Dr-Web Scan Results

Discussion in 'other anti-virus software' started by theshadow247, Jul 24, 2006.

Thread Status:
Not open for further replies.
  1. theshadow247

    theshadow247 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    323
    Location:
    ontario.canada
    I am using drweb 4.33.2 with look-n-stop 205p3. While scanning with drweb I get process in memory looknstop win32sql slammer 376. Action eradicated. This doesn't happen every time I do a scan but it happens enough to need fixing. This disables my firewall and leaves me without a firewall until I restart it or do a system restart. Any help would be appreciated...
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,304
    Location:
    Location Unknown
    Well, I would do a full scan in safe mode. If that doesn't cure the problem then I would scan with a trial version of another AV, such as NOD32. If the safe-mode thing doesn't work, report the issue to Dr Web. Then you can use LnS.

    Nate
     
    Last edited: Jul 24, 2006
  3. theshadow247

    theshadow247 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    323
    Location:
    ontario.canada
    Thanks for the reply, n8chavez. I already did the safe mode scan and drweb still said it was eradicated. And I did a scan with KAV 6.0.300, and KAV never had a problem with looknstop. I am waiting for a reply from drweb support. Thanks again...
     
  4. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,304
    Location:
    Location Unknown
    I've used that combination before so I think I might be able to help you. But your problem, or the way you described it, seems a little ambiguous. Can you please try and explain it more clearly? What did Dr Web say was eradicated? What really is the problem with LnS?

    I can tell you, based on what you said, that you need to look at this page from Dialogue Science (Dr Web). Also block UDP port 1434.

    Nate
     
    Last edited: Jul 24, 2006
  5. theshadow247

    theshadow247 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    323
    Location:
    ontario.canada
    When drweb starts to scan the memory it finds the win32sql slammer 376, and the action drweb does is to eradicate it. But every so often it comes back. I just tried to scan in safe mode and noticed that looknstop doesn't load in safe mode; the first time I didn't notice it. So drweb can't find the virus without looknstop running. I also looked for the port 1434 but I can't find it. Kaspersky is my main AV that I have used for years, and like I said, KAV has never found the virus. But in the short time I have been using drweb I have seen this happen a lot. I also scanned with NOD32 and no viruses were found.
     
  6. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,304
    Location:
    Location Unknown
    Please go to the page in my previous post. There is an explanation there as well as instructions that I think would help you. Then report your difficulties and/or findings here.

    Also, you might want to try Ewido micro here
     
  7. Serge Popov

    Serge Popov AV Expert

    Joined:
    Feb 10, 2006
    Posts:
    41
    This may be regarded as a feature; it depends. This issue has been observed with many different firewalls and proxies (ISA Server, for instance). The infected code is really present in memory, in some buffer inside the firewall, as plain bytes just received. Most likely it's inactive and harmless at this moment if a firewall does its job well. We have no way to distinguish safe and dangerous cases; we just found infected code in memory.

    Different AVs use various methods, hence the distinction in detection results. Inability to detect infected code (albeit stone cold) can be regarded as a problem as well.

    As n8chavez already pointed out, check this for additional information about the Slammer worm.
     
  8. theshadow247

    theshadow247 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    323
    Location:
    ontario.canada
    OK, I found port 1434, and the rule is block all other packets. But I don't know how to block it....
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,304
    Location:
    Location Unknown
    Just import this rule in your LnS ruleset. Rename to an .rie extension first. Import it towards the top. That should block the UDP port.
     
  10. theshadow247

    theshadow247 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    323
    Location:
    ontario.canada
    Thanks, n8chavez, for all your help and the rule. I changed the extension and imported it, and placed the rule at the top. I just did a scan and the same problem is still there. I added the rule the right way...
     
    Last edited: Jul 25, 2006