Fixed: win32.downloaderx.hav or falsepositive?



yellow33
2010-03-12, 10:03
Hi,

In the last few days I did some routine scans with various progs (Kaspersky, a-squared, AVG Anti Rootkit, Bitdefender, McAfee Stinger, rootkitbuster, rootkitrevealer, sophos anti rootkit and finally spybot S&D).

No program found anything suspicious, but SS&D found win32.downloaderx.hav in 7 files named 1.tmp to 7.tmp, which are in folder windows/system32.

I checked the tmp-files at virustotal.com and they are totally clean.

I checked the properties of the tmp-files and it says "memsweep kernel driver" and "1989 - 2005 Sophos Plc, www.sophos.com"

So I did some google about it and found out it seems to be part of sophos anti-rootkit.

I moved the files to another folder and scanned again with SS&D and it found nothing. Then I put the files back to system32 and it found win32.downloaderx.hav again.

How does SS&D work? It doesn't seem to scan files by signatures, because it finds something in system32 and nothing when the files are anywhere else.

I looked at the manual removing guide for win32.downloaderx.hav and I didn't find any file or registry entry shown there on my pc.

Can anyone help? Is it a false positive? I sent the files to the admins, but have no answer yet.

thanks

yellow33
2010-03-12, 23:49
May this help someone helping me:

I moved the tmp files out of system32, THEN I started Spybot, THEN I moved the tmp files back to system32, THEN I started a scan AND Spybot found nothing

BUT

When I leave the tmp files in system32, THEN start Spybot, THEN start a scan, it finds the virus

So how does Spybot work? It seems sure that the tmp files are created by sophos anti rootkit, so how can Spybot say it's a virus?

can anyone help?

By the way: there is a code above the message, SBI $453531A6, does this help?

yellow33
2010-03-12, 23:53
something more: I copied the tmp files on my laptop, just put them into system32, started spybot and started a scan, and again spybot found win32.downloaderx.hav

If the files are from sophos, it must be a false positive

tashi
2010-03-13, 01:49
Hello yellow33,

Please see How to report Possible False Positives (http://forums.spybot.info/showthread.php?t=19117)

A detective would respond on Monday. :)

Best regards.

yellow33
2010-03-13, 14:23
one question about reporting a false positive:

I sent the file via this link http://www.safer-networking.org/de/contact/detections.html with a description, and I wrote in German.

Is that ok or must it be in English? By the way, I got no confirmation mail about the successful transfer or something like that. Do they have the request now or must I send it again somewhere else?

yellow33
2010-03-15, 22:10
OK, I'm almost sure now that it's a false positive because:

I installed Sophos AR and Spybot S&D on a clean PC, then I renamed memsweep.sys (inside the program folder of Sophos AR) to 1.tmp and moved it into system32, then I did a scan with Spybot and it found 1.tmp as win32.downloaderx.hav

By the way, there is no answer from the experts yet...
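The triage yellow33 describes in the first post (check the version info, hash the files) and the reproduction in the post above (compare the renamed memsweep.sys with the flagged 1.tmp) can be written down as a small PowerShell helper so the evidence for a false-positive report is collected in one place. This is an added example, not code from the thread, from Spybot or from Sophos; the paths it uses are placeholders, and it assumes only built-in cmdlets (Get-Item, Get-FileHash, Get-AuthenticodeSignature).

```powershell
# Added example (not from the thread): gather the facts a false-positive report needs
# for each flagged file: SHA-256, embedded version info (CompanyName, FileDescription,
# copyright) and Authenticode signature status.
function Get-FpTriageReport {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path
    )
    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -ErrorAction Stop
        $hash = Get-FileHash -LiteralPath $p -Algorithm SHA256
        $vi   = $item.VersionInfo
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path            = $item.FullName
            SizeBytes       = $item.Length
            SHA256          = $hash.Hash
            CompanyName     = $vi.CompanyName
            FileDescription = $vi.FileDescription
            ProductName     = $vi.ProductName
            FileVersion     = $vi.FileVersion
            LegalCopyright  = $vi.LegalCopyright
            SignatureStatus = $sig.Status          # Valid / NotSigned / HashMismatch ...
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Reproduce the comparison from the thread: does the flagged file have the same
# content as the vendor's own copy? Identical hashes mean the detection is about
# the file's location or name, not its content, which is what a false-positive
# report should say.
function Compare-FpSuspectWithReference {
    param(
        [Parameter(Mandatory = $true)][string]$Suspect,
        [Parameter(Mandatory = $true)][string]$Reference
    )
    $s = (Get-FileHash -LiteralPath $Suspect   -Algorithm SHA256).Hash
    $r = (Get-FileHash -LiteralPath $Reference -Algorithm SHA256).Hash
    [pscustomobject]@{
        Suspect        = $Suspect
        Reference      = $Reference
        SuspectSHA256  = $s
        ReferenceSHA256 = $r
        IdenticalBytes = ($s -eq $r)
    }
}

# Usage (placeholder paths; the thread's files were 1.tmp .. 7.tmp in System32):
$flagged = Get-ChildItem -Path "$env:SystemRoot\System32\*.tmp" -File -ErrorAction SilentlyContinue
if ($flagged) {
    Get-FpTriageReport -Path $flagged.FullName | Format-List
}

# Placeholder for the vendor's shipped driver; adjust to the real install folder.
$reference = 'C:\Program Files\Sophos\Sophos Anti-Rootkit\memsweep.sys'
if ((Test-Path -LiteralPath $reference) -and $flagged) {
    Compare-FpSuspectWithReference -Suspect $flagged[0].FullName -Reference $reference
}
```

The report's hash and publisher fields are what a vendor needs to whitelist a file; the IdenticalBytes result documents that the flagged copy is byte-for-byte the legitimate driver rather than a lookalike dropped next to it, which is the distinction a defender has to establish before dismissing a detection.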

MisterW
2010-03-16, 12:25
Hello,
I can confirm that it is a false positive that will be fixed with the next update scheduled for Wednesday.

Best regards,
Markus
Team Spybot