Running principle of gray pigeon
The gray pigeon Trojan is divided into two parts: the client and the server. Attackers manipulate the client and use the client configuration to generate a server program. The service end file name is g_server.exe. G_Server.exe copy itself to the Windows directory after running (98/xp is the windows directory of the system disk, 2 k/NT is the Winnt directory of the System Disk ), then release G_Server.dll and G_Server_Hook.dll from the body to the windows directory. G_Server.exe, G_Server.dll, and G_Server_Hook.dll are combined to form the gray pigeon server. Some gray pigeons release a file named G_ServerKey.dll to record keyboard operations. Examples, A. dll, and A_Hook.dll.
The g_server.exe file in the Windows directory registers itself as a service (the 9X system writes the Registry Startup item), and runs automatically every time it is started. After running, start G_Server.dll and G_Server_Hook.dll and exit automatically. The G_Server.dll file implements the backdoor function and communicates with the control client. G_Server_Hook.dll hides viruses by blocking API calls. Therefore, after virus poisoning, we cannot see the virus file or the service items registered with the virus. With the different settings of the gray Pigeon Service end file, g_server_hook.dllsometimes comes in the process space of assumer.exe, and sometimes is attached to all processes.
Because the gray pigeon intercepts API calls, the trojan file and its registered service items are hidden in normal mode, that is, even if you set "show all hidden files", you cannot see them. In addition, the file names on the gray pigeon server can be customized, which makes manual detection difficult.
However, after careful observation, we found that the detection of gray pigeons is still regular. According to the operating principle analysis, no matter what the custom Server File name is, a file ending with "_ hook. dll" is usually generated under the installation directory of the operating system. Through this, we can more accurately and manually detect the gray pigeon Trojan.
In normal mode, the gray pigeon will hide itself, so the operation to detect the gray pigeon must be performed in safe mode. To enter safe mode, start the computer and press F8 before the system enters the Windows Startup screen (or press Ctrl when the computer is started ), select "Safe Mode" or "Safe Mode" from the menu that appears ".
1. Because the gray pigeon file has hidden properties, you must set Windows to display all files. Open "my computer", select "Tools"-"Folder Options", and click "View" to cancel the check before "Hide protected operating system files, select "show all files and folders" in "hide files and folders", and click "OK ".
2. Open "search file" in Windows and enter "_ hook" in the file name. dll ", select the Windows Installation Directory (default 98/xp is C: windows, 2 k/NT is C: Winnt ).
3. After searching, we found a file named Game_Hook.dll in the Windows directory (excluding subdirectories.
Secret and Game. dll files. Open the Windows directory, and there are these two files, and a GameKey. dll file used to record keyboard operations.
After these steps, we can basically confirm that these files are gray pigeon Trojans, And we can manually clear them below.
Manual removal of gray pigeon
After the above analysis, it is easy to clear the pigeon. To clear the gray pigeon, you still need to perform the following operations in safe mode:
1. Clear the service of the gray pigeon; 2. Delete the program file of the gray pigeon.
Note: To prevent misoperation, make sure to back up the data before clearing it.
I. Service for clearing gray pigeons
2000/XP system:
1. Open the Registry Editor (click "start"-"run", enter "Regedit.exe", and click "OK .), Open the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices registry key.
2. Click "edit"-> "Search", "search target", enter "G_Server.exe", and click "OK" to find the service items of the gray pigeon. _ + Q _ & S2p ^) Pg
3. Delete the entire G_Server entry.
98/me system:
In 9X, there is only one startup item for the gray pigeon, so clearing is easier. You can delete the lifecycle item.
Ii. Delete the gray pigeon program file
Deleting the gray pigeon program file is very simple. Just delete the g_server.exe, G_Server.dll, G_Server_Hook.dll, and G_Serverkey.dll files in the Windows directory in a security mode, and then restart the computer. So far, the gray pigeon has been cleared.
Precautions for preventing the gray pigeon Virus
1. Install patches for the system. Install system patches (critical updates, security updates, and Service packs) through Windows Update, where MS04-011, MS04-012, MS04-013, MS03-001, MS03-007, MS03-049, MS04-032, etc are widely used by viruses, is a necessary patch.
2. Set a complex and strong enough password for the system administrator account, preferably a combination of over 10 characters, letters, numbers, and other symbols. You can also disable/delete unused accounts.
3. The anti-virus software (virus database) is updated frequently and can be set to automatically updated on a daily basis. Install and use the network firewall software properly. The network firewall can also play a crucial role in the anti-virus process and effectively block attacks and virus intrusions from the self-built network. Some Pirated Windows users cannot install patches normally, which is also helpless. This part of users may wish to use the network firewall for some protection.
4. disable unnecessary services. If conditions permit, you can disable unnecessary sharing, such as C $ and D $. A single-host user can directly shut down the Server service.
Download HijackThis Scan System
Http://www.skycn.com/soft/15753.html zww3008 Simplified Chinese version
Http://www.merijn.org/files/hijackthis.zip
5. Items in the HijackThis log O23 can be used to find the items in the service.
For example:
O23-Service: SYSTEM $ (SYSTEM $ Server)-Unknown owner-C: WINDOWSsetemy. bat
O23-Service: Network Connections Manager (NetConMan)-Unknown owner-C: WINDOWSuinstall.exe x
O23-Service: winServer-Unknown owner-C: WINDOWSwinserver.exe
O23-Service: Gray_Pigeon_Server (GrayPigeonServer)-Unknown owner-C: WINDOWSG_Server.exe
Use HijackThis to select O23 and then select "repair item" or "Fix checked"
6. Use Killbox to delete the trojan file corresponding to the gray pigeon. You can download Killbox from here.
Http://yncnc.onlinedown.net/soft/37257.htm
Use the Registry to kill the gray pigeon
1. Disable System Recovery
Use Group Policy Editor
1. Click Start, click Run, type gpedit. msc, and click OK.
2. Expand "Computer Configuration", expand "management template", expand "system", and then click system recovery.
3. Double-click "Disable System Recovery". On the settings tab, select disable.
4. Double-click "Disable configuration" and select "enable" on the settings tab.
For more information about the roles of these settings, click the interpretation tab in the Properties dialog box.
5. Click application, and then click OK.
Ii. Update the virus definition Library
Symantec can LIVEUPDATE, NORTON can do bbs. abcbit. comk % Iif s $ wo
3. Scan and delete infected files in Safe Mode
After the operation, you can leave the security mode and go to step 4.
4. Delete the registry key value
Symantec strongly translates the backup registry.
Click Start> Run -- enter regedit, and enter
Hkey_users.defasoftsoftwaremicrosoftinternet Connection Wizard
Delete the right value: "Compleated" = "1"
Go to and delete the following keys)
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesGrayPigeonServer
7Q
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_GRAYPIGEONSERVER
Exit Registry Editor
5. find and stop the service
Click Start> Run -- enter services. msc, and enter
Locate and select the detected Trojan. Feutel Service
Actions> Properties
Change the Startup Type to manual
Click "OK" to close the service window.
Restart