Step 1.
Click Start > Run and type Regedit.
Step 2.
Follow the paths using regedit and find:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Step 3.
In the right window, look for a value that loads a file called ".exe" (see NOTES below), or a value named WindowsTour whose data is "Tour98.exe".
Step 4.
In the right window, highlight the value that loads the file and delete it (right-click and choose Delete). If you also see a value that loads WindowsTour ="Tour98.exe", delete it as well.
Step 5.
Exit the Registry and reboot your computer.
Step 6.
After the computer has restarted, open only Windows Explorer. Make sure that your system is configured to show all registered extensions. Go to View > Options and check the appropriate settings.
Step 7.
Go to the WINDOWS\SYSTEM directory and look for the ".exe" file (see NOTES below). It will NOT have a name, just an extension. Once you've found the file, delete it. If instead you had the registry line WindowsTour ="Tour98.exe", you will need to find a program called 'Tour98.exe'. This will have a Windows logo icon (similar to the MS-DOS Prompt icon). This is the actual BO program: if you run it, it will edit the registry again and you must start over at step 1. Delete this file and empty the Recycle Bin.
Step 8.
Also in the WINDOWS\SYSTEM directory, look for a file called "windll.dll". DELETE it as well. It's a file that's created specifically by BO.
Step 9.
Exit Windows Explorer and reboot your computer.
Congratulations, Back Orifice has now been removed from your system.
NOTES:
As mentioned above, Back Orifice can also be installed under a file name other than ".exe". By default, BO uses ".exe", but the hacker can configure it to be anything. The way to determine whether BO has been installed under a name other than the default ".exe" is to carefully examine the RunServices section of the registry. Look for a value that launches a suspicious file. If you find a file that deserves closer inspection, look in the WINDOWS\SYSTEM directory for the same file name. If it's 122kb (or 123kb) in size, it's probably a renamed version of the "server" portion.
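The checks above (an extension-only file name in RunServices, the WindowsTour ="Tour98.exe" line, windll.dll, and a 122 or 123 KB file in WINDOWS\SYSTEM) can be applied to a regedit export and a directory listing rather than by eye. The script below is an added example, not part of the original page or any tool it mentions: it parses the text format regedit writes when you choose Export on the RunServices key (the REGEDIT4 header is the Windows 9x form), applies the page's indicators, and screens a list of (file name, size) pairs the same way. The registry export and the directory listing are constructed samples; the assumption that Explorer rounds sizes up to whole kilobytes is marked in the code.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample: what regedit's "Export Registry File" produces for the
# RunServices key the page names. The first two entries are ordinary Windows 98
# noise; the last two are the indicators from the page.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"WindowsTour"="Tour98.exe"
@=".exe"
'''

# Constructed sample listing of WINDOWS\SYSTEM as (name, size in bytes).
SAMPLE_SYSTEM_DIR = [
    ("kernel32.dll", 471_040),
    (".exe", 124_928),        # 122 KB, extension-only name: the BO default
    ("Tour98.exe", 125_440),  # 123 KB: the renamed server from the page's example
    ("windll.dll", 34_816),   # the file the page says BO creates
    ("msvcrt.dll", 295_000),
]

RUN_SERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    """Undo the backslash escaping regedit applies inside exported strings."""
    return re.sub(r"\\(.)", r"\1", s)


def exe_name(command: str) -> str:
    """Return the bare file name of the program a Run/RunServices value launches."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        token = command.split(" ", 1)[0]       # first token, arguments dropped
    return token.replace("/", "\\").rsplit("\\", 1)[-1]


def is_extension_only(name: str) -> bool:
    """True for names like '.exe' or ' .exe' that have an extension but no base name."""
    stem, dot, _ext = name.rpartition(".")
    return bool(dot) and not stem.strip()


def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse a regedit export into {key_path_lowercased: [(value_name, string_data)]}."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()       # registry paths are case-insensitive
            keys.setdefault(current, [])
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):   # REG_SZ only; dword:/hex: skipped
            keys[current].append((name, _unescape(data[1:-1])))
    return keys


def scan_run_services(reg_text: str) -> List[Tuple[str, str, str]]:
    """Apply the page's RunServices indicators; returns (value, launched file, reason)."""
    findings = []
    for value, command in parse_reg_export(reg_text).get(RUN_SERVICES.lower(), []):
        name = exe_name(command)
        if is_extension_only(name):
            findings.append((value, name, "extension-only file name (BO default)"))
        elif value == "WindowsTour" and name.lower() == "tour98.exe":
            findings.append((value, name, "WindowsTour=Tour98.exe entry named on the page"))
    return findings


def suspect_system_files(listing) -> List[Tuple[str, str]]:
    """Apply the page's WINDOWS\\SYSTEM indicators to (name, size_bytes) pairs."""
    findings = []
    for name, size in listing:
        kb = math.ceil(size / 1024)   # assumption: Explorer rounds up to whole KB
        if name.lower() == "windll.dll":
            findings.append((name, "windll.dll is created by BO"))
        elif is_extension_only(name):
            findings.append((name, "extension-only file name"))
        elif kb in (122, 123):
            findings.append((name, f"{kb} KB matches the BO server size"))
    return findings


if __name__ == "__main__":
    for f in scan_run_services(SAMPLE_REG_EXPORT):
        print("registry:", f)
    for f in suspect_system_files(SAMPLE_SYSTEM_DIR):
        print("file:", f)
```

Entries that match none of the indicators are not printed, so anything unfamiliar that remains in RunServices still deserves the manual look the NOTES describe; the size test only narrows the list, since any 122 or 123 KB file will match it.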