, but if I wanted to deny it via user agent, would this work?

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^xpymep\.exe [NC]
RewriteRule .* - [F]

Or could xpymep\.exe be replaced with just xpymep or xpymep.exe?


I also saw this on another log:

202.43.74.178 - - [11/Apr/2011:21:01:41 -0400] "GET /index.php HTTP/1.1" 403 - exampl.com "http://example.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "109.230.246.6"
212.33.216.225 - - [11/Apr/2011:21:03:13 -0400] "GET / HTTP/1.1" 403 - example.com "http://example.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "109.230.246.6"

It was denied, but could I deny it via user agent since the logs show many different IPs associated with it? Strange that the user agent shows as an IP. Could this be because of use of a proxy?
Anyways, would this work?

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^109\.230\.246\.6
RewriteRule .* - [F]

Any help would be greatly appreciated.

wilderness

1:11 pm on Jun 2, 2011 (gmt 0)


Mickey,
Basic understanding and use of anchors should be a primary requirement of mod_rewrite.

1) begins with
2) ends with
3) contains
4) exactly as
5) any combination of the above

Regarding your User-Agent inquiry (xpymep):
You may use the entire UA or any portion of the UA. You may also utilize anchors accordingly.

Your third example of xpymep.exe would either not work or generate a syntax error, as you failed to escape the period (see forum charter).

RewriteCond %{HTTP_USER_AGENT} ^109\.230\.246\.6


Needs to change to REMOTE_ADDR, and the ends-with anchor needs to be added.

RewriteCond %{REMOTE_ADDR} ^109\.230\.246\.6$

Honing in on Class D's (in the above example "6") is a bad practice and the visitor will return almost immediately from another range within that same class.
One solution is to either deny the entire Class D, or the entire provider and/or backbone range.

You may also utilize multiple criteria in your denies.
EX:
# UA "contains" and comes from IP
RewriteCond %{HTTP_USER_AGENT} ^xpymep\.exe [NC]
RewriteCond %{REMOTE_ADDR} ^109\.230\.246\.
RewriteRule .* - [F]

You may also include EXCEPTs in your primary data line:
# UA "contains" and does NOT come from IP
RewriteCond %{HTTP_USER_AGENT} ^xpymep\.exe [NC]
RewriteCond %{REMOTE_ADDR} !^109\.230\.246\.
RewriteRule .* - [F]

MickeyRoush

7:41 pm on Jun 2, 2011 (gmt 0)


Thanks wilderness.

I do still have a question about this:
202.43.74.178 - - [11/Apr/2011:21:01:41 -0400] "GET /index.php HTTP/1.1" 403 - example.com "http://example.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "109.230.246.6"
212.33.216.225 - - [11/Apr/2011:21:03:13 -0400] "GET / HTTP/1.1" 403 - example.com "http://example.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "109.230.246.6"

I made the issue in question bold. Would this be considered a User Agent or Remote Addr? Isn't the Remote Addr at the beginning of the line?

wilderness

8:47 pm on Jun 2, 2011 (gmt 0)


The data fields are separated as follows.

202.43.74.178 - -

[11/Apr/2011:21:01:41 -0400]

"GET /index.php

HTTP/1.1"

403 -

example.com

"http://example.com/index.php"

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

"109.230.246.6"

Your closing field (109) is something added by your server or host.
Whether it's a proxy or something else is unknown to me.
In any event it's certainly not the requesting IP (that is 202), which is what you would normally focus on.

I recall seeing an example to do "proxy checks" on "headers", however I've never used it.

Sorry I can't be of more help.

Here's a very OLD example from Apache on the fields in Combined full logs [httpd.apache.org]
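An added example, not from this thread or from Apache: a Python script that splits lines in the log layout discussed above into named fields and then evaluates the thread's RewriteCond patterns against the field they would be tested on, showing that the poster's `^109\.230\.246\.6` can only match when applied to REMOTE_ADDR, since in these lines that address sits in the trailing host-added field, not the user-agent column. The third log line is constructed for the demonstration; mod_rewrite's unanchored, search-style matching and the `!` and `[NC]` modifiers are modelled with Python's `re`.

```python
import re

# Constructed sample lines, laid out like the thread's log format (remote IP, ident, user,
# time, request, status, bytes, vhost, referer, user agent, trailing host-added field).
SAMPLE_LOG = """\
81.24.211.33 - - [18/Apr/2011:05:36:26 -0400] "GET / HTTP/1.1" 403 - www.example.com "-" "xpymep.exe" "-"
202.43.74.178 - - [11/Apr/2011:21:01:41 -0400] "GET /index.php HTTP/1.1" 403 - example.com "http://example.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "109.230.246.6"
109.230.246.6 - - [11/Apr/2011:21:05:00 -0400] "GET / HTTP/1.1" 200 512 example.com "-" "Mozilla/5.0 xpymep.exe" "-"
"""

LINE_RE = re.compile(
    r'^(?P<remote_addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<vhost>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<user_agent>[^"]*)" "(?P<extra>[^"]*)"$'
)

def parse_log(text):
    """Split each line into named fields; lines that do not fit the layout are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(line) for line in text.splitlines()) if m]

def cond_matches(row, field, pattern, nocase=False):
    """Evaluate one RewriteCond: a leading '!' negates, nocase mirrors the [NC] flag.
    mod_rewrite matches like re.search: unanchored unless ^ or $ is written in the pattern."""
    negate = pattern.startswith("!")
    pattern = pattern[1:] if negate else pattern
    hit = re.search(pattern, row[field], re.IGNORECASE if nocase else 0) is not None
    return hit != negate

def blocked_by(rules, rows):
    """For each rule (a chain of conditions that must all hold before 'RewriteRule .* - [F]'),
    return the remote addresses of the sample lines it would have denied."""
    return {name: [r["remote_addr"] for r in rows
                   if all(cond_matches(r, *c) for c in conds)]
            for name, conds in rules.items()}

# Conditions from the thread, as (field, pattern, nocase) tuples.
RULES = {
    "ua_begins_with":     [("user_agent", r"^xpymep\.exe", True)],
    "ua_contains":        [("user_agent", r"xpymep\.exe", True)],
    "ip_in_ua_field":     [("user_agent", r"^109\.230\.246\.6", False)],  # the poster's mix-up
    "ip_in_remote_addr":  [("remote_addr", r"^109\.230\.246\.6$", False)],
    "ua_but_not_from_ip": [("user_agent", r"^xpymep\.exe", True),
                           ("remote_addr", r"!^109\.230\.246\.", False)],
}

if __name__ == "__main__":
    for name, addrs in blocked_by(RULES, parse_log(SAMPLE_LOG)).items():
        print(f"{name:20s} -> {addrs}")
```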