Gray Pigeon is a Trojan horse that spreads and infects quickly. You may ask: what harm does the Gray Pigeon virus do? Most computers infected with Gray Pigeon are turned into "broilers" (bots), quietly waiting for a hacker to do whatever he likes with the user's machine. So how do you clean Gray Pigeon off a Win7 system? Today the Huajun editor brings you a simple, easy-to-follow removal method. We hope you will support and share this carefully selected content; if you like it, grab it now!
Dangers of Gray Pigeon Virus:
Gray Pigeon is actually a remote control program. Its builder generates a file with whatever name he chooses and then uses all kinds of tricks to get you to open it. Once the file is opened, your computer becomes a bot that the hacker can take control of at any time.
How Gray Pigeon works
The Gray Pigeon Trojan has two parts: a client and a server. The hacker (let's call him that) operates the client and uses its configuration function to generate a server program, whose file name defaults to G_Server.exe. The hacker then spreads this Trojan through various channels (commonly called planting a Trojan or opening a back door). There are many ways to plant it: binding it to a picture and sending it over QQ while posing as a shy girl so that you run it; building a personal web page that uses an IE vulnerability to download and run the Trojan on your machine when you click; or uploading the file to a software download site disguised as an interesting program so that users download it...
After it runs, G_Server.exe copies itself to the Windows directory (on Win98/WinXP/Win7 this is the Windows directory of the system drive; on Win2000/WinNT it is the Winnt directory) and then extracts G_Server.dll and G_Server_Hook.dll from its own body into that same directory. The three files G_Server.exe, G_Server.dll and G_Server_Hook.dll work together to form the Gray Pigeon server. Some Gray Pigeon builds release an additional file named G_ServerKey.dll that records keystrokes.
Note: the name G_Server.exe is not fixed; it can be customized. For example, if the customized server file name is A.exe, the generated files are A.exe, A.dll and A_Hook.dll.
The G_Server.exe file in the Windows directory registers itself as a service (on 9X systems it writes a registry startup item instead) so that it runs automatically every time the computer starts. Once running, it starts G_Server.dll and G_Server_Hook.dll and then exits. G_Server.dll implements the backdoor and communicates with the controlling client; G_Server_Hook.dll hides the Trojan by hooking API calls. This is why, after infection, you can see neither the Trojan files nor the service it registered. Depending on the settings of the Gray Pigeon server file, G_Server_Hook.dll is sometimes injected only into the Explorer.exe process and sometimes into all processes.
How to detect if your computer is infected with the Gray Pigeon virus?
Because Gray Pigeon hooks API calls, its program files and its registered service are hidden in normal mode, so you cannot see them even with "Show all hidden files" enabled. In addition, the server file name can be customized, which makes manual detection harder.
However, careful observation shows that Gray Pigeon can still be detected by a consistent pattern. From the analysis of how it works above, no matter what name the customized server file has, a file ending in "_hook.dll" is generally created in the operating system's installation directory. Using this, we can detect the Gray Pigeon Trojan manually with reasonable accuracy.
Because Gray Pigeon hides itself in normal mode, detection must be carried out in safe mode. To enter safe mode: start the computer, press F8 before the Windows startup screen appears (or hold down Ctrl while the computer starts), and select "Safe Mode" from the boot options menu.
1. Because the Gray Pigeon files carry the hidden attribute, you first need to set Windows to display all files. Open "Computer", choose the menu "Tools" -> "Folder Options", click the "View" tab, uncheck "Hide protected operating system files", check "Show hidden files and folders", and click OK.
2. Open the Windows file search, enter "_hook.dll" as the file name, and select the Windows installation directory as the search location (by default C:\Windows on Win98/WinXP/Win7 and C:\Winnt on Win2000/WinNT).
3. The search turns up a file named Game_Hook.dll in the Windows directory itself (not in a subdirectory).
4. From the analysis of how Gray Pigeon works, we know that if Game_Hook.dll is a Gray Pigeon file, then Game.exe and Game.dll should also exist in the operating system installation directory. Open the Windows directory, and sure enough both files are there, along with a GameKey.dll file used to record keystrokes.
After these steps, we can basically determine that these files are Gray Pigeon Trojans, and we can manually remove them below.
How to clean up the gray pigeon virus?
After the analysis above, removing Gray Pigeon is easy. Removal must also be carried out in safe mode and has two main steps:
● Remove the Gray Pigeon service;
● Delete the Gray Pigeon program files.
Note: To prevent misoperation, be sure to make a backup before clearing.
1. Remove the Gray Pigeon service
Win2000/WinXP/Win7 system:
1. Open the Registry Editor (click "Start" -> "Run", enter "Regedit.exe" and confirm) and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
2. Click the menu "Edit" -> "Find", enter "game.exe" as the search target and click OK; this locates Gray Pigeon's service entry (in this example, Game_Server).
3. Delete the entire Game_Server item.
Win98/WinME system:
Under 9X there is only one Gray Pigeon startup item, so removal is simpler. Run the Registry Editor and open:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
An entry named Game.exe is immediately visible; just delete that Game.exe entry.
2. Delete the Gray Pigeon program files
Deleting the Gray Pigeon program files is straightforward: in safe mode, delete the Game.exe, Game.dll, Game_Hook.dll and GameKey.dll files in the Windows directory, then restart the computer. Gray Pigeon has now been removed.
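As an added example (not from the original article and not Gray Pigeon's own code), the following Python script applies the detection rule from the "How to detect" section and produces the removal checklist from the two steps above: it scans the top level of a directory for any file ending in "_hook.dll", checks whether the companion <name>.exe, <name>.dll and optional <name>Key.dll exist, and prints the files and registry locations to inspect. It deletes nothing; the C:\Windows default, the function names and the report format are my own assumptions.

```python
from pathlib import Path
import sys

HOOK_SUFFIX = "_hook.dll"  # the naming pattern the article keys on


def _has_file(directory, name):
    """Case-insensitive check for a regular file named `name` in directory."""
    name = name.lower()
    return any(p.is_file() and p.name.lower() == name for p in directory.iterdir())


def scan(windir):
    """Report every <name>_Hook.dll in the top level of windir (no recursion,
    as in the article) together with its companions <name>.exe, <name>.dll and
    the optional keylogger module <name>Key.dll.  A set is flagged as
    suspicious only when both <name>.exe and <name>.dll are present."""
    windir = Path(windir)
    findings = []
    for entry in sorted(windir.iterdir()):
        if not entry.is_file() or not entry.name.lower().endswith(HOOK_SUFFIX):
            continue
        base = entry.name[: -len(HOOK_SUFFIX)]  # "Game" for "Game_Hook.dll"
        companions = {n: _has_file(windir, n)
                      for n in (f"{base}.exe", f"{base}.dll", f"{base}Key.dll")}
        findings.append({
            "base": base,
            "hook": entry.name,
            "companions": companions,
            "suspicious": companions[f"{base}.exe"] and companions[f"{base}.dll"],
        })
    return findings


def removal_plan(finding):
    """Turn a flagged finding into the article's manual checklist: files to
    delete in safe mode and registry locations to inspect.  Deletes nothing."""
    base = finding["base"]
    files = [finding["hook"]] + [n for n, ok in finding["companions"].items() if ok]
    return {
        "files": files,
        "service_key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services",
        "search_for": f"{base}.exe",  # string to search the service entries for
        "run_key_9x": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    }


if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"):
        print(f["hook"], "SUSPICIOUS" if f["suspicious"] else "hook only", f["companions"])
        if f["suspicious"]:
            print("  plan:", removal_plan(f))
```

Run it from safe mode with the Windows directory as the argument, back up the reported files, and then carry out the registry and file deletions by hand as described above.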
The method in this article works for most of the Gray Pigeon Trojans and variants we have seen. A very few variants, however, cannot be detected and removed this way. Moreover, as new versions of Gray Pigeon keep appearing, new hiding and anti-deletion techniques will make manual detection and removal increasingly difficult. If you cannot deal with it yourself, have a professional handle it, or else reinstall the system.