Operating principle of the Gray Pigeon remote monitoring software

Gray Pigeon remote monitoring software consists of two parts: a client and a server. The attacker (we will call them the hacker) operates the client and uses its configuration options to generate a server program; the server file is named G_Server.exe by default. The hacker then spreads the server (commonly called the Trojan) through whatever channels work. There are many ways to deliver it: bind it to a picture, pose as a shy girl on QQ and send it to you in the hope that you run it; put up a personal web page and use an Internet Explorer vulnerability to download and run the Trojan when you click; or upload it to a software download site disguised as an amusing utility. Such use is contrary to the stated purpose for which Gray Pigeon was developed. This article is therefore written for users on whose machines the Gray Pigeon server has been installed without their consent, and explains how to remove the server program. Most of the content is collected from the Internet.

When G_Server.exe is run, it copies itself into the Windows directory (the Windows directory of the system drive on 98/XP, the Winnt directory on 2000/NT) and then extracts G_Server.dll and G_Server_Hook.dll from its own body into that same directory. Together, G_Server.exe, G_Server.dll and G_Server_Hook.dll make up the Gray Pigeon server. Some builds also drop a file named G_ServerKey.dll that records keystrokes. Note that the name G_Server.exe is not fixed; it can be customized in the client. If the server file name is set to A.exe, the generated files are A.exe, A.dll and A_Hook.dll. The G_Server.exe in the Windows directory registers itself as a service (on 9X systems it writes a registry startup item instead), so it runs automatically at every boot. Once started, it loads G_Server.dll and G_Server_Hook.dll and then exits.

G_Server.dll implements the backdoor and communicates with the control client; G_Server_Hook.dll hides the virus by intercepting API calls. This is why, after infection, neither the virus files nor the service it registered can be seen. Depending on how the server was configured, G_Server_Hook.dll is sometimes injected into the process space of Explorer.exe only and sometimes into every process.

Manual detection of Gray Pigeon

Because Gray Pigeon intercepts API calls, in normal mode the server program files and the service it registered are hidden: even with "Show all hidden files" enabled you cannot see them. The server file name is also customizable, which makes manual detection harder. Careful observation shows that detection still follows a rule, however. From the operating principle above, whatever the custom server file name, a file ending in "_Hook.dll" is always created in the operating system installation directory. This lets us detect the Gray Pigeon server fairly reliably by hand.

Since Gray Pigeon hides itself in normal mode, detection must be done in Safe Mode, where the hook DLL that does the hiding is not loaded. To enter Safe Mode, start the computer and press F8 (or hold down Ctrl while booting) before the Windows splash screen appears, then choose "Safe Mode" from the boot options menu.

1. Because the Gray Pigeon files carry the hidden attribute, first set Windows to display all files. Open "My Computer", choose "Tools" - "Folder Options" from the menu, switch to the "View" tab, select "Show all files and folders" under "Hidden files and folders", and click "OK".
2. Open the Windows "Search for files" function, enter "_hook.dll" as the file name, and choose the Windows installation directory as the search location (by default C:\Windows on 98/XP and C:\Winnt on 2000/NT).
3. The search finds a file named Game_Hook.dll in the Windows directory itself (not in a subdirectory).
4. From the analysis above, if Game_Hook.dll is a Gray Pigeon file, the operating system installation directory must also contain Game.exe and Game.dll. Opening the Windows directory, both files are present, together with a GameKey.dll that records keystrokes.

After these steps we can be reasonably sure that these files are the Gray Pigeon server. A lone *_Hook.dll is only the lead; the matching .exe and .dll beside it are the confirmation. The files can now be removed manually as described below.

Manual removal of Gray Pigeon

After the above analysis, removal is easy. It still has to be done in Safe Mode and consists of two steps: 1. remove the Gray Pigeon service; 2. delete the Gray Pigeon program files. Note: to guard against mistakes, back up the registry keys and files before deleting anything.

First, remove the Gray Pigeon service.

2000/XP systems:
1. Open the Registry Editor (click "Start" - "Run", enter "Regedit.exe" and click OK) and open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key.
2. Click "Edit" - "Find", enter the server file name (Game.exe in this example) as the search target and click OK; this locates the service key whose image path points at that file, Game_Server in this example.
3. Delete the entire Game_Server key.

98/Me systems:
Under 9X, Gray Pigeon has only one startup entry, so removal is simpler. Run the Registry Editor, open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and you will immediately see an entry named Game.exe; delete it.

Second, delete the Gray Pigeon program files.

This is straightforward: in Safe Mode, delete Game.exe, Game.dll, Game_Hook.dll and GameKey.dll from the Windows directory, then restart the computer.

At this point the Gray Pigeon server has been removed.
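The naming rule used above (a <name>_Hook.dll beside <name>.exe and <name>.dll, an optional <name>Key.dll, and a service or Run entry that points at <name>.exe) can be checked by script instead of by eye. The following Python is an added example written for this article; it is not code from the Gray Pigeon author or from the original page. It assumes only the file and registry naming pattern described above. The directory listing and the service list embedded in it are constructed samples, and the ImagePath value given for Game_Server is an assumption. Like the manual procedure, it must be run in Safe Mode: in normal mode the hook DLL hides the files from the very directory listing the script reads.

```python
import os
import re
import sys

# <name>_Hook.dll, matched case-insensitively (Windows file names are).
HOOK_RE = re.compile(r"^(?P<base>.+)_hook\.dll$", re.IGNORECASE)

# Constructed sample of a Windows directory listing: one complete Gray Pigeon
# set (Game.*) and a stray Other_Hook.dll that has no companion files.
SAMPLE_LISTING = [
    "explorer.exe", "notepad.exe", "win.ini",
    "Game.exe", "Game.dll", "Game_Hook.dll", "GameKey.dll",
    "Other_Hook.dll",
]

# Constructed sample of (service name, ImagePath) pairs as they would be read
# from HKLM\SYSTEM\CurrentControlSet\Services. The Game_Server path is assumed.
SAMPLE_SERVICES = [
    ("Eventlog", r"%SystemRoot%\system32\services.exe"),
    ("Game_Server", r"C:\WINDOWS\Game.exe"),
    ("Spooler", r"%SystemRoot%\system32\spoolsv.exe"),
]


def find_candidates(listing):
    """Return the Gray Pigeon file sets present in one directory listing.

    A <base>_Hook.dll only counts when <base>.exe and <base>.dll are also
    present (the confirmation step of the article); <base>Key.dll is
    reported when found but is optional.
    """
    by_lower = {name.lower(): name for name in listing}
    candidates = []
    for name in sorted(listing):
        m = HOOK_RE.match(name)
        if not m:
            continue
        base = m.group("base")
        exe = by_lower.get(base.lower() + ".exe")
        dll = by_lower.get(base.lower() + ".dll")
        key = by_lower.get(base.lower() + "key.dll")
        if exe and dll:
            files = [exe, dll, name] + ([key] if key else [])
            candidates.append({"base": base, "files": files})
    return candidates


def scan_dir(path):
    """Apply find_candidates to the files directly inside path (no recursion)."""
    names = [n for n in os.listdir(path) if os.path.isfile(os.path.join(path, n))]
    return find_candidates(names)


def referencing_entries(entries, base):
    """Names of registry entries (name, value) that refer to <base>.exe.

    Works for both the Services key (value = ImagePath) and the 9X Run key,
    where the entry name itself is Game.exe in the article. The lookbehind
    keeps SomeGame.exe from matching Game.exe.
    """
    pat = re.compile(r"(?<![a-z0-9])" + re.escape(base.lower() + ".exe"), re.IGNORECASE)
    return [name for name, value in entries
            if pat.search(name) or (value and pat.search(value))]


def read_services_from_registry():
    """Windows only: (name, ImagePath) for every key under Services."""
    import winreg  # standard library, but only present on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                svc = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, svc) as key:
                    image, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:  # key without an ImagePath value
                image = None
            entries.append((svc, image))
    return entries


if __name__ == "__main__":
    windir = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("WINDIR", r"C:\Windows")
    found = scan_dir(windir) if os.path.isdir(windir) else find_candidates(SAMPLE_LISTING)
    services = read_services_from_registry() if sys.platform == "win32" else SAMPLE_SERVICES
    for c in found:
        print("Gray Pigeon candidate files:", ", ".join(c["files"]))
        print("  service/startup entries to delete:", referencing_entries(services, c["base"]))
```

Run it in Safe Mode as "python check_pigeon.py C:\Windows" (or C:\Winnt on 2000/NT); on Windows it reads the real Services key so each candidate file set is matched to the service key to delete. Deletion itself is deliberately left to the manual steps above so that a backup can be taken first, and a *_Hook.dll without its companion files is reported as nothing, exactly as in step 4.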
Copyright © Windows knowledge All Rights Reserved