In C:\windows\system32\drivers\sfloppy.sys
Received a warning from Avast about a Rootkit: hidden folder. I was asked if I wanted to delete it, which I did.
Then Avast asked me if I wanted to do a boot scan, which I did; it came up clean. About 5 minutes later I received the same warning. This time I told Avast to ignore it. I did a check using the right-click feature with Avast on the offending item; it came up clean.
Just curious if this is a false positive.
Upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.
Had the same myself with boot. Looked at the file date and looked up the info about the file online. Looks like a false positive to me too, so I selected ignore.
Same thing here. Happened about an hour ago. I am using Avast Free on Windows XP SP3. I chose “delete” and then restarted the system. After the scan, Avast found nothing suspicious. Now I got the same alert again. Seeing that others have absolutely the same error at almost the same time and regarding the same sfloppy.sys file, I think there is probably something wrong with Avast itself. Although it is strange that after choosing “delete”, the file is still there.
PS: Already did a virus check with Jotti, VirSCAN and Metascan. All sites say the file is safe and found nothing wrong.
Same here.
I renamed the file before deleting it, and did the boot scan. Nothing found. When I log in I get the same sfloppy warning. Took the option to delete, but it hasn’t been deleted. The file is the correct size, and I feel this is a false positive.
I am also getting the same warning, “sfloppy rootkit”. I’ve scanned with rootkit killers and malware scanners; all are coming back clean, but every few minutes the message pops back up. Hope this is just a false positive, as ignoring it is not something I like to do when I get warnings. Grrrrr.
Exactly the same here with Windows XP Home SP3. Deleted the file, did boot time scan and restarted and now getting same notification that rootkit is still there. Scan says system is clean.
Exact same thing here. Was having a mini freak out since I’m none too skilled with this sort of thing. I assume then the best idea is to simply ignore?
Same problem, Avast detected sfloppy.sys today, for the first time.
From avast antivirus, it should be a rootkit.
My OS is Windows XP SP3.
The MD5 is exactly the same as spirits247's: 8e6b8c671615d126fdc553d1e2de5562.
In the properties window:
The file size is 11 392 bytes.
The version of the file is 5.1.2600.5512 (xpsp.080413-2108).
The company is Microsoft Corporation.
It seems that sfloppy.sys is a safe driver from Microsoft.
I got the same alert on Win XP Pro and, considering I’m pretty confident that my system is clean, I chose Ignore. Having done that, I assume that this decision on this anti-rootkit scan will get back to Avast via the CommunityIQ feature. I have also reported this on the loadstyles page link above.
Deletion is never a good first action in my opinion no matter how scary it might seem getting the alert.
Uploading the file to VirusTotal is unfortunately a waste of time, as it can’t replicate the anti-rootkit scan (which can only be done on a live system): it can’t compare what the Windows API says is running against what is actually running (hidden).
I’m getting exactly the same detection. I’m using Avast! IS which is fully up to date.
I have scanned my computer (XP Home SP3) using Malwarebytes, Hitman Pro, ESET Online Scan, Sophos Anti-Rootkit, Panda Anti-Rootkit, Kaspersky anti-rootkit and a multi-AV scanning tool (hxxp://multi-av.thespykiller.co.uk/help.htm), which all came back clean. I also uploaded the file to VirusTotal and everything came back clean, and a bit of googling shows that the file is safe (as long as it is in windows/system32/drivers/).