On the Internet recently a large number of rampant gray pigeon virus (Huigezi, Gpigeon) Introduction and killing the entire collection of special kill tools _ virus killings

Transfer from the original forum Jakee posts:
Recently many netizens reflect their machine is called a gray pigeon Trojan virus, this virus is very naughty, in different kill soft have different names such as: Gpigeon, Huigezi, Feutel, in the computer to clear it is very troublesome, especially its just opened issued 2005, Through the interception of Windows System API to achieve program file hiding, process hidden, the service hidden three hidden, general kill soft in the normal mode can not find its virus files, not to mention the killing of things, even kill soft are difficult to deal with, for users is more headaches, This paper briefly introduces the operation principle of the gray Pigeon virus, manual detection method, manual removal method, precautions to prevent infection, and so on, most of the content from the network, from my collection, collation, processing, if violated your interests please point out that I immediately corrected.
A brief introduction of the Grey Pigeon virus
Gray Pigeon is a famous back door in China. Compared to the predecessors of glaciers, black holes, gray pigeons can be said to be the home door of the synthesizer. Its rich and powerful functions, flexible operation, good concealment so that the other rear doors are dwarfed. The simple and convenient operation of the client allows beginners to act as hackers. When used in a legal situation, gray Pigeon is an excellent remote control software. But if you do something illegal with it, the gray pigeon becomes a powerful hacker tool. This is like gunpowder, used in different occasions, to bring different effects on human beings. The complete introduction of the gray pigeon may only be made by the author of the Gray Pigeon, and we can only make a brief introduction here.
Gray pigeon client and Server are written by Delphi. The hacker uses the client program to configure the server-side program. Configurable information mainly includes the type of on-line (such as waiting for a connection or active connection), the public network IP (domain name) used in the active connection, the connection password, the port used, the startup item name, the service name, the process hiding way, the shell used, the proxy, the icon and so on.
Server-side connection to the client a variety of ways, so that users in a variety of network environment may be poisoned, including local area network users (through proxy access), public network users and ADSL dial-up users.
The service side is described below:
The configured server-side file file name is G_server.exe (this is the default and of course can be changed). Hackers then use every means to trick users into running the G_server.exe program. Specifically, the reader can give full play to the imagination, and here is not to repeat.
G_server.exe copies itself to the Windows directory (the Windows directory under 98/XP as the system disk, 2K/NT under the Winnt directory of the system disk), and then releases G_server.dll and G_server_ from the body. Hook.dll to the Windows directory. The G_server.exe, G_server.dll and G_server_hook.dll three documents, which formed a gray pigeon service, g_server_hook.dll to hide the gray doves. The file that hides the gray pigeon, the registry key for the service, or even the module name in the process, is invoked by intercepting the process's API. The functions intercepted are primarily used to traverse files, traverse registry entries, and traverse process modules. So, sometimes users feel the poison, but careful examination is not found anything unusual. Some gray pigeons will release more than one file called G_serverkey.dll to record keyboard operations. Note that the name G_server.exe is not fixed, it can be customized, for example, when the custom server-side file name is A.exe, the resulting file is A.exe, A.dll, and A_hook.dll.
The G_server.exe file in the Windows directory will register itself as a service (9X system write Registry startup entry), each boot can automatically run, run after the start of G_server.dll and G_server_hook.dll and automatically exit. The G_server.dll file implements the Backdoor function, communicates with the control client, and g_server_hook.dll the blocking API to hide the virus. Therefore, after poisoning, we do not see the virus file, also do not see the virus registered service items. As the Gray Pigeon server file is set up differently, G_server_hook.dll is sometimes attached to the Explorer.exe process space, sometimes attached to all processes.
The Ash Pigeon's author has spent a lot of effort on how to escape the anti-virus software. Because some API functions are intercepted, the normal mode is difficult to traverse the gray pigeon files and modules, resulting in the difficulty of killing. To uninstall the Gray Pigeon Dynamic library and ensure that the system process does not crash is also very troublesome, resulting in the recent spread of gray pigeons on the internet situation.
Ii. manual detection of Grey Pigeon
Because gray pigeons intercept API calls, the server-side program files and its registered service items are hidden in normal mode, meaning that you do not see them even if you set the "Show All hidden Files". In addition, gray pigeon service end of the file name can also be customized, which has brought some difficulties to manual detection.
However, by careful observation, we found that the detection of gray pigeons is still a regular pattern to follow. From the above analysis of the operating principle can be seen, regardless of the custom server-side file name, generally will be in the operating system installation directory to generate a "_hook.dll" end of the file. Through this, we can be more accurate manual detection of gray pigeon service side.
Because the normal mode of gray pigeon will hide itself, so detection of gray pigeon operation must be in safe mode. Enter Safe Mode by starting your computer, pressing the F8 key (or holding down the CTRL key while you start the computer) before the system enters the Windows splash screen, and selecting "Safe Mode" or "safe modes" in the Startup options menu that appears.
1, because the gray pigeon file itself has hidden properties, so to set Windows display all files. Open "My Computer", select Menu "Tools"-"Folder Options", click "View", Cancel "Hide protected operating system files" check box, and in the "Hidden Files and Folders" Item select "Show All Files and folders", and then click OK.
2, open the Windows "search file", the file name entered "_hook.dll", search location Select the installation directory of Windows (the default 98/xp is c:\windows,2k/nt for C:\Winnt).
