185 replies to this topic

[HiddenIE]

Ahhh, yes. Rookie f-up

[TheToker]

Hi folks. I've downloaded OTL but can not get it to install on my laptop.
I've tried the three different extensions but to no avail.
Anyone got any pointers or ideas? It would be much appreciated..
Sorry if this is posted in the wrong place.

Regards, Toker

[emeraldnzl]

Hi Toker,

Might be malware preventing it. If you think it is, go to this link:

http://www.geekstogo...uide-t2852.html

follow the actions there and post a new topic here (with the relevant scan logs) if the problem persists.

[TheToker]

Hi Toker,

Might be malware preventing it. If you think it is, go to this link:

http://www.geekstogo...uide-t2852.html

follow the actions there and post a new topic here (with the relevant scan logs) if the problem persists.

High emeraldnzl..

Over the last few hours i've run lots of malware scans but everything is clean.
I've used both on and off line scans along with MBAM, SAS and Spybot.
I've even tried starting OTL in safe mode but to no avail.

Thank you for your reply..

[emeraldnzl]

From your reply it seems you were able to download it but are unable to run OTL.

This is not the place to pursue this.

My previous suggestions stand. Something is preventing it running, this could be malware or your own anti-malware programs although I think that unlikely.

Why don't you post a topic in the malware forum with what logs you can provide... Malwarebytes etc. and see if someone can help you there.

[lialiem]

removed log

Edited by Rorschach112, 21 August 2010 - 11:11 AM.

[Rorschach112]

Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post an OTListIt log in THAT forum.

[fjk61011]

How do I set OTL to generate an Extras.txt file on susequent runs. I have read the tutorial and can't find the instructions.

Edit: I've run OTL on another machine and made a note of the settings. Extras Registry needs to be set to Use Safe List.

Edited by fjk61011, 12 September 2010 - 07:29 AM.

[Rorschach112]

You have answered your own question, this is what it says in the tutorial about that though

Extra Registry - separate log automatically run on first OTL scan. Carries out the following scans and places the output in the Extras.txt log. This will only be automatically run the first time an OTL.exe scan is performed. After that, if you want to see this output you will need to instruct the user to select either the Use SafeList or All option in the Extra Registry group before performing the next scan:

[fjk61011]

Oops! Missed that. Must be getting old.

[fjk61011]

Extra Registry - separate log automatically run on first OTL scan. Carries out the following scans and places the output in the Extras.txt log. This will only be automatically run the first time an OTL.exe scan is performed. After that, if you want to see this output you will need to instruct the user to select either the Use SafeList or All option in the Extra Registry group before performing the next scan:

Re-read the tutorial again. Found your quote.

Thanks for your help.

[bigtrucks]

HI there OT. Just some questions I would like to ask. I'm in GU and just past Underclass now waiting to enter Upper. I was directed here to start on some reading while waiting (was told there was a LOT of reading and my comprehension is not all that fast). So please bare with me. I will be doing a lot of questions as so to maybe get a better understanding and help someone to whom,(as I use to be), are afraid to ask for fear they may be seen as being dumb. I learned a long time ago there are no dumb/stupid questions.

OTL adds notations to certain log entries:

[2008/01/20 21:52:15 | 01,216,000 | ---- | M - the last character inside the brackets will either be M or C standing for Created or Modified.

All of the scans except the Files Created scan and the Files Created No Company Name scans will show the last modified date of the files. The two Created scans will show the file or folder's created date. A lot of malware will adjust the modified date to try and hide or blend in with other files or folders so seeing the created date helps in determining potential malware. If the file or folders shows a modified date in 2003 but was created in 2010 then it is an indication that it should be looked at a bit more closely. Look at the created scans very closely because they tend to quickly point out malware.

What you're saying is, it "could be" malware if the folder/file has a modified date that is older then the created date? Asking that, would the above example if changed to; [2008/01/20 21:52:15 | 2010/01/20 21:52:15 | 01,216,000 | ---- | M | C | , be condidered a possible malware?(Did I write that line Properly?) Am I correct in saying this is a modified file ?

