

              The  REG Check  Batch  File
              ===========================
              Copyright(C)1999 by The Starman


           A Windows 95/98(TM) REGISTRY Aid
           (Useful for Discovering Trojans)



    File List
  ================
  REGCheck.bat     -- The only program; a BATCH file.
  REGCheck.pi      -- Stored DOS PIF file (See NOTE * below)
  Readme.txt       -- This (text) file.
 
  RunKeys.txt      -- Will BE CREATED by REGCheck.

     These are for PGP file verification only:

  SigFiles.txt     -- All about the PGP .sig files.
  REGCheck.bat.sig -- A PGP Signature file.
  REGCheck.pi.sig  -- A PGP Signature file.



      INSTALLATION Instructions -- READ Carefully
      -------------------------------------------

     To INSTALL, simply place the first two files in the
  same directory anywhere on your computer, execute the
  batch file (.bat) and it will install the .pi file on
  its first run. (*NOTE: Do _NOT_ change the .pi to .pif;
  the batch file will do this itself.  There is a further
  explanation about the PIF file and its icon at the end
  of this document.)
  When you run REGCheck.bat for the first time, you may
  only see a momentary _black flash_ on your screen _if_
  your DOS window was set to 'auto exit when finished.'
  This is OK; the next time you run REGCheck, the program
  should work just fine...

     You MAY want to change the name of this text file;
  for example, from "Readme.txt" to "REGCheckReadme.txt",
  to make it easier to find later.
     For the ambitious among you:  Feel free to use my
  batch file as a template for listing other Registry
  Keys. If you make any changes, please remove my name
  as the file's creator; however, a standard reference
  to my work would be appreciated.
 


                      Introduction
                      ============

	This little (batch file) program will list out
   on your screen all of the Name/Data values in your
   Registry's "Run" and "RunServices" Keys, and also save
   the output to a text file called _RunKeys.txt_ (which
   will be created in the same folder that you run the
   batch file in).
   Successive runs of the batch file will overwrite the
   text file from previous saves. (An intermediate file,
   RegChk1, is used during each run, and then deleted.)

      REGCheck is useful for finding programs that are
   started by the Registry at bootup instead of by your
   Windows StartUp Directory, autoexec.bat, or win.ini
   files.  Some people don't even realize that their
   Registry file is used to execute programs in this
   manner.  Others probably don't know about the "run="
   and "load=" lines in the old win.ini file that can
   still be used to start files in Windows 95/98(TM)!

	I wrote this program mainly for people who want
   to check their Registry for what I call the "generic
   form" of the _Back Orifice_ trojan.  BO allows anyone
   with a BO 'client' program, who happens to find you
   on the Internet (by scanning for the BO-server), to do
   most of the same things YOU can at your OWN keyboard,
   and _even_ some things YOU CAN'T DO there! It is very
   scary to find this thing lurking on your computer!
	If you want to know more about the BO-trojan, or
   similar programs, you can begin with my page at:

   < http://www.geocities.com/Athens/6939/thebop.html >



                   THE  OUTPUT  SCREENS
                 ========================
          (They are also saved as "RunKeys.txt")


 The Output Screen from the "Run" Key will look similar to this:
==========================================================================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Dunce"="C:\\PROGRAM FILES\\DUNCE\\DUNCE.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

--------------------------------------------------------------------------
(The programs listed above often vary for different computers.)

Press any key to continue . . .

==========================================================================

	Of course, you may have more or fewer programs listed
  on your own computer than I have here.  At a minimum, you
  should have the "SystemTray" listed.  The latest versions of
  Anti-Virus programs are usually listed here as well.
	NOTE that pathways to a program are listed with TWO
  backslashes ("\\") instead of just one!


 The Output Screen from the "RunServices" Key will look similar to this:
==========================================================================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

--------------------------------------------------------------------------
 (Note: There may not be any programs under this key.)

Press any key to continue . . .

==========================================================================

	As you can see, I didn't have any values listed above 
  on my own computer; it is possible, however, that YOU may have 
  a legitimate program started by this Key.


     [NOTE: IF YOU DO NOT HAVE a RunServices key in your Registry, then
      REGCheck will display your "Run" key a SECOND time. This is true
      for the next key as well!] -- This note added 01/27/99 The Starman.


 And finally, the screen from the HKEY_CURRENT_USER...\Run Key:
==========================================================================

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"

------------------------------------------------------------------------
 (Note: There may not be any programs under this key.)

Press any key to continue . . .

==========================================================================



	Information on the Back Orifice (Trojan) Program
	================================================


     _IF_ there is a line under ANY of these Keys like this:

            @=" .exe"
  
   then your PC is infected with the Back Orifice trojan! The
   @ symbol means "Default" (no Name), and the Data entry is a
   single space followed by [ .exe ].  This is the usual "name"
   for the "generic form" of the BO trojan ('server') program.
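   The following Python script is an added example and is NOT part of
   REGCheck or The Starman's batch file.  It reads text in the same
   REGEDIT export layout that the output screens above show (and that
   REGCheck saves to RunKeys.txt), undoes the doubled backslashes in
   pathways, flags the @=" .exe" Default-value indicator described
   here, and notices a key header that was printed twice (the Readme's
   note about a missing RunServices key).  The sample text is
   constructed: the key headers and legitimate entries are copied from
   the screens above, and the @ line under RunServices is an invented
   illustration of an infected key.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of RunKeys.txt: the three key headers and the legitimate
# entries are copied from the output screens in this Readme; the "@" line under
# RunServices is a constructed example of the Back Orifice indicator.
SAMPLE_RUNKEYS = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Dunce"="C:\\PROGRAM FILES\\DUNCE\\DUNCE.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@=" .exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
'''

Entry = Tuple[str, Optional[str], str]  # (key path, value name or None for "@", data)

KEY_RE = re.compile(r'^\[(.+)\]$')
# A value line: the Default value "@" or a quoted name, then "=", then the data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(text: str) -> str:
    """Undo REGEDIT export escaping (a backslash escapes the next character).
    This is why pathways in the output screens show TWO backslashes."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg_export(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse [key] headers and "name"="data" lines into entries.
    Also returns every key header in the order seen, so that a header
    printed twice can be detected by the caller."""
    entries: List[Entry] = []
    keys_seen: List[str] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys_seen.append(current)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name_tok, data_tok = value_match.groups()
            name = None if name_tok == '@' else unescape(name_tok[1:-1])
            if len(data_tok) >= 2 and data_tok.startswith('"') and data_tok.endswith('"'):
                data = unescape(data_tok[1:-1])
            else:
                data = data_tok  # dword:/hex: values are kept verbatim
            entries.append((current, name, data))
    return entries, keys_seen


def find_bo_indicators(entries: List[Entry]) -> List[Tuple[str, str]]:
    """The Readme's "generic form" indicator: a Default (@) value whose data
    is a single space followed by .exe, under any of the listed keys."""
    return [(key, data) for key, name, data in entries
            if name is None and data == ' .exe']


def find_repeated_keys(keys_seen: List[str]) -> List[str]:
    """A key header that appears twice means REGCheck showed the Run key
    a second time because the requested key does not exist."""
    seen, repeats = set(), []
    for key in keys_seen:
        if key in seen and key not in repeats:
            repeats.append(key)
        seen.add(key)
    return repeats


def audit(text: str) -> dict:
    """Run every check over one RunKeys.txt-style text and collect the results."""
    entries, keys_seen = parse_reg_export(text)
    return {
        'entries': entries,
        'bo_indicators': find_bo_indicators(entries),
        'repeated_keys': find_repeated_keys(keys_seen),
    }


if __name__ == '__main__':
    report = audit(SAMPLE_RUNKEYS)
    for key, name, data in report['entries']:
        print(f'{key}\n    {name or "(Default)"} = {data}')
    for key, data in report['bo_indicators']:
        print(f'\n*** Back Orifice indicator under {key}: @="{data}"')
    for key in report['repeated_keys']:
        print(f'\nKey printed twice (probably missing in the Registry): {key}')
```

   To use it on a real RunKeys.txt, replace SAMPLE_RUNKEYS with the
   file's contents (for example, open(...).read()).  The matching is
   deliberately exact, as the Readme describes it; anything else under
   these keys that you do not recognize still deserves a look by hand.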

   IF YOU are an EXPERT at using the Registry Editor, then delete 
   this entry from the Key, REBOOT your computer, and check again
   to make sure it is gone BEFORE going back onto the Internet!

   MOST of you, however, will either have to go back online or
   have a friend download a BO-removal program for you.  There is
   a fantastic shareware program (still free to use for 30 days)
   available for downloading which kills the BO trojan _while it
   is still running in Memory_ !!
   This excellent program, written by Chris Benson, is called
   _BoDetect_ (Get v2.5 or higher).  I highly recommend it.  You
   can find an up-to-date copy from Chris' website at:

              http://www.spiritone.com/~cbenson/
              ==================================

     This is the only program I know of that does NOT require you
   to reboot your computer!  Once again, BoDetect is FREE to use
   for 30 days at this time.
     I infected my own computer with the BO-trojan 'server' many
   times while testing removal programs, and this is the only one
   that I found both very easy to use AND effective.  It also
   PROTECTS against MANY Non-generic FORMS of Back Orifice as
   well!
    (Another free program I tested caused my computer to 'lock up'
   during a reboot, not nice at all, since I was forced to do a
   'scandisk' on every file on my drive because of this!)

   ----------------------------------------------------------------

      If you wish to contact me (The Starman) for any further 
   assistance, please use the feedback form at my website 
   "The Starman's Realm" here:

       http://www.geocities.com/Athens/6939/Feedback.html
       ==================================================


 =========================================================================


	        * A NOTE About the .PI file
	        ===========================

	When you run either a batch file or an old style 
   DOS program, Windows95 first looks to see if there is
   an existing .PIF file associated with it.  Win95 does
   not allow the extension to be shown for this type of 
   file.  In order to make sure that my program runs in 
   full-screen DOS without having to explain how to do 
   this to novices, I configured a PIF file.  But Win 95
   won't allow PIFs to be copied like this.  So, I just
   changed the extension.

	You will know that my batch file installed the PIF
   file correctly if the icon becomes a purple colored
   shield with a cross on it, and the .pi extension either
   disappears (for standard configured views) or changes
   to .PIF for those who checked view ALL extensions.

 =========================================================================

    REGCheck.bat is Copyright(C)1999 by The Starman.

 =========================================================================

   The Starman.  03/28/99.  01:23:00.


 EOF.