Reprinted from jakee's original forum post:
Recently, many netizens have reported that their machine has a * virus called Gray Pigeon. This virus is very naughty and goes by different names in different antivirus products, such as Gpigeon, Huigezi and Feutel. It is very troublesome to remove from a computer, especially the 2005 version, which has only just appeared. It implements program file hiding, process hiding and service hiding. Antivirus software generally cannot find its files in normal mode, let alone remove them; even the antivirus vendors have a hard time dealing with it, which makes things even more troublesome for users. This article briefly introduces how the Gray Pigeon virus operates, manual detection methods, manual removal methods, precautions against infection, and so on. Most of the content comes from the Internet and was collected, organized and edited by me. If it infringes on your interests, please point it out and I will correct it immediately.
1. Introduction to the Gray Pigeon Virus
Gray Pigeon is a famous backdoor in China. Compared with its predecessors, Gray Pigeon can be called the master of domestic backdoors. Its rich and powerful functions, flexible operation and good concealment dwarf other backdoors. The simple and convenient client lets beginners act as hackers. Used legitimately, Gray Pigeon is an excellent remote control program; used for illegal purposes, it becomes a very powerful hacker tool. This is like gunpowder: used on different occasions, it has different effects on people. Perhaps only the author of Gray Pigeon could give a complete introduction, so we can only give a brief one here.
The Gray Pigeon client and server are both written in Delphi. The hacker uses the client program to configure the server program. The configurable settings mainly include the connection type (for example waiting for a connection or actively connecting), the public IP (or domain name) used when connecting actively, the connection password, the port used, the startup item name, the service name, the process-hiding method, the shell, the proxy, the icon, and so on.
The server side has many ways of connecting to the client, which means users in all kinds of network environments can be infected, including LAN users (accessing the Internet through a proxy), public-network users and ADSL dial-up users.
The server is introduced below:
The configured server file is named G_Server.exe by default (it can of course be changed). The hacker then uses every possible method to trick users into running G_Server.exe. Readers can use their imagination as to which methods are used, so I will not go into details here.
After G_Server.exe runs, it copies itself to the Windows directory (the Windows directory of the system drive on 98/XP, the Winnt directory of the system drive on 2K/NT), and then releases G_Server.dll and G_Server_Hook.dll from its own body into the Windows directory. The three files G_Server.exe, G_Server.dll and G_Server_Hook.dll work together to form the Gray Pigeon server, and G_Server_Hook.dll is responsible for hiding Gray Pigeon: it intercepts API calls to hide the files, the service's registry key, and even the module name inside the process. The intercepted functions are mainly those used to enumerate files, registry entries and process modules. Therefore users sometimes feel they have been infected, but after careful inspection cannot find anything abnormal. Some Gray Pigeons release an extra file, G_ServerKey.dll, to record keystrokes. Note that the name G_Server.exe is not fixed; it can be customized. For example, when the custom server file name is , the generated files are , and A_Hook.dll.
The G_Server.exe file in the Windows directory registers itself as a service (on 9X systems it writes a registry startup key) so that it runs automatically at every boot. After it runs, it starts G_Server.dll and G_Server_Hook.dll and then exits automatically. G_Server.dll implements the backdoor functions and communicates with the controlling client; G_Server_Hook.dll hides the virus by intercepting API calls. Therefore, after infection, we can see neither the virus files nor the service entries the virus registered. Depending on the settings of the Gray Pigeon server file, G_Server_Hook.dll is sometimes attached to the process space, and sometimes attached to all processes.
The author of Gray Pigeon has spent a lot of effort on evading detection by antivirus software. Since some API functions are intercepted, it is difficult to enumerate Gray Pigeon's files and modules in normal mode, which makes detection and removal difficult. It is also troublesome to unload the Gray Pigeon dynamic library while making sure the system process does not crash, which has led to the recent flood of Gray Pigeons on the Internet.
2. Manual inspection of gray pigeons
Because Gray Pigeon intercepts API calls, both the server program files and the service entries it registers are hidden in normal mode, which means you cannot see them even if you set "Show all hidden files". In addition, the file name of the Gray Pigeon server can be customized, which makes manual detection somewhat harder.
However, careful observation shows that detecting Gray Pigeon still follows a pattern. From the above analysis of how it operates, we can see that no matter what the custom server file name is, a file ending in "_hook.dll" will generally be generated in the operating system's installation directory. Using this, we can detect the Gray Pigeon server more accurately.
Since Gray Pigeon hides itself in normal mode, detection must be carried out in safe mode. To enter safe mode: start the computer, press F8 before the Windows boot screen appears (or hold down Ctrl while starting the computer), and select "Safe Mode" in the startup options menu that appears.
1. Since the files have the hidden attribute, you need to set Windows to show all files. Open "My Computer", select "Folder Options" from the "Tools" menu, click "View", uncheck "Hide protected operating system files", select "Show all files and folders" under "Hidden files and folders", and then click "OK".
2. Open Windows "Search", enter "_hook.dll" as the file name, and select the Windows installation directory (by default C:\windows on 98/XP, C:\Winnt on 2K/NT).
3. After searching, we find a file named Game_Hook.dll in the Windows directory (not in a subdirectory).
4. From the analysis of how Gray Pigeon works, we know that if Game_Hook.DLL is a Gray Pigeon file, there will also be a and file in the operating system installation directory. Opening the Windows directory, these two files are indeed there, and there is also a file that records keystrokes.
After these steps, we can basically confirm that these files are the Gray Pigeon server, and we can remove them manually.
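The directory check in steps 2 to 4 can be scripted. The following is an added example written for this page, not code from the original post or from any Gray Pigeon removal tool: it lists the top level of a Windows directory, finds every file ending in "_hook.dll", and checks whether the sibling files the post describes (<name>.exe, <name>.dll and the optional <name>Key.dll keylogger) sit beside it. The sample directory it builds is constructed for illustration and the file names in it are the ones used above. It assumes, as the post does, that the hook DLL hides these files from normal-mode enumeration, so the scan is only meaningful from safe mode or a clean boot environment; the script only lists, it never deletes.

```python
"""Scan a Windows directory for the Gray Pigeon "<name>_hook.dll" pattern.

Added example (not from the original post). Reproduces the manual check in
steps 2-4: find "*_hook.dll" directly in the Windows directory (no
subdirectories), then look for the sibling files the post names.
Assumption: run from safe mode, since in normal mode the hook DLL filters
these files out of directory enumeration.
"""
import os
import tempfile
from dataclasses import dataclass, field

HOOK_SUFFIX = "_hook.dll"


@dataclass
class HookFinding:
    hook_dll: str                                  # the *_hook.dll file that matched
    base: str                                      # the custom server name, e.g. "Game"
    present: list = field(default_factory=list)    # expected sibling files found
    missing: list = field(default_factory=list)    # expected sibling files not found

    @property
    def is_likely_server(self) -> bool:
        # The post treats <name>.exe and <name>.dll as the confirming pair;
        # the keylogger DLL is optional ("some gray pigeons will release...").
        return f"{self.base}.exe" in self.present and f"{self.base}.dll" in self.present


def scan_windows_dir(windir: str) -> list:
    """Return one HookFinding per *_hook.dll found directly in windir."""
    # Case-insensitive index of top-level files only; step 3 excludes subdirectories.
    names = {e.name.lower(): e.name for e in os.scandir(windir) if e.is_file()}
    findings = []
    for lower, name in names.items():
        if not lower.endswith(HOOK_SUFFIX):
            continue
        base = name[: -len(HOOK_SUFFIX)]
        expected = [f"{base}.exe", f"{base}.dll"]   # always generated per the post
        optional = [f"{base}Key.dll"]                # keystroke recorder, not always present
        f = HookFinding(hook_dll=name, base=base)
        for sib in expected + optional:
            (f.present if sib.lower() in names else f.missing).append(sib)
        findings.append(f)
    return findings


def build_sample_dir() -> str:
    """Constructed stand-in for C:\\Windows using the names from the post."""
    d = tempfile.mkdtemp(prefix="windir_")
    for n in ["Game_Hook.dll", "Game.exe", "Game.dll", "GameKey.dll",
              "explorer.exe", "notepad.exe", "win.ini", "Other_hook.dll"]:
        open(os.path.join(d, n), "wb").close()
    os.mkdir(os.path.join(d, "system32"))
    # A hook DLL in a subdirectory must be ignored, as in step 3.
    open(os.path.join(d, "system32", "Sub_hook.dll"), "wb").close()
    return d


if __name__ == "__main__":
    for f in scan_windows_dir(build_sample_dir()):
        verdict = "likely Gray Pigeon server" if f.is_likely_server else "unconfirmed"
        print(f"{f.hook_dll}: base={f.base} present={f.present} "
              f"missing={f.missing} -> {verdict}")
```

A lone "_hook.dll" with no matching .exe/.dll pair is reported as unconfirmed rather than as a hit, which keeps the check from flagging an unrelated DLL that merely shares the suffix.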
3. Manual removal of gray pigeons
After the above analysis, removing Gray Pigeon is easy. Removal still has to be done in safe mode. There are two main steps: 1. Remove the Gray Pigeon service; 2. Delete the Gray Pigeon program files.
Note: to prevent mistakes, be sure to make a backup before removal.
(I) Removing the Gray Pigeon service
Note that removing the Gray Pigeon service must be done in the registry. Netizens who are not familiar with the registry should ask someone who is to help. Before removing the service, first back up the registry, or go into pure DOS to change the registry file, and then delete the Gray Pigeon service in the registry. Because the virus will be associated with EXE files
2000/XP systems:
1. Open the Registry Editor (click "Start" - "Run", enter "" and click OK), and open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key.
2. Click "Edit" - "Find", enter "" in "Find what", click OK, and we find the Gray Pigeon service entry (in this example Game_Server; the service name differs from machine to machine).
3. Delete the entire Game_Server key.
98/ME systems:
Under 9X, Gray Pigeon has only one startup entry, so it is easier to remove. Run the Registry Editor, open the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key, and we immediately see the entry named ; delete it.
(II) Deleting the Gray Pigeon program files
Deleting the Gray Pigeon program files is very simple. You only need to delete the , Game_Hook.dll and files in the Windows directory in safe mode, then restart the computer. At this point, the Gray Pigeon VIP 2005 server has been removed.
The method described above applies to most of the Gray Pigeon *s and their variants we see, but there are still a very small number of variants that cannot be detected and removed this way. At the same time, as new versions of Gray Pigeon keep being released, the author may add new hiding and anti-deletion methods, and manual detection and removal will become increasingly difficult.
4. Things to note to prevent infection by the Gray Pigeon virus
1. Patch the system. Install system patches (critical updates, security updates and service packs) through Windows Update. Among them, MS04-011, MS04-012, MS04-013, MS03-001, MS03-007, MS03-049, MS04-032 and so on are widely exploited by viruses and are essential patches.
2. Set a sufficiently complex and strong password for the system administrator account, preferably more than 10 characters combining letters, numbers and other symbols; you can also disable or delete unused accounts.
3. Update antivirus software (virus definitions) frequently; where the settings allow, set it to update automatically every day. Install and use a network firewall sensibly. A network firewall also plays a crucial role in anti-virus work and can effectively block network attacks and virus intrusion. Some pirated Windows users cannot install patches normally, which is unfortunate; these users may wish to use a network firewall to get some protection.
4. Close unnecessary services. If conditions permit, turn off unneeded shares, including administrative shares such as C$ and D$. Users on completely stand-alone machines can shut down the Server service directly. These can be closed using winxp host and other optimization software.
Reposted. Original post by Bon Jovi in the Feifan Virus Rescue Area
Gray Pigeon Vip 2005 Clearer
/2005/07/
BlackHole & Gray Pigeon Backdoor Removal Tool
/articles/tools/common/
If the removal tool does not find Gray Pigeon, refer to the following method to delete it manually.
Following these instructions, you can completely delete Gray Pigeon and * from the system in 3 steps.
1. Download HijackThis to scan the system
Download address:
/soft/ zww3008 Chinese version
/files/ English version
2. In the O23 entries of the HijackThis log, you can find the Gray Pigeon service entries.
Recently popular ones:
O23 - Service: SYSTEM$ (SYSTEM$Server) - Unknown owner - C:\WINDOWS\
O23 - Service: Network Connections Manager (NetConMan) - Unknown owner - C:\WINDOWS\
O23 - Service: winServer - Unknown owner - C:\WINDOWS\
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
Select the above O23 entries in HijackThis, then choose "Fix this item" or "Fix checked".
3. Use Killbox to delete the * files corresponding to the *. You can download Killbox here:
/soft/
Copy the file path directly into Killbox to delete it.
Usually the following files are identified from the HijackThis log:
C:\windows\service name.dll
C:\windows\service name.exe
C:\windows\service name.bat
C:\windows\service name
C:\windows\service name_hook.dll
C:\windows\service name_hook2.dll
For example:
C:\WINDOWS\
C:\WINDOWS\
C:\WINDOWS\
C:\WINDOWS\setemy_hook.dll
C:\WINDOWS\setemy_hook2.dll
Use Killbox to delete those * files. Since the files have the hidden attribute, they may not be directly visible, but Killbox can delete them directly. Not all of the above files will necessarily exist; if Killbox reports that a file does not exist or has already been deleted, it doesn't matter.
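The O23 lines and the file-name pattern above lend themselves to a small triage script. The following is an added example for this page, not code from the original post, from HijackThis or from Killbox: it parses O23 lines of the form "O23 - Service: <display> (<key>) - <owner> - <path>", flags the services that share the traits of the four samples quoted above (unknown owner and a binary sitting directly in C:\WINDOWS rather than a subfolder), and expands each flagged service into the six candidate paths the post lists for Killbox. The sample log is constructed: it reuses the four quoted lines and adds one made-up benign service ("Example Service", "Example Corp") for contrast. One assumption is mine: when the O23 line carries a file name, the base name is taken from that file (G_Server.exe gives G_Server); when the path was cut off at "C:\WINDOWS\", the service key name (or display name) is used instead. The script produces a list for a human to review; it does not touch the registry or delete anything.

```python
"""Triage HijackThis O23 lines and build the Killbox candidate list from the post.

Added example, not part of the original post, HijackThis or Killbox.
Assumption: base name comes from the service binary's file name when the
log line has one, otherwise from the service key/display name.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
WINDIR = "C:\\WINDOWS"
# File name variants the post says usually accompany the service (step 3).
SUFFIXES = [".dll", ".exe", ".bat", "", "_hook.dll", "_hook2.dll"]


@dataclass
class ServiceEntry:
    display: str
    key: Optional[str]
    owner: str
    path: str

    @property
    def binary(self) -> str:
        # File name part of the path; empty when the log line was truncated.
        return self.path.rsplit("\\", 1)[-1]

    @property
    def in_windows_root(self) -> bool:
        head = self.path.rsplit("\\", 1)[0].rstrip("\\")
        return head.upper() == WINDIR

    @property
    def suspicious(self) -> bool:
        # Trait shared by all four quoted samples: no owner and a binary in C:\WINDOWS itself.
        return self.owner.lower() == "unknown owner" and self.in_windows_root

    @property
    def base_name(self) -> str:
        if self.binary:
            return self.binary.rsplit(".", 1)[0]
        return self.key or self.display


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line; return None for anything that is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["display"], m["key"], m["owner"], m["path"])


def killbox_paths(entry: ServiceEntry) -> List[str]:
    """Expand one flagged service into the six candidate paths from the post."""
    return [f"{WINDIR}\\{entry.base_name}{s}" for s in SUFFIXES]


def triage(log_lines: List[str]) -> List[ServiceEntry]:
    """Keep only parseable O23 entries that match the suspicious pattern."""
    return [e for e in map(parse_o23, log_lines) if e and e.suspicious]


# Constructed sample log: the four lines quoted in the post plus one made-up benign service.
SAMPLE_LOG = [
    "O23 - Service: SYSTEM$ (SYSTEM$Server) - Unknown owner - C:\\WINDOWS\\",
    "O23 - Service: Network Connections Manager (NetConMan) - Unknown owner - C:\\WINDOWS\\",
    "O23 - Service: winServer - Unknown owner - C:\\WINDOWS\\",
    "O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\\WINDOWS\\G_Server.exe",
    "O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\\Program Files\\Example\\svc.exe",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[flag] {e.display} ({e.key}) -> {e.path}")
        for p in killbox_paths(e):
            print("   ", p)
```

"Unknown owner" on its own is not proof of anything, since HijackThis shows it for some legitimate services too; the combination with a binary placed directly in the Windows directory is what makes the quoted entries stand out, and the expanded list is still meant to be checked against the search results from the first part of this page before anything is deleted.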