3. After searching, we found a file named Game_hook.dll under the Windows directory (not including subdirectories).
4, according to the Gray pigeon principle analysis we know that if Game_hook.dll is a gray pigeon file, the operating system installation directory will also have Game.exe and Game.dll files. Open the Windows directory, and it does have these two files, as well as a GameKey.dll file for recording keyboard actions.
　
After these steps we can basically determine that these files are gray pigeon service side, the following can be manually cleared.
Three, the Ash Pigeon's manual removal
After the analysis above, it is easy to remove the gray pigeon. Clear gray pigeons still need to operate in safe mode, there are two main steps: 1, the removal of gray pigeon service; 2 Remove gray pigeon program files.
Note: In order to prevent misoperation, be sure to do a backup before cleaning.
(i) Removal of Grey pigeon services
Note that the service of the Gray pigeon must be completed in the registration table. Not familiar with the registration form of netizens please find familiar people to help operate, clear the service of gray pigeon must first back up the registry, or to pure DOS under the registry file name renamed, and then go to the registry to delete the service of gray Pigeon. Because the virus will be associated with the EXE file
2000/XP System:
1, open Registry Editor (click "Start"-"" Run ", enter" Regedit.exe ", OK. To open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key.
2, click the Menu "edit"-"find", "Find the target" input "Game.exe", click OK, we can find gray pigeon service (This example is game_server, each person this service item name is different).
3, delete the entire game_server item.
98/me System:
Under 9X, there is only one boot for the gray pigeon, so it is simpler to clear it. Run Registry Editor, open the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run item, we immediately see an item named Game.exe, delete the Game.exe item.
(ii) Removal of Grey Pigeon program documents
Remove Gray Pigeon Program files are simple, simply remove the Game.exe, Game.dll, Game_hook.dll, and Gamekey.dll files in the Windows directory in Safe mode, and then restart the computer. At this point, Gray pigeon VIP 2005 service End has been cleared clean.
The methods described above apply to most of the grey pigeon Trojans and their variants that we see, but there are still a handful of variants that are not detectable and cleared by this method. At the same time, with the new version of the Gray Pigeon, the author may add some new hidden methods, anti-deletion means, manual detection and removal of its difficulty will become more and more.
Iv. precautions to be taken to prevent the Chinese-gray pigeon virus
1. Install patches to the system. Install system patches (critical updates, security updates, and service packs) through Windows Update, where ms04-011, ms04-012, ms04-013, ms03-001, ms03-007, ms03-049, ms04-032 and so on are widely used by viruses, is a very necessary patch
2. To the system administrator account to set enough complex enough strong password, preferably more than 10 digits, letters + numbers + other symbols of the combination; You can also disable/delete some unused accounts
3. Often update anti-virus software (virus library), set allowed to set to automatically update daily. Installation and rational use of network firewall software, network firewall in the anti-virus process can also play a crucial role, can effectively block the intrusion of the network and the virus. Some pirated Windows users can not properly install patches, this is also more helpless, this part of the user may wish to use the network firewall to carry out a certain protection
4. To close some unwanted services, the conditions allowed to be closed without the necessary sharing, but also include C $, d$ and other management shares. A completely stand-alone user can shut down the server service directly. These can be closed with optimized software such as WinXP Explorer.
Repost Originally posted as Bon Jovi published in the FEI-where virus rescue area
Grey Pigeon VIP 2005 Cleaner
Http://ftpe.ttian.net/2005/07/DelHgzvip2005Server.zip
blackhole& Gray pigeon back door kill tool
Http://www.cert.org.cn/articles/tools/common/2005051322256.shtml
If the Kill tool did not find the gray pigeon, please refer to the following method to delete manually
Follow the instructions below, 3 steps to completely remove the gray pigeon Trojan horse in the system
1. Download HijackThis Scanning system
Download Address:
http://www.skycn.com/soft/15753.html zww3008 version of Chinese
Http://www.merijn.org/files/hijackthis.zip English version
2. From the HijackThis log O23 items can be found in the gray pigeon from the service
As the recent popular:
o23-service:system$ (system$server)-Unknown Owner-c:\windows\setemy.bat
O23-service:network Connections Manager (Netconman)-Unknown Owner-c:\windows\uinstall.exe
O23-service:winserver-unknown Owner-c:\windows\winserver.exe
O23-service:gray_pigeon_server (graypigeonserver)-Unknown Owner-c:\windows\g_server.exe
Use HijackThis to select the O23 item above and choose Fix this or fix checked
3. Remove Gray pigeon with Killbox the corresponding Trojan file can be downloaded from here Killbox
Http://yncnc.onlinedown.net/soft/37257.htm
Copy the path of the file directly to the Killbox and delete it.
Usually the following file "service name" specific through HijackThis
C:\windows\ service name. dll
C:\windows\ service name. exe
C:\windows\ Service name. bat
C:\windows\ Service Name Key.dll
C:\windows\ Service Name _hook.dll
C:\windows\ Service Name _hook2.dll
An example is provided:
C:\WINDOWS\setemykey.dll
C:\WINDOWS\setemy.dll
C:\WINDOWS\setemy.exe
C:\WINDOWS\setemy_hook.dll
C:\WINDOWS\setemy_hook2.dll
With Killbox Delete those Trojan files, because the file has hidden properties, may not directly see, but Killbox can directly delete .  the above file does not all exist, if killbox hint file does not exist or has been deleted it doesn't matter.