A virus that can't be detected!!

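Program name: NewTemp.dll (there is no program, only a single .DLL file)

I don't know yet exactly how I got infected, but it may have been a network infection!!
Because my antivirus reported that a LAN virus was infecting programs in my shared folder, and I found this afterwards.
This is the alert the antivirus shows every time I boot: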

2007-6-12 23:43:13 1092 SERVER\Administrator C:\WINNT\~Temp903.tmp C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewTemp.dll 通用最大保护:禁止在 Program Files 文件夹中创建新的可执行文件 
2007-6-12 23:43:14 1092 SERVER\Administrator C:\WINNT\~Temp1067.tmp C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewTemp.dll 通用最大保护:禁止在 Program Files 文件夹中创建新的可执行文件 
2007-6-12 23:43:14 1092 SERVER\Administrator C:\WINNT\~Temp586.tmp C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewTemp.dll 通用最大保护:禁止在 Program Files 文件夹中创建新的可执行文件 
2007-6-12 23:43:15 1092 SERVER\Administrator C:\WINNT\~Temp283.tmp C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewTemp.dll 通用最大保护:禁止在 Program Files 文件夹中创建新的可执行文件 

----------------------------------------------------------------------
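When I go to the C:\Program Files\Common Files\Microsoft Shared\MSINFO\ directory, I can't find the file NewTemp.dll (frustrating)

But there is a NewTemp.BAK

After searching the registry for NewTemp.dll, there were 2-3 entries, which I have already deleted. I haven't rebooted yet, so I don't know whether it will work.
Oh, and by the way, I can't find any related program in the process list. I can't find the file NewTemp.dll among the modules either!! (frustrating)

I can't find any related program among the startup items either!!

One more thing to add: I'm using WIN2000 SERVER.
There is no WINDOWS folder under C:\; it is WINNT instead.

I remember that when I discovered this, there was actually a WINDOWS folder under C:\. Unfortunately, I deleted it right away without looking at its contents.

After rebooting, it has not appeared again.

----------------------------------
Adding more: it seems that whenever I run the BT program, the virus starts.....

I have already deleted the original BT client and downloaded and installed it again, but it still doesn't work....

The antivirus can't detect it either!!
Last edited 2007-06-13 05:25:55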

100 - 未知 - Process: FrameworkService.exe [Framework Service] - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
100 - 未知 - Process: Mcshield.exe [On-Access Scanner service] - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
100 - 未知 - Process: VsTskMgr.exe [Task Manager] - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
100 - 未知 - Process: naPrdMgr.exe [NAI Product Manager] - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
100 - 未知 - Process: shstat.exe [VirusScan tray icon] - C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
100 - 未知 - Process: UdaterUI.exe [Common User Interface] - C:\Program Files\McAfee\Common Framework\UdaterUI.exe
100 - 未知 - Process: movieservice.exe [] - E:\8mov\movieservice.exe
100 - 未知 - Process: Antiarp.exe [] - E:\TOOL\ARP保护软件\Antiarp.exe
100 - 未知 - Process: Mctray.exe [McAfee Security Agent Taskbar Extension] - C:\Program Files\McAfee\Common Framework\McTray.exe
100 - 未知 - Process: MovieNoExit.exe [] - E:\8mov\MovieNoExit.exe
100 - 未知 - Process: QQ.exe [QQ] - D:\netgame\Program Files\qq\QQ.exe
100 - 未知 - Process: BitComet.exe [BitComet - a BitTorrent Client] - E:\BitComet\BitComet.exe
O2 - 未知 - BHO: (ThunderAtOnce Class) - [迅雷浏览器高级特性支持模块] - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - 未知 - BHO: (Thunder Browser Helper) - [XunLeiBHO] - {39F7E361-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - 未知 - HKLM\..\Run: [H8MovAutoRun] [] e:\8mov\movieservice.exe
O4 - 未知 - Startup folder: [ARP.BAT] [] C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\ARP.BAT
O4 - 未知 - Startup folder: [快捷方式 Antiarp.exe.lnk] [] C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\快捷方式 Antiarp.exe.lnk
O4 - 未知 - Startup folder: [快捷方式 ARP.txt.lnk] [] C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\快捷方式 ARP.txt.lnk
O8 - 未知 - Extra context menu item: &使用BitComet下载 - res://E:\BitComet\BitComet.exe/AddLink.htm
O8 - 未知 - Extra context menu item: &使用BitComet下载全部链接 - res://E:\BitComet\BitComet.exe/AddAllLink.htm
O8 - 未知 - Extra context menu item: &使用BitComet下载本页视频 - res://E:\BitComet\BitComet.exe/AddVideo.htm
O8 - 未知 - Extra context menu item: 上传到QQ网络硬盘 - D:\netgame\Program Files\qq\AddToNetDisk.htm
O8 - 未知 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - 未知 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - 未知 - Extra context menu item: 添加到QQ自定义面板 - D:\netgame\Program Files\qq\AddPanel.htm
O8 - 未知 - Extra context menu item: 添加到QQ表情 - D:\netgame\Program Files\qq\AddEmotion.htm
O8 - 未知 - Extra context menu item: 用QQ彩信发送该图片 - D:\netgame\Program Files\qq\SendMMS.htm
O9 - 未知 - Extra button: 启动迅雷5(HKLM) - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - 未知 - Extra button: 访问瑞星网站(HKLM) - http://www.rising.com.cn/?u=RSTB
O9 - 未知 - Extra button: 访问卡卡社区(HKLM) - http://www.ikaka.com/?u=RSTB
O23 - 未知 - Service: McShield [为计算机系统提供 McAfee 按访问扫描保护。] - "C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe" - (error)
O23 - 未知 - Service: McTaskManager [允许计划 McAfee 扫描和更新活动。] - "C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe" - (error)
O23 - 未知 - Service: tlWindows3 [Windows SystemDown] - C:\WINNT\system32\tlservet3.exe - (not running)
O23 - 未知 - Service: TrkSvr [保存文件在域中卷之间移动的信息。] - C:\WINNT\system32\services.exe - (not running)

=======================================

100 - 安全 - Process: smss.exe [该进程为会话管理子系统用以初始化系统变量,ms-dos驱动名称类似lpt1以及com,调用win32壳子系统和运行在windows登陆过程。] - C:\WINNT\System32\smss.exe
100 - 安全 - Process: csrss.exe [客户端服务子系统,用以控制windows图形相关子系统。] - C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesr
100 - 安全 - Process: WINLOGON.EXE [windows nt用户登陆程序。] - C:\WINNT\system32\winlogon.exe
100 - 安全 - Process: services.exe [用于管理windows服务系统进程。] - C:\WINNT\system32\services.exe
100 - 安全 - Process: LSASS.EXE [本地安全权限服务控制windows安全机制。] - C:\WINNT\system32\lsass.exe
100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - C:\WINNT\system32\svchost -k rpcss
100 - 安全 - Process: msdtc.exe [microsoft distributed transaction coordinator控制多个服务器的传输,被安装在microsoft personal web server和microsoft sql server。] - C:\WINNT\system32\msdtc.exe
100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - C:\WINNT\system32\svchost.exe -k netsvcs
100 - 安全 - Process: llssrv.exe [windows自带的许可证日志记录服务。] - C:\WINNT\System32\llssrv.exe
100 - 安全 - Process: nvsvc32.exe [nvidia driver helper service在nvida显卡驱动中被安装。] - C:\WINNT\system32\nvsvc32.exe
100 - 安全 - Process: mstask.exe [windows计划任务用于设定继承在什么时间或者什么日期备份或者运行。] - C:\WINNT\system32\MSTask.exe
100 - 安全 - Process: winmgmt.exe [windows management service透过windows management instrumentation data (wmi)技术处理来自应用客户端的请求。] - C:\WINNT\System32\WBEM\WinMgmt.exe
100 - 安全 - Process: dfssvc.exe [管理分布于局域网或广域网的逻辑卷的程序。] - C:\WINNT\system32\Dfssvc.exe
100 - 安全 - Process: explorer.exe [windows program manager或者windows explorer用于控制windows图形shell,包括开始菜单、任务栏,桌面和文件管理。] - C:\WINNT\Explorer.EXE
100 - 安全 - Process: runiep.exe [卡卡上网安全助手IE防漏墙相关程序。] - C:\Program Files\Rising\AntiSpyware\runiep.exe
100 - 安全 - Process: 360tray.exe [360安全卫士实时保护模块] - E:\360safe\safemon\360Tray.exe
100 - 安全 - Process: svchost.exe [service host process是一个标准的动态连接库主机处理服务。] - C:\WINNT\System32\svchost.exe -k tapisrv
100 - 安全 - Process: internat.exe [输入控制图标用于更改类似国家设置、键盘类型和日期格式。] - C:\WINNT\system32\internat.exe
100 - 安全 - Process: conime.exe [console ime ime输入法控制台软件。] - C:\WINNT\system32\conime.exe
100 - 安全 - Process: inetinfo.exe [microsoft internet infomation services (iis)的一部分,用于debug调试除错。] - C:\WINNT\system32\inetsrv\inetinfo.exe
100 - 安全 - Process: taskmgr.exe [windows自带的任务管理器程序,用于察看系统中的进程信息。] - C:\WINNT\system32\taskmgr.exe
100 - 安全 - Process: IEXPLORE.EXE [microsoft internet explorer浏览器用于浏览网页。] - C:\Program Files\Internet Explorer\iexplore.exe
100 - 安全 - Process: notepad.exe [notepad字符编辑器用于打开文档。在windows中附带。] - C:\WINNT\system32\NOTEPAD.EXE C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.tx
100 - 安全 - Process: 360Safe.exe [360安全卫士] - E:\360safe\360safe.exe
R1 - 安全 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\system32\blank.htm
R1 - 安全 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\system32\blank.htm
O2 - 安全 - BHO: (BitComet Helper) - [下载软件BitComet的相关程序。] - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\BitComet\tools\BitCometBHO_1.1.5.19.dll
O3 - 安全 - Toolbar: (@msdxmLC.dll,-1@2052,电台(&R)) - [是Windows Media Player播放器ActiveX控制相关文件。] - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - 安全 - Toolbar: (卡卡上网安全助手) - [卡卡安全助手工具条软件相关程序。] - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINNT\system32\kakatool.dll
O4 - 安全 - HKLM\..\Run: [NvCplDaemon] [是NVIDIA显示卡相关动态链接库文件。] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - 安全 - HKLM\..\Run: [nwiz] [是NVidia的Nview特性相关程序。该程序用于用户对其特性进行配置,将桌面扩展到多台显示器上。 ] nwiz.exe /install
O4 - 安全 - HKLM\..\Run: [NvMediaCenter] [是NVidia显示卡相关文件。] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - 安全 - HKLM\..\Run: [Cmaudio] [vxd驱动程序需要] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - 安全 - HKLM\..\Run: [ShStatEXE] [一款杀毒软件。] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - 安全 - HKLM\..\Run: [McAfeeUpdaterUI] [mcafee软件升级程序。] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - 安全 - HKLM\..\Run: [runeip] [卡卡上网安全助手相关程序。] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - 安全 - HKLM\..\Run: [360Safetray] [360safe实时保护功能模块。] E:\360safe\safemon\360Tray.exe /start
O4 - 安全 - HKCU\..\Run: [Internat.exe] [输入法在任务栏里的图标] internat.exe
O9 - 安全 - Extra button: 电台(HKLM) - C:\WINNT\web\related.htm
O16 - 安全 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Flash播放器) - http://fpdownload.macromedia.com ... s/flash/swflash.cab
O23 - 安全 - Service: Fax [微软Microsoft传真服务相关程序,该服务允许用户创建和发送传真到微软Office组件中。] - C:\WINNT\system32\faxsvc.exe - (not running)
O23 - 安全 - Service: McAfeeFramework [是Network Associates公司的E-policy反病毒套装的一部分。] - "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart - (error)
O23 - 安全 - Service: NtFrs [在多个服务器间维护文件目录内容的文件同步。] - C:\WINNT\system32\ntfrs.exe - (not running)
O23 - 安全 - Service: NVSvc [是NVIDIA显示卡相关程序。] - C:\WINNT\system32\nvsvc32.exe - (running)


=======================================

O31 - 未知 - SEApproved: {42071714-76d4-11d1-8b24-00a0c9068ff3} - deskpan.dll -  -  -  - 0 -
O31 - 未知 - SEApproved: 无效的CLSID:Shell extensions for file compression -  -  -  -  - 0 -
O31 - 未知 - SEApproved: 无效的CLSID:加密上下文菜单 -  -  -  -  - 0 -
O31 - 未知 - SEApproved: {88895560-9AA2-1069-930E-00AA0030EBC8} - hticons.dll -  -  -  - 0 -
O31 - 未知 - SEApproved: {B41DB860-8EE4-11D2-9906-E49FADC173CA} - C:\Program Files\WinRAR\rarext.dll -  -  -  - 129024 - de449c94c4c9e3db84e32029f20dd989
O31 - 未知 - SEApproved: {1CDB2949-8F65-4355-8456-263E7C208A5D} - C:\WINNT\system32\nvshell.dll - NVIDIA Corporation - NVIDIA Desktop Explorer, Version 66.93  - 6.14.10.6693 - 462848 - 02394ea57fa965fc300786c2b5f7489f
O31 - 未知 - SEApproved: {1E9B04FB-F9E5-4718-997B-B8DA88302A47} - C:\WINNT\system32\nvshell.dll - NVIDIA Corporation - NVIDIA Desktop Explorer, Version 66.93  - 6.14.10.6693 - 462848 - 02394ea57fa965fc300786c2b5f7489f
O31 - 未知 - SEApproved: {1E9B04FB-F9E5-4718-997B-B8DA88302A48} - C:\WINNT\system32\nvshell.dll - NVIDIA Corporation - NVIDIA Desktop Explorer, Version 66.93  - 6.14.10.6693 - 462848 - 02394ea57fa965fc300786c2b5f7489f
O31 - 未知 - Directory Menu: {B41DB860-8EE4-11D2-9906-E49FADC173CA} - C:\Program Files\WinRAR\rarext.dll -  -  -  - 129024 - de449c94c4c9e3db84e32029f20dd989
O31 - 未知 - BootExecute: fsInit -  -  -  - 0 -
O31 - 未知 - LSA: Notification Packages - ASSFM.dll -  -  -  - 0 -
O31 - 未知 - LSA: Notification Packages - DCSVC.dll -  -  -  - 0 -
O31 - 未知 - LSA: Notification Packages - cecli.dll -  -  -  - 0 -
O31 - 未知 - LSA: Security Packages - sv1_0.dll -  -  -  - 0 -
O31 - 未知 - LSA: Security Packages - channel.dll -  -  -  - 0 -

=======================================

O40 - Explorer.EXE - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\AntiSpyware\ieprot.dll - IE Protector - 369c1d78953b00cf8306e7028654092d
O40 - Explorer.EXE - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\JrMac.dll - McAfee Security Agent Taskbar Extension Library - c8ff7b6c7ed409ce91f8b495e1840ae5
O40 - Explorer.EXE - NVIDIA Corporation - C:\WINNT\system32\nvshell.dll - NVIDIA Desktop Explorer, Version 66.93  - 02394ea57fa965fc300786c2b5f7489f

=======================================

O41 - ADM9X - ADMtek AN983/AN985/ADM951X NDIS5 Driver - C:\WINNT\system32\drivers\ADM9X.sys - (running) - ADMtek AN983/AN985/ADM951X NDIS5 Driver - ADMtek Incorporated. - 76f2471c56abbcccc4eaffda56e2e4e9
O41 - cmuda - C-Media Audio WDM Driver - C:\WINNT\system32\drivers\cmuda.sys - (running) - C-Media Audio WDM Driver - C-Media Inc - 9776539378fd13c76c8dc982ed8608e3
O41 - npkcrypt - nProtect KeyCrypt Driver - D:\netgame\Program Files\qq\npkcrypt.sys - (running) - nProtect KeyCrypt Driver - INCA Internet Co., Ltd. - 8bcb281a2540e7aff0cd00f9878fe21f
O41 - QKeyService - KeyCrypt Device Driver - C:\WINNT\system32\KeyCrypt.sys - (running) - KeyCrypt Device Driver - Tencent Technology (Shenzhen) Company Limited - 184c25ef0595c06c8a3f3c2fd584d891
O41 - RsAntiSpyware - RsBoot - C:\WINNT\system32\drivers\RsBoot.sys - (running) - RsBoot - Beijing Rising - ee9f8ad9e3ab3ef3a3c8437388aa5e65
O41 - dump_wmimmc - dump_wmimmc - C:\WINNT\system32\drivers\dump_wmimmc.sys - (not running) -  -  -
O41 - EagleNT - EagleNT - C:\WINNT\system32\drivers\EagleNT.sys - (not running) -  -  -
O41 - NPPTNT2 - nProtect NPSC Kernel Mode Driver for NT - C:\WINNT\system32\npptNT2.sys - (not running) - nProtect NPSC Kernel Mode Driver for NT - INCA Internet Co., Ltd. - 9131fe60adfab595c8da53ad6a06aa31
O41 - TesSafe - TesSafe - C:\WINNT\system32\TesSafe.sys - (not running) -  -  - 4a70c520709cf3efc131ee8664c27aac

=======================================
360Safe.exe=3.5.0.1001
AntiAdwa.dll=3.5.0.1001
AntiEng.dll=3.5.0.1001
AntiActi.dll=2.0.0.3000
CleanHis.dll=3.0.2.1000
live.dll=1.0.1.1016

=======================================

This is the antivirus software's log
===========================================

2007-6-13    1:09:26                                               =    5100.0194
2007-6-13    1:09:26                                               =    5047.0000
2007-6-13    1:09:26                                               =   
2007-6-13    1:09:26                                               =   
2007-6-13    1:09:53    1059    SERVER\Administrator    System:Remote       
2007-6-13    1:12:48                                               =    5100.0194
2007-6-13    1:12:48                                               =    5051.0000
2007-6-13    1:12:48                                               =   
2007-6-13    1:12:48                                               =   
2007-6-13    1:14:18    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    1:14:18    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    1:14:18    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    c:\program files\common files\microsoft shared\msinfo\newtemp.bak    PWS-QQPass ()
2007-6-13    1:14:18    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\NEWTEMP.BAK    PWS-QQPass ()
2007-6-13    1:14:18    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\Program Files\Common Files\Microsoft Shared\MSInfo\NewTemp.bak    PWS-QQPass ()
2007-6-13    1:14:54    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    1:14:54    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    1:14:54    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    c:\winnt\~temp1081.tmp    PWS-QQPass ()
2007-6-13    1:14:54    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\WINNT\~TEMP1081.TMP    PWS-QQPass ()
2007-6-13    1:14:54    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\WINNT\~Temp1081.tmp    PWS-QQPass ()
2007-6-13    1:15:26    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    1:15:26    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    1:15:26    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    c:\winnt\~temp307.tmp    PWS-QQPass ()
2007-6-13    1:15:26    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\WINNT\~TEMP307.TMP    PWS-QQPass ()
2007-6-13    1:15:26    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\WINNT\~Temp307.tmp    PWS-QQPass ()
2007-6-13    1:15:48    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    1:15:48    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    1:15:48    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    c:\winnt\~temp722.tmp    PWS-QQPass ()
2007-6-13    1:15:48    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\WINNT\~TEMP722.TMP    PWS-QQPass ()
2007-6-13    1:15:48    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\WINNT\~Temp722.tmp    PWS-QQPass ()
2007-6-13    1:16:52    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    1:16:52    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    1:16:52    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    c:\winnt\~temp356.tmp    PWS-QQPass ()
2007-6-13    1:16:52    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\WINNT\~TEMP356.TMP    PWS-QQPass ()
2007-6-13    1:16:52    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\WINNT\~Temp356.tmp    PWS-QQPass ()
2007-6-13    1:17:03    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    1:17:03    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    1:17:03    1025    SERVER\Administrator    C:\WINNT\Explorer.EXE    c:\winnt\~temp729.tmp    PWS-QQPass ()
2007-6-13    1:17:03    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\WINNT\~TEMP729.TMP    PWS-QQPass ()
2007-6-13    1:17:03    1027    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\WINNT\~Temp729.tmp    PWS-QQPass ()
2007-6-13    1:29:50    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8V8N4XED\RsEngine_rp[1].zip1\RSENGINE.RP   
2007-6-13    1:29:50    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\PROGRAM FILES\RISING\RAV\DownLoad\RsEngine\19_22_42\RsEngine_rp.zip1.rs\RSENGINE.RP   
2007-6-13    1:30:40    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\PROGRAM FILES\RISING\RAV\DownLoad\RsEngine\19.20.42\RsEngine_rp.zip1\RSENGINE.RP   
2007-6-13    1:30:40    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\PROGRAM FILES\RISING\RAV\DownLoad\RsEngine\19_22_42\RsEngine_rp.zip1\RSENGINE.RP   
2007-6-13    1:32:47    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8V8N4XED\RSVPATCH_rp[1].zip1\RSVPATCH.RP   
2007-6-13    1:32:47    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\PROGRAM FILES\RISING\RAV\DownLoad\RSVPATCH\19_23\RSVPATCH_rp.zip1.rs\RSVPATCH.RP   
2007-6-13    1:33:36    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8V8N4XED\RSVPATCH_rp[1].zip1\RSVPATCH.RP   
2007-6-13    1:33:36    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\PROGRAM FILES\RISING\RAV\DownLoad\RSVPATCH\19_24\RSVPATCH_rp.zip1.rs\RSVPATCH.RP   
2007-6-13    1:36:42    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8V8N4XED\RSVPATCH_rp[1].zip1\RSVPATCH.RP   
2007-6-13    1:36:42    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\PROGRAM FILES\RISING\RAV\DownLoad\RSVPATCH\19_27\RSVPATCH_rp.zip1.rs\RSVPATCH.RP   
2007-6-13    1:37:25    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\PROGRAM FILES\RISING\RAV\DownLoad\RSVPATCH\19_23\RSVPATCH_rp.zip1\RSVPATCH.RP   
2007-6-13    1:37:32    1051    SERVER\Administrator    C:\Program Files\Rising\Rav\CopyRun\RavCopy.exe    C:\PROGRAM FILES\RISING\RAV\DownLoad\RSVPATCH\19_24\RSVPATCH_rp.zip1\RSVPATCH.RP   
2007-6-13    1:40:06    1059    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    C:\boot\ghos\del_gho   
2007-6-13    1:40:06    1027    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    C:\BOOT\GHOS\DEL_GHO    PWS-Mmorpg.gen ()
2007-6-13    1:40:07    1027    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    C:\boot\ghos\del_gho    PWS-Mmorpg.gen ()
2007-6-13    1:41:13    1059    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8V8N4XED\down[1].exe   
2007-6-13    1:41:13    1025    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    1:41:13    1025    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    1:41:44    1025    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\8v8n4xed\down[1].exe    PWS-QQPass ()
2007-6-13    1:42:24                                               =    5100.0194
2007-6-13    1:42:24                                               =    5051.0000
2007-6-13    1:42:24                                               =   
2007-6-13    1:42:24                                               =   
2007-6-13    1:43:00    1059    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8V8N4XED\down[1].exe   
2007-6-13    1:43:30    1025    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    1:43:30    1025    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    1:43:30    1025    SERVER\Administrator    C:\Program Files\Rising\Rav\RAV.EXE    c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\8v8n4xed\down[1].exe    PWS-QQPass ()

2007-6-13    1:44:15                                               =    5100.0194
2007-6-13    1:44:15                                               =    5051.0000
2007-6-13    1:44:15                                               =
2007-6-13    1:44:15                                               =
2007-6-13    1:45:05    1059    SERVER\Administrator    C:\WINNT\Explorer.EXE    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8V8N4XED\down[1].exe
2007-6-13    1:46:27                                               =    5100.0194
2007-6-13    1:46:27                                               =    5051.0000
2007-6-13    1:46:27                                               =
2007-6-13    1:46:27                                               =
2007-6-13    1:47:07    1059    SERVER\Administrator    C:\PROGRAM FILES\RISING\RAV\Ravmond.exe    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8V8N4XED\down[1].exe
2007-6-13    1:47:38    1025    SERVER\Administrator    C:\PROGRAM FILES\RISING\RAV\Ravmond.exe    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    1:47:38    1025    SERVER\Administrator    C:\PROGRAM FILES\RISING\RAV\Ravmond.exe    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    1:47:38    1025    SERVER\Administrator    C:\PROGRAM FILES\RISING\RAV\Ravmond.exe    c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\8v8n4xed\down[1].exe    PWS-QQPass ()
2007-6-13    1:48:33                                               =    5100.0194
2007-6-13    1:48:33                                               =    5051.0000
2007-6-13    1:48:33                                               =
2007-6-13    1:48:33                                               =
2007-6-13    1:49:52    1059    SERVER\Administrator    C:\PROGRAM FILES\RISING\RAV\Ravmond.exe    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8V8N4XED\down[1].exe
2007-6-13    1:49:57    1025    SERVER\Administrator    C:\PROGRAM FILES\RISING\RAV\Ravmond.exe    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    1:49:57    1025    SERVER\Administrator    C:\PROGRAM FILES\RISING\RAV\Ravmond.exe    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    1:49:57    1025    SERVER\Administrator    C:\PROGRAM FILES\RISING\RAV\Ravmond.exe    c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\8v8n4xed\down[1].exe    PWS-QQPass ()
2007-6-13    1:49:57    1027    SERVER\Administrator    C:\PROGRAM FILES\RISING\RAV\Ravmond.exe    C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8V8N4XED\DOWN[1].EXE    PWS-QQPass ()
2007-6-13    1:49:57    1027    SERVER\Administrator    C:\PROGRAM FILES\RISING\RAV\Ravmond.exe    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8V8N4XED\down[1].exe    PWS-QQPass ()

2007-6-13    1:53:06
2007-6-13    1:53:06    681
2007-6-13    1:53:06    7
2007-6-13    1:53:06    5
2007-6-13    1:53:06    2
2007-6-13    4:51:56                                               =    5100.0194
2007-6-13    4:51:56                                               =    5051.0000
2007-6-13    4:51:56                                               =
2007-6-13    4:51:56                                               =
2007-6-13    4:52:21    1059    NT AUTHORITY\SYSTEM    System:Remote
2007-6-13    4:56:20    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    4:56:20    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    4:56:21    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    c:\winnt\~temp1007.tmp    PWS-QQPass ()
2007-6-13    4:56:21    1027    SERVER\Administrator    e:\BitComet\BitComet.exe    C:\WINNT\~TEMP1007.TMP    PWS-QQPass ()
2007-6-13    4:56:21    1027    SERVER\Administrator    e:\BitComet\BitComet.exe    C:\WINNT\~Temp1007.tmp    PWS-QQPass ()
2007-6-13    4:56:23    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    4:56:23    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    4:56:23    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    c:\winnt\~temp1016.tmp    PWS-QQPass ()
2007-6-13    4:56:23    1027    SERVER\Administrator    e:\BitComet\BitComet.exe    C:\WINNT\~TEMP1016.TMP    PWS-QQPass ()
2007-6-13    4:56:23    1027    SERVER\Administrator    e:\BitComet\BitComet.exe    C:\WINNT\~Temp1016.tmp    PWS-QQPass ()
2007-6-13    4:56:26    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    4:56:26    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    4:56:26    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    c:\winnt\~temp392.tmp    PWS-QQPass ()
2007-6-13    4:56:26    1027    SERVER\Administrator    e:\BitComet\BitComet.exe    C:\WINNT\~TEMP392.TMP    PWS-QQPass ()
2007-6-13    4:56:26    1027    SERVER\Administrator    e:\BitComet\BitComet.exe    C:\WINNT\~Temp392.tmp    PWS-QQPass ()
2007-6-13    4:56:29    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    4:56:29    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    4:56:29    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    c:\winnt\~temp514.tmp    PWS-QQPass ()
2007-6-13    4:56:29    1027    SERVER\Administrator    e:\BitComet\BitComet.exe    C:\WINNT\~TEMP514.TMP    PWS-QQPass ()
2007-6-13    4:56:29    1027    SERVER\Administrator    e:\BitComet\BitComet.exe    C:\WINNT\~Temp514.tmp    PWS-QQPass ()
2007-6-13    4:56:31    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell    PWS-QQPass ()
2007-6-13    4:56:32    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit    PWS-QQPass ()
2007-6-13    4:56:32    1025    SERVER\Administrator    e:\BitComet\BitComet.exe    c:\winnt\~temp747.tmp    PWS-QQPass ()
2007-6-13    4:56:32    1027    SERVER\Administrator    e:\BitComet\BitComet.exe    C:\WINNT\~TEMP747.TMP    PWS-QQPass ()
2007-6-13    4:56:32    1027    SERVER\Administrator    e:\BitComet\BitComet.exe    C:\WINNT\~Temp747.tmp    PWS-QQPass ()