Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

OTL Tutorial - How to use OldTimer ListIt

- - - - - OTL oldtimer tutorial how-to scan

  • Please log in to reply
182 replies to this topic

#16
HiddenIE

HiddenIE

    New Member

  • Member
  • Pip
  • 5 posts
Ahhh, yes. Rookie f-up :)
  • 0

Advertisements


#17
TheToker

TheToker

    Member

  • Member
  • PipPip
  • 19 posts
Hi folks. I've downloaded OTL but can not get it to install on my laptop.
I've tried the three different extensions but to no avail.
Anyone got any pointers or ideas? It would be much appreciated..
Sorry if this is posted in the wrong place.

Regards, Toker
  • 0

#18
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,984 posts
Hi Toker,

Might be malware preventing it. If you think it is, go to this link:

http://www.geekstogo...uide-t2852.html

follow the actions there and post a new topic here (with the relevant scan logs) if the problem persists.
  • 0

#19
TheToker

TheToker

    Member

  • Member
  • PipPip
  • 19 posts

Hi Toker,

Might be malware preventing it. If you think it is, go to this link:

http://www.geekstogo...uide-t2852.html

follow the actions there and post a new topic here (with the relevant scan logs) if the problem persists.



High emeraldnzl..

Over the last few hours i've run lots of malware scans but everything is clean.
I've used both on and off line scans along with MBAM, SAS and Spybot.
I've even tried starting OTL in safe mode but to no avail.

Thank you for your reply..
  • 0

#20
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,984 posts
From your reply it seems you were able to download it but are unable to run OTL.

This is not the place to pursue this.

My previous suggestions stand. Something is preventing it running, this could be malware or your own anti-malware programs although I think that unlikely.

Why don't you post a topic in the malware forum with what logs you can provide... Malwarebytes etc. and see if someone can help you there. :)
  • 0

#21
lialiem

lialiem

    Member

  • Member
  • PipPip
  • 14 posts
removed log

Edited by Rorschach112, 21 August 2010 - 11:11 AM.

  • 0

#22
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post an OTListIt log in THAT forum.
  • 0

#23
fjk61011

fjk61011

    New Member

  • Member
  • Pip
  • 3 posts
How do I set OTL to generate an Extras.txt file on susequent runs. I have read the tutorial and can't find the instructions.

Edit: I've run OTL on another machine and made a note of the settings. Extras Registry needs to be set to Use Safe List.

Edited by fjk61011, 12 September 2010 - 07:29 AM.

  • 0

#24
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You have answered your own question, this is what it says in the tutorial about that though

Extra Registry - separate log automatically run on first OTL scan. Carries out the following scans and places the output in the Extras.txt log. This will only be automatically run the first time an OTL.exe scan is performed. After that, if you want to see this output you will need to instruct the user to select either the Use SafeList or All option in the Extra Registry group before performing the next scan:


  • 0

#25
fjk61011

fjk61011

    New Member

  • Member
  • Pip
  • 3 posts
Oops! Missed that. Must be getting old.
  • 0

Advertisements


#26
fjk61011

fjk61011

    New Member

  • Member
  • Pip
  • 3 posts

Extra Registry - separate log automatically run on first OTL scan. Carries out the following scans and places the output in the Extras.txt log. This will only be automatically run the first time an OTL.exe scan is performed. After that, if you want to see this output you will need to instruct the user to select either the Use SafeList or All option in the Extra Registry group before performing the next scan:



Re-read the tutorial again. Found your quote.

Thanks for your help.
  • 0

#27
bigtrucks

bigtrucks

    Member

  • Member
  • PipPipPip
  • 275 posts
HI there OT. Just some questions I would like to ask. I'm in GU and just past Underclass now waiting to enter Upper. I was directed here to start on some reading while waiting (was told there was a LOT of reading and my comprehension is not all that fast). So please bare with me. I will be doing a lot of questions as so to maybe get a better understanding and help someone to whom,(as I use to be), are afraid to ask for fear they may be seen as being dumb. I learned a long time ago there are no dumb/stupid questions.


OTL adds notations to certain log entries:

[2008/01/20 21:52:15 | 01,216,000 | ---- | M - the last character inside the brackets will either be M or C standing for Created or Modified.

All of the scans except the Files Created scan and the Files Created No Company Name scans will show the last modified date of the files. The two Created scans will show the file or folder's created date. A lot of malware will adjust the modified date to try and hide or blend in with other files or folders so seeing the created date helps in determining potential malware. If the file or folders shows a modified date in 2003 but was created in 2010 then it is an indication that it should be looked at a bit more closely. Look at the created scans very closely because they tend to quickly point out malware.


