The ORT Thread (aka Sea Turtle Thread)

Perhaps a prescan 'tick'/option by the tech to allow any one of TeamViewer, LMI, IHC, or SC, at the tech's choosing?

(I can't find any real data on this utility on YouTube or even Google, so I will have to experiment with a VM; its advisories make it sound rather 'Combofix'-like, and perhaps reserved for when other utilities/disinfection procedures aren't working, perhaps just before resorting to an N&P?)
 
ORT is designed to run without the need for an internet connection, and it actually resets a lot of networking inside of Windows -- and even if I did not close the RAS tool, I think the connection to the PC would be lost or interrupted.

My original goal with ORT was to prepare a PC for malware removal by cleaning out temp files, removing common PUPs, and repairing network settings. Most techs don't do remote malware removals, but if the feature is in demand, I'll add accommodations for the most requested RAS tools first.

I put out heavy warnings because ORT doesn't have an "undo" button; it just deletes. As I mentioned above, its niche is as a prep tool for other utilities. ORT should be a healthy blend of Rkill/Unhide/JRT functionality. I have added and will continue to add more advanced and specialized features to ORT, but preparing a PC for disinfection is always the focus.
 
Howdy!

ORT has some updates that will be coming out within a month, including a deeper cleaning of IE and definition updates (including updates for the annoying "windows.exe" fake BSoD malware).

In the meantime, I gave the www.oakslabs.com homepage a face lift. As much as I liked the 1995 feel of the old homepage, it was time for something new.

I've seen a few cases where AVs are actually blocking the whole www.oakslabs.com website. I believe I know the cause of this, and I'm working on a solution (which will involve changing how ORT is compiled). I'll keep everyone updated on this.

I'm also curious, how is everyone liking ORT? Does anyone have any feature suggestions? Has it been working well? I'd love to hear your thoughts!
 
You might also be able to put the download behind password protection - even something as simple as a password of "ORT" to access a download page might help keep it from being picked up by google & other website scans.
 
I've thought of this -- but that would block automated downloads of ORT (which I use in a little utility called AMR: The Automatic Malware Removal, which will become public soon!).

The main thing that is not liked by AV/Heuristics is how my compiler compresses and packs the executable. I plan on doing this manually, which has a much lower detection rate.

Otherwise, I plan on creating a "wrapper" for ORT, where I'll encrypt the application ORT.exe, and roll the decryption tool, key, and the encrypted version of ORT into a new .exe (also called ORT.exe) and keep the same icon. The end users won't see a difference, but it will look a lot less suspicious to AVs, because the AV won't see anything besides a data file and a decryption tool.
 
Wouldn't have to block automated downloads from your own tool at all - the file would still be there. All it'd do is get rid of any direct crawlable links to the file.

Anyway, maybe something to keep in mind if there's a problem with future builds.
 
I used this tool yesterday for the first time. After running the tool I performed a repair re-installation of Win10. After that I reinstalled the user's Office client and Outlook could no longer find the user's PST files. Microsoft creates these by default in the user's \appdata\local\microsoft\outlook folder. When I checked manually that folder no longer contained the original outlook.pst file.

I don't know if the ORT tool or the Win10 reinstall (saving user files) caused the PST files to go missing. Before proceeding with the ORT tool I copied the entire user profile folder to an external hard disk so it was a simple matter to recover the files.

I just wanted to let you know that Outlook is a totally screwed up application and keeps all its settings and files in the appdata folder and none in the traditional user documents folder.
 
ORT does not remove anything from the Microsoft sub-folder in any of the AppData folders. My main test location for ORT is my regular job, and over the past ~2 years ORT has been run on ~2,000-2,500 PCs, and no similar issues have been reported. While I don't want to blame Microsoft without a fair trial, I know of several computers that did not have any problems with Outlook after running ORT.

Backups are your friend!
 
Build 122 has been released. This has a few minor definition updates, but it mainly addresses the issues with ORT.exe and the entire website looking malicious. The problem isn't 100% fixed, but it's better now.
 
Just went to check out the site and MaxFocus Web Protection is blocking it.

On the first page of this thread, I have a link to the Tor Browser. I host my own .exe files, and that causes issues with certain AVs and web filters (and it would block the .exe download even if you could see the page). I've tried to make everything less false-positive prone, but my best advice is to tunnel through your security applications (until I can get some magic solution working).
 
I was able to download the ort.exe through Firefox after some slight finagling :)
I can tell you now both VoodooShield and Emsisoft have issues with the lil tool.
Once whitelisted it refused to be moved to a thumb drive, strange, could be residual effects of being in quarantine though. I will reboot and try to move it again. PeAcE
 
Build 124 is on www.oakslabs.com and is ready for download! This is a big UI overhaul, and it also includes 2k+ new definitions. I also added a new feature: ORT will now reset Windows services to their default settings (i.e. automatic, delayed, manual, etc).

I also removed the un-hiding of user data. It would take too long to run, and it would freeze in some circumstances. The tool Unhide.exe does a fine job of this, and if anyone is heartbroken about this, I'll be releasing a beta of a new malware removal framework that does zero touch and lite touch malware removals.

As always, feel free to send feature requests and feedback my way.
 
Build 126 is published. It is a false positive fix; a .NET optimization service was being removed. From all the testing and research I've done, removing this service does not actually affect anything (which is why I'm not issuing a patch/fix/repair). Just to be on the safe side, please make sure to download the latest version of ORT!
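Since Build 124 resets service start types and Build 126 fixed a case where a service was being removed outright, a tech running a no-undo cleanup tool wants a record of what actually changed. The following is an added example, not part of ORT or of any post in this thread: it snapshots Windows service start types to CSV before and after a run and diffs the two. The log folder and file names are assumptions chosen for illustration.

```powershell
# Added example (not ORT's code): snapshot service start types before running
# a cleanup tool, snapshot again afterwards, and report what changed.
# Folder and file names below are assumptions for illustration.

function Save-ServiceSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Win32_Service exposes StartMode (Auto/Manual/Disabled/Boot/System)
    # and, on current Windows builds, DelayedAutoStart for "Automatic (Delayed)".
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, StartMode, DelayedAutoStart, State, PathName |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceSnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $bMap = @{}; foreach ($s in (Import-Csv $Before)) { $bMap[$s.Name] = $s }
    $aMap = @{}; foreach ($s in (Import-Csv $After))  { $aMap[$s.Name] = $s }

    # Services present before but gone afterwards (e.g. a false-positive removal)
    foreach ($name in $bMap.Keys) {
        if (-not $aMap.ContainsKey($name)) {
            [pscustomobject]@{ Service = $name; Change = 'Removed'
                               Before = $bMap[$name].StartMode; After = $null }
        }
        elseif ($bMap[$name].StartMode -ne $aMap[$name].StartMode -or
                $bMap[$name].DelayedAutoStart -ne $aMap[$name].DelayedAutoStart) {
            [pscustomobject]@{ Service = $name; Change = 'StartModeChanged'
                               Before = "$($bMap[$name].StartMode) (delayed=$($bMap[$name].DelayedAutoStart))"
                               After  = "$($aMap[$name].StartMode) (delayed=$($aMap[$name].DelayedAutoStart))" }
        }
    }
    # Services that appeared only after the run
    foreach ($name in $aMap.Keys) {
        if (-not $bMap.ContainsKey($name)) {
            [pscustomobject]@{ Service = $name; Change = 'Added'
                               Before = $null; After = $aMap[$name].StartMode }
        }
    }
}

# Usage (elevated PowerShell; paths are assumptions):
# New-Item -ItemType Directory -Force C:\ORT-logs | Out-Null
# Save-ServiceSnapshot -Path C:\ORT-logs\services-before.csv
# ... run the cleanup tool, reboot if it asks ...
# Save-ServiceSnapshot -Path C:\ORT-logs\services-after.csv
# Compare-ServiceSnapshot -Before C:\ORT-logs\services-before.csv `
#                         -After  C:\ORT-logs\services-after.csv | Format-Table -AutoSize
```

Keeping the "before" CSV alongside the profile backup gives you the start-type values to restore by hand with `Set-Service` if a definition turns out to be a false positive.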
 