Oreans32 and AVS DVD Player

[tuctaxi]

Hello. Everytime I run a scan after using AVS DVD Player I keep getting detections of Unclassified.Oreans32 both in registry and files. It is more than obvious that these detections have something to do with the use of this program. I have also sent the possible detections via SAS's reporting utility over a week ago but I didn't get any response or notice any change at my scanning results. AVS DVD Player seem quite serious a program to me and I doubt that it is carrying some sort of bad software or code. Are you sure that something is wrong with it?

[nosirrah]

I am glad that you brought this up .

This file was part of an infection here : http://www.castlecops.com/postx162898-0-15.html . It turned out to be a normal file being exploited by malware .

There does appear to be a lot of conflicting information about this file . It may indeed be malware .

Where does SAS say the file is located ?

Is it C:\WINDOWS\system32\drivers\oreans32.sys ?

That is where I found it .

[SUPERAntiSpy]

If you know that file is part of your DVD software, you can just add it to the trusted/allowed list when it is detected - it IS used by many infections - we find it on many systems that have nothing but infections.

[tuctaxi]

So it may be a legitimate file but it may be a malware also.

How can I be sure that it is part of AVS DVD Player and not a malware?

Can we get any clue from a scans log file?

SUPERAntiSpyware Scan Log

Generated 10/28/2006 at 10:45 PM

Application Version : 3.3.1020

Core Rules Database Version : 3115

Trace Rules Database Version: 1139

Scan type : Quick Scan

Total Scan Time : 00:05:34

Memory items scanned : 393

Memory threats detected : 0

Registry items scanned : 550

Registry threats detected : 25

File items scanned : 6164

File threats detected : 1

Unclassified.Oreans32

HKLM\System\ControlSet001\Services\oreans32

C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS

HKLM\System\CurrentControlSet\Services\oreans32

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#*NewlyCreated*

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

[nosirrah]

Use this site to see what the current consensus is : http://www.virustotal.com/en/indexf.html .

Browse to C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS and click submit .

[tuctaxi]

It's seems that my PC is not infected! Thank you all!

[nosirrah]

This : http://www.oreans.com/themida.php seems to be the source of the file in question .

It is a file used in both legit and malicious decompilation prevention .

We are seeing it a lot because the bad guys know that we (the good guys) like to hex-edit their malware . This prevents us from getting much out of that . That is why we do memory snapshot hex-editing .