oreans32

[CeeCee]

I noticed that in Device Manager, under "non-plug and play drivers", there's entry named "oreans32" with exclamation mark on it. There's exclamation mark, because i don't got file oreans32.sys on System32/drivers folder. Anyway, there's still oreans32 service entries in registry.

 

I read that this oreans32 might be spyware/virus. I just wonder that can i remove that entry from Device Manager and also those reg. entries?

[Humpty]

Had a google around as well Cee Cee but came up with nothing conclusive.

 

If you post a Hijackthis log Andy or rridgely may be able sort it for you.

[CeeCee]

If you post a Hijackthis log Andy or rridgely may be able sort it for you.

No, no. I know that my system is clean. I just wonder what that 'oreans32' is and that can i remove it's entries.

[MikeW]

This is the genuine software that set and uses oreans32.

 

http://www.oreans.com/

 

And another user with the same = false posative

 

http://forums.spybot.info/showthread.php?t=10762

[CeeCee]

This is the genuine software that set and uses oreans32.

??

[MikeW]

??

 

 

Woops, links there now

[AndyManchesta]

oreans32 is part of Themida protection

 

http://www.oreans.com/themida.php

 

Its used in quite alot of programs such as games to prevent piracy, it is also being used by some trojans like backdoor IRCBots as they can make it alot harder for the files to be analysed by preventing people reverse engineering or dissembling the files and also by preventing them being run in a virtual environment

 

If you do not still have the oreans32.sys file on your system then it's fine to remove its service but make sure the file doesnt exist first as the program that added it will not start if the service is missing,

 

Goto Start > Run > Search

Click All Files and Folders

Then scroll down to More Advanced options and place a check next to Search system folders, Search hidden files and folders and Seach subfolders

Then scroll back up to the All or part of the file name: area and enter this to be searched for then click Search

 

oreans32.sys

 

If its found then leave the service in place but if its not then goto start > run > and type

 

sc delete oreans32

 

Press OK and you will just notice the cmd screen open then close and the service will be removed on the next reboot

 

Andy

[CeeCee]

I still wonder why i got those entries, but NOT that oreans32.sys file...? Could it be that some spyware remover identified this oreans32 as spyware, and removed that oreans32.sys from my system and left those entries behind?

 

Also wonder why this oreans32 was installed in first place? And what installed it?

 

Does anyone else got this oreans32?

 

Quote from another forum: service named "oreans32" with driver "C:\Windows\system32\drivers\oreans32.sys" can be found in "Non-Plug and Play Drivers" section of Device Manager (You have to check "Show hidden devices".)

 

Screenshot from my system: http://xs315.xs.to/xs315/07195/oreans32.jpg

[AndyManchesta]

Its really not possible to say what installed it but it may of been a program or game you installed at some stage then removed and it may of left the oreans32 service behind,

 

It's possible a spyware remover added it to their database so it was removed on your system but the file and service is harmless as its a genuine program, like alot of things though its starting to be abused by trojan writers as it also helps them to avoid being detected by Antivirus companies so some vendor may of added it by mistake.

 

Here's an example of a backdoor IRCbot (rBot) I got yesterday thats packed with Themida

 

STATUS: FINISHEDComplete scanning result of "lol.exe", received in VirusTotal at 05.10.2007, 21:56:38 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.5.10.0 05.10.2007 no virus found

AntiVir 7.4.0.15 05.10.2007 TR/Agent.1376901

Authentium 4.93.8 05.10.2007 no virus found

Avast 4.7.997.0 05.10.2007 no virus found

AVG 7.5.0.467 05.10.2007 no virus found

BitDefender 7.2 05.10.2007 DeepScan:Generic.Malware.G!SKI!!FLMPWX!!BVPkprng.8F04B991

CAT-QuickHeal 9.00 05.10.2007 no virus found

ClamAV devel-20070416 05.10.2007 no virus found

DrWeb 4.33 05.10.2007 no virus found

eSafe 7.0.15.0 05.10.2007 no virus found

eTrust-Vet 30.7.3624 05.10.2007 no virus found

Ewido 4.0 05.10.2007 no virus found

FileAdvisor 1 05.10.2007 No threat detected

Fortinet 2.85.0.0 05.10.2007 no virus found

F-Prot 4.3.2.48 05.10.2007 no virus found

F-Secure 6.70.13030.0 05.10.2007 no virus found

Ikarus T3.1.1.7 05.10.2007 Backdoor.VB.EV

Kaspersky 4.0.2.24 05.10.2007 no virus found

McAfee 5028 05.10.2007 no virus found

Microsoft 1.2503 05.10.2007 no virus found

NOD32v2 2256 05.10.2007 no virus found

Norman 5.80.02 05.10.2007 no virus found

Panda 9.0.0.4 05.10.2007 no virus found

Prevx1 V2 05.10.2007 no virus found

Sophos 4.17.0 05.08.2007 no virus found

Sunbelt 2.2.907.0 05.05.2007 VIPRE.Suspicious

Symantec 10 05.10.2007 no virus found

TheHacker 6.1.6.112 05.10.2007 no virus found

VBA32 3.12.0 05.10.2007 no virus found

VirusBuster 4.3.7:9 05.10.2007 no virus found

Webwasher-Gateway 6.0.1 05.10.2007 Trojan.Agent.1376901

 

Aditional Information

File size: 1376901 bytes

MD5: 3bf608ac273c8df9d2dd66bd0040240f

SHA1: 6fd719fd44de5d2a55be7bdd0bebe508423f1ebe

Bit9 info: http://fileadvisor.bit9.com/services/extin...2dd66bd0040240f

Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

 

If you dont have the file though just delete its service to remove it from your system as its likely just a leftover entry from a program you have used in the past if the file doesnt exist.

 

Andy

[1200]

I don't get the hijack thingy. How do you read it and how to use it?- I never try it before though, maybe I should, when i am off from school:)

[CeeCee]

I removed it.