Windows 9x Systems with NAV Installed
Note the name of the file NAV detects as the BackOrifice2k.Trojan. Reboot the machine to a clean DOS boot or Windows Startup floppy disk. Go to the \WINDOWS\SYSTEM directory on the drive where Windows is installed. Delete the file NAV detected as the BackOrifice2k.Trojan. Remove the floppy disk and restart the system. Edit the Windows registry using REGEDIT.EXE. Go to the following registry key:
Delete the value that contains the name of the file NAV detected as the BackOrifice2k.Trojan.
Windows NT Systems with NAV Installed
Note the name of the file NAV detects as the BackOrifice2k.Trojan. Edit the Windows registry using REGEDIT.EXE. If you have Administrator access, go to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Press CTRL+F and enter the name of the file NAV detected as the BackOrifice2k.Trojan. Delete the entire registry key that contains this value. This will delete the key from all ControlSet registry keys (i.e., ControlSet01, ControlSet02, etc.). Then, restart the system. Once Windows has started, go into the Command Prompt in the Start/Programs... menu, and delete the file NAV detected as the BackOrifice2k.Trojan. Check the registry again to make sure the trojan did not reinstall itself. Follow the instructions below to check if the trojan was installed without Administrator access. For users without Administrator access, go to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Check if the name of the file NAV detected as the BackOrifice2k.Trojan appears in this key. If so, delete that value from the registry. Then, restart the system. Once Windows has started, go into the Command Prompt in the Start/Programs... menu, and delete the file NAV detected as the BackOrifice2k.Trojan. Check the registry again to make sure that the trojan did not reinstall itself.
Windows 9x Systems without NAV Installed
If you do not have an antivirus product that detects this trojan, search through the following Windows 9x registry keys for any unusual entries:
The default server file name will start with UMGR32, but it can be any name. The data value will have \WINDOWS\SYSTEM\ followed by the file name in the string. Note the name of the file. Delete this value from the registry. Then, reboot the system to a clean DOS boot or Windows Startup floppy disk. Go to the \WINDOWS\SYSTEM directory on the drive where Windows is installed. Delete the file with the same name as the deleted registry value. Remove the floppy disk and restart the system. Check the registry again to make sure the trojan did not reinstall itself.
Windows NT Systems without NAV Installed
If you do not have an antivirus product that detects this trojan, you must search through the registry manually. For users with Administrator access, run REGEDIT.EXE, and look for unusual entries in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
The default key is Remote Administration Service nested in the key listed above, but it can have any key name. Note the name of the file listed for ImagePath. Delete the entire key. This will delete the key from all ControlSet registry keys (i.e., ControlSet01, ControlSet02, etc.). Then, restart the system. Once Windows has started, go into the Command Prompt in the Start/Programs... menu, and delete the file listed for ImagePath in the deleted registry key. Restart the system, and check the registry again to make sure the trojan did not reinstall itself. Follow the instructions below to check if the program was installed without Administrator access. For users without Administrator access, run REGEDIT.EXE, and look in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Search for any unusual entries that have \WINNT\SYSTEM32\ in the data field. Note the name of the file that follows \WINNT\SYSTEM32\. Delete this registry value. Then, restart the system. Once Windows has started, go into the Command Prompt in the Start/Programs... menu, and delete the file listed in the deleted registry value. Restart the system, and check the registry again to make sure the trojan did not reinstall itself. Contact your administrator to check if the trojan horse program was installed with Administrator access.