電腦開機後,我的firefox會被自動開啟到http://open.369ip.com/union2.htm,試過好幾種掃毒.木馬程式(包括Spybot, ad-aware)都沒有用,也試過從登錄編輯器尋找http://open.369ip.com/union2.htm,但也找不到,請問板上的前輩們有什麼方法解決? 謝謝!

還要檢查幾個地方：

一、「所有程式」-->「啟動」裡面有沒有被寫入。
二、設定裡看一下「網路連線」-->「區域網路」的DNS有沒有被修改（這個很常見，被指向假的DNS）。
三、Hosts檔（沒副檔名的隱藏檔）有沒有被寫入不明IP。

查你電腦裡有沒有這個位址：85.10.194.170

試看看，我只想到這些…

糟糕...
火狐終於也被綁走了嗎...
這真是一個大警訊啊...

綁的方法很多，最通用的就是修改你系統裡的DNS指向一向虛設的服務器，那個DNS Server不是真的轉譯服務器，而是不管你什麼網址丟給它轉譯，它都把你轉成特定的幾個廣告IP位址。

這種綁法關鍵不是在瀏覽器本身，是系統的DNS被改寫，我排除過的個案中，這種情況是比較多。尤其XP有Hotfix，改完馬上就能用，也不必插入光碟，也不必重啟電腦，神不知鬼不覺。

請問各位大大，當我開機時，我的fx也會自動被開啟到這個網站;http://open.369ip.com/union2.htm 有沒有辦法有效的結決這個問題呀?

麻煩你們了，謝謝

前面也沒反饋消息。你還是先把HijackThis貼上來大伙瞧瞧吧！

修改Hosts檔，
加入 127.0.0.1 http://open.369ip.com/union2.htm
存檔後將該檔改成唯讀。
重開機。

_________________
Amauds's Firefox
曾經妳以為最可靠的依賴；其實從未曾真實的存在過。

請問hosts 檔要在哪裡修改呀?

開始 執行 %SystemRoot%\system32\drivers\etc\hosts 確定

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Colorful SmartVGA\Colordesk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\LSASS.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Documents and Settings\Rex\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_001.dll
O2 - BHO: DownloadBHO T2BHO - {B1D147E7-873E-4909-8127-695D9BB78728} - C:\WINDOWS\Downloaded Program Files\barhelp24.0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [colorful] C:\Program Files\Colorful SmartVGA\Colordesk.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O8 - Extra context menu item: &使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜索) - http://iebar.t2t2.com/iebar.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

進安全模式把這個砍掉：

C:\Program Files\AlienGUIse\fastload.dll

感謝各位大大，不過以上方法都不適用，呵呵....

我已重裝了，先謝謝了...

我沒有抓到fastload.dll的主控端執行檔吧…幸苦了！

我也中了相同的木馬
我用卡巴殺了64個木馬。
不過IE裡竟然有一個色情廣告,情況就像上方各位大大所講的差不多。我想應該也是DNS的關係(我曾經在QQ中透露了DNS )

HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 下午 11:42:16, on 2006/8/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\VTTimer.exe
D:\Program Files\Filseclab\xfilter\xfilter.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Program Files\Raxco\PerfectDisk\PDSched.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Tencent\QQ\QQ.exe
D:\WINDOWS\system32\conime.exe
D:\Documents and Settings\Administrator\桌面\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CgaLcode Class - {8CAD8D13-4D40-3E10-03A1-D914E3494F49} - D:\WINDOWS\DOWNLO~1\rflcsez.dll (file missing)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: ALiBaBar_Helper - {CE439C63-384A-747A-A357-23D96B5D652B} - D:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O2 - BHO: Plugin369 - {F52A94F5-A3CC-40DA-BCD7-222282E01406} - D:\WINDOWS\system32\369.dll
O3 - Toolbar: ALiBaBar - {0A1375E1-56C2-11D6-8E45-8933A0FB5235} - D:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [XFILTER] "D:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kav] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: 上傳到QQ網路硬碟 - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://D:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://D:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 新增到QQ自定義面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://D:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://D:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cn_spi.dll
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {18226BF8-DC0B-4D81-80E9-A41AE37BB73A} (EWA Control) - http://hd.xhnet.tv/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D78DCE71-9609-4D0D-B7CA-4D17603D3613}: NameServer = 202.180.160.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - D:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: OPFSVC - Unknown owner - D:\Program Files\Omniquad Total Security\OPF\OPFSVC.exe (file missing)
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Personal Firewall - Unknown owner - D:\Program Files\Omniquad Total Security\OPF\pfsvc.exe (file missing)


THX!

向別人透露DNS並不會怎樣的你放心，任何DNS都可以透過被木馬或病毒加以改寫讓你正常的瀏覽被轉向。倒是觀看來路不明的rm檔要小心，我是不清楚real media對於rm可以夾帶木馬和毒病的這件事解決了沒有。



上面紅色那兩個是肯定要砍掉的。黃色的那個NameServer有點可疑，不清楚它是連到香港的哪一台服務器，看是不是把它單獨匯出備份後先砍掉。砍掉它可能會影響某個正常的CSS訂閱，但最好還是再重新建立一次新的訂閱會比較安全。

另外由於你的病毒被掃毒軟件砍殺過，reg裡面現在存有很多missing的連結，可以用超級兔子或是RegCleaner把它斷失的機碼做一次自動清理。

希望這樣能對你的問題有所改善。

對了…砍掉cn_spi.dll之前，建議要先在網路上找到Winsock修復器（例如WinsockXPFix），把修復器先下載下來，也把它的操作方法copy下來。cn_spi.dll被砍掉之後也有可能會造成Winsock受損無法連網。

還有一點，檢查一下你%Windir%\system32\Drivers\etc\hosts這個檔案。如果你先前有自己建立，用寫字版把它打開，看裡面除了127.0.0.1那行下面還有沒有寫上別的東西，把那些不是自己寫上的都清掉。如果你並不曾自己建立hosts檔，就把它整個砍掉，這個檔案所建立的解譯優先權，是高於DNS服務器提供的解譯。