
How Can I Tell if OREANS32 Is Legitimate or Malware? 2


RexxSysProg

Programmer
Jul 2, 2004
205
US
Autoruns shows me that oreans32 is running on my system. When Autoruns searches online for information about it, it finds (at website bleepingcomputer.com): Legitimate file protection driver from Oreans Technology, that if disabled, will stop the correct operation of legitimate software. Unfortunately, this driver can also be installed by malware that is packed by it, so it should be judged on case by case basis. Can anyone advise me whether this is true and, if so, how can I tell whether this is legitimately on my machine? {perhaps it is being used in conjunction with: AVG Anti-Spyware (free), AVG anti-virus (free), Spy Sweeper and ZoneAlarm (free) which I am running}
 
You can tell if it's legit or not by the location of where the file is supposed to be.

C:\Windows\System32\Drivers\oreans32.sys

If it's in another location besides that, then it's most likely bad.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
That's where Autoruns says it is. So that means it is legitimate and OK. Thanks electronicsfreak for your help.
 
n/p, and thanks for the star!!

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
A couple of other things you can do....

In Windows Explorer, find the file, right-click it, and choose "Properties". Click on the "Version" tab and look at the strings in the file. Typically, software provided by legitimate companies will have information about the company and malware won't. (That's no guarantee, though.)

Install Process Explorer (link). It provides an awful lot of information about running processes, including company name of the author, if known.

Google the filename. For example, using a Google search term oreans32.sys, I discovered a Sophos antivirus page that says although oreans32.sys is itself benign, one trojan installs that software along with its other files. So although oreans32.sys isn't harmful, its unexpected presence may be indicative of a trojan infection.




Want to ask the best questions? Read Eric S. Raymond's essay "How To Ask Questions The Smart Way". TANSTAAFL!
 
Thank you, sleipnir214, for your suggestion. But this is getting more confusing (for me) as this goes along. When I wrote above that Autoruns showed that oreans32 was where it was supposed to be (i.e. where electronicsfreak said it should be) I was looking at Autoruns' image path column. After your post I went to look for it and it is not actually in that directory. The place where it is, is in the Registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services with two folders under it: Enum and Security.
So now I don't understand if this is right or wrong? One more point - Autoruns doesn't find oreans32 on my XP machine; only on my 2K machine.
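The checks the posters describe (service key, Autoruns image path, file location, version strings) can be done in one pass from PowerShell. This is an added example, not from the thread; it assumes the driver is registered as a service under HKLM\SYSTEM\CurrentControlSet\Services, and it uses the Windows rule that a driver service with no ImagePath is loaded from System32\drivers\<service>.sys, which is the path Autoruns displays in that case.

```powershell
# Added example (not from the thread): inspect a driver service entry, resolve
# its image path, and report on the file on disk if one exists.
param([string]$ServiceName = 'oreans32')

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $key)) { Write-Output "No service key for $ServiceName"; return }

$svc = Get-ItemProperty -Path $key
Write-Output ("Start type : {0}  Type : {1}" -f $svc.Start, $svc.Type)
$imagePath = $svc.ImagePath
Write-Output "ImagePath  : $imagePath"

if ($imagePath) {
    # Driver paths are often written relative to the Windows directory or prefixed
    # with \??\ or \SystemRoot\; normalise them to a plain file system path.
    $p = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    $resolved = $p
} else {
    # No ImagePath: Windows (and Autoruns' image path column) default to this location.
    $resolved = Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
}
Write-Output "Resolved   : $resolved"

if (Test-Path $resolved) {
    # Same data as the Explorer "Version" tab, plus the Authenticode signer and a hash
    # that can be looked up against vendor or AV references.
    $vi  = (Get-Item $resolved).VersionInfo
    $sig = Get-AuthenticodeSignature $resolved
    Write-Output ("Company    : {0}" -f $vi.CompanyName)
    Write-Output ("Product    : {0}" -f $vi.ProductName)
    Write-Output ("Signature  : {0}  Signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
    Write-Output ("SHA256     : {0}" -f (Get-FileHash $resolved -Algorithm SHA256).Hash)
} else {
    # The situation in this thread: a service entry remains but the driver file is gone.
    Write-Output "File not found on disk: orphaned service entry without a driver file"
}
```

Run it from an elevated prompt; an orphaned entry whose file is missing is reported explicitly rather than silently treated as "in the right place".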
 
Along with eyec and sleipnir214's suggestions, do you have an antivirus program on your machine?

Granted, these aren't always the most reliable (as it seems all anti-virus programs have their downfalls), but you can try to scan your machine for free with:


Below has a review of anti-virus programs:


If you don't have an anti-virus program now, I suggest (as would most forum members) you invest in one (or 2, however many PC's you have).
 
Sorry, the above post was supposed to say electronicfreak instead of eyec.
 
Sorry, sleipnir214, I missed that Advanced Tab. I'll look at what else (besides the above) is in the registry when I get home.
As for looking at "properties" in Explorer, the file does not exist, at least as far as My Computer display tells me. I don't know what Autoruns means by showing that directory as an image path (can someone explain that to me?). My Computer display of that disk (C:\WinNT\System32\Drivers\) does not show oreans32.sys.

TFG13: I am running AVG (free version) (as well as Spy Sweeper and AVG anti-spyware). But I'll run Trend Micro as you suggested.
 
Nothing on Sophos Advanced Tab is in the machine, except for the oreans32 entry by itself as I said above (in the HKLM in the registry).

Couldn't get TrendMicro's Housecall to load and run. I seem to recall having this problem a year ago, which is why I stopped trying to use it. It just says it's "loading House Call kernel" but never loads.
 
Disable your antivirus and anti-spyware while running it. It should run then.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Disabling the anti-virus and anti-spyware made no difference. It starts the pre-scan and just loops. One time it made it to start the scan but then never finished it - just looped forever.
 