TUCoPS :: Hacking Techniques :: fixbo13.txt

How to remove Back Orifice (BO v1.20) from your system:




BackOrifice_FIX.txt   (Rev 1.3)
2/28/2000 - Covers v1.20 patch 8
2/27/2000 - Also covers v1.20 patch 7
1/20/1999 - Added LM BO info.
9/26/1998 - First writing.


This guide describes how to remove the Back Orifice backdoor (also referred
to as BO) from your system.
Brought to you by #hackfix @EFNet, written by Disturbed and Snowz.


==+==  Introduction  ==+==

  Removing Back Orifice is a three-step process.

    1) Edit the registry so that BO cannot load at start up.
    2) Reboot to purge BO from memory.
    3) Delete the program on disk to prevent reinfection.

  Windows 95 will not let you delete or modify a program on disk while it is
  running, and there is no easy way to force the BO server to quit, so the
  first two steps are needed before the file can be removed.



==+==  Step 1  -=-  Edit the Registry  ==+==

  To do this you will need to use a program called RegEdit.  Go to the Run
  command in your Start menu and type regedit there to start the program.
  If you are familiar with regedit, the key to edit is as follows:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   (Default) = " .exe"

   You are safe to delete that value:      (Default) = " .exe"

   After rebooting, delete the two files " .exe" (in c:\windows\system\)
   and "windll.dll" (look in c:\windows\ and c:\windows\system\).

   Also, a newer version of BO installs in the same key, shown as:

   WindowsTour = "Tour98.exe"

   You are safe to delete that value as well (see below on LM BO).


Step by Step :

  When you run regedit, it looks a lot like Windows Explorer, but it works
  on the registry, not on files on the disk.  Regedit has two panels.
  The panel on the left displays all the keys in your registry.
  The panel on the right displays the values in those keys.

Looking at the left hand panel, you will see a list of items.
One should say "HKEY_LOCAL_MACHINE" with a little box containing a '+'.
Click on that +, and it will display more items under it.
Then find the item marked "SOFTWARE", and click on the box next to it.
Continue this process going down each of these items :

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

You will notice there is no '+' box next to the item RunServices.
Just click on that item.  This will display the values in that key
in the panel to your right.

The right hand panel, among other things, will list one item that will be
similar to:

  (Default)     " .exe"

  -OR- if you're infected with LM BO:

  WindowsTour = "Tour98.exe"

  -OR- if you see:

  System Tray = "SysTry.ocx"

then you may have Back Orifice 2, and should see the removal paper for it.

This is the value that is loading BO, and it must be removed.
Be careful not to disturb any other values in this key: everything here is
run at start up, and the rest is most likely valid software that needs to
load.

Right-click on (Default) (or on WindowsTour, for LM BO) and choose 'Delete'.


Edit/delete this line ONLY... Do NOT edit ANYTHING else in the registry if
you are not familiar with it.



==+==  Step 2/3  -  Reboot n Delete BO ==+==

Reboot is self explanatory...
But after you reboot, do not run anything except Windows Explorer.
Go into the directory

  C:\WINDOWS\SYSTEM\

The original BO will be an icon that appears to be    .exe
The filename is  space dot exe
If your system is set up to not show extensions (such as .exe or .txt)
then this will appear to be a blank line (usually sorted so it falls
right after the folders, but before the first file.)
Note that " .exe" is only the default name the BO configuration tool
gives the server; a customized server can have any name, so an unfamiliar
program listed in RunServices deserves the same suspicion.

If you have the registry line indicating LM BO, you will instead need to
find a program called Tour98.exe, which has a Windows logo icon (similar
to the MS-DOS Prompt icon.)  Note that the LM BO copy is
C:\windows\system\tour98.exe.

There is also a file c:\windows\tour98.exe, which on Windows 98 systems
is a real system file, and can be left untouched.


DON'T RUN THIS.. This is the actual BO program.
If you do run it, it will reinstall itself and edit the registry again,
and you must start over at step #1.
Delete this file and empty the Recycle Bin.

You should also delete the file c:\windows\windll.dll (if it is not there,
check c:\windows\system\ as well).

At this point you are no longer infected.  However there is no telling
how BO got there in the first place, or what whoever controlled it has done
since it has been there.  Our recommended action would be to back up your
hard disks and format them, installing any programs or applications from
original disks / setup programs.
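The three steps above are a manual check of one registry key and a handful of file names. The Python script below is an added example, not part of the #hackfix guide, that does the same triage offline: it reads a REGEDIT4 text export (the format regedit /e writes on Windows 9x) and a list of (directory, file name) pairs copied from the suspect machine, and flags the indicators this guide names. The indicator names come from the guide; the Run key, the blank-name generalisation and the sample export and directory listing are my assumptions, constructed for demonstration.

```python
"""Offline triage for the Back Orifice 1.20 / LM BO indicators in this guide.

Added example, not part of the #hackfix guide.  Indicator names come from the
guide; the Run key, the blank-name heuristic and the sample data are assumptions.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]\s*$")                      # [HKEY_...\Key]
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')  # @="..." or "name"="..."

AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",  # per guide
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",          # assumption
}

# (value name, value data) lower-cased -> verdict; all three are taken from the guide.
KNOWN_ENTRIES = {
    ("", " .exe"): "Back Orifice 1.20 (default install name)",
    ("windowstour", "tour98.exe"): "LM BO (Back Orifice repackaged as Tour98.exe)",
    ("system tray", "systry.ocx"): "possible Back Orifice 2; see the BO2 removal paper",
}


def _unescape(s):
    # REGEDIT4 escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def stem_of(path):
    """File name without directory or extension: ' .exe' -> ' ', 'Tour98.exe' -> 'Tour98'."""
    name = path.replace("/", "\\").split("\\")[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def scan_reg_export(text):
    """Return (key, value name, data, verdict) for suspicious autostart values."""
    findings, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line) if key in AUTOSTART_KEYS else None
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        raw = m.group(3).strip()
        if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
            continue                      # hex:/dword: data, not a program path
        data = _unescape(raw[1:-1])
        verdict = KNOWN_ENTRIES.get((name.lower(), data.lower()))
        # Generalisation of the " .exe" trick: a whitespace-only name shows up as
        # a blank line in Explorer and regedit, whatever the attacker called it.
        if verdict is None and data.strip() and not stem_of(data).strip():
            verdict = "program with a blank name started at boot (BO-style hiding)"
        if verdict:
            findings.append((key, name, data, verdict))
    return findings


def scan_files(entries):
    """entries: (directory, file name) pairs as listed on the suspect machine."""
    findings = []
    for directory, name in entries:
        d, n = directory.rstrip("\\").lower(), name.lower()
        if n.endswith(".exe") and not stem_of(name).strip():
            findings.append((directory, name, "Back Orifice 1.20 server (blank file name)"))
        elif n == "windll.dll":
            findings.append((directory, name, "windll.dll dropped by Back Orifice 1.20"))
        elif n == "tour98.exe" and d.endswith("\\system"):
            # The guide's caveat: c:\windows\tour98.exe is a real Windows 98 file;
            # only the copy in the SYSTEM directory is LM BO.
            findings.append((directory, name, "LM BO (Tour98.exe in the SYSTEM directory)"))
    return findings


# Constructed sample export: two stock Windows 98 Run values plus the two
# RunServices values this guide describes.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@=" .exe"
"WindowsTour"="Tour98.exe"
"""

# Constructed directory listing; C:\WINDOWS\Tour98.exe is the legitimate one.
SAMPLE_FILES = [
    ("C:\\WINDOWS\\SYSTEM", " .exe"),
    ("C:\\WINDOWS\\SYSTEM", "Tour98.exe"),
    ("C:\\WINDOWS", "Tour98.exe"),
    ("C:\\WINDOWS", "windll.dll"),
    ("C:\\WINDOWS\\SYSTEM", "kernel32.dll"),
]

if __name__ == "__main__":
    for key, name, data, verdict in scan_reg_export(SAMPLE_EXPORT):
        print(f"[registry] {key}\\{name or '(Default)'} = {data!r}: {verdict}")
    for directory, name, verdict in scan_files(SAMPLE_FILES):
        print(f"[file] {directory}\\{name}: {verdict}")
```

Run it on a clean machine against the exported .reg file and a directory listing copied from the infected one, so nothing on the suspect system has to be executed before step 3. The stock Run values (ScanRegistry, SystemTray = SysTray.Exe) pass untouched, which is the same "do not disturb the other items" rule the guide gives for manual editing.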



==+==  References and more information  ==+==

The home page of the creators of this document can be found at
  http://www.hackfix.org/

Or you can always visit the channel #hackfix on the EFNet irc network, 
the place where it all began.

Working together to make irc a better and safer place for everyone.....