What you're saying is, it "could be" malware if the folder/file has a modified date that is older then the created date? Asking that, would the above example if changed to; [2008/01/20 21:52:15 | 2010/01/20 21:52:15 | 01,216,000 | ---- | M | C | , be condidered a possible malware?(Did I write that line Properly?) Am I correct in saying this is a modified file ?


[2010/03/15 18:25:02 | 1609,916,416 | -HS- | M] () -- C:\hiberfil.sys - the four designators after the file size can be RHSD and stand for:

R - Readonly
H - Hidden
S - System
D - Directory

SRV - (NMSAccessU) -- C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe () - denotes that there is not company name. The company name will appear inside the trailing parenthesis. Most malware will not have a company name (but some put one in there in an attempt to hide) but not all files without a company name are bad as this example shows.

Would you have to search the company name to be sure it isn't malware trying to hide, or is there a list of names that can be looked at to determine what is good and what is bad?

[2009/03/10 15:54:00 | 00,000,000 | ---D | M - this shows a Directory (D) that was Modified (M) on 2009/03/10.
In this case the example is a Directory and the date shown is the Modified date.

Directories will always have a file size of zero as this example shows. If it was a file then there would not be a D in that portion and the size of the file would normally be greater than zero although you may find files with a zero size as well, but in that case there still would not be a D value there. In this case the example is a Directory and the date shown is the modified date.

Is this technet.microsoft-library a good place for info for further questions I will have, as I'm not too clear on the "file/folder and Directory explaination above? I will have more questions as I read further and just wanted to try and find the answers on my own first before posting any more.
Thanks
Regards
BT
  • 0

#28
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
@bigtrucks:

What you're saying is, it "could be" malware if the folder/file has a modified date that is older then the created date? Asking that, would the above example if changed to; [2008/01/20 21:52:15 | 2010/01/20 21:52:15 | 01,216,000 | ---- | M | C | , be condidered a possible malware?(Did I write that line Properly?) Am I correct in saying this is a modified file ?

There are very few if any absolutes when dealing with malware.No matter what scanner you use, it will simply show you what is present. It is up to you to determine whether something should be there or not. There are legitimate reasons why a file/folder might have a modified date prior to a created date. When you see that, it should simply make you say "Hmmm, I better look at that a little closer." You will never see a line like you created in an OTL log. Any files/folders that show dates will either show a modified date or a created date, depending on what scan the line is part of. Bot modified and created will never show up in the same line.

Would you have to search the company name to be sure it isn't malware trying to hide, or is there a list of names that can be looked at to determine what is good and what is bad?

There are no certainties. A lot of malware has no company name, but not having a company name does not necesasrily mean a file is malware. Likewise, There is some malware that will use legitimate company names like Microsoft, or Intel, or IBM, or Real. And then there are patched files that have legitimate names, are in legitimate locations, but have different file sizes or MD5s. You'll get into all of that in your training.

Is this technet.microsoft-library a good place for info for further questions I will have, as I'm not too clear on the "file/folder and Directory explaination above? I will have more questions as I read further and just wanted to try and find the answers on my own first before posting any more.

For general computer questions it probably would be. I've never used it. But there are toms of sources on the Internet so if what you are looking for isn't there then Google is your friend.

Also, your PL Instructors are great resources for these questions.

Cheers.

OT
  • 0

#29
bigtrucks

bigtrucks

    Member

  • Member
  • PipPipPip
  • 275 posts



For general computer questions it probably would be. I've never used it. But there are toms of sources on the Internet so if what you are looking for isn't there then Google is your friend.

Google has become my top best friend for searching and questions. We're getting Real chummy.;)

Also, your PL Instructors are great resources for these questions.

Cheers.

OT

I would but I'm waiting for the door to open. BUT, I'm in no hurry, have lots to read and try to comprehend right here.
Thank You so much for the explanations to my questions.:D

Regards
BT
  • 0

#30
pradap

pradap

    New Member

  • Member
  • Pip
  • 1 posts
Hi I am having issues with my computer, so I have been following the self-help steps posted in the forums (I've done them before, in the past) - I've got a question about running OTL, however, as I don't remember this occuring when I've done it before - when it reached the point in OTL where it says "creating restore point, do not interrupt..."... there suddenly ceased to be any HD activity... I let it sit for well over 20 minutes before I grew concerned. Is this length of time to create a restore point with OTL normal, or should I try running it again? Additionally, shortly after OTL began, an error window popped up with "Access violation at address 0040295b in module OTL.exe. Read of address 001D1000." Should I uninstall the current OTL I have on my machine and download a fresh copy, or do you think this is related to the trojan/malware issues I'm having with my computer right now?

thanks for your advance response......
_______________________________________________

Edited by sari, 24 December 2010 - 06:39 AM.
Deleted spam links

  • 0





Also tagged with one or more of these keywords: OTL, oldtimer, tutorial, how-to, scan

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.