Dr-Web Scan Results


theshadow247
July 24th, 2006, 08:28 PM
I am using DrWeb 4.33.2 with Look 'n' Stop 205p3. While scanning with DrWeb I get "process in memory looknstop win32sql slammer 376, action eradicated". This doesn't happen every time I do a scan, but it happens enough to need fixing. This disables my firewall and leaves me without a firewall until I restart it or do a system restart. Any help would be appreciated...

n8chavez
July 24th, 2006, 10:06 PM
Well, I would do a full scan in safe mode. If that doesn't cure the problem, then I would scan with a trial version of another AV, such as NOD32. If the safe-mode thing doesn't work, report the issue to Dr Web. Then you can use LnS.

Nate

theshadow247
July 24th, 2006, 10:28 PM
Thanks for the reply, n8chavez. I already did the safe mode scan and DrWeb still said it was eradicated, and I did a scan with KAV 6.0.300, and KAV never had a problem with Look 'n' Stop. I am waiting for a reply from DrWeb support. Thanks again...

n8chavez
July 24th, 2006, 11:26 PM
{QUOTE-> Thanks for the reply, n8chavez. I already did the safe mode scan and DrWeb still said it was eradicated, and I did a scan with KAV 6.0.300, and KAV never had a problem with Look 'n' Stop. I am waiting for a reply from DrWeb support. Thanks again... <-QUOTE}

I've used that combination before, so I think I might be able to help you. But your problem, or the way you described it, seems a little ambiguous. Can you please try and explain it more clearly? What did Dr Web say was eradicated? What really is the problem with LnS?

I can tell you, based on what you said, that you need to look at this (http://old.antivir.ru/english/inf/news.php?id=293) page from Dialogue Science (Dr Web). Also block UDP port 1434.

Nate

theshadow247
July 24th, 2006, 11:57 PM
When DrWeb starts to scan the memory it finds the win32sql slammer 376, and the action DrWeb takes is to eradicate it, but every so often it comes back. I just tried to scan in safe mode and noticed that Look 'n' Stop doesn't load in safe mode; the first time I didn't notice it. So DrWeb can't find the virus without Look 'n' Stop running. I also looked for the port 1434 but I can't find it. Kaspersky is my main AV that I have used for years, and like I said KAV has never found the virus, but in the short time I have been using DrWeb I have seen this happen a lot. I also scanned with NOD32 and no viruses were found.

n8chavez
July 25th, 2006, 01:16 AM
Please go to the page in my previous post. There is an explanation there as well as instructions that I think would help you. Then report your difficulties and/or findings here.

Also, you might want to try Ewido micro here (http://download.ewido.net/ewido_micro.exe)

Serge Popov
July 25th, 2006, 01:45 AM
{QUOTE-> I am using DrWeb 4.33.2 with Look 'n' Stop 205p3. While scanning with DrWeb I get "process in memory looknstop win32sql slammer 376, action eradicated". This doesn't happen every time I do a scan, but it happens enough to need fixing. This disables my firewall and leaves me without a firewall until I restart it or do a system restart. Any help would be appreciated... <-QUOTE}

This may be regarded as a feature; it depends. This issue has been observed with many different firewalls and proxies (ISA Server, for instance). The infected code is really present in memory, in some buffer inside the firewall, as plain bytes just received. Most likely it's inactive and harmless at this moment if the firewall does its job well. We have no way to distinguish safe and dangerous cases; we just found infected code in memory.

{QUOTE-> Thanks for the reply, n8chavez. I already did the safe mode scan and DrWeb still said it was eradicated, and I did a scan with KAV 6.0.300, and KAV never had a problem with Look 'n' Stop. I am waiting for a reply from DrWeb support. Thanks again... <-QUOTE}

Different AVs use various methods, hence the difference in detection results. Inability to detect infected code (albeit stone cold) can be regarded as a problem as well.

As n8chavez already pointed out, check this (http://old.antivir.ru/english/inf/news.php?id=293) for additional information about Slammer worm.

theshadow247
July 25th, 2006, 01:54 AM
OK, I found port 1434, and the rule is "block all other packets", but I don't know how to block it....

n8chavez
July 25th, 2006, 02:01 AM
{QUOTE-> OK, I found port 1434, and the rule is "block all other packets", but I don't know how to block it.... <-QUOTE}

Just import this rule in your LnS ruleset. Rename to an .rie extension first. Import it towards the top. That should block the UDP port.

theshadow247
July 25th, 2006, 10:09 AM
Thanks, n8chavez, for all your help and the rule. I changed the extension and imported it, and placed the rule at the top. I just did a scan and the same problem is still there. I added the rule the right way...
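Serge Popov's explanation above says the detection fires on Slammer bytes sitting in the firewall's receive buffer, and n8chavez's fix is a rule blocking inbound UDP/1434. One way to check whether such a rule is actually in effect is to audit the firewall's own log for inbound UDP datagrams to port 1434 and see whether any are still allowed. The script below is an added example, not code from the thread, from Dr Web, or from Look 'n' Stop; the log layout it parses is constructed for illustration and is not Look 'n' Stop's real log format, and the 376-byte length it flags is taken only from the detection name quoted in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample firewall log (hypothetical layout, NOT Look 'n' Stop's real
# format): "date time proto direction src:port -> dst:port len=N verdict".
SAMPLE_LOG = """\
2006-07-25 01:16:03 UDP in 203.0.113.7:4321 -> 192.168.1.10:1434 len=376 ALLOW
2006-07-25 01:16:04 TCP in 203.0.113.9:51000 -> 192.168.1.10:445 len=60 BLOCK
2006-07-25 01:16:05 UDP in 198.51.100.2:1434 -> 192.168.1.10:1434 len=376 BLOCK
2006-07-25 01:16:06 UDP out 192.168.1.10:1025 -> 192.168.1.1:53 len=70 ALLOW
2006-07-25 01:16:07 UDP in 203.0.113.7:4321 -> 192.168.1.10:1434 len=120 ALLOW
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) (?P<direction>in|out) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"len=(?P<length>\d+) (?P<verdict>ALLOW|BLOCK)$"
)

SLAMMER_PORT = 1434  # SQL Server resolution service over UDP; the port the thread says to block
SLAMMER_LEN = 376    # datagram length named in the thread's detection "win32sql slammer 376"


@dataclass(frozen=True)
class Finding:
    """One inbound UDP/1434 datagram as recorded by the firewall."""
    ts: str
    src: str
    length: int
    verdict: str

    @property
    def slammer_sized(self) -> bool:
        return self.length == SLAMMER_LEN


def parse_line(line: str):
    """Return the fields of a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_udp_1434(log_text: str) -> list:
    """Collect every inbound UDP datagram addressed to port 1434, whatever the verdict."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the audit
        if rec["proto"] != "UDP" or rec["direction"] != "in":
            continue
        if int(rec["dport"]) != SLAMMER_PORT:
            continue
        findings.append(Finding(rec["ts"], rec["src"], int(rec["length"]), rec["verdict"]))
    return findings


def summarize(findings: list) -> dict:
    """Counts a user would look at to decide whether the block rule is really applied.

    rule_effective is True only when port 1434 traffic was seen AND none of it was
    allowed; with no traffic at all the log says nothing either way.
    """
    allowed = [f for f in findings if f.verdict == "ALLOW"]
    return {
        "inbound_udp_1434": len(findings),
        "allowed": len(allowed),
        "blocked": len(findings) - len(allowed),
        "slammer_sized_allowed": sum(1 for f in allowed if f.slammer_sized),
        "rule_effective": bool(findings) and not allowed,
    }


if __name__ == "__main__":
    for key, value in summarize(audit_udp_1434(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

If the summary shows allowed inbound UDP/1434 datagrams after the rule was imported, the rule is not matching (wrong position, wrong direction, or wrong protocol in the ruleset); if everything is blocked and the scanner still reports the detection, the bytes it finds were buffered before the rule took effect or are being held by a different component, which is the case Serge Popov describes.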