tuctaxi, posted October 28, 2006
Hello. Every time I run a scan after using AVS DVD Player I keep getting detections of Unclassified.Oreans32, both in the registry and in files. It is more than obvious that these detections have something to do with the use of this program. I also sent the possible detections via SAS's reporting utility over a week ago, but I didn't get any response or notice any change in my scanning results. AVS DVD Player seems quite a serious program to me and I doubt that it is carrying some sort of bad software or code. Are you sure that something is wrong with it?
nosirrah, posted October 28, 2006
I am glad that you brought this up. This file was part of an infection here: http://www.castlecops.com/postx162898-0-15.html. It turned out to be a normal file being exploited by malware. There does appear to be a lot of conflicting information about this file. It may indeed be malware. Where does SAS say the file is located? Is it C:\WINDOWS\system32\drivers\oreans32.sys? That is where I found it.
SUPERAntiSpy, posted October 28, 2006
If you know that file is part of your DVD software, you can just add it to the trusted/allowed list when it is detected - it IS used by many infections - we find it on many systems that have nothing but infections.
tuctaxi, posted October 28, 2006
So it may be a legitimate file, but it may also be malware. How can I be sure that it is part of AVS DVD Player and not malware? Can we get any clue from a scan's log file?

SUPERAntiSpyware Scan Log
Generated 10/28/2006 at 10:45 PM
Application Version : 3.3.1020
Core Rules Database Version : 3115
Trace Rules Database Version: 1139
Scan type : Quick Scan
Total Scan Time : 00:05:34
Memory items scanned : 393
Memory threats detected : 0
Registry items scanned : 550
Registry threats detected : 25
File items scanned : 6164
File threats detected : 1

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#*NewlyCreated*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance
nosirrah, posted October 28, 2006
Use this site to see what the current consensus is: http://www.virustotal.com/en/indexf.html. Browse to C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS and click submit.
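To pull the on-disk files and the service names out of a scan log like the one tuctaxi posted, so you know which files to hash and look up on VirusTotal and which service entries to inspect, here is an added Python example; it is not from the thread or from SUPERAntiSpyware, and the trimmed sample log inside it is constructed from the paths quoted above.

```python
import re

# Constructed sample in the scan-log layout quoted in the thread (trimmed; paths as reported there).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 10/28/2006 at 10:45 PM
Scan type : Quick Scan
Registry threats detected : 25
File threats detected : 1

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
"""

REG_KEY = re.compile(r"^HK(LM|CU|CR|U|CC)\\", re.I)        # registry trace
FILE_PATH = re.compile(r"^[A-Za-z]:\\")                     # on-disk trace
# The service that loads the file: ...\Services\<svc> or ...\Enum\Root\LEGACY_<SVC>
SERVICE_NAME = re.compile(r"\\(?:Services\\|Enum\\Root\\LEGACY_)([^\\#]+)", re.I)

def parse_scan_log(text):
    """Group each detection's traces into files, service names and a registry-key count."""
    results, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        # Header lines carry a colon ("Scan type : Quick Scan"); so do drive paths, so
        # only colon lines that are not a drive path are treated as header and skipped.
        if not line or line.startswith("SUPERAntiSpyware") or (":" in line and not FILE_PATH.match(line)):
            continue
        if REG_KEY.match(line) and current:
            results[current]["registry_keys"] += 1
            m = SERVICE_NAME.search(line)
            if m:
                results[current]["services"].add(m.group(1).lower())
        elif FILE_PATH.match(line) and current:
            results[current]["files"].add(line)
        elif not (REG_KEY.match(line) or FILE_PATH.match(line)):
            current = line  # a detection name such as Unclassified.Oreans32
            results.setdefault(current, {"files": set(), "services": set(), "registry_keys": 0})
    return results

def kernel_drivers(results):
    """Files that load as kernel drivers: the first items to hash and submit for a second opinion."""
    return sorted(f for e in results.values() for f in e["files"]
                  if f.lower().endswith(".sys") and "\\drivers\\" in f.lower())

if __name__ == "__main__":
    found = parse_scan_log(SAMPLE_LOG)
    for name, e in found.items():
        print(name, e["registry_keys"], "registry keys;", sorted(e["services"]), sorted(e["files"]))
    print("kernel drivers to hash and look up:", kernel_drivers(found))
```

The service names it extracts (here oreans32) tell you which HKLM\SYSTEM\CurrentControlSet\Services entry's ImagePath to compare against the file the scanner flagged.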
tuctaxi, posted October 29, 2006
It seems that my PC is not infected! Thank you all!
nosirrah, posted October 30, 2006
This: http://www.oreans.com/themida.php seems to be the source of the file in question. It is a file used in both legit and malicious decompilation prevention. We are seeing it a lot because the bad guys know that we (the good guys) like to hex-edit their malware. This prevents us from getting much out of that. That is why we do memory snapshot hex-editing.