OTL by OldTimer is an alternative to HijackThis. OTL is a freeware malware removal tool for Microsoft Windows. OTL supports both 32-bit and 64-bit systems. It works on all Windows NT-based operating systems, from Microsoft Windows 2000 through Windows 7. It does not support Windows 9x machines.
The software can be downloaded from these websites:
Please refer to the MD5 checksum for verification:
MD5 (OTL.exe) = db1dc82216059f7c3ea9acbb3aa720c4
At the time of this write-up, the latest OTL version is 184.108.40.206.
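One way to check the downloaded file against the published checksum before running it, as an added Python example that is not part of the original article or of OTL itself; the checksum line is the one quoted above, while the file location is an assumption:

```python
"""Verify a downloaded OTL.exe against its published MD5 (added example)."""
import hashlib
import hmac
import re
from pathlib import Path

# Checksum line exactly as published in the article (BSD-style md5 output).
PUBLISHED_MD5_LINE = "MD5 (OTL.exe) = db1dc82216059f7c3ea9acbb3aa720c4"

# Matches "MD5 (<filename>) = <32 hex digits>".
_MD5_LINE_RE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})$")


def parse_md5_line(line: str) -> tuple[str, str]:
    """Return (filename, lowercase hex digest) from a 'MD5 (name) = hex' line."""
    match = _MD5_LINE_RE.match(line.strip())
    if match is None:
        raise ValueError(f"not a BSD-style MD5 line: {line!r}")
    return match.group("name"), match.group("digest").lower()


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in 1 MiB chunks so a large download never sits in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: Path, published_line: str = PUBLISHED_MD5_LINE) -> bool:
    """True only if both the file name and the MD5 match the published line.

    compare_digest avoids leaking the mismatch position through timing. MD5 is
    collision-prone, so this is a download-integrity check, not proof of origin.
    """
    expected_name, expected_digest = parse_md5_line(published_line)
    if path.name != expected_name:
        return False
    return hmac.compare_digest(md5_of_file(path), expected_digest)


if __name__ == "__main__":
    import sys
    # Assumed location: OTL.exe on the desktop or a path given on the command line.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Desktop" / "OTL.exe"
    print("OK" if verify_download(target) else "MISMATCH", target)
```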
This article will cover basic scanning and removal steps for end users.
2. Installation Process
As OTL is a stand-alone application, installation is not required. Download it and place it on your desktop. Make sure you run the application with the appropriate user privileges (approve any UAC prompts on Windows Vista or 7).
Figure 1 - OTL icon
3. OTL Interface
The OTL interface is explained below.
Figure 2 - OTL scan options
Below the scan and fix options are the filter options as shown in Figure 3.
Figure 3 - OTL filter options
Process - Shows processes running on the machine.
Services - Shows services running on the machine.
Drivers - Shows drivers running on the machine.
Extra Registry - Produces a separate log and places its output in the Extras.txt log automatically when the first OTL scan is run.
Safe List - A list of 600+ Microsoft files that are deemed safe; these are filtered out of any scan that offers the Safe List option when that option is chosen for the scan.
Choosing the All option for any of these scans turns the filter off, and the output will include every item for that scan.
More details can be viewed at the OTL support forums.
4. Using OTL
After the software has been downloaded, double-click the application to run it. OTL does not need to be installed; simply click the OTL icon to run it.
(i) The first step in analyzing the machine is to scan the system and registry. The purpose of the scan is to detect any anomaly known to OTL. To scan, click on the Run Scan option:
(ii) Once the scan finishes, it will open two notepad windows, OTL.Txt and Extras.Txt. These files are saved in the location where the OTL file is kept. The main file is OTL.Txt while Extras.Txt is a file which contains extra information on the scan conducted.
Figure 4 - OTL Scan Outputs
(iii) Copy the contents of OTL.Txt and Extras.Txt and send them to MyCERT for analysis. If you are an advanced user and have read the tutorial, you can analyze the output on your own. If you are looking for a different opinion, input or help, you may share your result by pasting it to the OTL forum. However, please be aware of the potential for information leaks when sharing information on a public forum.
In this example, we demonstrate the deletion/removal of an unwanted program. An advanced user can go through the log files and identify the unwanted program; in this case it is C:\WINDOWS\System32\a.exe.
Figure 5 - Identifying unwanted program
(iv) Below are some of the OTL scripts that can be run. As shown in Figure 6, under the 'Custom Scans/Fixes' box at the bottom, paste in the following:
(v) Click 'Run Fix'. OTL will then try to fix the file(s). In this case, we suspected that an unusual file resides within C:\WINDOWS\System32\.
Figure 6 - Custom scan/fixes
OTL will take a couple of seconds to apply the fix. Once finished, it will prompt a message box with instructions to reboot the computer. Click 'OK' to complete the process, as in Figure 7.
Figure 7 - OTL finishes and requires reboot
(vi) Once the machine has rebooted, you will get a log that shows the results of the fix. Figure 8 and Figure 9 show the output of the log.
Figure 8 - Output of the fix log
Figure 9 - Full output of the fix log
This shows that the unwanted program has been moved successfully. OTL creates a directory, C:\_OTL\MovedFiles\, that stores the log of the fixes together with the moved program, as shown in Figure 8.
Figure 10 - Moved directory and file(s)
5. Should a user be unsure whether to delete or fix an entry, please seek professional advice to avoid deleting good entries that may render the computer inoperable. To seek MyCERT's advice, please attach the log file that OTL produced upon scanning your system and send it to the following email address: cyber999 [at] cybersecurity.my.
Last update: 4 May 2011