


How to remove Back Orifice 2.0 from your system BKI:




BackOrifice2_FIX.txt (Rev 1.0) 4/28/1999



This guide will describe how to remove the Back Orifice Backdoor
Version 2 (also referred to as BO) from your system.
Brought to you by #hackfix @EFNet, written by Disturbed and Snowz.


==+==  Introduction  ==+==

  Removing Back Orifice is a 3-step process.

    1) Edit the registry so that BO cannot load on start-up.
    2) Reboot to purge BO from memory.
    3) Delete the program on disk to prevent reinfection.

  Windows 95 will not let you delete or modify a program on disk which is 
  running.  This is why the first 2 steps are needed, because there is no 
  easy way to force the BO application to quit running.

  New in version 2 of the server, which was created by OPC, is that the
  default exe name, registry key, and port are different from version 1.
  These items are also very easy for an attacker to edit to hide the server,
  so the defaults below may not match what is on your system.



==+==  Step 1  -=-  Edit the Registry  ==+==

  These instructions are for the default program values, most of which
  remain the same (usually only the port and/or password are changed, so
  that only the person who infected you can hack you.)

  To remove it you will need to use a program called RegEdit.  You can go to 
  the Run command in your Start menu, and type regedit there to start the 
  program. If you are familiar with regedit, the key to edit is as follows:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   System Tray = "SysTry.ocx"

   It is safe to delete that line:      System Tray = "SysTry.ocx"

   Delete the file in c:\windows\system\
   called "systry.ocx"


Step by Step :

  When you run regedit, it looks a lot like Windows Explorer; however, it 
  isn't for working with files on the disk.  Regedit has two panels.  
  The panel on the left displays all the keys in your registry.  
  The panel on the right displays the values in those keys.

Looking at the left hand panel, you will see a list of items.
One should say "HKEY_LOCAL_MACHINE" with a little box containing a '+'.
Click on that +, and it will display more items under it.
Then find the item marked "SOFTWARE", and click on the box next to it.
Continue this process going down each of these items :

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

You will notice there is no '+' box next to the item RunServices.
Just click on this item.  This will display the values in that key
in the panel on your right.

The right hand panel, among other things, will list one item that will be 
similar to :

  System Tray = "SysTry.ocx"


This is the line that is loading BO, and must be removed.
Be careful not to disturb any other items in this key; all of the items 
here will be run at start-up, and they are most likely valid software that 
needs to load.

You can right-click on "System Tray" and choose 'delete'.


Edit/delete this line ONLY... Do NOT edit ANYTHING else in the registry if
you are not familiar with it.



==+==  Step 2/3  -  Reboot n Delete BO ==+==

Reboot is self explanatory...
But after you reboot, do not run anything except a Windows Explorer.
Go into the directory

  C:\WINDOWS\SYSTEM\

The filename is  systry.ocx

DON'T RUN THIS.  This is the actual BO program.
If you do run it, it will edit the registry and you must start again at step #1.
Delete this file and empty the Recycle Bin.

You should also delete the file c:\windows\windll.dll as well.
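As an added example (not part of the original guide), here is a small Python script that parses a REGEDIT4-format export, the format regedit's "Export Registry File" produces, and flags RunServices values that reference the filenames named above; the sample export and the value names other than the BO line are constructed for the demonstration. This lets you check an exported copy before you touch the live registry.

```python
# Added example (not from the original guide): scan a REGEDIT4-format export
# for the Back Orifice 2 indicators this guide names, so the check can be done
# on a saved copy before editing the live registry.
import re

RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
# Default BO2 filenames from the guide.  The guide notes these are easy to
# rename, so an empty result is not proof that the machine is clean.
BO2_INDICATORS = ("systry.ocx", "windll.dll")

# Constructed sample export; every value except the BO line is made up for the demo.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"System Tray"="SysTry.ocx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            # "name"="data"; backslashes inside the data are doubled in .reg files
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_bo2_autostart(text):
    """List (value_name, data) pairs under RunServices whose data names a BO2 file."""
    values = parse_reg_export(text).get(RUNSERVICES_KEY, {})
    return [(name, data) for name, data in values.items()
            if any(ind in data.lower() for ind in BO2_INDICATORS)]

if __name__ == "__main__":
    for name, data in find_bo2_autostart(SAMPLE_REG_EXPORT):
        print(f'Suspicious RunServices entry: "{name}"="{data}" (delete it, then reboot)')
```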

At this point you are no longer infected.  However there is no telling 
how BO got there in the first place, or who has done what damage since it 
has been there.  Our recommended action would be to backup your hard
disks and format them, installing any programs or applications from
original disks / setup programs.



==+==  References and more information  ==+==

The home page of the creators of this document can be found at
  http://www.hackfix.org/

Or you can always visit the channel #hackfix on the EFNet irc network, 
the place where it all began.

Working together to make irc a better and safer place for everyone.....