[2010/03/15 18:25:02 | 1609,916,416 | -HS- | M] () -- C:\hiberfil.sys - the four designators after the file size can be RHSD and stand for:

R - Readonly
H - Hidden
S - System
D - Directory

SRV - (NMSAccessU) -- C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe () - denotes that there is not company name. The company name will appear inside the trailing parenthesis. Most malware will not have a company name (but some put one in there in an attempt to hide) but not all files without a company name are bad as this example shows.

Would you have to search the company name to be sure it isn't malware trying to hide, or is there a list of names that can be looked at to determine what is good and what is bad?

[2009/03/10 15:54:00 | 00,000,000 | ---D | M - this shows a Directory (D) that was Modified (M) on 2009/03/10.
In this case the example is a Directory and the date shown is the Modified date.

Directories will always have a file size of zero as this example shows. If it was a file then there would not be a D in that portion and the size of the file would normally be greater than zero although you may find files with a zero size as well, but in that case there still would not be a D value there. In this case the example is a Directory and the date shown is the modified date.

Is this technet.microsoft-library a good place for info for further questions I will have, as I'm not too clear on the "file/folder and Directory explaination above? I will have more questions as I read further and just wanted to try and find the answers on my own first before posting any more.
Thanks
Regards
BT

[OldTimer]

@bigtrucks:

What you're saying is, it "could be" malware if the folder/file has a modified date that is older then the created date? Asking that, would the above example if changed to; [2008/01/20 21:52:15 | 2010/01/20 21:52:15 | 01,216,000 | ---- | M | C | , be condidered a possible malware?(Did I write that line Properly?) Am I correct in saying this is a modified file ?

There are very few if any absolutes when dealing with malware.No matter what scanner you use, it will simply show you what is present. It is up to you to determine whether something should be there or not. There are legitimate reasons why a file/folder might have a modified date prior to a created date. When you see that, it should simply make you say "Hmmm, I better look at that a little closer." You will never see a line like you created in an OTL log. Any files/folders that show dates will either show a modified date or a created date, depending on what scan the line is part of. Bot modified and created will never show up in the same line.

Would you have to search the company name to be sure it isn't malware trying to hide, or is there a list of names that can be looked at to determine what is good and what is bad?

There are no certainties. A lot of malware has no company name, but not having a company name does not necesasrily mean a file is malware. Likewise, There is some malware that will use legitimate company names like Microsoft, or Intel, or IBM, or Real. And then there are patched files that have legitimate names, are in legitimate locations, but have different file sizes or MD5s. You'll get into all of that in your training.

Is this technet.microsoft-library a good place for info for further questions I will have, as I'm not too clear on the "file/folder and Directory explaination above? I will have more questions as I read further and just wanted to try and find the answers on my own first before posting any more.

For general computer questions it probably would be. I've never used it. But there are toms of sources on the Internet so if what you are looking for isn't there then Google is your friend.

Also, your PL Instructors are great resources for these questions.

Cheers.

OT

[bigtrucks]

For general computer questions it probably would be. I've never used it. But there are toms of sources on the Internet so if what you are looking for isn't there then Google is your friend.

Google has become my top best friend for searching and questions. We're getting Real chummy.

Also, your PL Instructors are great resources for these questions.

Cheers.

OT

I would but I'm waiting for the door to open. BUT, I'm in no hurry, have lots to read and try to comprehend right here.
Thank You so much for the explanations to my questions.

Regards
BT

[pradap]

Hi I am having issues with my computer, so I have been following the self-help steps posted in the forums (I've done them before, in the past) - I've got a question about running OTL, however, as I don't remember this occuring when I've done it before - when it reached the point in OTL where it says "creating restore point, do not interrupt..."... there suddenly ceased to be any HD activity... I let it sit for well over 20 minutes before I grew concerned. Is this length of time to create a restore point with OTL normal, or should I try running it again? Additionally, shortly after OTL began, an error window popped up with "Access violation at address 0040295b in module OTL.exe. Read of address 001D1000." Should I uninstall the current OTL I have on my machine and download a fresh copy, or do you think this is related to the trojan/malware issues I'm having with my computer right now?

thanks for your advance response......
_______________________________________________

Edited by sari, 24 December 2010 - 06:39 AM.
Deleted spam links