This version of the Readme.txt file is only for use on my website!

The REG Check Batch File
===============================
Copyright(C)1999 by The Starman

A Windows 95/98(TM) REGISTRY Aid (Useful for Discovering Trojans)

[ The .ZIP file list and INSTALL instructions were REMOVED ... download
REGCheck.zip if you really want to see them. ]

Introduction
============

This little (batch file) program will list out on your screen all of the
Name/Data values in your Registry's "Run" and "RunServices" Keys, and also
save the output to a text file called _RunKeys.txt_ (which will be created
in the same folder you ran the batch file in). Successive runs of the batch
file will overwrite the text file from previous saves. (An intermediate
file, RegChk1, is used during each run, and then deleted.)

REGCheck is useful for finding programs that are started by the Registry at
bootup instead of by your Windows StartUp Directory, autoexec.bat, or win.ini
files. Some people don't even realize that their Registry file is used to
execute programs in this manner. Others probably don't know about the "run="
and "load=" lines in the old win.ini file that can still be used to start
files in Windows 95/98(TM)!

I wrote this program mainly for people who want to check their Registry for
what I call the "generic form" of the _Back Orifice_ trojan. BO allows anyone
with a BO 'client' program, who happens to find you on the Internet (by
scanning for the BO-server) to do most of the same things YOU can at your OWN
keyboard, and _even_ some things YOU CAN'T DO there! It is very scary to find
this thing lurking on your computer!
If you want to know more about the BO-trojan, or similar programs, you can
begin with my page at:
< /homestead/Athens/6939/thebop.html >

THE OUTPUT SCREENS
========================
(They are also saved as "RunKeys.txt")

The Output Screen from the "Run" Key will look similar to this:

=======================================================================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Dunce"="C:\\PROGRAM FILES\\DUNCE\\DUNCE.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
-----------------------------------------------------------------------
(The programs listed above often vary for different computers.)
Press any key to continue . . .
=======================================================================

Of course, you may have more or fewer programs listed on your own computer
than I have here. As a minimum, you should have the "SystemTray" listed. The
latest versions of Anti-Virus programs are usually listed here as well.
NOTE that pathways to a program are listed with TWO backslashes ("\\")
instead of just one!

The Output Screen from the "RunServices" Key will look similar to this:

==========================================================================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
--------------------------------------------------------------------------
(Note: There may not be any programs under this key.)
Press any key to continue . . .
=======================================================================

As you can see, I didn't have any values listed above on my own computer; it
is possible, however, that YOU may have a legitimate program started by this
Key.

[NOTE: IF YOU DO NOT HAVE a RunServices key in your Registry, then REGCheck
will display your "Run" key a SECOND time. This is true for the next key as
well!] -- This note added 01/27/99 The Starman.
And finally, the screen from the HKEY_CURRENT_USER...\Run Key:

========================================================================
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
----------------------------------------------------------------------
(Note: There may not be any programs under this key.)
Press any key to continue . . .
========================================================================

Information on the Back Orifice (Trojan) Program
================================================

_IF_ there is a line under ANY of these Keys like this:

@=" .exe"

then your PC is infected with the Back Orifice trojan! The @ symbol means
"Default" (no Name), and the Data entry is a single space followed by
[ .exe ]. This is the usual "name" for the "generic form" of the BO trojan
('server') program.

IF YOU are an EXPERT at using the Registry Editor, then delete this entry
from the Key, REBOOT your computer, and check again to make sure it is gone
BEFORE going back onto the Internet! MOST of you, however, will either have
to go back online or have a friend download a BO-removal program for you.

There is a fantastic shareware program (still free to use for 30-days)
available for downloading which kills the BO trojan _while it is still
running in Memory_ !! This excellent program, written by Chris Benson, is
called _BoDetect_ (Get v2.5 or higher). I highly recommend it. You can find
an up-to-date copy from Chris' website at:

http://www.spiritone.com/~cbenson/
==================================

This is the only program I know of that does NOT require you to reboot your
computer! Once again, BoDetect is FREE to use for 30-days at this time. I
infected my own computer with the BO-trojan 'server' many times while
testing removal programs, and this is the only one that I found both very
easy to use AND effective. It also PROTECTS against MANY Non-generic FORMS
of Back Orifice as well!
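As an added example (not part of this Readme or of the REGCheck batch file),
here is a small Python script that reads a saved RunKeys.txt in the
regedit-export style shown on the screens above, collapses the doubled
backslashes in paths, and flags two things a defender would check: the
Default-value "@" entry whose data is whitespace followed by ".exe" (the
generic-BO sign described above, generalised from the single space to any run
of whitespace), and any named entry that is not on a baseline list of Run
entries you expect on that machine. The sample text, the extra "@" line under
RunServices, and the baseline names are all constructed for the example.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample in the format of the RunKeys.txt screens above; the
# '@=" .exe"' line under RunServices is constructed to exercise the check.
SAMPLE_RUNKEYS = r'''
=======================================================================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Dunce"="C:\\PROGRAM FILES\\DUNCE\\DUNCE.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
-----------------------------------------------------------------------
(The programs listed above often vary for different computers.)
Press any key to continue . . .
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@=" .exe"
(Note: There may not be any programs under this key.)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
'''

# (registry key, value name or None for the "@" Default value, data)
Entry = Tuple[str, Optional[str], str]

KEY_RE = re.compile(r'^\[(.+)\]$')
NAMED_RE = re.compile(r'^"(.*?)"="(.*)"$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# Whitespace-only "file name" followed by .exe, e.g. the " .exe" shown above.
BO_DEFAULT_DATA_RE = re.compile(r'^\s+\.exe$', re.IGNORECASE)


def unescape(data: str) -> str:
    """Regedit exports write every backslash twice; collapse them back."""
    return data.replace('\\\\', '\\')


def parse_runkeys(text: str) -> List[Entry]:
    """Return every Name/Data pair found under any [key] heading."""
    entries: List[Entry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the ruler lines, parenthetical notes and the
        # "Press any key" prompt that the batch file prints between screens.
        if not line or line[0] in '-=(' or line.startswith('Press any key'):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None:
            continue
        m = NAMED_RE.match(line)
        if m:
            entries.append((current_key, m.group(1), unescape(m.group(2))))
            continue
        m = DEFAULT_RE.match(line)
        if m:
            entries.append((current_key, None, unescape(m.group(1))))
    return entries


def find_bo_indicators(entries: List[Entry]) -> List[Entry]:
    """Default ("@") values whose data is whitespace followed by .exe."""
    return [e for e in entries
            if e[1] is None and BO_DEFAULT_DATA_RE.match(e[2])]


def find_unexpected(entries: List[Entry], expected: Set[str]) -> List[Entry]:
    """Named entries that are not on the caller's baseline of known names."""
    return [e for e in entries if e[1] is not None and e[1] not in expected]


if __name__ == '__main__':
    # Constructed baseline: the names this (hypothetical) machine is known
    # to start from its Run keys.
    baseline = {'SystemTray', 'Dunce', 'Tweak UI'}
    found = parse_runkeys(SAMPLE_RUNKEYS)
    for key, name, data in found:
        print(f'{key}\n    {name if name is not None else "@"} = {data}')
    for key, _, data in find_bo_indicators(found):
        print(f'\nGENERIC-BO SIGN under {key}: @="{data}"')
    for key, name, data in find_unexpected(found, baseline):
        print(f'\nNot on baseline under {key}: "{name}" -> {data}')
```

Run it against your own saved RunKeys.txt by replacing SAMPLE_RUNKEYS with
the file's contents; anything reported as "not on baseline" is simply
unknown to your list, not necessarily bad, and should be looked up before
anything is deleted.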
(Another free program I tested caused my computer to 'lock up' during a
reboot, not nice at all since I was forced to do a 'scandisk' on every file
on my drive because of this!)

==================================================================
The Starman. 03/28/99.

This text version is for my website only!

EOF.