瑞星防火墙里总是有个svchost进程连接1027灰鸽子端口

瑞星防火墙里总是有个svchost进程连接1027灰鸽子端口，不知道是不是病毒，最近把能结束的进程都结束了，玩游戏还是不时就那么一段时间卡，怀疑是在被截取屏幕，请各位高手指点一下

svchost.exe[pid=880]
    cmdline=c:\windows\system32\svchost.exe -k netsvcs
        UDP
            local    127.0.0.1:123
            local    127.0.0.1:1026
            local    127.0.0.1:1027[灰鸽子]
            local    192.168.1.3:123

这是瑞星防火墙的信息

瑞星18.42.40杀毒没有结果，如果是病毒还请说明下应该怎么清除

这个现象是不是中了传说中的
baohe斑竹
主题：“新版灰鸽子”的一些特点及手工查杀举例
http://forum.ikaka.com/topic.asp?board=28&artid=7156227

引用:

【mopery的贴子】http://forum.ikaka.com/topic.asp?board=28&artid=8105899 下载HijackThis...把日志帖上来.. ………………

不知道怎么帖

引用:

【yangmanman的贴子】我和LS遇到的问题是一样的，都是用WINDOWS优化大师的进程管理查看进程发现的，可是有时候查又没有，所以搞不懂 ………………

兄弟,你会不会复制日志?

Logfile of HijackThis v1.99.1
Scan saved at 13:44:51, on 2006-9-1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Rising\Rav\Ravmond.exe
d:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Rising\Rav\RavStub.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Rising\Rav\RavTask.exe
D:\Program Files\Rising\Rav\Ravmon.exe
D:\Program Files\Rising\Rfw\rfwmain.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\软件\ha_hijackthis_1991\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - D:\PROGRA~1\KuGoo3\KUGOO3~1.OCX
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\KakaTool.dll
O4 - HKLM\..\Run: [RavTask] "D:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RfwMain] "d:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: 使用KuGoo3下载(&K) - D:\Program Files\KuGoo3\KuGoo3DownX.htm
O8 - Extra context menu item: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
O14 - IERESET.INF: START_PAGE_URL=http://tomatolei.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0C597C-7754-4844-A003-74BDFB6A1E2A}: NameServer = 61.166.150.101
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - d:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - d:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - D:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\Program Files\Rising\Rav\Ravmond.exe

引用:

【mopery的贴子】修复 R3 - Default URLSearchHook is missing F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file) 没发现鸽子.. ………………

多谢斑竹
但是这个SVCHOST.EXE  1027端口的问题怎么解决?

引用:

【mopery的贴子】你重启一个应该就不见了.. ………………

重启后还是有上面那个端口
这个是开机后的任务管理器

未知家族病毒分析
扫描结果:
无可疑文件


系统活动进程
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ATI2EDXX.DLL

C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM32\ACSIGNICON.DLL
C:\WINDOWS\SYSTEM32\RAVEXT.DLL
C:\PROGRAM FILES\COMMON FILES\AUTODESK SHARED\ACSIGNCORE16.DLL
C:\WINDOWS\SYSTEM32\MSACM32.DRV
D:\PROGRAM FILES\TENCENT\QQ\QDSHM.DLL
D:\PROGRAM FILES\TENCENT\QQ\MFC42.DLL
D:\PROGRAM FILES\WINRAR\RAREXT.DLL
D:\PROGRAM FILES\RISING\RAV\RSCOMMON.DLL

C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\CTFMON.EXE
C:\WINDOWS\SYSTEM32\CSRSS.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
D:\PROGRAM FILES\RISING\RFW\RFWMAIN.EXE
D:\PROGRAM FILES\RISING\RFW\RSGUILIB.DLL
D:\PROGRAM FILES\RISING\RFW\RSCOMMON.DLL
D:\PROGRAM FILES\RISING\RFW\PNGDLL.DLL
D:\PROGRAM FILES\RISING\RFW\PSAPI.DLL

C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.DLL
C:\WINDOWS\SYSTEM32\MSACM32.DRV

C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ATI2EDXX.DLL

C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
D:\PROGRAM FILES\RISING\RFW\RFWSRV.EXE
D:\PROGRAM FILES\RISING\RFW\RFWRULE.DLL
D:\PROGRAM FILES\RISING\RFW\RFWLOG.DLL
D:\PROGRAM FILES\RISING\RFW\RFWDRV.DLL
D:\PROGRAM FILES\RISING\RFW\PSAPI.DLL
D:\PROGRAM FILES\RISING\RFW\MONDRV.DLL
D:\PROGRAM FILES\RISING\RFW\PROCLIB.DLL

