Deleting NetBus and Back Orifice

  1. Ask the user whether they have noticed anything peculiar about their computer recently, to get an idea of what you are looking for.
  2. Back up the registry before altering it, to protect against costly mistakes.
  3. Check registry autostart settings for rogue files.
    1. Go to the Start menu, select Run, and type in: regedit
    2. Expand HKEY_LOCAL_MACHINE
    3. Expand SOFTWARE
    4. Expand Microsoft
    5. Expand Windows
    6. Expand CurrentVersion
    7. Left-click once on:
      1. RunServices to find the BO autostart setting -
        By default, the entry's name is blank and its data reads " .exe". However, the file may have been configured with different name and data values. Only a few applications are usually listed in this key, so you can probably figure out which one doesn't belong.
        1. Take note of the directory that the executable is stored in, for when you go to delete it. If no directory is listed, the file is located in the windows\system\ directory.
        2. Delete the setting
      2. Run to find the NetBus autostart setting -
        By default, it will be patch.exe (though the file may have been renamed before it was installed). The data for that entry should include /nomsg.
        1. Take note of the directory that the executable is stored in, for when you go to delete it. If no directory is listed, the file is located in the windows\system\ directory.
        2. Delete the setting
  4. Either restart the computer or, for each occurrence of NetBus and/or BO, use the command "kill /f filename.exe", which kills the program so that you are able to delete it.
  5. Search for and delete the actual server executable files (e.g., "patch.exe"), which can be found in the directories noted in step 3.7. This cannot be done until you have completed step 4.
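
The check in step 3 can also be run against a text export of the registry, such as the backup from step 2. The script below is an added example, not part of the original procedure: it reads a REGEDIT4-style export and flags Run and RunServices entries that match the defaults described above. It assumes a blank BO entry is exported either as the unnamed value (@) or with a whitespace-only name; the sample export is constructed.

```python
import re

# Autostart keys from step 3, as written in a regedit export (REGEDIT4 text).
BASE = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
AUTOSTART_KEYS = {(BASE + "Run").lower(), (BASE + "RunServices").lower()}
# One value line: @="data" (unnamed entry) or "name"="data".
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; not taken from a real machine.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"PATCH"="C:\\WINDOWS\\patch.exe /nomsg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@=" .exe"
'''

def unescape(s):
    # Exports double every backslash and escape quotes; undo that.
    return re.sub(r"\\(.)", r"\1", s)

def reasons(name, data):
    """List which of the default indicators named above an entry matches."""
    low, why = data.lower(), []
    if not name.strip():
        why.append("blank entry name (BO default)")
    if low.strip() == ".exe":
        why.append("data is ' .exe' (BO default)")
    if "patch.exe" in low:
        why.append("patch.exe (NetBus default)")
    if "/nomsg" in low:
        why.append("/nomsg argument (NetBus default)")
    return why

def scan(reg_text):
    """Return (key, name, data, reasons) for flagged Run/RunServices entries."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the values belong to
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in AUTOSTART_KEYS:
            continue
        name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        why = reasons(name, data)
        if why:
            findings.append((key.rsplit("\\", 1)[-1], name, data, why))
    return findings
```

Because the server files may have been renamed, an entry that is not flagged still needs the manual review described in step 3.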

Last Revised: 2/22/99