Hi,
Over the last few days I did some routine scans with various programs (Kaspersky, a-squared, AVG Anti Rootkit, Bitdefender, McAfee Stinger, RootkitBuster, RootkitRevealer, Sophos Anti-Rootkit and finally Spybot S&D).
None of the programs found anything suspicious, except that SS&D found win32.downloaderx.hav in 7 files named 1.tmp to 7.tmp, which are in the folder windows/system32.
I checked the tmp files at virustotal.com and they are totally clean.
I checked the properties of the tmp files and they say "memsweep kernel driver" and "1989 - 2005 Sophos Plc, www.sophos.com".
So I did some googling and found out that it seems to be part of Sophos Anti-Rootkit.
I moved the files to another folder and scanned again with SS&D, and it found nothing. Then I put the files back into system32 and it found win32.downloaderx.hav again.
How does SS&D work? It doesn't seem to scan files by signatures, because it finds something in system32 and nothing when the files are anywhere else.
I looked at the manual removal guide for win32.downloaderx.hav and didn't find any of the files or registry entries shown there on my PC.
Can anyone help? Is it a false positive? I sent the files to the admins, but have no answer yet.
thanks