C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\SYSTEM32\CNBJMON2.DLL
C:\WINDOWS\SYSTEM32\MDIMON.DLL
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\MDIPPR.DLL

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\2052\MDMUI.DLL

C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
C:\WINDOWS\SYSTEM32\ALG.EXE
E:\软件\RSDETECT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\KAKATOOL.DLL
C:\WINDOWS\SYSTEM32\ACSIGNICON.DLL
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\MSOHEV.DLL
D:\PROGRAM FILES\RISING\RAV\RAVSCRCH.DLL
C:\WINDOWS\SYSTEM32\MACROMED\FLASH\FLASH9.OCX
C:\WINDOWS\SYSTEM32\MSACM32.DRV
C:\WINDOWS\SYSTEM32\MACROMED\COMMON\SWSUPPORT.DLL
C:\WINDOWS\SYSTEM32\WINWB86.IME
C:\PROGRAM FILES\COMMON FILES\AUTODESK SHARED\ACSIGNCORE16.DLL
C:\WINDOWS\SYSTEM32\MSCOREE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MSCORIE.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MSVCR71.DLL
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MSCORLD.DLL

普通自启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RavTask = "D:\PROGRAM FILES\RISING\RAV\RAVTASK.EXE" -SYSTEM
RfwMain = "D:\PROGRAM FILES\RISING\RFW\RFWMAIN.EXE" -STARTUP

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\SYSTEM32\CTFMON.EXE


AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =


系统文件关联
.exe ==> exefile = "%1" %*
.com ==> comfile = "%1" %*
.cmd ==> cmdfile = "%1" %*
.bat ==> batfile = "%1" %*
.txt ==> txtfile = notepad.exe %1
.scr ==> scrfile = "%1" /S
.reg ==> regfile = regedit.exe "%1"
.doc ==> Word.Document.8 = "D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" /n /dde

其它启动项
WIN.INI
无信息

SYSTEM.INI
SHELL = Explorer.exe


Winlogon 启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
AtiExtEvent = ATI2EVXX.DLL
crypt32chain = CRYPT32.DLL
cryptnet = CRYPTNET.DLL
cscdll = CSCDLL.DLL
ScCertProp = WLNOTIFY.DLL
Schedule = WLNOTIFY.DLL
sclgntfy = SCLGNTFY.DLL
SensLogn = WLNOTIFY.DLL
termsrv = WLNOTIFY.DLL
wlballoon = WLNOTIFY.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = USERINIT.EXE
shell = EXPLORER.EXE

IE - BHO

Winsock SPI
MSAFD Tcpip [TCP/IP] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD Tcpip [UDP/IP] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD Tcpip [RAW/IP] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
RSVP UDP Service Provider = C:\WINDOWS\SYSTEM32\RSVPSP.DLL
RSVP TCP Service Provider = C:\WINDOWS\SYSTEM32\RSVPSP.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{0BCC8B8A-D7A6-49EC-8042-16B733F8F681}] SEQPACKET 4 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{0BCC8B8A-D7A6-49EC-8042-16B733F8F681}] DATAGRAM 4 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{6F0C597C-7754-4844-A003-74BDFB6A1E2A}] SEQPACKET 0 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{6F0C597C-7754-4844-A003-74BDFB6A1E2A}] DATAGRAM 0 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{80B523B6-5A90-4619-8911-1F75B2EB5200}] SEQPACKET 1 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{80B523B6-5A90-4619-8911-1F75B2EB5200}] DATAGRAM 1 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E584498-F2FB-434D-B263-70CC66720B4D}] SEQPACKET 2 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E584498-F2FB-434D-B263-70CC66720B4D}] DATAGRAM 2 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{802D5477-0F89-4DC2-B7F0-0DCA28416CD4}] SEQPACKET 3 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{802D5477-0F89-4DC2-B7F0-0DCA28416CD4}] DATAGRAM 3 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{D6A44D16-9240-487A-8E37-A007B3BD2E0A}] SEQPACKET 5 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{D6A44D16-9240-487A-8E37-A007B3BD2E0A}] DATAGRAM 5 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{DEB6D611-FE66-4591-BBF2-82D0A6E167CB}] SEQPACKET 6 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{DEB6D611-FE66-4591-BBF2-82D0A6E167CB}] DATAGRAM 6 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL