
Thread: win32.downloaderx.hav or false positive?

  1. #1
    Guest | Join Date: Mar 2010 | Posts: 5

    win32.downloaderx.hav or false positive?

    Hi,

    In the last few days I did some routine scans with various programs (Kaspersky, a-squared, AVG Anti Rootkit, Bitdefender, McAfee Stinger, RootkitBuster, RootkitRevealer, Sophos Anti-Rootkit and finally Spybot S&D).

    No program found anything suspicious, except SS&D, which found win32.downloaderx.hav in 7 files named 1.tmp to 7.tmp in the folder windows/system32.

    I checked the tmp-files at virustotal.com and they are totally clean.

    I checked the properties of the tmp files and they say "memsweep kernel driver" and "1989 - 2005 Sophos Plc, www.sophos.com".

    So I googled it and found out that it seems to be part of Sophos Anti-Rootkit.

    I moved the files to another folder and scanned again with SS&D and it found nothing. Then I put the files back to system32 and it found win32.downloaderx.hav again.

    How does SS&D work? It doesn't seem to scan files by signatures, because it finds something in system32 and nothing when the files are anywhere else.

    I looked at the manual removal guide for win32.downloaderx.hav and I didn't find any file or registry entry shown there on my PC.

    Can anyone help? Is it a false positive? I sent the files to the admins, but have no answer yet.

    thanks
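    The original poster corroborated the vendor claim by reading the file properties and uploading the files to VirusTotal. The following PowerShell snippet is an added example, not code from the thread or from Safer Networking or Sophos, that does the same triage in one pass for files flagged in System32: it reads the version resource strings (the "memsweep kernel driver" / "Sophos Plc" fields), checks the Authenticode signature state, and computes a SHA-256 hash that can be looked up on VirusTotal or attached to a false-positive report. The file list 1.tmp to 7.tmp under %SystemRoot%\System32 is taken from the thread and is an assumption; adjust it to whatever your scanner flagged. Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example (not from the thread): triage files a scanner flagged in System32.
# Assumption from the thread: the flagged files are %SystemRoot%\System32\1.tmp .. 7.tmp.
$flagged = 1..7 | ForEach-Object { Join-Path $env:SystemRoot "System32\${_}.tmp" }

foreach ($path in $flagged) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "not present: $path"
        continue
    }

    $item = Get-Item -LiteralPath $path
    # Version resource strings: what the Properties dialog shows. Anyone can set these,
    # so they are a hint about origin, not proof of it.
    $vi   = $item.VersionInfo
    # Authenticode state: Valid, NotSigned, HashMismatch, UnknownError, ...
    # Only a Valid signature whose signer chains to the claimed vendor is evidence.
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    # Stable identifier for a VirusTotal lookup or a false-positive submission.
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    [pscustomobject]@{
        File            = $item.Name
        SizeBytes       = $item.Length
        FileDescription = $vi.FileDescription
        CompanyName     = $vi.CompanyName
        LegalCopyright  = $vi.LegalCopyright
        OriginalName    = $vi.OriginalFilename
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256          = $hash
    }
}
```

    The point of separating the version strings from the signature status is that the former is exactly what a downloader trojan would spoof to pass as a vendor driver, while a Valid signature from the vendor's certificate, or a hash match against the file shipped in the vendor's own install directory (the poster later confirmed the match with memsweep.sys from the Sophos Anti-Rootkit folder), is what actually settles the question. If the driver is unsigned, as older tools often were, the hash comparison against the vendor's copy is the check to rely on.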

  2. #2
    Guest | Join Date: Mar 2010 | Posts: 5


    Maybe this helps someone help me:

    I moved the tmp files out of system32, THEN I started Spybot, THEN I moved the tmp files back to system32, THEN I started a scan AND Spybot found nothing.

    BUT

    When I leave the tmp files in system32, THEN start Spybot, THEN start a scan, it finds the virus.

    So how does Spybot work? It seems certain that the tmp files are created by Sophos Anti-Rootkit, so how can Spybot say it's a virus?

    Can anyone help?

    By the way: there is a code above the message, SBI $453531A6; does this help?

  3. #3
    Guest | Join Date: Mar 2010 | Posts: 5


    Something more: I copied the tmp files to my laptop, just put them into system32, started Spybot and started a scan, and again Spybot found win32.downloaderx.hav.

    If the files are from Sophos, it must be a false positive.
    Last edited by tashi; 2010-03-13 at 01:49. Reason: Moved to F/P forum

  4. #4
    Member of Team Spybot | Join Date: Oct 2005 | Location: USA | Posts: 30,961


    Hello yellow33,

    Please see How to report Possible False Positives

    A detective would respond on Monday.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #5
    Guest | Join Date: Mar 2010 | Posts: 5


    One question about reporting a false positive:

    I sent the file via this link http://www.safer-networking.org/de/c...etections.html with a description, and I wrote in German.

    Is that OK, or must it be in English? By the way, I got no confirmation mail about the successful transfer or anything like that. Do they have my request now, or must I send it again somewhere else?

  6. #6
    Guest | Join Date: Mar 2010 | Posts: 5


    OK, I'm almost sure now that it's a false positive, because:

    I installed Sophos AR and Spybot S&D on a clean PC, then I renamed memsweep.sys (inside the program folder of Sophos AR) to 1.tmp and moved it into system32, then I did a scan with Spybot and it found 1.tmp as win32.downloaderx.hav.

    By the way, there is no answer from the experts yet...

  7. #7
    Retired | Join Date: Oct 2005 | Posts: 566


    Hello,
    I can confirm that it is a false positive that will be fixed with the next update scheduled for Wednesday.

    Best regards,
    Markus
    Team Spybot
