
[Help] Log attached, hoping someone can take a look

Log attached, hoping someone can take a look

Logfile of HijackThis v1.99.1
Scan saved at 20:51:31, on 2009-3-16
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
e:\StormII\stormliv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\RTHDCPL.EXE
E:\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\GridService\peer.exe
D:\360\360safebox\safeboxTray.exe
D:\360\360Safe\safemon\360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
E:\Tencent\QQ\QQ.exe
E:\Tencent\QQ\TXPlatform.exe
d:\arswp\arswp.exe
D:\系列安装程序\HijackThis.exe
O1 - Hosts: 127.0.0.2 ymsdasdw1.cn
O1 - Hosts: 127.0.0.3 h96b.info
O1 - Hosts: 127.0.0.0 xxx.zttwp.cn
O1 - Hosts: 127.0.0.0 www.hackerbf.cn
O1 - Hosts: 127.0.0.0 geekbyfeng.cn
O1 - Hosts: 127.0.0.0 121.14.101.68
O1 - Hosts: 127.0.0.0 ppp.etimes888.com
O1 - Hosts: 127.0.0.0 www.bypk.com
O1 - Hosts: 127.0.0.0 CSC3-2004-crl.verisign.com
O1 - Hosts: 127.0.0.0 udp.hjob123.com
O1 - Hosts: 127.0.0.2 bnasnd83nd.cn
O1 - Hosts: 127.0.0.0 www.gamehacker.com.cn
O1 - Hosts: 127.0.0.0 gamehacker.com.cn
O1 - Hosts: 127.0.0.3 adlaji.cn
O1 - Hosts: 127.1.1.1 bnasnd83nd.cn
O1 - Hosts: 127.0.0.0 user1.12-27.net
O1 - Hosts: 127.0.0.0 fengent.cn
O1 - Hosts: 127.0.0.0 www.sony888.cn
O1 - Hosts: 127.0.0.0 user1.asp-33.cn
O1 - Hosts: 127.0.0.0 www.netkwek.cn
O1 - Hosts: 127.0.0.0 ymsdkad6.cn
O1 - Hosts: 127.0.0.0 www.lkwueir.cn
O1 - Hosts: 127.0.1.1 user1.23-17.net
O1 - Hosts: 127.0.0.0 upa.luzhiai.net
O1 - Hosts: 127.0.0.0 www.guccia.net
O1 - Hosts: 127.0.0.0 4m9mnlmi.cn
O1 - Hosts: 127.0.0.0 mm119mkssd.cn
O1 - Hosts: 127.0.0.0 61.128.171.115:8080
O1 - Hosts: 127.0.0.0 www.1119111.com
O1 - Hosts: 127.0.0.0 win.nihao69.cn
O1 - Hosts: 127.0.0.0 puc.lianxiac.net
O1 - Hosts: 127.0.0.0 pud.lianxiac.net
O1 - Hosts: 127.0.0.0 210.76.0.133
O1 - Hosts: 127.0.0.0 61.166.32.2
O1 - Hosts: 127.0.0.0 218.92.186.27
O1 - Hosts: 127.0.0.0 www.fsfsfag.cn
O1 - Hosts: 127.0.0.0 ovo.ovovov.cn
O1 - Hosts: 127.0.0.0 dw.com.com
O1 - Hosts: 127.0.0.0 t.myblank.cn
O1 - Hosts: 127.0.0.0 x.myblank.cn
O1 - Hosts: 127.0.0.0 qq-xing.com.cn
O1 - Hosts: 127.0.0.0 59.125.231.177:17777
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - d:\360\360Safe\safemon\safemon.dll
O4 - HKLM\..\Run: [Vistadrv] C:\Program Files\vsdrv\vsdrv.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "E:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [360Safebox] "d:\360\360safebox\safeboxTray.exe" /r
O4 - HKLM\..\Run: [360Safetray] d:\360\360Safe\safemon\360tray.exe /start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &使用BitComet下载 - res://E:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &使用BitComet下载全部链接 - res://E:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &使用BitComet下载本页视频 - res://E:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: 使用迅雷下载 - D:\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: 浩方电竞平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - d:\Holdfast\platform 5.0\gameclient.exe
O9 - Extra button: 番茄花园 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.tomatolei.com (file missing)
O9 - Extra 'Tools' menuitem: 番茄花园 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.tomatolei.com (file missing)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.icbc.com.cn
O16 - DPF: {A877BA28-1F7E-4876-B299-50B3199A1A5D} (UploadFilePartition Class) - http://m76.mail.qq.com/zh_CN/activex/TencentMailActiveX.cab
O16 - DPF: {BAEA0695-03A4-43BB-8495-C7025E1A8F42} (QQCertCtrl Class) - https://www.tenpay.com/download/qqedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{032C72A5-D2E5-45D4-AFF5-1A47A40376CF}: NameServer = 202.101.172.35 202.101.172.47
O17 - HKLM\System\CS1\Services\Tcpip\..\{032C72A5-D2E5-45D4-AFF5-1A47A40376CF}: NameServer = 202.101.172.35 202.101.172.47
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - e:\StormII\stormliv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


Re: Log attached, hoping someone can take a look

What's wrong with your machine? Tell us that first...
Just passing by...

Re: Log attached, hoping someone can take a look

I installed an IS and a lot of suspicious processes appeared; then 360 killed 11 trojans. I don't know whether they were removed completely.

Re: Log attached, hoping someone can take a look

Quote:
Originally posted by 有啥办法 on 2009-3-16 20:59:00
I installed an IS and a lot of suspicious processes appeared; then 360 killed 11 trojans. I don't know whether they were removed completely.
What does IS refer to? Do you mean IceSword?

Please export the 360 scan log and post it here so we can check it...

HJ logs have become seriously incomplete in what they scan; an SREng scan log is relatively more complete...
Just passing by...

Re: Log attached, hoping someone can take a look

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[nwiuu/dfssvrTrojan Horse]
C:\WINDOWS\66C.EXE
C:\WINDOWS\66M.EXE

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[Fake Shortcut]
D:\MY DOCUMENTS\FAVORITES\2345.COM-网址导航-实用查询.URL

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[Trojan.psw.avx]
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVCENTER.EXE

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[hijack.mmc]
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WSCNTFY.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WSCNTFY.EXE\DEBUGGER
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WUAUCLT.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WUAUCLT.EXE\DEBUGGER

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[Trojan.avkiller.b]
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RFWPROXY.EXE\DEBUGGER

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[TROJAN FILES 2]
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RFWPROXY.EXE

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[Trojan.msosiocp.dosjisn]
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISSVC.EXE

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[Trojan.ytewcxzsw.wrew2ds]
HKEY_CLASSES_ROOT\CLSID\{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGUARD.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SCHED.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[Trojan.mmhtml.error386]
HKEY_CLASSES_ROOT\CLSID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[Trojan.sniu.JaNT64]
HKEY_CLASSES_ROOT\CLSID\{FA9B58AA-6759-4C02-B37F-572FC2F1A231}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{FA9B58AA-6759-4C02-B37F-572FC2F1A231}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{FA9B58AA-6759-4C02-B37F-572FC2F1A231}

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 20:46
[Eyiruanjian Canliu]
C:\WINDOWS\SYSTEM32\1957817A.CFG
C:\WINDOWS\SYSTEM32\56BC86C7.CFG
C:\WINDOWS\SYSTEM32\704C3595.CFG
C:\WINDOWS\SYSTEM32\91C7DF6D.CFG
C:\WINDOWS\SYSTEM32\F71A67D5.CFG

[2.8.2.8.1115 - 2.8.78.9.0315]
2009-03-16 21:11
[Trojan]
C:\TEMP\ZTAWZ50JX3W.EXE

I could only find this one from Cleanup Assistant.

Re: Log attached, hoping someone can take a look

Scan the system with the SREng tool and post the log to this forum.
Download SREng: http://bbs.ikaka.com/attachment.aspx?attachmentid=462487
For instructions, see post #2 of this thread: http://bbs.ikaka.com/showtopic-8442813.aspx

Re: Log attached, hoping someone can take a look

Log uploaded.

Attachment:

File name: SREngLOG.log
Downloads: 141
File type: application/octet-stream
Uploaded: 2009-3-16 21:15:31
Description: log


Re: Log attached, hoping someone can take a look

This user's post content has been blocked.

Re: Log attached, hoping someone can take a look

Download XueTr0.22.zip

In the registry, look under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for 28484. If you find it, double-click it and report the information shown in the right-hand pane for each subkey beneath it. Tell us that first, then I'll walk you through what to do.

Re: Log attached, hoping someone can take a look

I suggest using XDelBox to delete the following files.
Copy the paths of all the files to delete, right-click in the pending-deletion list, choose "Import from clipboard", then reboot to delete them.

c:\windows\system32\nvapi.dll
c:\windows\system32\nvshell.dll
c:\windows\system32\pnkbstra.exe
c:\windows\system32\pnkbstrb.exe


2. After deleting and rebooting, use SREng to repair the following items:

    Startup Items -- Services -- Drivers: disable the following entries:
[28484 / 28484]    <>
[28484 / 28484]    <>

Repair image hijacks (IFEO):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe]
    <IFEO[avast.exe]><IFEOFILE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe]
    <IFEO[guard.exe]><IFEOFILE>  [N/A]

Attachment:

File name: XDelBox.rar
Downloads: 197
File type: application/octet-stream
Uploaded: 2009-3-16 21:32:56
Description: rar

Attachment:

Downloads: 155
File type: application/octet-stream
Uploaded: 2009-3-16 21:32:56
Description: rar

Last edited by badboyhhz on 2009-03-16 21:32:56
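Two things in this thread are worth being able to check mechanically: the long run of "O1 - Hosts:" lines in the opening HijackThis log, and the Image File Execution Options (IFEO) registry paths listed in the scan log and in the SREng repair instructions above. The following Python triage helper is an added example written for this page; it is not code from the thread or from HijackThis, 360, SREng or XDelBox. It encodes three facts: a hosts line that maps a name into 127.0.0.0/8 blocks that name; a hosts line whose name column is itself an IP literal (with or without a :port, which the hosts file cannot express) is inert, because the resolver only consults hosts for name lookups; and a Debugger value under IFEO\<program> makes Windows start the named "debugger" in place of the program, which is how the antivirus and Windows Update binaries in the scan log were being neutralised. It assumes, as the quoted 360 output shows, that the scanner prints the Debugger value as a trailing path component. The sample input reuses lines quoted in the thread plus one constructed line (203.0.113.5 / update.example.test, documentation values) to exercise the non-loopback verdict.

```python
"""Triage helper for the two log formats posted in this thread.

Added example, not code from the thread or from HijackThis / 360 / SREng.
It reads text lines and classifies:
  * HijackThis "O1 - Hosts:" lines: where is each name being sent?
  * scanner registry paths under Image File Execution Options (IFEO):
    which program has an IFEO key, and is a Debugger value listed for it?
"""
import ipaddress
import re

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
# Assumption: the scanner prints the Debugger value as a trailing path
# component, as the quoted 360 log does (...\WUAUCLT.EXE\DEBUGGER).
IFEO_RE = re.compile(
    r"\\IMAGE FILE EXECUTION OPTIONS\\([^\\]+)(?:\\(DEBUGGER))?\s*$", re.IGNORECASE
)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

SINKHOLED = "sinkholed to loopback (blocking entry)"
INERT = "inert: the hosts file is not consulted for IP literals"
REDIRECTED = "redirected to a non-local address: verify with the owner of the name"


def classify_hosts_line(line):
    """Return (name, address, verdict) for an O1 line, or None for any other line."""
    m = HOSTS_RE.match(line)
    if not m:
        return None
    addr, name = m.group(1), m.group(2)
    # The resolver only looks up *names* in hosts, so an IP (with or without a
    # :port, which hosts cannot express anyway) in the name column does nothing.
    try:
        ipaddress.ip_address(name.split(":")[0])
        return (name, addr, INERT)
    except ValueError:
        pass
    try:
        target = ipaddress.ip_address(addr)
    except ValueError:
        return (name, addr, "malformed address")
    if target in LOOPBACK:
        return (name, addr, SINKHOLED)
    return (name, addr, REDIRECTED)


def classify_ifeo_path(path):
    """Return (program, debugger_listed) for an IFEO registry path, else None.

    A Debugger value under IFEO\\<program> makes Windows launch that "debugger"
    instead of the program; that is the "image hijack" the replies repair.
    """
    m = IFEO_RE.search(path)
    if not m:
        return None
    return (m.group(1).lower(), m.group(2) is not None)


def triage(lines):
    """Fold all lines into one report: hosts verdicts and an IFEO program table."""
    report = {"hosts": [], "ifeo": {}}
    for line in lines:
        h = classify_hosts_line(line)
        if h is not None:
            report["hosts"].append(h)
            continue
        i = classify_ifeo_path(line)
        if i is not None:
            prog, dbg = i
            # A program is flagged as hijacked if any of its lines lists Debugger.
            report["ifeo"][prog] = report["ifeo"].get(prog, False) or dbg
    return report


# Sample input: lines quoted in the thread, plus one constructed line
# (203.0.113.5 / update.example.test are documentation values, not real hosts).
SAMPLE_LINES = [
    r"O1 - Hosts: 127.0.0.0 www.bypk.com",
    r"O1 - Hosts: 127.1.1.1 bnasnd83nd.cn",
    r"O1 - Hosts: 127.0.0.0 61.128.171.115:8080",
    r"O1 - Hosts: 203.0.113.5 update.example.test",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVCENTER.EXE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WUAUCLT.EXE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WUAUCLT.EXE\DEBUGGER",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe",
    r"HKEY_CLASSES_ROOT\CLSID\{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for name, addr, verdict in result["hosts"]:
        print(f"{name:32} -> {addr:16} {verdict}")
    for prog, dbg in sorted(result["ifeo"].items()):
        print(f"IFEO {prog:14} debugger listed: {dbg}")
```

Run it against a pasted HijackThis or SREng log (one line per list element) and read the report: the loopback verdicts are blocking entries, the inert verdicts are harmless noise that a hosts file cannot act on, and any non-loopback verdict or any IFEO program with a Debugger listed is the line to look at first. The scan log above shows IFEO keys for avcenter.exe, wscntfy.exe, wuauclt.exe, rfwproxy.exe, kissvc.exe, avguard.exe and sched.exe, and the repair instructions add avast.exe and guard.exe; a clean machine has no IFEO key for any of those.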