Manually removing Gray Pigeon

Source: Internet
Author: User

Manually removing Gray Pigeon is not difficult. What matters is understanding how it works.

How Gray Pigeon works

Gray Pigeon is remote-control software made of two parts, a client and a server. The attacker operates the client and uses its configuration dialog to generate a server program, by default named g_server.exe, and then distributes that server (commonly called the Trojan) through whatever channel works. There are many ways to deliver it: bind it to an image and send it over QQ while posing as a shy girl so the target runs it; put up a personal web page and use an IE vulnerability to download and run it when the target clicks through; upload it to a software download site disguised as an interesting program ...... All of this is contrary to the purpose for which Gray Pigeon was developed. This article is therefore written for users on whose machines the Gray Pigeon server has been installed without their consent, and helps them delete the Gray Pigeon VIP 2005 server program. Most of the content here is taken from the Internet.
If you would rather not read on, download our removal tool instead.

After it runs, g_server.exe copies itself to the Windows directory (on 98/XP the Windows directory of the system drive, on 2000/NT the WINNT directory), then extracts g_server.dll and g_server_hook.dll from its own body into the same directory. g_server.exe, g_server.dll and g_server_hook.dll together make up the Gray Pigeon server. Some builds also drop a file named g_serverkey.dll to record keystrokes. Note that the name g_server.exe is not fixed; the attacker can customize it. If the server is named A.exe, for example, the dropped files are A.dll and A_hook.dll.

The g_server.exe in the Windows directory registers itself as a service (on 9x it writes a registry startup item instead) so that it runs at every boot. Once running, it loads g_server.dll and g_server_hook.dll and then exits. g_server.dll implements the backdoor and communicates with the controlling client; g_server_hook.dll hides the trojan by intercepting API calls, which is why, once infected, you can see neither the trojan's files nor the service it registered. Depending on how the server was configured, g_server_hook.dll is sometimes injected only into the process space of Explorer.exe and sometimes into every process.

Manual detection of Gray Pigeon

Because Gray Pigeon intercepts API calls, its server files and the service it registers are hidden in normal mode: even with "show all hidden files" enabled you cannot see them. In addition, the server file names can be customized, which makes manual detection harder.

Careful observation shows that detection still follows a pattern. From the analysis above, whatever the custom server file name is, a file ending in "_hook.dll" is normally created in the operating system's installation directory. This gives us a reliable handle for finding the Gray Pigeon server manually.

In normal mode Gray Pigeon hides itself, so the detection steps must be performed in Safe Mode. To enter Safe Mode, start the computer and press F8 before the Windows startup screen appears (or hold Ctrl while the computer boots), then choose "Safe Mode" from the menu.

1. Because the Gray Pigeon files have the hidden attribute, first set Windows to show all files. Open "My Computer", choose "Tools" > "Folder Options", click the "View" tab, clear "Hide protected operating system files", select "Show all files and folders" under "Hidden files and folders", and click "OK".

2. Open the Windows file search, enter "_hook" as the file name, and set the search location to the Windows installation directory (by default C:\Windows on 98/XP, C:\WINNT on 2000/NT).

3. The search finds a file named game_hook.dll in the Windows directory (subdirectories excluded).

4. From the analysis of how Gray Pigeon works, if game_hook.dll is a Gray Pigeon file, game.exe and game.dll should also be present in the operating system's installation directory. Opening the Windows directory, we find both files, together with a gamekey.dll used to record keystrokes.

After these steps we can be reasonably sure that these files are the Gray Pigeon server, and we can move on to removing them by hand.

Manual removal of Gray Pigeon

With the analysis above, removing Gray Pigeon is easy. Removing the program files still has to be done in Safe Mode. There are two main steps: 1. remove the Gray Pigeon service; 2. delete the Gray Pigeon program files.

Note: to guard against mistakes, back up your data before removing anything; exporting the registry key you are about to delete (File > Export in the Registry Editor) is a cheap extra safeguard.

I. Removing the Gray Pigeon service

2000/XP systems:

1. Open the Registry Editor (click "Start", then "Run", type regedit.exe and click OK) and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

2. On the menu, click "Edit" > "Find", enter "game.exe" as the search target and click "OK". This locates the service item for the Gray Pigeon server (in this example, game_server).

3. Delete the entire game_server key.

98/Me systems:

On 9x Gray Pigeon has only a single startup item, so removal is easier. Run the Registry Editor, open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and delete the game.exe entry you find there.

II. Deleting the Gray Pigeon program files

Deleting the program files is straightforward: in Safe Mode, delete game.exe, game.dll, game_hook.dll and gamekey.dll from the Windows directory, then restart the computer. With that, the VIP 2005 server has been removed.
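The detection and removal steps above (the "_hook.dll" search, the companion-file check, and the hunt for the service or Run entry that starts the server) can be scripted against offline data, which also sidesteps the API hooking that hides the files in normal mode. The following is an added example, not code from the original article or from Gray Pigeon's author; it generalizes the page's game.exe case to any custom stem. It assumes the Windows directory is read from Safe Mode, a rescue environment or a mounted image, and that the Services key (or, for 9x/Me, the Run key) has been exported with regedit or "reg export" to a .reg file. The file, key and service names in build_demo() are constructed for the demo.

```python
"""Added example (not from the original article): find a Gray Pigeon style
triad (X.exe, X.dll, X_hook.dll, optional Xkey.dll) in the Windows directory
and the service or Run entry that starts it, from offline data so the
API-hooking DLL cannot hide anything. Assumptions: the directory is read from
Safe Mode, a rescue environment or a mounted image, and the Services key (or
the 9x/Me Run key) was exported with regedit / 'reg export' to a .reg file.
Every name in build_demo() is constructed for this demo."""
import re
import tempfile
from pathlib import Path

HOOK_SUFFIX = "_hook.dll"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def scan_windir(windir):
    """Map each stem X of a top-level X_hook.dll (case-insensitive) to the
    companion files present among X.exe, X.dll and Xkey.dll."""
    names = {p.name.lower(): p.name for p in Path(windir).iterdir() if p.is_file()}
    found = {}
    for lower, actual in names.items():
        if lower.endswith(HOOK_SUFFIX):
            stem = lower[: -len(HOOK_SUFFIX)]
            companions = (stem + ".exe", stem + ".dll", stem + "key.dll")
            group = [actual] + [names[c] for c in companions if c in names]
            found[stem] = sorted(group, key=str.lower)
    return found

def strong_matches(scan):
    """Stems with both X.exe and X.dll present; a lone *_hook.dll may be legitimate."""
    return sorted(stem for stem, files in scan.items()
                  if {stem + ".exe", stem + ".dll"} <= {f.lower() for f in files})

def decode_reg_value(raw):
    """Quoted string (undo \\ and \" escapes) or hex(2) REG_EXPAND_SZ (UTF-16LE);
    other types such as dword: are returned as written."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\(2\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}; hex data that
    regedit wraps over several lines (trailing backslash) is joined first."""
    logical, pending = [], ""
    for line in text.splitlines():
        if pending:
            line, pending = pending + line.strip(), ""
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1]
        else:
            logical.append(line)
    keys, current = {}, None
    for line in logical:
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_reg_value(m.group(2))
    return keys

def references_to(keys, key_fragment, exe_names):
    """(key, value_name, data) for every value under a key containing key_fragment
    whose data names one of exe_names: ImagePath under Services, or a Run entry."""
    wanted = [n.lower() for n in exe_names]
    return [(key, name, data)
            for key, values in keys.items() if key_fragment.lower() in key.lower()
            for name, data in values.items() if any(w in data.lower() for w in wanted)]

def reg_hex2(s):
    """REG_EXPAND_SZ as regedit exports it: hex(2):.. wrapped with trailing backslashes."""
    pairs = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    chunks = [",".join(pairs[i:i + 20]) for i in range(0, len(pairs), 20)]
    return "hex(2):" + ",\\\n  ".join(chunks)

def build_demo():
    """Constructed sample: a fake Windows directory and a matching .reg export."""
    windir = Path(tempfile.mkdtemp(prefix="fake_windows_"))
    for name in ("Game.exe", "Game.dll", "Game_Hook.dll", "GameKey.dll",
                 "notepad.exe", "vendor_hook.dll"):  # vendor_hook.dll: hook without a triad
        (windir / name).write_bytes(b"MZ")
    (windir / "system32").mkdir()
    (windir / "system32" / "deep_hook.dll").write_bytes(b"MZ")  # subdirectory: ignored
    reg_text = "\n".join([
        "Windows Registry Editor Version 5.00", "",
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Game_Server]",
        '"ImagePath"=' + reg_hex2("C:\\WINDOWS\\Game.exe"), "",
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler]",
        '"ImagePath"="%SystemRoot%\\\\system32\\\\spoolsv.exe"', "",
        "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]",
        '"Game"="C:\\\\WINDOWS\\\\game.exe"', "",
    ])
    return windir, reg_text

if __name__ == "__main__":
    windir, reg_text = build_demo()
    strong = strong_matches(scan_windir(windir))
    keys = parse_reg_export(reg_text)
    exes = [stem + ".exe" for stem in strong]
    print("confirmed server stems:", strong)
    for hit in (references_to(keys, "CurrentControlSet\\Services\\", exes)
                + references_to(keys, "CurrentVersion\\Run", exes)):
        print("startup entry to delete: [%s] %s = %s" % hit)
```

Two design points worth noting. A "_hook.dll" hit alone is not proof: plenty of legitimate software ships hook DLLs, so strong_matches() insists on the X.exe and X.dll companions the article describes before treating a stem as the server. And because the script reads an exported .reg file rather than the live registry, it sees the service entry even when g_server_hook.dll would hide it from the Registry Editor in normal mode; the same parser handles REG_EXPAND_SZ ImagePath values, which regedit exports as wrapped hex(2) data rather than plain strings.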
