look'n'stop.exe = Win32.SQL.Slammer.376 (Dr.Web CureIt)

Discussion in 'LnS English Forum' started by fred22, Feb 11, 2008.

Thread Status:
Not open for further replies.
  1. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    i recently reinstalled lns 2.06, downloaded from original site

    http://www.soft4ever.com/LooknStop/En/LooknStop_Setup_206.exe

    since i didn't have any AV scanner i tested Dr.Web.CureIt with latest updates
    and this came up:

    http://i32.tinypic.com/126fudw.jpg


    a scan @ virustotal comes up clean

    http://www.virustotal.com/analisis/99e498346bc41a18d48a3ac2ded465e9

    a scan @ virusscan.jotti also clean


    can anyone pls confirm its a FP or atleast try Dr.Web CureIt and test this

    thx in advance
     

    Attached Files:

    Last edited: Feb 11, 2008
    fred22, Feb 11, 2008
    #1
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I had the same detection by Drweb cureit a couple of days ago but that was for PCtools firewall (which has Look´n´stop engine)
    I didnt remember the name of the malware reported by Cureit then, but now it all comes back to me reading your post.
    I didnt know for sure that it was a false positive or not, but I think it was a FP since I could not reproduce the alert with a snapshot taken a couple of hours before. And I dont know how I could have been infected within that time period.

    I now have LnS installed.
    I just downloaded the new Cureit and it did indeed find slammer.
    I notice that Drweb cureit finds the "malware" in memory, not the file.
    I did a custom scan with Cureit and looknstop.exe and it didnt find anything (neither does Avast antivirus or PrevxCSI.)
    I have not been warned that something is trying to modify looknstop.exe in memory.
    I think that it is a false positive. I am sure that if other LnS users did a scan with DRWeb cureit, their Looknstop.exe would also be "eradicated"
     
    Last edited: Feb 11, 2008
    sukarof, Feb 11, 2008
    #2
  3. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    looks like they fixed it -- CureIt

    thx for reply sukarof,

    its CureIt for sure, i have a clean install here

    anyway i updated both cureit.exe and drweb-cureit.exe and its all good again :)

    check the virus definities

    previous screenshot ^^ = 2008-02-11(12:40) 301002

    updated cureit/drweb-cureit.exe = 2008-02-11(21:25) 302423

    all clean again
    :)
     

    Attached Files:

    fred22, Feb 11, 2008
    #3
  4. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    I used to get this fairly frequently. I run DrWEB and Look N Stop firewall side by side. It's something in memory which DrWEB picks up when I open the scanner and it does a memory scan. Even putting LooknStop's exe in the DrWEB exclude list doesn't stop this. The only solution I came up with was to uncheck memory scanning...:rolleyes: :D
     
    Mongol, Feb 12, 2008
    #4
  5. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Hi,

    The problem could come from blocked packets added to the log if these packets contain the signature of Win32.SQL.Slammer.376.

    You can try to purge the log, or to remove the alert attrubute on some rules to verify that.

    Regards,

    Frederic
     
    Frederic, Feb 12, 2008
    #5
  6. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    i just ditched drweb, im not gonna test every single rule

    thanks anyway
     
    fred22, Mar 2, 2008
    #6
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...