Removing Back Orifice
There are three basic steps to removing Back Orifice from your computer, once you've found it.
Here they are, step by step.
If you're a moderately skilled Windows user, and especially if you have followed the steps in Finding Your Back Orifice, I have already told you enough. You know what to do. BUT WAIT. Don't go do it quite yet. There's something you should know.
The BO program on your computer may contain information that could be useful in assessing the damage and/or revealing its point of origin.
Many of the Orifices out there are simply in their default configuration, with no password and no special options. But some of them, probably most of them, have been configured by the originator and will contain potentially useful information. That configuration is rather easy to read from the file. If you have an editor that can open a binary file (Notepad/Wordpad won't do it), you'll find the config parameters at the very end.
If the BO program on your computer is in its default configuration, go ahead and delete it. It contains no information of any value.
If it has been custom-configured (a password set, or other options changed), then you might be wasting valuable data if you simply discard the file.
If your BO has been custom-configured, and you have no idea how to find or use the information it contains, I want you to email a copy of the file to me before you delete it. Send it as a file attachment to: firstname.lastname@example.org. (If your mail system refuses to attach an .exe, rename the copy to something like .bin first.) Don't worry. Attaching the file doesn't run it, so it won't do you or me any harm.
THEN go ahead and delete it. Again, here are the steps if you need them.
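The two things asked for above, looking at what sits at the very end of the file and keeping a copy before the original is deleted, can be scripted. The following is an added example and not code from this page; it does not know BO's real configuration layout, so it simply lists the printable strings in the tail of the file (what a hex-capable editor would show you), copies the file under a non-executable name next to its SHA-256, verifies the copy, and only then deletes the original. The sample bytes, the `suspect.exe` name and the `evidence` directory are constructed for the demonstration.

```python
"""Preserve and inspect a suspected Back Orifice server before deleting it.

Added example, not part of the original page. SAMPLE_SERVER is constructed
and does NOT reproduce BO's real configuration layout; the script makes no
attempt to parse that layout, it only lists printable strings near the end
of the file, which is what the page says you would see in an editor that
can open a binary file.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for a server executable: non-printable "code" bytes
# followed by a human-readable configuration block at the very end.
SAMPLE_SERVER = (
    b"\x90\xcc\xe8\x00" * 200
    + b"\x00\x00\x00"
    + b"BO password: h4ckme\x00"
    + b"Port: 31337\x00"
    + b"Notify: bo-notify.example.net\x00"
)


def tail_strings(data: bytes, tail_len: int = 256, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len chars in the last tail_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data[-tail_len:])]


def preserve_copy(src: Path, dest_dir: Path) -> tuple[Path, str]:
    """Copy src into dest_dir under a .bin name and return (copy path, sha256).

    The .bin suffix keeps the copy from being launched by a stray double-click,
    the same reason the page tells you to rename the file if you keep it.
    """
    digest = hashlib.sha256(src.read_bytes()).hexdigest()
    dest = dest_dir / f"{src.name}.{digest[:12]}.bin"
    shutil.copyfile(src, dest)
    (dest_dir / f"{dest.name}.sha256").write_text(f"{digest}  {dest.name}\n")
    return dest, digest


def preserve_then_remove(server: Path, evidence_dir: Path) -> str:
    """Archive the server file, verify the archive, then delete the original."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    copy, digest = preserve_copy(server, evidence_dir)
    if hashlib.sha256(copy.read_bytes()).hexdigest() != digest:
        raise RuntimeError("archived copy does not match original; not deleting")
    server.unlink()
    return digest


def demo() -> dict:
    """Run the whole flow on the constructed sample inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        server = root / "suspect.exe"          # constructed file name
        server.write_bytes(SAMPLE_SERVER)
        strings = tail_strings(server.read_bytes())
        digest = preserve_then_remove(server, root / "evidence")
        return {
            "strings": strings,
            "sha256": digest,
            "original_gone": not server.exists(),
            "evidence_files": sorted(p.name for p in (root / "evidence").iterdir()),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real file, pass its bytes to `tail_strings` to see the trailing configuration text, and its path plus a directory of your choosing to `preserve_then_remove`; the copy and its `.sha256` file are what you would attach to the email, and the hash lets the recipient confirm the copy arrived intact.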
It's a risk to keep the BO server on your computer. Once you have removed BO's Registry entry AND restarted Windows, the program will no longer be activated, and for the time being you're safe. But if anyone ever runs it again (if it is named as an executable, they need only double-click its name in an Explorer window), it will reinstall itself instantly, recreating its Registry entry, and run continuously until removed again.
I will examine any copy of BO sent to me and determine its configuration. This will include some or all of the following:
This information is of potential value for a lot of reasons.
So please: send me a copy!
With BO's Registry entry gone and its program file deleted, you are definitely FREE of BO. If for some reason you wish to keep your BO program file, at LEAST rename it (so it no longer ends in .exe) or tuck it away where it won't be inadvertently run.
As a final step, I recommend removing BO's companion DLL file from the System directory. By itself it does no harm, but the presence of this file, WINDLL.DLL, will cause a false alarm with at least one BO detection utility.
Also, this DLL provides a final and definitive test for BO's successful removal. Simply reboot after you've deleted it, and if it is still gone, you're OK. If it's back, a BO server has run again and recreated it, and you need to read More on Finding BO.