This version of the Readme.txt file is only for use on my website!
The REG Check Batch File
===============================
Copyright(C)1999 by The Starman
A Windows 95/98(TM) REGISTRY Aid
(Useful for Discovering Trojans)
[ The .ZIP file list and INSTALL instructions were REMOVED ...
download REGCheck.zip if you really want to see them. ]
Introduction
============
This little (batch file) program will list out
on your screen all of the Name/Data values in your
Registry's "Run" and "RunServices" Keys, and also
save the output to a text file called _RunKeys.txt_
(which will be created in the folder from which you
ran the batch file).
Successive runs of the batch file will overwrite the
text file saved by previous runs. (An intermediate file,
RegChk1, is used during each run and then deleted.)
REGCheck is useful for finding programs that are
started by the Registry at bootup instead of by your
Windows StartUp Directory, autoexec.bat, or win.ini
files. Some people don't even realize that their
Registry file is used to execute programs in this
manner. Others probably don't know about the "run="
and "load=" lines in the old win.ini file that can
still be used to start files in Windows 95/98(TM)!
I wrote this program mainly for people who want
to check their Registry for what I call the "generic
form" of the _Back Orifice_ trojan. BO allows anyone
with a BO 'client' program, who happens to find you
on the Internet (by scanning for the BO-server) to do
most of the same things YOU can at your OWN keyboard,
and _even_ some things YOU CAN'T DO there! It is very
scary to find this thing lurking on your computer!
If you want to know more about the BO-trojan, or
similar programs, you can begin with my page at:
< http://www.geocities.com/Athens/6939/thebop.html >
THE OUTPUT SCREENS
========================
(They are also saved as "RunKeys.txt")
The Output Screen from the "Run" Key will look similar to this:
=======================================================================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Dunce"="C:\\PROGRAM FILES\\DUNCE\\DUNCE.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
-----------------------------------------------------------------------
(The programs listed above often vary for different computers.)
Press any key to continue . . .
=======================================================================
Of course, you may have more or fewer programs listed
on your own computer than I have here. At a minimum, you
should have the "SystemTray" listed. The latest versions of
Anti-Virus programs are usually listed here as well.
NOTE that paths to a program are listed with TWO
backslashes ("\\") instead of just one!
The Output Screen from the "RunServices" Key will look similar to this:
==========================================================================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
--------------------------------------------------------------------------
(Note: There may not be any programs under this key.)
Press any key to continue . . .
=======================================================================
As you can see, I didn't have any values listed above
on my own computer; it is possible, however, that YOU may have
a legitimate program started by this Key.
[NOTE: IF YOU DO NOT HAVE a RunServices key in your Registry, then
REGCheck will display your "Run" key a SECOND time. This is true
for the next key as well!] -- This note added 01/27/99 The Starman.
And finally, the screen from the HKEY_CURRENT_USER...\Run Key:
========================================================================
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
----------------------------------------------------------------------
(Note: There may not be any programs under this key.)
Press any key to continue . . .
========================================================================
Information on the Back Orifice (Trojan) Program
================================================
_IF_ there is a line under ANY of these Keys like this:
@=" .exe"
then your PC is infected with the Back Orifice trojan! The
@ symbol means "Default" (no Name), and the Data entry is a
single space followed by [ .exe ]. This is the usual "name"
for the "generic form" of the BO trojan ('server') program.
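As an added example (it is not part of the original README and not the REGCheck batch file itself), here is a small Python script that reads a text export of the three keys, prints them in the same Name/Data layout as the output screens above, undoes the doubled-backslash escaping noted earlier, and flags the `@=" .exe"` indicator. It assumes the keys were exported with `regedit /e <file> <key>`, which on Windows 95/98 writes the REGEDIT4 text format; the export embedded in the script is constructed for illustration, not a real one, and only string values are handled.

```python
"""Check a REGEDIT4-format export of the Run/RunServices keys for the
'generic' Back Orifice indicator (a Default value of ' .exe').

Added example, not the REGCheck batch file. Assumes the keys were exported
as text with `regedit /e <file> <key>`; SAMPLE_EXPORT below is constructed."""

import re

# Constructed sample export. The RunServices key carries the BO indicator;
# the other two keys mirror the benign entries shown on the output screens.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Dunce"="C:\\PROGRAM FILES\\DUNCE\\DUNCE.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@=" .exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
'''

# One string value per line: "Name"="Data" or @="Data" (@ = the Default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo REGEDIT4 string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_export(text):
    """Return {key_path: [(name, data), ...]}; name is None for the @ value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = None if m.group(2) else unescape(m.group(1))
            keys[current].append((name, unescape(m.group(3))))
    return keys


def find_bo_indicator(keys):
    """Return the key paths whose Default (@) value is exactly ' .exe'."""
    return [path for path, values in keys.items()
            if any(name is None and data == " .exe" for name, data in values)]


def format_report(keys):
    """Render the parsed keys the way REGCheck's screens show them."""
    lines = []
    for path, values in keys.items():
        lines.append(f"[{path}]")
        for name, data in values:
            lines.append(f'{"@" if name is None else name} = {data}')
    return lines


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("\n".join(format_report(parsed)))
    hits = find_bo_indicator(parsed)
    print("BO indicator found under:", ", ".join(hits) if hits else "none")
```

Run it on a real export by replacing SAMPLE_EXPORT with the contents of the file `regedit /e` produced; the unescaped paths it prints have single backslashes, which is why the raw screens show two.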
IF YOU are an EXPERT at using the Registry Editor, then delete
this entry from the Key, REBOOT your computer, and check again
to make sure it is gone BEFORE going back onto the Internet!
MOST of you, however, will either have to go back online or
have a friend download a BO-removal program for you. There is
a fantastic shareware program (still free to use for 30 days)
available for downloading which kills the BO trojan _while it
is still running in Memory_ !!
This excellent program, written by Chris Benson, is called
_BoDetect_ (Get v2.5 or higher). I highly recommend it. You
can find an up-to-date copy from Chris' website at:
http://www.spiritone.com/~cbenson/
==================================
This is the only program I know of that does NOT require you
to reboot your computer! Once again, BoDetect is FREE to use
for 30 days at this time.
I infected my own computer with the BO-trojan 'server' many
times while testing removal programs, and this is the only one
that I found both very easy to use AND effective. It also
PROTECTS against MANY Non-generic FORMS of Back Orifice as
well!
(Another free program I tested caused my computer to 'lock up'
during a reboot, not nice at all since I was forced to do a
'scandisk' on every file on my drive because of this!)
==================================================================
The Starman. 03/28/99. This text version is for my website only!
EOF.