tuctaxi

Oreans32 and AVS DVD Player


Hello. Every time I run a scan after using AVS DVD Player I keep getting detections of Unclassified.Oreans32, in both the registry and files. It is more than obvious that these detections have something to do with the use of this program. I also sent the possible detections via SAS's reporting utility over a week ago, but I didn't get any response or notice any change in my scanning results. AVS DVD Player seems quite a serious program to me and I doubt that it is carrying some sort of bad software or code. Are you sure that something is wrong with it?


I am glad that you brought this up.

This file was part of an infection here: http://www.castlecops.com/postx162898-0-15.html . It turned out to be a normal file being exploited by malware.

There does appear to be a lot of conflicting information about this file. It may indeed be malware.

Where does SAS say the file is located?

Is it C:\WINDOWS\system32\drivers\oreans32.sys?

That is where I found it.


If you know that file is part of your DVD software, you can just add it to the trusted/allowed list when it is detected - it IS used by many infections - we find it on many systems that have nothing but infections.


So it may be a legitimate file, but it may also be malware.

How can I be sure that it is part of AVS DVD Player and not malware?

Can we get any clue from a scan's log file?

SUPERAntiSpyware Scan Log

Generated 10/28/2006 at 10:45 PM

Application Version : 3.3.1020

Core Rules Database Version : 3115

Trace Rules Database Version: 1139

Scan type : Quick Scan

Total Scan Time : 00:05:34

Memory items scanned : 393

Memory threats detected : 0

Registry items scanned : 550

Registry threats detected : 25

File items scanned : 6164

File threats detected : 1

Unclassified.Oreans32

HKLM\System\ControlSet001\Services\oreans32

C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS

HKLM\System\CurrentControlSet\Services\oreans32

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#*NewlyCreated*

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath

HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count

HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance


This: http://www.oreans.com/themida.php seems to be the source of the file in question.

It is a file used in both legit and malicious decompilation prevention.

We are seeing it a lot because the bad guys know that we (the good guys) like to hex-edit their malware. This prevents us from getting much out of that. That is why we do memory snapshot hex-editing.

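Added example, not from this thread and not code from SUPERAntiSpyware, AVS or Oreans: a PowerShell triage script for the earlier question (how to tell whether the flagged driver belongs to the DVD software) and for the last post's point that the same protector driver turns up in both legitimate and malicious installs. It reads the service key that the scan log lists, normalises the driver's ImagePath, reports whether the driver is currently loaded, hashes the file, checks its Authenticode signature and version resource, and measures the file's byte entropy as a rough packed-code indicator. It assumes Windows and an elevated PowerShell 3 or later; the service name and the default path are taken from the log, and the entropy ranges quoted in the comments are this example's rule of thumb, not a published threshold.

```powershell
# Added example (not from the original thread or any product named in it).
# Triage a kernel-driver service flagged by a scanner, here the oreans32
# service from the scan log. Assumes Windows, an elevated PowerShell (v3+ for
# Get-CimInstance/Get-FileHash), and the service name/default path shown in the log.
param([string]$ServiceName = 'oreans32')

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $svcKey)) { "No service key for '$ServiceName'; nothing to triage."; return }
$svc = Get-ItemProperty -Path $svcKey

# Type 1 = SERVICE_KERNEL_DRIVER; Start 0..4 = boot/system/auto/demand/disabled.
$startNames = @{ 0 = 'BOOT_START'; 1 = 'SYSTEM_START'; 2 = 'AUTO_START'; 3 = 'DEMAND_START'; 4 = 'DISABLED' }
"Service   : $ServiceName"
"Type      : $($svc.Type) (1 = kernel driver)"
"Start     : $($svc.Start) ($($startNames[[int]$svc.Start]))"
"ImagePath : $($svc.ImagePath)"

# Driver ImagePath values are often relative to %SystemRoot% or carry an NT
# prefix (\??\ or \SystemRoot\); normalise to a Win32 path before touching the file.
$img = "$($svc.ImagePath)" -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
if (-not $img) { $img = "System32\drivers\$ServiceName.sys" }   # default location seen in the log
if (-not [IO.Path]::IsPathRooted($img)) { $img = Join-Path $env:SystemRoot $img }
if (-not (Test-Path $img)) { "Driver file not found: $img"; return }

# Is the driver loaded right now? Kernel drivers do not appear in Get-Service; ask CIM.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name = '$ServiceName'"
"Loaded    : $(if ($drv) { $drv.State } else { 'unknown' })"

# Identity of the on-disk file: hash (for lookups or submission to the vendor),
# Authenticode status, and the version resource the publisher embedded.
$file = Get-Item -Path $img
$hash = (Get-FileHash -Algorithm SHA256 -Path $img).Hash
$sig  = Get-AuthenticodeSignature -FilePath $img
$ver  = $file.VersionInfo
"Path      : $($file.FullName)"
"Size      : $($file.Length) bytes, last written $($file.LastWriteTime)"
"SHA-256   : $hash"
"Signature : $($sig.Status)$(if ($sig.SignerCertificate) { ' by ' + $sig.SignerCertificate.Subject })"
"Version   : company='$($ver.CompanyName)' product='$($ver.ProductName)' desc='$($ver.FileDescription)'"

# Shannon entropy of the whole file. In this example's experience an ordinary
# compiled driver lands roughly in the 5 to 6.5 bits/byte range; a packed or
# encrypted image (what a protector such as Themida produces) pushes towards 8.
# This is a hint about packing, not evidence of malicious intent.
$bytes  = [IO.File]::ReadAllBytes($img)
$counts = New-Object 'int[]' 256
foreach ($b in $bytes) { $counts[$b]++ }
$entropy = 0.0
foreach ($c in $counts) {
    if ($c -gt 0) { $p = $c / $bytes.Length; $entropy -= $p * [Math]::Log($p, 2) }
}
"Entropy   : {0:N2} bits/byte" -f $entropy
```

Reading the output: a version resource or signer naming the protector vendor rather than the DVD software vendor is consistent with the explanation above (the driver ships with the protection, not with the player) and does not by itself settle whether the program that installed it is benign; the same file is dropped by protected malware. What does settle it is which application loads it, so correlate the file's LastWriteTime with the player's install date, uninstall the player and re-scan, and keep the SHA-256 for the vendor report. On Windows XP an unsigned driver was normal, so a NotSigned status alone is not evidence either way.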
