Removing Back Orifice

There are three basic steps to removing Back Orifice from your computer, once you've found it.

1. Remove its Registry entry;
2. Shut down/restart your system;
3. and then delete the actual program.

Here it is step-by-step.

If you're a moderately skilled Windows user, and especially if you have followed the steps in Finding Your Back Orifice, I have already told you enough. You know what to do. BUT WAIT. Don't go do it quite yet. There's something you should know.

The BO program on your computer may contain information that could be useful in assessing the damage and/or revealing of its point of origin.

Many of the Orifices out there are simply in their default configuration, with no password and no special options. But some of them, probably most of them, have been configured by the originator and will contain potentially useful information. That configuration is rather easy to read from the file. If you have an editor that will read the file (Notepad/Wordpad won't do it), you'll find the config parameters at the very end.

If the BO program in your computer is in its default configuration:

• it will be exactly 124,928 bytes long
• and it will be named " .exe"

... in which case, go ahead and delete it. It contains no information of any value.

But if:

• your BO is a larger file (usually slightly over 125,000 bytes, but it can grow to unknown size, depending upon attachments)
• and/or its name is something other than " .exe",
• and/or its Registry entry was something other than "(Default)"
• and/or it is not in the Windows\System directory

... then you might be wasting valuable data if you simply discard the file.

If your BO fits these criteria, and you have no idea how to find or use the information it contains, I want you to email a copy of the file to me before you delete it. Send it as a file attachment to: pchelp@pc-help.org. Don't worry. It won't do you or me any harm to do that.

THEN go ahead and delete it. Again, here are the steps if you need them.

It's a risk to keep the BO server in your computer. Once you have removed BO's Registry entry AND restarted Windows, the program will no longer be activated and for the time being you're safe. But if anyone ever runs it again (if it is named as an executable they need only double-click its name in an Explorer window), it will reinstall itself instantly and run continuously until removed again.

I will examine any copy of BO sent to me and determine its configuration. This will include some or all of the following:

• Its filename
• Its Registry description
• The TCP port number on which it communicates
• Its password
• Any "plugin" program filename (a specialized sub-program BO will run on startup)
• Parameters for running the plugin program

This information is of potential value for a lot of reasons.

• It may hold clues to the originator's identity
• It may lead to facts about when BO was installed
• It may give some indication how badly your security has been compromised
• It will give me data useful for finding others who received BO from the same source

So please: send me a copy!

With BO's Registry entry gone, and its program file deleted, you are definitely FREE of BO. If for some reason you wish to keep your BO program file, at LEAST rename it or tuck it away where it won't be inadvertently run.

As a final step, I recommend removing BO's companion DLL file from the System directory. By itself it does no harm, but the presence of this file, WINDLL.DLL, will cause a false alarm with at least one BO detection utility.

Also, this DLL provides a final and definitive test for BO's successful removal. Simply reboot after you've deleted it, and if it is still gone, you're OK. If it's back, you need to read More on Finding BO.

Back to the Basics
PCHelp Home
BO Home