OTL

1. Introduction

OTL by OldTimer is an alternative to HijackThis. It is a freeware malware removal tool for Microsoft Windows with both 32-bit and 64-bit support. It works with all Windows NT-based versions, from Microsoft Windows 2000 through Windows 7; it does not support Windows 9x machines.

The software can be downloaded from these websites:

Please verify the downloaded file against this MD5:
MD5 (OTL.exe) = db1dc82216059f7c3ea9acbb3aa720c4
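A small Python script for checking the download against the published MD5 (an added example, not part of OTL or the original article). It embeds the hash quoted above; the path to OTL.exe is supplied on the command line. Note that MD5 only detects accidental corruption or a casually swapped file: anyone able to alter the download can also publish a matching hash, so take the reference value from a source other than the download mirror itself.

```python
"""Verify a downloaded file against a published MD5 (added example)."""
import hashlib
import hmac

# MD5 published for OTL.exe in this article (copied from the page).
EXPECTED_OTL_MD5 = "db1dc82216059f7c3ea9acbb3aa720c4"


def md5_of_file(path, chunk_size=1 << 20):
    """Return the lowercase hex MD5 of a file, reading it in chunks
    so that large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_md5(path, expected=EXPECTED_OTL_MD5):
    """True if the file's MD5 matches `expected` (case-insensitive).

    hmac.compare_digest avoids a short-circuiting string comparison;
    it is not critical for a download check, but it is the habit to
    keep whenever digests are compared.
    """
    actual = md5_of_file(path)
    return hmac.compare_digest(actual, expected.strip().lower())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "OTL.exe"
    status = "OK" if verify_md5(target) else "MISMATCH"
    print("%s  %s  %s" % (md5_of_file(target), target, status))
```

Run it as `python verify_otl.py C:\Users\you\Desktop\OTL.exe`; a MISMATCH means the file should be deleted and downloaded again rather than run.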

At the time of this write-up, the latest OTL version is 3.2.17.3.
This article will cover basic scanning and removal steps for end users.

2. Installation Process

As OTL is a stand-alone application, no installation is required. Download it and place it on your desktop. Make sure you execute the application using user privileges (approve any UAC warnings on Windows Vista or 7).


Figure 1 - OTL icon

3. OTL Interface
Explanation of the OTL interface

Located at the top of the OTL interface are a number of options for the type of scan and fix to be conducted, as shown in Figure 2. The Run Scan option scans the system thoroughly and is usually time-consuming compared to the Quick Scan option. If multiple users share the computer, there is an option to scan all users. The CleanUp option automatically removes many of the commonly used malware removal tools from the user's machine.


Figure 2- OTL scan options

Below the scan and fix options are the filter options as shown in Figure 3.


Figure 3 - OTL filter options

Process - Shows processes running on the machine.
Services - Shows services running on the machine.
Drivers - Shows drivers running on the machine.
Extra Registry - Produces a separate log; the output is placed in the Extras.txt log automatically when the first OTL scan is run.
Safe List - A list of 600+ Microsoft files that are deemed safe. These are filtered out of any scan that offers a Safe List option when that option is chosen for the scan.
All - Choosing the All option for any of these scans turns the filter off, and the output includes all items for that scan.
More details can be found on the OTL support forums.

4. Using OTL

After the software has been downloaded, double-click the OTL icon to run it. OTL does not need to be installed.


(i) The first step in analyzing the machine is to scan the system and registry. The purpose of the scan is to detect any anomaly known to OTL. To scan, click on the Run Scan option:



(ii) Once the scan finishes, OTL opens two Notepad windows, OTL.Txt and Extras.Txt. These files are saved in the folder where the OTL executable is kept. OTL.Txt is the main log, while Extras.Txt contains additional information from the scan.


Figure 4 - OTL Scan Outputs

(iii) Copy the contents of OTL.Txt and Extras.Txt and send them to MyCERT for analysis. If you are an advanced user and have read the tutorial, you can analyze the output on your own. If you are looking for a second opinion or help, you may share your results by pasting them to the OTL forum. However, be aware of the potential for information leaks when sharing logs on a public forum.

In this example, we demonstrate the removal of an unwanted program. An advanced user can go through the log files and identify the unwanted program; in this case it is C:\WINDOWS\System32\a.exe.


Figure 5 - Identifying unwanted program

(iv) Below is an example of an OTL fix script. As shown in Figure 6, paste the following into the 'Custom Scans/Fixes' box at the bottom:


:OTL
:Services
:Reg
:Files
C:\WINDOWS\System32\a.exe
:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]

(v) Click 'Run Fix'. OTL will then attempt to fix (move) the listed file(s). In this example, we suspected that an unusual file resided within C:\WINDOWS\System32\.


Figure 6 - Custom scan/fixes
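Before pasting a fix script into OTL, it is worth checking it for typos, since a mistyped path or an unknown section silently does nothing (or, worse, moves the wrong file). The following Python dry-run checker is an added example, not part of OTL or this article: it parses a fix script into its sections, accepts only the section headers and :Commands entries shown in the tutorial above (an assumption; OTL's full command set is larger), requires every :Files entry to be an absolute Windows path, and reports which listed files actually exist on the machine without moving or deleting anything.

```python
"""Dry-run checker for OTL fix scripts (added example, not part of OTL)."""
import os
from collections import OrderedDict

# Section headers used in the tutorial's fix script (assumption: this is
# only the subset shown on the page, not OTL's complete list of sections).
KNOWN_SECTIONS = {"OTL", "Services", "Reg", "Files", "Commands"}
# :Commands entries used in the tutorial (same assumption), compared
# case-insensitively.
KNOWN_COMMANDS = {"[purity]", "[emptytemp]", "[emptyflash]", "[reboot]"}

# The fix script from the tutorial, embedded so the checker can be run
# stand-alone.
TUTORIAL_SCRIPT = """:OTL
:Services
:Reg
:Files
C:\\WINDOWS\\System32\\a.exe
:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]
"""


def parse_fix_script(text):
    """Split an OTL fix script into an ordered {section_name: [entries]} map.

    A line beginning with ':' opens a new section; every other non-blank
    line belongs to the current section. An entry before any header is
    rejected, because OTL entries mean nothing without a section.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].strip()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry outside any section: %r" % line)
        else:
            sections[current].append(line)
    return sections


def validate_fix_script(sections):
    """Return a list of problems; an empty list means the script looks clean."""
    problems = []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            problems.append("unknown section :%s" % name)
    for cmd in sections.get("Commands", []):
        if cmd.lower() not in KNOWN_COMMANDS:
            problems.append("unknown command %s" % cmd)
    for path in sections.get("Files", []):
        # Absolute Windows path: drive letter, colon, backslash.
        if not (len(path) > 2 and path[1] == ":" and path[2] == "\\"):
            problems.append("not an absolute Windows path: %s" % path)
    return problems


def preview_files(sections):
    """Dry run for the :Files section: (path, exists) for each listed path.

    Nothing is moved or deleted; this only tells the operator what the fix
    would act on, so a typo cannot silently point at the wrong file.
    """
    return [(path, os.path.exists(path)) for path in sections.get("Files", [])]


if __name__ == "__main__":
    parsed = parse_fix_script(TUTORIAL_SCRIPT)
    for problem in validate_fix_script(parsed) or ["no problems found"]:
        print(problem)
    for path, present in preview_files(parsed):
        print("%s  %s" % ("PRESENT" if present else "MISSING", path))
```

If a path is reported MISSING on the machine being cleaned, re-check it against the OTL.Txt log before running the fix; if validation reports an unknown section or command, correct the script rather than letting OTL guess.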

OTL takes a couple of seconds to apply the fix. Once finished, it displays a message box asking you to reboot the computer. Click 'OK' to complete the process, as in Figure 7.


Figure 7 - OTL finishes and requires reboot

(vi) Once the machine has rebooted, you will get a log showing the results of the fix. Figures 8 and 9 show the output of the log.


Figure 8 - Output of the fix log


Figure 9 - Full output of the fix log

This shows that the unwanted program has been moved successfully. OTL creates a directory, C:\_OTL\MovedFiles\, that stores the log of the fixes together with the moved program, as shown in Figure 8.


Figure 10 - Moved directory and file(s)

5. Seeking Advice

Should a user be unsure whether to delete or fix an entry, please seek professional advice to avoid deleting good entries that may render the computer inoperable. To seek MyCERT's advice, attach the log file that OTL produced when scanning your system and send it to the following email address: cyber999 [at] cybersecurity.my.

Last update : 4 May 2011