Author Topic: Malware Simple Analyzing and Removal Guide


Offline superhacker
Malware Simple Analyzing and Removal Guide
« on: February 13, 2010, 03:44:29 PM »
Manual cleaning routines:
Nowadays malware is more complicated, and not all cleaning routines succeed perfectly; sometimes they don't work at all. So when your PC gets infected you should be patient, and cooperate with the people who want to help you. So, what to do:
A. Anti-malware:
There are plenty of good anti-malware tools and cleaners, like:
1. Malwarebytes Anti-Malware: code name mbam. A good tool for detecting and cleaning malware ("file infectors not included").
2. SUPERAntiSpyware: another good tool for detecting and removing malware, code name sas. It has an advantage over mbam in that it has a separate "system and browser repairs".
3. Dr.Web CureIt!: my favourite tool for totally getting rid of file infectors like sality, alman, ........ and other malware. Its cleaning routines are so powerful, and its advantage over mbam and sas is that it can handle viruses.

After cleaning, some files or registry keys may still be in the system, so you should repair them with system cleaners and fixers.
B. System cleaners:
1. ccleaner: a good freeware to clean junk files and registry errors. It also has an uninstaller ("some, or a lot, of spyware has an uninstall entry, so removing it with the uninstaller is easier").
2. dial a fix: a good, powerful tool for XP users; it can fix policies and has a good arsenal of fixes.
3. glary utilities: another good tool. And there are hundreds of freeware tools to do such a mission.

You may have got a rootkit, so you should check for rootkits:
C. Anti-rootkits:
1. avast! anti-rootkit: a simple anti-rootkit. It has some false positives in the registry and the System Restore folder; anyway, we need the log created by it, not its removal ("sorry alwil").
2. Panda anti-rootkit: another simple-UI anti-rootkit ("it is good, but the last time I ran it I got an OllyDbg window telling me that an access violation occurred; but don't worry, my PC is a freak for anti-malware").
3. Radix antirootkit: a very helpful tool; it generates a few FPs and its cleaning is wonderful. It combines the ease of use and the power of other advanced tools like GMER or RKU.
4. GMER: an advanced tool, so use it to analyze the system, then give the report to a professional and follow his guidance ("my favorite anti-rootkit").
5. RKU: another good analyzer, but like gmer, don't take decisions if you don't know what you are doing.
6. rootkit revealer: a good tool to analyze files and registry keys that hide from your eyes.
Enough anti-rootkits.
CAUTION: RUNNING MORE THAN ONE ANTI-ROOTKIT AT THE SAME TIME MAY CAUSE PROBLEMS, INCLUDING BSoDs.




Manual analyzing and cleaning
Sometimes YOU NEED to analyze the system and clean it yourself, because the anti-malware doesn't catch or can't remove the malware. ("We are not going to teach you here how to analyze malware, but we will give you some basics. The term "analyzing malware" is a big section, and you should know you are going to learn THE BASICS, i.e. what you need; like the mobile phone player: it is good, but the PC media player is better, yet for the mobile a small media player is so good. You know what I am talking about... I wish.")
A. Process managers: we will use them to identify the malware processes and to kill them.
1. procexp: the best task manager I have ever seen. It gives you a very good image of what is running, with highlighting, and it cooperates with its brother autoruns to catch malware ("the highlighting exposes the packed processes running, so you should suspect them first", because the professionals in making viruses protect their viruses by packing them; "in the photo you see hijack free is a packed process: packed with UPX 1.01 MB, after unpacking 2.75 MB, and it is programmed with Borland Delphi").
2. APT ("Advanced Process Termination"): good at one thing, killing processes; you will use it to kill malware processes.
3. GMER: yep, again we will use GMER, but the Processes section. Expand the tabs and go to Processes; here is the magic: until now no program has stood against termination by GMER, neither firewalls nor antiviruses like comodo, avast, avira, outpost, eset, ..................... so the malware will be terminated forever by GMER, because it will not contain a self-defense as powerful as an antivirus's. So bye bye.

B. Overall system analyzer: it can give you an overall view of your system.
1. ESET SysInspector: ESET SysInspector is an application that thoroughly inspects your computer and displays gathered data in a comprehensive way. Information like installed drivers and applications, network connections or important registry entries can help you to investigate suspicious system behavior, be it due to software or hardware incompatibility or malware infection. //// That's why they say "the geeks in the robot man company eset", and I like to analyze its log more than HJT's. But you need to upload files to an uploading website, since we can't upload zip files to the forum.
2. autoruns: the best tool in the world to determine the startups, and it can work with procexp. It's easy to work with after some tweaking: from the Options menu check "Hide Microsoft and Windows entries", then check "Verify code signatures". The unverified entries that come from an unknown publisher may be suspect and need to be investigated. We will use autoruns to disable the malware startup entries after terminating it ("so it doesn't re-enable itself after termination").
3. HijackThis: a simple tool that makes simple logs ("really, I hate them"), and there are no updates for the current version, and some malware can now hide from it.
4. a2HijackFree: a good tool that gives you an overall look at your processes, ports, autoruns, services, and some other places where malware can hide. It has good removal ability.
5. freeFixer: a nice tool that polonus told me about ("thanks polonus"). I worked with it for some hours, and it is good ("even if its GUI is not so good").
6. superhacker system analyzer: code name "NSA". I WILL rename it to my love's name after it is done; it is still in the developing phase. It scans for startups, then makes a list of unverified entries, then scans the HDD for files that have the attributes "hidden and system", then compares the two lists and gives you a third list containing the file name, its company, packed or not, and its import/export table ("it contains no resource sections, since it drove me crazy to program it; any help welcome"). I will present it here in the avast forum; it will be free software ("free & open source"). Hey, I use Python for that, and I am still making the handler for registry reading and log saving.



C. File and registry removals:
1. unlocker: a very good tool to delete malware files, since it will remove them on the next startup if it can't remove them now.
2. FileASSASSIN: a nice file deleter; it lacks the right-click menu, so I prefer unlocker.
3. RegASSASSIN: a tool to remove registry keys & values.

D. Another tool & conclusion:
api guard: a handy tool to run suspicious files without hurting your system ("if your AV doesn't catch a virus in a suspect file, you can run it from api guard").
My conclusion: anti-malware nowadays is so good, but there are always weak points, and that is where those tools come in. If you have a problem with your infected PC, make a new topic and we will help you. If all fails, I volunteer to make a remover for your case: by uploading the virus to an upload website, I will analyze it for you and make a cleaner ("if there is no cleaner available on the net. Why? I am sure my program will be good, but it will not be tested like the other tools, and it will be programmed on Windows XP; maybe you use Vista or Win 98").
A very big thanks from me to the best malware fighter I have ever seen, "polonus".



References:
www.freedrweb.com/cureit/?lng=en
www.malwarebytes.org/mbam.php
www.superantispyware.com/
www.ccleaner.com/
www.glaryutilities.com/
download.cnet.com/Panda-Anti-Rootkit/3000-8022_4-10717196.html
www.gmer.net/
technet.microsoft.com/en-us/.../bb897445.aspx
technet.microsoft.com/en-us/.../bb896653.aspx
www.diamondcs.com.au/advancedseries/apt.php
www.eset.com/download/sysinspector.php
technet.microsoft.com/en-us/.../bb963902.aspx
www.hijackfree.com/en/hijackfree/
www.freefixer.com/
ccollomb.free.fr/unlocker/
I PREFER GOOGLING
http://wiki.lunarsoft.net/wiki/PC_Security

« Last Edit: February 15, 2010, 01:17:06 AM by superhacker »
Dreams don't die, they just fall asleep.

Offline polonus
Re: Malware removal guide
« Reply #1 on: February 13, 2010, 08:38:50 PM »
@superhacker,

Thank you so much, superhacker. If users that come here regularly start to follow these routine methods, they will gradually learn more about malware and malware cleansing, and that is what this is all about.

One thing one should always avoid is to delete malware when it is flagged; one exception is when a very dangerous file-infector like virut is found, all at once start cleansing in SafeMode and then in most cases we are beyond help, superhacker told us that the DrWeb av CD might be some help, but there is no cure there, alas. In other cases it is best to see what kind of virus is found; it could be a real virus, then the best thing is to quarantine it, and it is completely secure in the avast chest or in mbam quarantine etc.; it can be let out in case of a real False Positive, and especially if that file is a system file that is needed to let your OS work. So what next? We gonna upload our alleged malware file to virustotal.com or jotti. If the scanners there find only one example, that could mean two things: it is a probable False Positive (always ask on the forums) or a new undetected zero-day virus (you were so lucky it was found). If we know the name of the malware we gonna look on google like "malware so-and-so removal" and we get a malware cleansing routine from geeks2go or an analysis from Prevx or a write-up of the virus from Sophos; best thing if we find an analysis and a malware cleansing instruction: what to delete (files), what processes to halt and delete (if malware) and what to alter in the registry (values and keys). Always make a copy of the registry in case something goes wrong, so you can put that back. Sometimes you cannot eliminate the malware just like that, because the malware is put back by the inner workings of a process on Windows, or every time at reboot, or by System Restore, and you have to try in SafeMode or with a temporary disabling of System Restore (this works on most trojans). Sometimes really effective process and BHO and dll-killers are necessary (as help from people that know, here). Give them logs from Freefixer and ComboScript and MBAM etc.

You could also analyze an executable (best done within a sandbox, with a computer that is not connected to the Internet). Learn to analyze a file with sysinternal's tool FileAlyzer, or know all about the inner workings of a file with a hex editor like Hexview from Fundux software; open the file for forensics.
Also very good for analyzing executables is a nice resource analyzing program like the Australian tool from 2002, ResHacker: http://rpi.net.au/~ajohnson/resourcehacker. With Resource Hacker you could even take the bad bits out of the malware, or the malcode out of all of the code....
To maneuver files out, use a proggie like Replacer.
Always communicate with people here that are "in the know", then also upload your suspect and questionable files to the avast developers to better detect and make their product even better, so we can help each other fighting malicious code and the makers thereof, the malcreants,

polonus
« Last Edit: February 13, 2010, 08:46:38 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline superhacker
Re: Malware removal guide
« Reply #2 on: February 13, 2010, 08:42:19 PM »
Thanks to you, polonus; without you I would not be able to write these instructions.
Can I call myself a malware fighter now? ::)

Offline polonus
Re: Malware removal guide
« Reply #3 on: February 13, 2010, 09:00:15 PM »
Hi malware fighters,

And that is also meant for you, superhacker. I always start my posts that way, so that is obvious: I always wrote for the malware fighters here. The nicest thing about all the activities here is that you inspire others. I had some forum members that I inspired, and then they went to malware cleansing Universities to be trained as eliminators. Some learned to work on online analysis on their own at http://www.hijackthis.de/
and then looked up individually all the processes and items they got from Freefixer logs. Also someone learned to analyze process tasks from online evaluation here: http://www.backgroundtask.eu/Systeemtaken/Scan.php (it is in English, and you should try it out; mind to check all the processes with hashes online to be absolutely certain you have the right evaluation). Use this program to deeply check on all that starts up on your comp: http://www.niksoft.at/download/startdreck.htm
But I really like the manual cleansing routines: write them out in Notepad, then print them and have them next to the infested computer to do the manual cleansing step by step. Keep up the good work, folks,

polonus

Offline superhacker
Re: Malware removal guide
« Reply #4 on: February 13, 2010, 09:05:08 PM »
Quote
Use this program to deeply check on all that starts up on your comp: http://www.niksoft.at/download/startdreck.htm
Does it get more than autoruns? I think autoruns is the best in this area.

Offline polonus
Re: Malware removal guide
« Reply #5 on: February 13, 2010, 09:41:32 PM »
Hi superhacker,

It is different, and so the two complement each other. The tool was actually made by a malware fighter. Try it out; I always say: "The proof of the pudding is in the eating". This tool is only meant to be used by Professionals, because we hope Professionals may know what they are doing. It shows you a really Awful Long List of Windows AutoStart methods ;-)

polonus

Offline superhacker
Re: Malware removal guide
« Reply #6 on: February 14, 2010, 01:19:24 AM »
So I will consider this topic to be for both professionals and newbies. So now I will talk about some analyzer tools that come from the Safer Networking company, www.safer-networking.org
Safer Networking tools
We won't talk about S&D, but about FileAlyzer, RegAlyzer and RunAlyzer.
A. FileAlyzer: a very good tool for static analysis. Why?
1. MD5, CRC32, SHA1 CHECKSUMS: all those checksums are located in the General tab.
2. The possibility of knowing the programming language that the malware was programmed in.
3. Simple resource editor: and it's good that it has separate MD5 and CRC32 sections.
4. PE Header: should be used by geek programmers ("the assembler guys; I love you, assembly").
5. Simple disassembler: I prefer using OllyDbg.
6. Import/export table: shows you which system APIs the malware uses and, if found, the functions that the malware exports ("we see that in the case of rogue AVs").
7. Hex editor: we use the hex editor to get more information about the names of the created files and registry keys, the websites the malware updates itself from, ...... We will talk in detail about hex editors later.
8. INI viewer: really good; it removes the confusion about .ini files and .inf files, i.e.: the autorun.inf file of a malware contains a lot of characters ("to confuse the analyzer"), so FileAlyzer removes the confusion.
9. Those are the most important things.
"Give me an example, please."
OK, here is an example:

The win32:nebuler-h[trj] static analysis: winwrv32.dll
1. The file is programmed with VC++ 6, SO it is a high-level-language virus; more importantly, the file is not packed.
2. We will not enter the disassembler section, since we said it is a static analysis.
3. Resource editor: doesn't help here.
4. Import/export table: the file imports functions from advapi32.dll/kernel32.dll/shlwapi.dll/user32.dll.
5. HEX EDITOR: press "list strings" and six tabs will appear; we need GUIDs, URLs, FileName and Registry Locations.
By comparing the I/E table with the contents of the tabs we will know the malware's behavior ("not in detail"), but an overall image will be created in our mind, and from it another image of the objects that require repairs.

B. RegAlyzer: an advanced regedit tool.
It's easy to understand what it is all about, but the really good thing is the Bookmarks menu; it leads you to areas you would have to search a lot to find, like: Internet settings, TCP/IP settings, the MS configuration area, .......
It lacks the registry backup function, so you can't back up the registry.

C. RunAlyzer: here is the magic: you can save the current system autoruns configuration to a .reg file, and its log is very, very good ("I don't know why no one uses this tool").
It gives you:
1. Processes list
2. Autorun entries
3. Advanced startups
4. Services
5. Winsock LSPs
6. Scheduled tasks
7. Explorer plugins (very hard to read, oh my God)
8. Installed software
9. HOSTS
So, as you can see, it is one of the best tools you can use; in my arsenal its code name is "the agent".

So, as we see, those tools are provided for free by the Safer Networking company.
Thanks, Patrick Michael Kolla, and we wish you good luck with your love ("he always asks us to wish him and her good luck").
I hope this may help the people who want to be malware fighters; all are welcome to contribute their knowledge.



Offline polonus
Re: Malware removal guide
« Reply #7 on: February 14, 2010, 01:30:32 AM »
Hi superhacker,

What we should not forget to check online is a source for CLSIDs: http://www.sysinfo.org/bholist.php
http://www.autohotkey.com/docs/misc/CLSID-List.htm
http://www.systemlookup.com/lists.php?list=1
because there are over 6000 of them, and which one is malware we like to establish without a doubt.
So we have to go online, find a term, a name of a dll, an entry from a log, then see what is written about it there, what victims have reported, and so we get more and more good information and real knowledge about the malware at hand, what it does, and so how to remove it,

An example of some adware: http://www.systemlookup.com/lists.php?list=1&type=clsid&search={00000185-C745-43D2-44F1-01A1C789C738}%09&s=

polonus
« Last Edit: February 14, 2010, 02:12:06 AM by polonus »

Offline superhacker
Re: Malware Simple Analyzing and Removal Guide
« Reply #8 on: February 22, 2010, 05:36:05 PM »
To effectively remove Trojans you should know how they work. So, if you are a Trojan that likes to be bad, to hide from your enemy and to be tricky with the anti-malware, what do you do?

A. Installation:
1. In general, Trojans install themselves in c:\windows or c:\windows\system32.
2. If I am a DLL Trojan, I will probably be named with a random name on every machine, to make removal harder.
3. If I am a .exe Trojan, I will hide myself using the "hidden" and "system" attributes.
4. I will drop myself in less-suspected folders like c:\program files\windows media player.
B. Spreading:
1. I will copy myself to all available partitions and removable media with autorun.inf files.
C. Payload:
I will name the payloads that don't go away by removing the Trojan:
1. Compromises network security
2. Compromises system security
3. Disables services
4. Modifies the HOSTS file
5. Modifies the system registry
6. Disables System Restore
7. ..................................
D. Protecting myself:
Yes, some good guys like polonus or essexboy will be glad to remove me, so I will protect myself against them and their tools ("I don't name superhacker because I am the Trojan now").
1. I will modify the HOSTS file and the registry to block the user from entering security vendors' websites.
2. I will terminate (or try to) the existing antivirus, or the analysis tools ("debuggers, monitoring tools, ......").
3. I will use rootkit methods to hide myself.
4. I will run myself as a service.
5. I will change the policies on the system, so the user won't be able to use the standard system tools to get rid of me.
6. I will pack myself ("though comodo won't miss that: it flags any packed program as suspicious, but I don't think there is anybody running comodo antivirus").
7. I will make myself trusted by the great Windows Firewall.
8. I will disable safe boot.
9. So, am I protected or not? ("There are more advanced things to do, but the article is for the good guys, and I don't like the bad guys to learn from here.")

What should polonus and essexboy do?
After you give us some basic information they will ask you for more. In the case of myself as the virus, aka superhacker ("I am kidding"), we will make countermeasures against my bad protection ("yes, you have to trust yourself").
Anti 1. I will try to do a scan for newly modified files: search for unfamiliar names with a modification date just before the payload began ("if you are infected today, search for files modified from one night earlier onwards").
And if you can't enter avast.com, remember you can enter softpedia or download.com, ..... so you can download security tools ("try to download files hosted by the download sites; for example, if you have to choose between downloading avast from its website or from softpedia, choose softpedia").
Anti 2. The virus is not an antivirus, so it will not search the files like an antivirus does, but it will scan for names ("for example, gmer will be terminated by me, but I will not terminate game.exe"), so renaming the tools on a clean system and then reusing them on the infected system will be good.
Anti 3. Use game.exe to find rootkits ("I mean gmer").
Anti 4. You should terminate the Trojan, then use a security tool like HijackFree to disable the service.
Anti 5. After terminating me and disabling my run on every boot, you should fix the policies using dial a fix or xpy.
Anti 6. No benefit from the packing, as you don't know how to debug, and anyway I have been terminated and disabled.
Anti 7. You will need to modify the Windows Firewall settings and remove my trust.
Anti 8. Here polonus will give you a text and tell you that you need to save it as a .reg file under the name fixsafeboot.reg, then run it.
Anti 9. You can do anything.

Tools WE use in this case
I suggest that you have security tools in one of your partitions, named like "game, web, myself, folks, ......", and make a text file that explains every name.
1. procexp: to know the running executables.
2. autoruns: to know where the Trojan is launched from ("winlogon, Run, startup folder, ........").
3. A good free Windows explorer ("because the original explorer has some restrictions because of me; glary has a good file explorer integrated into it").
4. gmer: to reveal rootkits.
5. FileASSASSIN: to delete my files.
6. dial a fix or xpy: to fix the damage.
7. Maybe using SysInspector will ease things for you, but not HijackFree or OTL, since reading their logs is hard for a normal user.
8. RegASSASSIN: to delete my bad registry modifications.
9. ccleaner: to do a system cleaning.
10. After all that, a Dr.Web scan will be good to ensure you are clean. But wait: you have to download Dr.Web from a download site, and no download site offers you Dr.Web from its own server, and you can't go to the Dr.Web site, so what to do, what to do, what to do?
I found it: fix your HOSTS file; there are a lot of them.
11. Now run the Dr.Web scan.
12. As you see my payloads, trying to fix them will be good ("SpywareBlaster has good tools to make a snapshot of the system settings, so get it and make a clean snapshot").

So the simple analysis and removal contains:
1. Startup
2. Files
3. Processes
4. Area of payload ("you feel them when using the PC, so write them to a notepad file")

You've finished; congratulations, you have now removed a powerful virus programmed by superhacker ("believe me, if you follow the steps you can really remove me from your system"), and as a Trojan I am not easy, and mbam will not be able to delete me, as you can't run it or even download mbam ("so my power is more than the kido worm's, and you can simply remove me").
Here I will be happy to give you a name: "SH+ TROJAN REMOVER 3 STARS".
It means that you can repair systems that contain Trojans ("of course not all of them, but day by day you may become better than me; who knows?!").
Hey, there are other things to becoming an RMF ("real malware fighter"): keep reading security websites; viruslist.com is so good, and the Symantec website is also good ("every security vendor has a security site that talks about viruses").
And learning a programming language, to apply your removal in a real simple anti-malware, will be so good ("I advise Python at first, if the Trojan is a user-mode Trojan"); it is powerful, easy and flexible.
Remember that you can remove a powerful Trojan, and while you read this last line a cybercriminal has launched his Trojan, and he thinks you can't remove it.
Of course you have a middle finger and something to say to the cybercriminal!!
"Point at him and tell him he is a bad one."
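The two countermeasures in "Anti 1" (scan for files modified since the infection began, and repair a HOSTS file that blocks the vendor sites), as an added Python example that is not from the post. The vendor list, the sample HOSTS text and the demo directory are constructed for the example; the hidden+system attribute filter only works on Windows, where os.stat exposes st_file_attributes:

```python
import os
import tempfile
import time

# Vendor domains a hijacked HOSTS file typically targets; constructed for the demo,
# extend it with whatever the infected machine can no longer reach.
VENDOR_DOMAINS = ("avast.com", "malwarebytes.org", "superantispyware.com", "drweb.com",
                  "freedrweb.com", "softpedia.com", "download.com", "gmer.net")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed HOSTS content: the normal localhost lines plus hijack entries.
HOSTS_SAMPLE = """# constructed sample, not a real HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com
127.0.0.1       malwarebytes.org www.malwarebytes.org
203.0.113.5     download.drweb.com   # silently redirected elsewhere
192.168.1.10    fileserver.lan
"""


def _is_vendor(name):
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def audit_hosts(text):
    """Return (findings, cleaned_text).

    findings: list of (line_no, line, reason). Lines mapping a security vendor
    domain are commented out in cleaned_text (a HOSTS file should never name
    them); other non-loopback mappings are reported for review but kept."""
    findings, kept = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop trailing comment, tokenise
        if len(parts) < 2:
            kept.append(raw)
            continue
        ip, names = parts[0], [n.lower() for n in parts[1:]]
        hits = [n for n in names if _is_vendor(n)]
        if hits:
            findings.append((line_no, raw, "blocks/redirects security vendor: " + ", ".join(hits)))
            kept.append("# [hosts-audit removed] " + raw)
        elif ip not in LOOPBACK and not all(n == "localhost" for n in names):
            findings.append((line_no, raw, "non-loopback mapping, review manually"))
            kept.append(raw)
        else:
            kept.append(raw)
    return findings, "\n".join(kept) + "\n"


HIDDEN, SYSTEM = 0x2, 0x4  # FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM


def recently_modified(root, since, hidden_system_only=False):
    """Paths under root with mtime >= since (epoch seconds), sorted.

    With hidden_system_only=True only files carrying both the hidden and system
    attributes are kept; that information exists only on Windows, so elsewhere
    the filter excludes everything rather than guessing."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to report
            if st.st_mtime < since:
                continue
            if hidden_system_only:
                attrs = getattr(st, "st_file_attributes", 0)
                if (attrs & (HIDDEN | SYSTEM)) != (HIDDEN | SYSTEM):
                    continue
            hits.append(path)
    return sorted(hits)


def build_demo_tree():
    """Constructed directory for the demo: one fresh file, one backdated by a month."""
    root = tempfile.mkdtemp(prefix="hosts_demo_")
    new_path = os.path.join(root, "winwrv32.dll")
    old_path = os.path.join(root, "old_driver.sys")
    for p in (new_path, old_path):
        with open(p, "wb") as fh:
            fh.write(b"\x00")
    month_ago = time.time() - 30 * 86400
    os.utime(old_path, (month_ago, month_ago))
    return {"root": root, "new": new_path, "old": old_path, "since": time.time() - 3600}


if __name__ == "__main__":
    for line_no, line, reason in audit_hosts(HOSTS_SAMPLE)[0]:
        print("line %d: %s  <- %s" % (line_no, line.strip(), reason))
    demo = build_demo_tree()
    print("modified in the last hour:", recently_modified(demo["root"], demo["since"]))
```

On a real machine, feed audit_hosts the contents of %SystemRoot%\system32\drivers\etc\hosts and write cleaned_text back only after reading the findings.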

Offline superhacker
Re: Malware Simple Analyzing and Removal Guide
« Reply #9 on: February 23, 2010, 06:00:58 PM »
What about the ThreatExpert Memory Scanner?!
It is a tool to detect malware ("just detect; until now it doesn't contain removal techniques").
You download the tool and you notice the small size of the downloaded file ("1.44 MB"), so you can download it even if you are on a dial-up connection.
You run the installer; it takes a second to install the program.
You launch the tool and you see a nice GUI, containing 3 tabs to control the whole program:
1. Memory scan:
Here you can see the overall security level of your system and the scan statistics ("the program scans only the system memory, not the HDD or anything else"). The View Report button shows you an HTML page when the scan is finished; the report gives you a summary of the scan.
2. Submit Sample:
Here you can submit the viruses detected in your system to the PC Tools lab.
3. Settings:
There are 3 options: one disabled, one enabled, and one that tells you that you can't change it ("because it is still beta").
The first option:
Scan hidden processes:
It will scan for malware that depends on rootkit technology to hide itself ("like kavos"), BUT if it sees a hidden process that contains no malicious code, the tool won't tell you about it.
I.e.: when you have Ashampoo Firewall there is an option to hide the firewall's process ("Memory Scanner won't tell you about Ashampoo Firewall").
Comprehensive Heap Scan: PLEASE DISABLE THIS OPTION. WHY?
Because if you run Windows Defender or MSE you will get false positives ("not just with Windows Defender or MSE, but maybe with other anti-malware too").

So where can I use this tool?
You use it to know if the system is infected with a widespread malware ("of course not all malware, just the famous families").
You can't use this tool to remove viruses, and it has been a beta since ("in your current version, look at the digital signature") 22 February 2008,
but it will tell you what malware is running, and that's good enough, since there are multiple removers for the famous families.

Offline polonus
Re: Malware Simple Analyzing and Removal Guide
« Reply #10 on: February 25, 2010, 08:57:09 PM »
Hi malware fighters,

In the video below you are shown how to analyze the contents of an .exe file.
Why should you do such a thing? Because there are a lot of viruses that come protected against AV (Anti Virus) solutions, and therefore cannot be traced,
and then you still could establish yourself whether you deal with malcode or not.

http://scanner.novirusthanks.org
has an option to read the ASCII code of a particular .exe.

In the video here it is shown how to get to ASCII code of a particular trojan/worm:

http://www.security.nl/artikel/28318/1/De_inhoud_van_een_executeable_bekijken.html

The ASCII code also has a part that is non-crypted.
A malcreant crypter ("critter") does not always crypt all and every string.
And through ASCII one can find out what is non-crypted.
Here in this part the video is not particularly clear and this part was hidden
to see what part has been selected by the maker of it.

http://live.sysinternals.com/strings.exe < tool to watch strings inside a binary file.

But a real malware analyzer will use a hex viewer or a debugger.
Especially via a debugger one could also recognize strings that do not consist of ASCII.
With a bit of experience one soon will find the evil/suspicious bits.

This only goes for weakly encrypted bits, because it is not possible to get readable code and data from an executable that uses an encryption mechanism of its own.
The only readable code is the encryption algorithm.

But again also when encryption of this form has been used one can trace what happens.
Remind that the code itself has to be encrypted to run and the application must read it
without further ado (only humans have a little trouble there).
By putting a breakpoint behind the decrypt routine, or by reverse engineering the decrypt routine, one could analyze the remainder of the code.

But there are additional solutions/tools/apps; use Wireshark for instance to get info on a particular botnet IP... manual and special filters for display and capture, and how to save them:
http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
In Dutch, please translate with google translate....
http://www.ngn.nl/ngn/weblogs/joke-snelders/wireshark-wireless-display-en-capture-filters/?waxtrapp=jekrviBsHyoOtvOXEoBdBP

N.B. Explicit warning for those without some experience in this field. Running decompressors/decryptors and playing with a debugger should be done in a special environment, for instance a virtual machine or the sandboxed malzilla tool,
and one should never make any outside contact to a network e.g. Internet.

You see that most decompressors/decryptors will run the malcode live,
without letting you actually know,

polonus
« Last Edit: February 26, 2010, 11:52:34 PM by polonus »
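polonus's point that a crypter often leaves strings only weakly obscured, so that strings.exe misses them but a little more work recovers them, as an added Python example that is not from the post. It brute-forces a single-byte XOR key, the simplest such scheme, and reports only decodes that expose recognisable artifacts; the sample bytes and the key 0x5A are constructed for the demo:

```python
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Artifact markers a decoded string must contain before a key is trusted;
# this keeps the 255 candidate keys from each reporting printable noise.
MARKERS = ("http://", "https://", ".exe", ".dll", "C:\\", "HKEY_", "SOFTWARE\\")


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def visible_strings(data):
    """What a plain strings dump shows: printable ASCII runs of 6+ characters."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def recover_xor_strings(data):
    """Try every single-byte key (1..255); return {key: [strings]} for keys whose
    decode reveals marker-bearing strings that the plain dump does not contain."""
    already = set(visible_strings(data))
    found = {}
    for key in range(1, 256):
        new = [s for s in visible_strings(xor_bytes(data, key))
               if s not in already and any(m in s for m in MARKERS)]
        if new:
            found[key] = new
    return found


# Constructed stand-in for a binary: readable strings followed by a region the
# (hypothetical) crypter XORed with a constructed key, plus a little padding.
KEY = 0x5A
PLAIN = b"This program cannot be run in DOS mode.\x00kernel32.dll\x00GetProcAddress\x00"
HIDDEN = b"\x00http://c2.example.invalid/cmd.php\x00C:\\WINDOWS\\system32\\winwrv32.dll\x00"
SAMPLE = PLAIN + xor_bytes(HIDDEN, KEY) + b"\x00\x00"


if __name__ == "__main__":
    print("plain strings:", visible_strings(SAMPLE))
    for key, strings in recover_xor_strings(SAMPLE).items():
        print("key 0x%02x reveals:" % key, strings)
```

A rolling or multi-byte key defeats this pass, which is the point polonus makes: past that you are back to the decrypt routine itself, with a breakpoint behind it.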

Offline polonus
Re: Malware Simple Analyzing and Removal Guide
« Reply #11 on: February 26, 2010, 09:01:32 PM »
Hi malware fighters,

Another posting on several process explorers. Browse processes with
process hacker: http://sourceforge.net/projects/processhacker/files/

Process Hacker is a free and open source process viewer and memory editor with unique features such as powerful process termination and a Regex memory searcher. It can show services, processes and their threads, modules, handles and memory regions.

Then combine this with the findings of this process scanner: ESET SysInspector:
http://www.eset.com/download/sysinspector.php
Ideal also to be run from a USB stick.... good logs to compare -

To see active processes and accompanying PIDs, just use this at the command prompt:
netstat -ano
How to: http://support.microsoft.com/kb/907980
Use Task Manager and/or ESET SysInspector to verify processes.
This tool can also be used: Silent Runners
get it here: http://www.silentrunners.org/Silent%20Runners.vbs
see its use etc. here:
http://www.geekstogo.com/forum/Serious-Malware-Problems-Resolved-t188261.html
And Agics System Scan
http://www.backgroundtask.eu/Systeemscan/Index.php
download: http://www.backgroundtask.eu/Systeemscan/Setup.exe

For info on processes there are several online repositories: just Google the process name, and use a hash and the PID to verify the process; the location of the process also gives away clues as to whether it is probably malware...

polonus

« Last Edit: February 26, 2010, 09:14:30 PM by polonus »
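To make the netstat -ano / process-verification step in the post above concrete, here is an added example in Python (mine, not polonus's, and not code from Process Hacker, ESET SysInspector or Silent Runners). It joins `netstat -ano` output with the PID-to-image-path listing from `wmic process get ExecutablePath,ProcessId`, then flags connections whose owning process has no image path, lives in a user-writable directory such as Temp or Application Data, or holds an established connection to an address outside private/loopback space. The netstat and wmic text embedded in it is constructed sample output (documentation IP ranges, placeholder PIDs), so it runs offline; the `USER_WRITABLE` directory list and `_INTERNAL_NETS` ranges are my own choices, not anything the tools define.

```python
"""Triage `netstat -ano` output against process image paths.

Added example for this thread, not code from any tool named in it. The two
text blobs are CONSTRUCTED sample output in the layout of `netstat -ano` and
`wmic process get ExecutablePath,ProcessId`; paste real output in their place.
"""
import hashlib
import ipaddress
import re

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1034      192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:1099      203.0.113.7:6667       ESTABLISHED     2212
  TCP    192.168.1.10:1100      198.51.100.9:80        ESTABLISHED     1580
  UDP    0.0.0.0:500            *:*                                    1020
"""
WMIC_SAMPLE = r"""
ExecutablePath                                                   ProcessId
                                                                 4
C:\WINDOWS\system32\svchost.exe                                  884
C:\WINDOWS\system32\lsass.exe                                    1020
C:\Program Files\Mozilla Firefox\firefox.exe                     1580
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe   2212
"""

_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_WMIC_RE = re.compile(r"^(.*?)\s*(\d+)\s*$")   # path is everything before the PID column

# RFC 1918, loopback, link-local and unspecified; anything else counts as "outside".
# (Assumption of this example: ipaddress.is_private would also hide the 203.0.113.0/24
# documentation range used in the sample, so we keep our own list.)
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]
# Directories a genuine service binary has no business living in (my own list).
USER_WRITABLE = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\application data\\",
                 "\\local settings\\", "\\recycler\\", "\\recycled\\")

def parse_netstat(text):
    """One dict per TCP/UDP line: proto, local, remote, state ('' for UDP), pid."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid)})
    return conns

def parse_process_paths(text):
    """Map PID -> image path ('' when wmic reports none, e.g. the System process)."""
    paths = {}
    for line in text.splitlines():
        m = _WMIC_RE.match(line)
        if m:
            paths[int(m.group(2))] = m.group(1).strip()
    return paths

def is_external(addr):
    """True if 'host:port' points outside private/loopback/link-local space."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or a hostname
        return False
    return not any(ip in net for net in _INTERNAL_NETS)

def triage(conns, paths):
    """Attach reasons to every connection worth a second look."""
    findings = []
    for c in conns:
        path = paths.get(c["pid"], "")
        reasons = []
        if c["pid"] not in paths:
            reasons.append("no process found for this PID (exited, or hidden by a rootkit)")
        elif not path and c["pid"] != 4:   # PID 4 is the System process and has no image
            reasons.append("process reports no image path")
        if any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("image runs from a user-writable location")
        if c["state"] == "ESTABLISHED" and is_external(c["remote"]):
            reasons.append("established connection to outside host " + c["remote"])
        if reasons:
            findings.append({"pid": c["pid"], "path": path, "remote": c["remote"],
                             "reasons": reasons})
    return findings

def sha256_of(path, chunk=1 << 20):
    """Hash the image so it can be looked up in an online repository."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

if __name__ == "__main__":
    for f in triage(parse_netstat(NETSTAT_SAMPLE), parse_process_paths(WMIC_SAMPLE)):
        print("PID %(pid)5d  %(path)s  ->  %(remote)s" % f)
        for r in f["reasons"]:
            print("           - " + r)
```

Run it as-is to see the constructed case; on an infected machine paste the real command output into the two sample strings. A hit only means "look closer": the Firefox connection in the sample is flagged purely because it is outbound, so hash the image with `sha256_of()` and check hash, path and PID against the online repositories the post mentions before killing anything.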

Offline polonus

Re: Malware Simple Analyzing and Removal Guide
« Reply #12 on: March 02, 2010, 12:07:42 AM »
Hi malware fighters,

There is also a whole repository of specific anti-malware lore, especially on packers etc., from the world of the reverse engineering community (I refer to the late great Fravia, +ORC, Woodman), to be found here: http://tsehp.cjb.net/

Fravia's (the master that taught polonus to search on the Internet) legacy can be found here:
http://www.searchlores.org/

Some of these gurus have really developed very important anti-malware tools, like Giorgio Maone:
http://forums.informaction.com/viewforum.php?f=3
On these forums polonus is active under the nick "luntrus"

As long as the knowledge/lore is online and accessible, the malcreant can reckon that he will not proceed on his malicious way unhindered,

polonus
« Last Edit: March 02, 2010, 12:09:15 AM by polonus »

Offline superhacker

Re: Malware Simple Analyzing and Removal Guide
« Reply #13 on: March 18, 2010, 01:51:55 PM »
HijackFree tool:
It is a tool designed to help with manual malware removal.
In some areas it is better than others, and in other areas other tools are better.
The GUI is fairly simple and contains:
processes: interactive display of currently running processes, with options to terminate, delete the process file, ...
ports: shows you open ports used by applications
autoruns: shows you the programs that start with your Windows
services: shows you services with details
others: IExplore addons, LSP, HOSTS, ActiveX
quarantine: the files you have quarantined


Working with the program is easy for both advanced and novice users "who usually get infected"; the interactive display makes it simpler to fix than other tools.
There is an option to analyze the report online "we miss this in the current tools", and a button to make a report of "processes, autoruns, compatible HJT report, XML-based report".


HijackFree is better than OTL in the areas of:
1. ports: OTL doesn't allow you to see open ports
2. AN IMPORTANT STARTUP METHOD USED BY REALLY TRICKY MALWARE: Active Setup. "When I was 16 years old I saw this method used by malware for the first time, and I gave my friend a simple trojan that used this method, and he failed to detect where the trojan started from." "It was a test trojan and not used for bad things, as we are malware fighters and we do some research by ourselves."
3. Winsock LSP files
4. more tricky startup methods forgotten by OTL
OTL is better than HijackFree in:
1. showing files created/modified
2. showing installed apps in the extra report
3. programs allowed to access the Internet through the Windows Firewall "HijackFree covers that in the ports section"

I think HijackFree is easier to use than OTL since the removal is so interactive, and it is supported by a very good company in fighting malware,
so I recommend replacing OTL with this tool.
Dreams don't die, they just fall asleep.

Offline superhacker

Re: Malware Simple Analyzing and Removal Guide
« Reply #14 on: April 26, 2010, 06:41:10 PM »
How to fix Safe Boot?
If you use Vista, XP, 2000 or Server 2003:
save the file to your desktop (or wherever), then rename it to a .reg extension, then launch it, click OK and you're done.