CeeCee Posted May 9, 2007
I noticed that in Device Manager, under "non-plug and play drivers", there's an entry named "oreans32" with an exclamation mark on it. There's an exclamation mark because I don't have the file oreans32.sys in the System32/drivers folder. Anyway, there are still oreans32 service entries in the registry. I read that this oreans32 might be spyware/virus. I just wonder whether I can remove that entry from Device Manager and also those reg. entries?
Humpty Posted May 10, 2007
Had a google around as well, Cee Cee, but came up with nothing conclusive. If you post a HijackThis log, Andy or rridgely may be able to sort it for you.
CeeCee Posted May 10, 2007 (Author)
> If you post a HijackThis log, Andy or rridgely may be able to sort it for you.
No, no. I know that my system is clean. I just wonder what that 'oreans32' is and whether I can remove its entries.
MikeW Posted May 10, 2007
This is the genuine software that sets and uses oreans32: http://www.oreans.com/
And another user with the same = false positive: http://forums.spybot.info/showthread.php?t=10762
CeeCee Posted May 10, 2007 (Author)
> This is the genuine software that sets and uses oreans32.
??
MikeW Posted May 10, 2007
> ??
Whoops, links are there now.
AndyManchesta Posted May 10, 2007
oreans32 is part of Themida protection: http://www.oreans.com/themida.php
It's used in quite a lot of programs, such as games, to prevent piracy. It is also being used by some trojans like backdoor IRCBots, as it can make it a lot harder for the files to be analysed by preventing people reverse engineering or disassembling the files and also by preventing them being run in a virtual environment.

If you do not still have the oreans32.sys file on your system then it's fine to remove its service, but make sure the file doesn't exist first, as the program that added it will not start if the service is missing.

Go to Start > Run > Search
Click All Files and Folders
Then scroll down to More Advanced options and place a check next to Search system folders, Search hidden files and folders and Search subfolders
Then scroll back up to the All or part of the file name: area, enter this to be searched for, then click Search:
oreans32.sys

If it's found then leave the service in place, but if it's not then go to Start > Run > and type
sc delete oreans32
Press OK and you will just notice the cmd screen open then close, and the service will be removed on the next reboot.

Andy
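The same check Andy describes (confirm the driver file is really gone before deleting the service), as an added PowerShell example that is not from this thread or from any of the posters. It assumes the service name and driver path given in the thread; the -Remove switch, the registry key layout it reads and the Win32_SystemDriver query are the example's own choices, and it must be run from an elevated prompt.

```powershell
<#
Added example (not from the thread): decide whether the 'oreans32' kernel
driver service is an orphan (registry entry present, driver file missing)
before removing it. Service name and file path come from the thread;
everything else is an assumption. Nothing is deleted unless -Remove is given.
#>
param(
    [string]$ServiceName = 'oreans32',
    [switch]$Remove
)

$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $regKey)) {
    Write-Host "No service key for '$ServiceName'; nothing to do."
    return
}

$svc = Get-ItemProperty -Path $regKey
Write-Host "Service key found. Type=$($svc.Type) Start=$($svc.Start) ImagePath=$($svc.ImagePath)"

# Candidate locations for the driver binary: the registered ImagePath
# (often relative to the Windows directory, or prefixed with '\??\')
# and the default drivers folder named in the thread.
$candidates = @(Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys")
if ($svc.ImagePath) {
    $p = $svc.ImagePath -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    $candidates += $p
}
$found = $candidates | Where-Object { Test-Path $_ } | Select-Object -Unique

if ($found) {
    # The file exists, so something on this machine still uses it: leave the
    # service alone. Record a hash so the file can be compared against a
    # known-good copy or submitted to a multi-engine scanner if in doubt.
    foreach ($f in $found) {
        $h = Get-FileHash -Algorithm SHA256 -Path $f
        Write-Host "Driver present: $f  SHA256=$($h.Hash)"
    }
    Write-Host "Leaving '$ServiceName' in place."
    return
}

Write-Host "Driver file not found; '$ServiceName' is an orphaned service entry."
# Win32_SystemDriver lists kernel drivers, which Get-Service does not show.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($drv) { Write-Host "State reported by the service control manager: $($drv.State)" }

if ($Remove) {
    # Call sc.exe explicitly: inside PowerShell, plain 'sc' is an alias for Set-Content.
    & sc.exe delete $ServiceName
    Write-Host "Delete requested; the entry disappears after the next reboot."
} else {
    Write-Host "Re-run with -Remove to delete it (equivalent to: sc.exe delete $ServiceName)."
}
```

Save it as a .ps1 and run it once without -Remove to see what it finds; the hash it prints for a present file is what you would compare with a scanner report such as the one posted later in this thread.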
CeeCee Posted May 11, 2007 (Author)
I still wonder why I got those entries, but NOT that oreans32.sys file...? Could it be that some spyware remover identified this oreans32 as spyware, removed that oreans32.sys from my system and left those entries behind? I also wonder why this oreans32 was installed in the first place, and what installed it? Does anyone else have this oreans32?

Quote from another forum:
> service named "oreans32" with driver "C:\Windows\system32\drivers\oreans32.sys" can be found in "Non-Plug and Play Drivers" section of Device Manager (You have to check "Show hidden devices".)

Screenshot from my system: http://xs315.xs.to/xs315/07195/oreans32.jpg
AndyManchesta Posted May 11, 2007
It's really not possible to say what installed it, but it may have been a program or game you installed at some stage and then removed, and it may have left the oreans32 service behind. It's possible a spyware remover added it to their database so it was removed on your system, but the file and service are harmless as it's a genuine program. Like a lot of things though, it's starting to be abused by trojan writers, as it also helps them to avoid being detected by antivirus companies, so some vendor may have added it by mistake.

Here's an example of a backdoor IRCbot (rBot) I got yesterday that's packed with Themida:

STATUS: FINISHED
Complete scanning result of "lol.exe", received in VirusTotal at 05.10.2007, 21:56:38 (CET).

Antivirus / Version / Update / Result
AhnLab-V3 / 2007.5.10.0 / 05.10.2007 / no virus found
AntiVir / 7.4.0.15 / 05.10.2007 / TR/Agent.1376901
Authentium / 4.93.8 / 05.10.2007 / no virus found
Avast / 4.7.997.0 / 05.10.2007 / no virus found
AVG / 7.5.0.467 / 05.10.2007 / no virus found
BitDefender / 7.2 / 05.10.2007 / DeepScan:Generic.Malware.G!SKI!!FLMPWX!!BVPkprng.8F04B991
CAT-QuickHeal / 9.00 / 05.10.2007 / no virus found
ClamAV / devel-20070416 / 05.10.2007 / no virus found
DrWeb / 4.33 / 05.10.2007 / no virus found
eSafe / 7.0.15.0 / 05.10.2007 / no virus found
eTrust-Vet / 30.7.3624 / 05.10.2007 / no virus found
Ewido / 4.0 / 05.10.2007 / no virus found
FileAdvisor / 1 / 05.10.2007 / No threat detected
Fortinet / 2.85.0.0 / 05.10.2007 / no virus found
F-Prot / 4.3.2.48 / 05.10.2007 / no virus found
F-Secure / 6.70.13030.0 / 05.10.2007 / no virus found
Ikarus / T3.1.1.7 / 05.10.2007 / Backdoor.VB.EV
Kaspersky / 4.0.2.24 / 05.10.2007 / no virus found
McAfee / 5028 / 05.10.2007 / no virus found
Microsoft / 1.2503 / 05.10.2007 / no virus found
NOD32v2 / 2256 / 05.10.2007 / no virus found
Norman / 5.80.02 / 05.10.2007 / no virus found
Panda / 9.0.0.4 / 05.10.2007 / no virus found
Prevx1 / V2 / 05.10.2007 / no virus found
Sophos / 4.17.0 / 05.08.2007 / no virus found
Sunbelt / 2.2.907.0 / 05.05.2007 / VIPRE.Suspicious
Symantec / 10 / 05.10.2007 / no virus found
TheHacker / 6.1.6.112 / 05.10.2007 / no virus found
VBA32 / 3.12.0 / 05.10.2007 / no virus found
VirusBuster / 4.3.7:9 / 05.10.2007 / no virus found
Webwasher-Gateway / 6.0.1 / 05.10.2007 / Trojan.Agent.1376901

Additional Information
File size: 1376901 bytes
MD5: 3bf608ac273c8df9d2dd66bd0040240f
SHA1: 6fd719fd44de5d2a55be7bdd0bebe508423f1ebe
Bit9 info: http://fileadvisor.bit9.com/services/extin...2dd66bd0040240f
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

If you don't have the file though, just delete its service to remove it from your system, as it's likely just a leftover entry from a program you have used in the past if the file doesn't exist.

Andy
1200 Posted May 12, 2007
I don't get the HijackThis thingy. How do you read it and how do you use it? I never tried it before, though; maybe I should, when I am off from school :)
CeeCee Posted May 15, 2007 (Author)
I removed it.