False positive: sfloppy.sys

Full path: C:\Windows\System32\drivers\sfloppy.sys

OS: Windows XP SP3

I scanned this file at virusscan.jotti.org and 20 different AV scans (including Avast) said this file is safe. Furthermore, it is part of the Microsoft Windows operating system, so removing it will just screw up the OS, so removing this false positive just screwed up a lot of people’s computers. Seems Avast has had a few dangerously false positives lately, one of which I myself reported a couple of months ago. I hope we’re a little more careful in the future. -kd5-

It is already posted in the Virus and Worms section.

See this topic, http://forum.avast.com/index.php?topic=89963.0, anti-rootkit detection in XP systems.

How about this, could sfloppy be a rootkit type file by definition?
“A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.”

Because it is a hidden driver and it isn’t digitally signed, this has obviously caused confusion in the anti-rootkit scan. So something changed in the anti-rootkit scan, as it wasn’t previously detected, a classic sign of a possible false positive detection.

avastsvc.exe → Alureon-AOR ???

Good to know. When I got it on three computers I became a little suspicious. :slight_smile:

I got the same FP on win XP SP3.

@direktx: if you have a suspected infection, please read http://forum.avast.com/index.php?topic=14433.0 then post in the proper place.

To others… OK, maybe it’s unlikely the average user needs this driver, but let’s call me a completist; this is the inevitable question following this cock-up:

For those of us who blindly trusted the Avast recommended option to delete the sfloppy driver - can someone please provide instructions or official links to fix our now incomplete systems (I need XP 32b but mileage will vary)?!? >:( (Windows repair/hotfix/remove-re-install SP3??)

Thanks!

Same problem on Windows XP SP3.

When I was innocent I tried to remove it, but it needed a boot scan for removal, so I cancelled it.

I think Avast didn’t remove the sfloppy.sys file, because the virus chest is empty.

You can try System File Checker utility:

sfc /scannow

http://support.microsoft.com/kb/310747/

A lot of people followed the Avast instructions that said "DELETE" and this created confusion and problems on the PC. I hope Avast will be more careful in the future in order to avoid false positives. I scanned the file on some antivirus link and all, Avast included, said that the file is safe.
Please make sure to fix the problem as soon as possible.

Avast has just popped up here telling me that this is a rootkit. Checking on line gives me the same size and the properties tell me that it’s been here for over 3 years and is MS so I’ve left it.

Yesterday evening I did a full scan with SAS, MBAM, Malware Destroyer, Spybot S&D and a boot-time scan with Avast (I do this once a month) and there were no problems.

I don’t know what deleting it would do…!

If you deleted the file in error, on rebooting, Windows should recreate the file automatically. If it doesn’t, there are instructions on how to recreate the file from within Windows if you look in the virus and worms section. http://forum.avast.com/index.php?topic=89963.0

Good to see Avast is back to computer killing false positives. There was another one just a few months ago deleting kernel files of x64 machines! Ever heard of QA Avast? (That aside over the years Avast has been pretty good; these kinds of issues tarnish the overall reputation!!!) :cry:

Thanks to posters xtinguish and NON (above). :slight_smile:

What do you know, it did re-install on re-boot!

I didn’t immediately see info on the forum link from xtinguish, but there are now a bazillion pages and growing on that topic, so… Anyone following NON’s suggestion may want to note that the system file checker he refers to requires an installation disk (presumably an OEM rescue facility would also work, if you can find it).

However, fingers crossed for everybody to restore sfloppy.sys through a straightforward re-boot!

Today I got this message too. It appears during the anti-rootkit scan after turning the PC on only. File scanning of sfloppy.sys by Avast! says nothing.
Previously I turned my PC on in the middle of the previous week, and everything was fine.

aswMBR shows error too

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-06 20:07:02

20:07:02.875 OS Version: Windows 5.1.2600 Service Pack 3
20:07:02.875 Number of processors: 4 586 0xF0B
20:07:02.875 ComputerName: PSW UserName:
20:07:03.531 Initialize success
20:07:03.671 AVAST engine defs: 11120601
20:07:08.953 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
20:07:08.953 Disk 0 Vendor: WDC_WD3200AAKS-00VYA0 12.01B02 Size: 305115MB BusType: 3
20:07:10.953 Disk 0 MBR read successfully
20:07:10.953 Disk 0 MBR scan
20:07:10.953 Disk 0 Windows XP default MBR code
20:07:10.968 Disk 0 scanning sectors +624876202
20:07:10.984 Disk 0 scanning H:\WINDOWS\system32\drivers
20:07:16.250 File: H:\WINDOWS\system32\drivers\sfloppy.sys INFECTED Win32:Alureon-AOR [Rtk]
20:07:17.812 Service scanning
20:07:18.906 Modules scanning
20:07:38.000 Disk 0 trace - called modules:
20:07:38.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:07:38.015 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8b710ab8]
20:07:38.015 3 CLASSPNP.SYS[ba118fd7] → nt!IofCallDriver → \Device\0000007b[0x8b716940]
20:07:38.015 5 ACPI.sys[b9f7f620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x8b76fd98]
20:07:38.015 Scan finished successfully
20:07:51.296 Disk 0 MBR has been saved successfully to “C:\Archieve\Avir\Tools.new\aswMBR\MBR.dat”
20:07:51.296 The log file has been saved successfully to “C:\Archieve\Avir\Tools.new\aswMBR\aswMBR.txt”

But I’m sure that it is FP.

TDSSKiller says nothing bad
AVZ says nothing bad
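The aswMBR log above is the kind of evidence a defender ends up reading many times during an incident like this one. As an added example (not code from the thread, from aswMBR or from Avast), the Python below parses such a log, pulls out the engine definitions version, the MBR verdict and each INFECTED line, and applies the false-positive checks the thread itself relies on: the flagged file lives under the Windows drivers directory, the MBR code is the XP default, and the scan ran with definitions older than the VPS that was later announced as fixed. The sample log is the one quoted in the thread, trimmed to the lines the parser uses. The mapping from a VPS name such as 111206-2 to the 8-digit "engine defs" number is an assumption inferred from the values in the thread, not a documented format.

```python
"""Parse an aswMBR log and triage its detections (added example; not aswMBR's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the aswMBR output quoted in this thread, trimmed to the lines
# the parser uses. A raw string keeps the backslashes literal.
SAMPLE_LOG = r"""aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-06 20:07:02

20:07:02.875 OS Version: Windows 5.1.2600 Service Pack 3
20:07:03.671 AVAST engine defs: 11120601
20:07:10.953 Disk 0 MBR read successfully
20:07:10.953 Disk 0 Windows XP default MBR code
20:07:10.984 Disk 0 scanning H:\WINDOWS\system32\drivers
20:07:16.250 File: H:\WINDOWS\system32\drivers\sfloppy.sys INFECTED Win32:Alureon-AOR [Rtk]
20:07:38.015 Scan finished successfully
"""

TS = r"\d{2}:\d{2}:\d{2}\.\d{3}"
DETECTION_RE = re.compile(
    rf"^(?P<ts>{TS}) File: (?P<path>.+?) INFECTED (?P<name>\S+)(?: \[(?P<cat>[^\]]+)\])?\s*$"
)
DEFS_RE = re.compile(r"AVAST engine defs: (\d+)")
OS_RE = re.compile(r"OS Version: (.+?)\s*$")
MBR_DEFAULT_RE = re.compile(r"Disk (\d+) Windows XP default MBR code")


@dataclass
class Detection:
    timestamp: str
    path: str
    name: str
    category: Optional[str]

    def in_windows_drivers_dir(self) -> bool:
        # Files directly under <drive>:\WINDOWS\system32\drivers are OS components; a lone
        # hit there, with an otherwise clean MBR, deserves a second look before deletion.
        return re.search(r"\\windows\\system32\\drivers\\[^\\]+$", self.path, re.I) is not None


@dataclass
class ScanReport:
    os_version: str = ""
    engine_defs: str = ""
    mbr_default_disks: List[int] = field(default_factory=list)
    finished: bool = False
    detections: List[Detection] = field(default_factory=list)


def parse_aswmbr_log(text: str) -> ScanReport:
    """Walk the log line by line and collect the fields used for triage."""
    report = ScanReport()
    for line in text.splitlines():
        if m := DETECTION_RE.match(line):
            report.detections.append(Detection(m["ts"], m["path"], m["name"], m["cat"]))
        elif m := DEFS_RE.search(line):
            report.engine_defs = m.group(1)
        elif m := OS_RE.search(line):
            report.os_version = m.group(1)
        elif m := MBR_DEFAULT_RE.search(line):
            report.mbr_default_disks.append(int(m.group(1)))
        elif line.endswith("Scan finished successfully"):
            report.finished = True
    return report


def defs_from_vps(vps: str) -> str:
    """Map a VPS name like '111206-2' to the 8-digit 'engine defs' form ('11120602').
    ASSUMPTION: the defs number is the VPS date followed by a two-digit release index;
    this is inferred from the values in the thread, not from any documented format."""
    date, _, index = vps.partition("-")
    return f"{date}{int(index):02d}"


def definitions_stale(report: ScanReport, fixed_vps: str) -> bool:
    """True when the scan used definitions older than the VPS that fixed the false positive."""
    return int(report.engine_defs) < int(defs_from_vps(fixed_vps))


def triage(report: ScanReport, fixed_vps: str) -> List[str]:
    """One verdict line per detection: rescan on current definitions before deleting anything."""
    notes = []
    stale = definitions_stale(report, fixed_vps)
    for d in report.detections:
        reasons = []
        if d.in_windows_drivers_dir():
            reasons.append("OS driver path")
        if report.mbr_default_disks:
            reasons.append("MBR code is the XP default")
        if stale:
            reasons.append(f"defs {report.engine_defs} predate fixed VPS {fixed_vps}")
        verdict = "RESCAN WITH UPDATED VPS BEFORE DELETING" if len(reasons) >= 2 else "INVESTIGATE"
        notes.append(f"{d.path} ({d.name}): {verdict}; " + ", ".join(reasons))
    return notes


if __name__ == "__main__":
    for note in triage(parse_aswmbr_log(SAMPLE_LOG), "111206-2"):
        print(note)
```

The point of the triage step is ordering, not a verdict by itself: with a single hit on an OS driver and a default MBR, the cheapest next action is updating definitions and re-running the scan, which is exactly what resolved this thread, and deleting a system driver is the most expensive action to get wrong.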

Avast have now confirmed it as a false positive and will be issuing an update soon.

VPS Update was already issued. Please update your VPS.
Latest (fixed) VPS: 111206-2

  1. Open avast window.
  2. Choose “Maintenance” → “Update”.
  3. Click “Update engine and virus definitions”. Update will start.