look'n'stop.exe = Win32.SQL.Slammer.376 (Dr.Web CureIt)

Discussion in 'LnS English Forum' started by fred22, Feb 11, 2008.

Thread Status:
Not open for further replies.
  1. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    i recently reinstalled lns 2.06, downloaded from original site

    http://www.soft4ever.com/LooknStop/En/LooknStop_Setup_206.exe

    since i didn't have any AV scanner i tested Dr.Web.CureIt with latest updates
    and this came up:

    http://i32.tinypic.com/126fudw.jpg


    a scan @ virustotal comes up clean

    http://www.virustotal.com/analisis/99e498346bc41a18d48a3ac2ded465e9

    a scan @ virusscan.jotti also clean


    can anyone pls confirm it's a FP or at least try Dr.Web CureIt and test this

    thx in advance
     


    Last edited: Feb 11, 2008
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I had the same detection by Drweb cureit a couple of days ago but that was for PCtools firewall (which has Look'n'stop engine)
    I didn't remember the name of the malware reported by Cureit then, but now it all comes back to me reading your post.
    I didn't know for sure that it was a false positive or not, but I think it was a FP since I could not reproduce the alert with a snapshot taken a couple of hours before. And I don't know how I could have been infected within that time period.

    I now have LnS installed.
    I just downloaded the new Cureit and it did indeed find slammer.
    I notice that Drweb cureit finds the "malware" in memory, not the file.
    I did a custom scan with Cureit and looknstop.exe and it didn't find anything (neither does Avast antivirus or PrevxCSI.)
    I have not been warned that something is trying to modify looknstop.exe in memory.
    I think that it is a false positive. I am sure that if other LnS users did a scan with DRWeb cureit, their Looknstop.exe would also be "eradicated"
     
    Last edited: Feb 11, 2008
  3. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    looks like they fixed it -- CureIt

    thx for reply sukarof,

    it's CureIt for sure, i have a clean install here

    anyway i updated both cureit.exe and drweb-cureit.exe and it's all good again :)

    check the virus definitions

    previous screenshot ^^ = 2008-02-11(12:40) 301002

    updated cureit/drweb-cureit.exe = 2008-02-11(21:25) 302423

    all clean again
    :)
     


  4. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    I used to get this fairly frequently. I run DrWEB and Look N Stop firewall side by side. It's something in memory which DrWEB picks up when I open the scanner and it does a memory scan. Even putting LooknStop's exe in the DrWEB exclude list doesn't stop this. The only solution I came up with was to uncheck memory scanning...:rolleyes: :D
     
  5. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    The problem could come from blocked packets added to the log if these packets contain the signature of Win32.SQL.Slammer.376.

    You can try to purge the log, or to remove the alert attribute on some rules to verify that.

    Regards,

    Frederic
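
Added example (not from the thread and not Look 'n' Stop or Dr.Web code): a small Python model of the explanation above, showing how a memory scan can flag a firewall process whose file scans clean, and how purging the log clears the hit. The signature bytes, the `FirewallProcess` class and its methods are constructed for illustration; that only alert-flagged rules copy packet payloads into the log is an assumption drawn from the suggestion above.

```python
from collections import deque

# Constructed stand-in for an AV byte signature; NOT real Slammer bytes.
SIGNATURE = b"\xde\xad\xbe\xefSIGNATURE-PLACEHOLDER"

class FirewallProcess:
    """Hypothetical firewall model: static image plus in-memory packet log."""
    def __init__(self, image, log_size=100):
        self.image = image                 # same bytes as the on-disk .exe
        self.log = deque(maxlen=log_size)  # payloads of blocked packets

    def block_packet(self, payload, alert=True):
        # Assumption: only rules with the alert attribute log the payload.
        if alert:
            self.log.append(payload)

    def purge_log(self):
        self.log.clear()

    def regions(self):
        """Yield (name, bytes) pairs the way a memory scanner walks them."""
        yield "image", self.image
        for i, payload in enumerate(self.log):
            yield f"log[{i}]", payload

def scan_file(image):
    """On-disk scan: only the executable image is inspected."""
    return SIGNATURE in image

def scan_memory(proc):
    """Memory scan: return the names of all regions holding the signature."""
    return [name for name, data in proc.regions() if SIGNATURE in data]

def triage(proc):
    """Classify a detection by where in the process the signature sits."""
    hits = scan_memory(proc)
    if not hits:
        return "clean"
    if "image" in hits:
        return "investigate: signature in executable image"
    return "likely false positive: only in logged packet data " + ",".join(hits)

if __name__ == "__main__":
    fw = FirewallProcess(image=b"MZ" + b"\x00" * 64)  # constructed image
    fw.block_packet(b"\x04\x01" + SIGNATURE)          # constructed packet
    print(scan_file(fw.image), triage(fw))
    fw.purge_log()
    print(triage(fw))
```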
     
  6. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    i just ditched drweb, i'm not gonna test every single rule

    thanks anyway
     