OTL Tutorial - How to use OldTimer ListIt


182 replies to this topic

#151
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts
Hello CyrusMagnusX,

Welcome to Geekstogo.

I'm not really sure if ZeroAccess Check stuff is just "all bad" and should be safely added to an :OTL fix or if it's just informative. xD


The ZeroAccess Check is a scan of some registry items that the infection may show in. They are not in themselves bad.

ZeroAccess is constantly changing and difficult to nail down. It's difficult for experts to get a handle on it let alone a layman.

If you think you have a ZeroAccess infection I would strongly recommend starting a topic in the Virus, Spyware, Malware Removal forum.

Not one that you can formulate meaningful instructions for. :)
  • 1

#152
Garack

    New Member

  • Member
  • 4 posts
Hello,

When I do a full scan with OTL (services, processes, modules @ all; logged in as admin and started OTL@Admin under Win7 64 Ultimate), not all services are displayed.

Here's a screenshot from procmon; the 2 services missing are Lcore.exe (Logitech gaming keyboard) and the Sandboxie process SbieCtrl.exe.

http://www.fotos-hoc...eb62t4ce53a.jpg

Log removed.

Edited by emeraldnzl, 08 November 2012 - 05:16 PM.
This is not the place to post logs

  • 0

#153
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts
Hello Garack,

Those two files are not services.

Moving to the jpg file, the process that you highlighted is located in the "c:\program files" folder, meaning that it should be a 64bit process.

OTL does not have the ability to list 64bit processes.

Logs should not be posted here.

If you believe that your machine is infected start a new topic here.

However, your machine is showing some strange anomalies that may be related to something that has happened independent of malware.

Edited by emeraldnzl, 08 November 2012 - 05:14 PM.
correction

  • 0

#154
Garack

    New Member

  • Member
  • 4 posts
Thanks for the info, emeraldnzl!

What anomalies do you mean? You made me curious, though I don't believe my machine is infected with malware.

Edited by Garack, 09 November 2012 - 09:33 AM.

  • 0

#155
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts
There is a strange mixture of German and American English going on. In fact, so much so that some items will not be working properly.
  • 0

#156
Garack

    New Member

  • Member
  • 4 posts
Languages can influence my system?
  • 0

#157
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts
When I see both "c:\programme" and "c:\program files (x86)" folders... then my understanding is yes, it would.
  • 0

#158
Garack

    New Member

  • Member
  • 4 posts
It's a translation issue; on my computer both files are named in the German language.
  • 0

#159
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts
:thumbsup:
  • 0

#160
sarvsammat

    New Member

  • Member
  • 1 posts
:thumbsup: Good job and thanks for sharing this post.
  • 0

#161
thisisu

    Visiting Teacher

  • Visiting Consultant
  • 31 posts
Hi,

Error here I believe:

Example of removing a bad value from the HKLM hive

:reg
[-hkey_local_machine\software\classes\"badfile"]


This isn't REGEDIT4 format.
I believe this used to say "Bad example of removing a value from the HKLM hive".
  • 0

#162
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts
Hello thisisu,

Nice to hear from you again.

This isn't REGEDIT4 format.


No not with that wording.

How about this?

Example of removing a bad shell spawning key and value from the HKLM hive

:reg
[-hkey_local_machine\software\classes\"badvalue"]
  • 0

#163
thisisu

    Visiting Teacher

  • Visiting Consultant
  • 31 posts
Hi emeraldnzl :)

Nice to hear from you again as well.

Shell spawning and file associations are intimately intertwined. The O35 items show the shell spawning values (comfile and exefile) and the O37 items show the file associations (.com and .exe).


Since this example is provided under the O37 subsection of the tutorial, shouldn't these keys be referenced?

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com

__

As hinted in the tutorial:

.exe's (Default) value should be exefile
.com's (Default) value should be comfile

__

To test what is mentioned in the tutorial, I opened regedit and changed HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com 's (Default) value from comfile to c:\windows\reallybadfile.exe. Exit regedit.

Now I open OTL.exe and insert this script:

:reg
[-hkey_local_machine\software\classes\.com\"c:\windows\reallybadfile.exe"]

Now run Fix

Result is:

========== REGISTRY ==========
Registry key hkey_local_machine\software\classes\.com\"c:\windows\reallybadfile.exe"\ not found.

OTL by OldTimer - Version 3.2.69.0 log created on 01232013_145143


Can you review to see if it is working on your end?

Edited by thisisu, 23 January 2013 - 02:58 PM.

  • 0

#164
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts
Hello thisisu,

I just did a quick test on my VM and got this:

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\classes\.com\Reallybadfile\ deleted successfully.

OTL by OldTimer - Version 3.2.69.0 Log created on 01252013_1252013_125715

Maybe not the same path or exactly the same syntax as yours?
  • 0

#165
Elise

    Emsisoft Research

  • Expert
  • 3,389 posts
Hi Alec and thisisu, I think the point is the following (bold mine):

Example of removing a bad value from the HKLM hive

:reg
[-hkey_local_machine\software\classes\"badfile"]

No matter how you put it, a value is not removed this way, a key is. :)

This is what OTL lists for an O35:
O35 - HKLM\..<extension>file [open] -- <file path> "%1" %*
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
@="<file path>\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="<file path>\"%1\" %*"
And this is an O37:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com]
@="<extension>file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="<extension>file"
In all cases values, not keys. :)

Other Classes keys will be, for example, CLSIDs, which load a baddie via the InprocServer subkey. The only case in which you will actually see a bad file as a subkey of Classes directly is, for example, malware creating a malicious extension. A good example of this is the "secfile" extension used by old PolicePro rogue variants.


If you want to adapt the tutorial I'd suggest the following:

Example of removing a bad key from the HKLM hive

:reg
[-hkey_local_machine\software\classes\<bad key>]


  • 1
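The distinction thisisu's regedit test (#163) and Elise's reply above both turn on is key versus value: the O37 items are the (Default) values of the `.exe` and `.com` keys, and the O35 items are the (Default) values of `<ext>file\shell\open\command`, so a hijacked association is repaired by resetting the value, not by deleting the key with `[-key]`. The following is an added example, not OTL's code and not from any poster in this thread. It assumes a REGEDIT4-style text export as input (the kind `regedit` produces), parses the (Default) values, reports any that differ from the defaults the thread describes, and builds a value-restoring `.reg` fragment. Both exports embedded below are constructed sample data; `reallybadfile.exe` mirrors thisisu's test and `hijack.exe` is a placeholder name.

```python
"""Added example (not OTL's code, not from the thread): check the O37
file-association defaults and the O35 shell-spawning commands found in a
REGEDIT4-style export, and build a script that rewrites the VALUES rather
than deleting the KEYS. All registry text below is constructed sample data."""
import re

CLASSES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"

# Default (@) values the thread describes, keyed by path relative to Classes.
EXPECTED = {
    r".exe": "exefile",                        # O37: file association
    r".com": "comfile",                        # O37: file association
    r"exefile\shell\open\command": '"%1" %*',  # O35: shell spawning
    r"comfile\shell\open\command": '"%1" %*',  # O35: shell spawning
}

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")       # [key] or [-key] (a deletion)
_DEFAULT_RE = re.compile(r'^@="(.*)"$')       # @="..." is the (Default) value


def _unescape(s):
    """Undo REGEDIT4 escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s):
    """Apply REGEDIT4 escaping to a string value."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text):
    """Map each key (lower-cased; key names are case-insensitive) to its
    string (Default) value. A [-key] line is a deletion and carries no values."""
    defaults = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = None if m.group(1) == "-" else m.group(2).lower()
            continue
        m = _DEFAULT_RE.match(line)
        if m and current is not None:
            defaults[current] = _unescape(m.group(1))
    return defaults


def check_associations(text):
    """Return (key, expected, actual) for every expected default that is
    missing or differs; actual is None when the key has no (Default) value."""
    defaults = parse_reg(text)
    findings = []
    for rel, expected in EXPECTED.items():
        key = CLASSES + "\\" + rel
        actual = defaults.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((key, expected, actual))
    return findings


def restore_script(findings):
    """Build a .reg fragment that rewrites the (Default) value under each
    affected key. This is the thread's point: the value is reset in place;
    the key itself is never written as [-key]."""
    parts = ["Windows Registry Editor Version 5.00", ""]
    for key, expected, _actual in findings:
        parts += ["[%s]" % key, '@="%s"' % _escape(expected), ""]
    return "\n".join(parts)


# Constructed sample export with the stock defaults.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com]
@="comfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample mirroring thisisu's regedit test (.com pointing at a
# file) and the O35 shape Elise quotes (<file path> "%1" %*). The file
# names are placeholders, not real indicators.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com]
@="c:\\windows\\reallybadfile.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"c:\\windows\\hijack.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    findings = check_associations(HIJACKED_EXPORT)
    for key, expected, actual in findings:
        print("%s: expected %r, found %r" % (key, expected, actual))
    print(restore_script(findings))
```

Run against the constructed hijacked export, the checker flags the `.com` association and the `exefile` open command, and the generated fragment contains `@="comfile"` and `@="\"%1\" %*"` under their keys, which is what an OTL `:reg` fix would also need to write; the parser treats a `[-key]` line as a deletion with no values, which is why a line like the tutorial's `[-hkey_local_machine\software\classes\"badfile"]` can only ever remove a key.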




