Avast WEBforum

Other => Viruses and worms => Topic started by: crofty59 on December 06, 2011, 12:16:32 PM

Title: Rootkit hidden filefloppy sys
Post by: crofty59 on December 06, 2011, 12:16:32 PM
In C:\windows\system32\drivers\sfloppy.sys
Received a warning from Avast about a Rootkit: hidden folder, was asked if I wanted to delete it, which I did.
Then avast asked me if I wanted to do a boot scan, which I did; it came up clean. About 5 minutes later I received the same warning. This time I told avast to ignore it. I did a check using the right click feature with avast on the offending item; it came up clean.
Just curious if this is a false positive.

Cheers
using xp home Avast free
Title: Re: Rootkit hidden filefloppy sys
Post by: Pondus on December 06, 2011, 12:21:32 PM
upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners
when you have the result, copy the url in the address bar and post it here for us to see


alternative
Jotti     http://virusscan.jotti.org/en
VirSCAN   http://virscan.org/
Metascan   http://www.metascan-online.com/



Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm


Title: Re: Rootkit hidden filefloppy sys
Post by: crofty59 on December 06, 2011, 12:26:46 PM
Hi Pondus
Thanks for your reply, here's the copy of the url, which is clean
http://www.virustotal.com/file-scan/report.html?id=ceec0067514555d5ca489f50e3d7562fca8db8e952c3c878604c9277fc77959f-1323170093

Cheers
Title: Re: Rootkit hidden filefloppy sys
Post by: spirits247 on December 06, 2011, 12:31:19 PM
I just got the same message - Rootkit alert, for sfloppy.sys. Happened today for the first time.

The file reported checks out fine. I checked its MD5 against known clean files:

MD5: 8E6B8C671615D126FDC553D1E2DE5562
C:\Windows\Drivers\sfloppy.sys

Seems like a false positive with the latest updates.
Title: Re: Rootkit hidden filefloppy sys
Post by: Pondus on December 06, 2011, 12:31:51 PM
and remember... if you delete, you have no options left... then you can't check the file
Title: Re: Rootkit hidden filefloppy sys
Post by: tlcoles on December 06, 2011, 12:32:22 PM
Had the same myself with boot. Looked at the file date and looked up the info about the file online. Looks like a false positive to me too, so I selected ignore.

I am also an Avast Home user.
Title: Re: Rootkit hidden filefloppy sys
Post by: T.P on December 06, 2011, 12:33:23 PM
Hello,

I have the same message, I just need to ignore it?
Title: Re: Rootkit hidden filefloppy sys
Post by: Pondus on December 06, 2011, 12:33:56 PM
you can report a false positive here
http://www.avast.com/contact-form.php?loadStyles

you may add a link to this topic
Title: Re: Rootkit hidden filefloppy sys
Post by: lister on December 06, 2011, 12:35:02 PM
I got the same warning.
Title: Re: Rootkit hidden filefloppy sys
Post by: zing on December 06, 2011, 12:38:42 PM
Same thing here. Happened about an hour ago. I am using Avast Free on Windows XP SP3. I chose "delete" and then restarted the system. After the scan, Avast found nothing suspicious. Now I got the same alert again. Seeing that others have absolutely the same error at almost the same time and regarding the same sfloppy.sys file, I think that there is probably something wrong with Avast itself. Although it is strange that after choosing "delete", the file is still there.

PS: Already did a virus check with Jotti, VirSCAN and Metascan. All sites say the file is safe and found nothing wrong.
Title: Re: Rootkit hidden filefloppy sys
Post by: Tetsuo on December 06, 2011, 12:46:51 PM
I got the same warning.

System Information:

Win XP Pro SP3
Avast! Free AV 6.0.1367 (Behaviour/Script Shield removed)
Online Armor Free 5.1.1.1395 (Web Shield disabled)

*Avast!/OA mutually excluded
Title: Re: Rootkit hidden filefloppy sys
Post by: crofty59 on December 06, 2011, 12:51:27 PM
you can report false positive here 
http://www.avast.com/contact-form.php?loadStyles

you may add a link to this topic

Thanks Pondus
I have sent a report, but I forgot to put a link in for this topic.

cheers
Title: Re: Rootkit hidden filefloppy sys
Post by: brasilz on December 06, 2011, 12:54:37 PM
Same here.
I renamed the file before deleting, and did the boot scan. Nothing found. When I log in I get the same sfloppy warning. Took the option to delete, but it hasn't been deleted. The file is the correct size, and I feel this is a false positive.
Title: Re: Rootkit hidden filefloppy sys
Post by: growler321 on December 06, 2011, 12:59:32 PM
I am also getting the same warning "sfloppy rootkit". I've scanned with rootkit killers and malware scanners; all are coming back clean, but every few mins the message pops back up. Hope this is just a false positive, as ignoring it is not something I like to do when I get warnings grrrrr
Title: Re: Rootkit hidden filefloppy sys
Post by: xtinguish on December 06, 2011, 01:02:53 PM
Exactly the same here with Windows XP Home SP3. Deleted the file, did boot time scan and restarted and now getting same notification that rootkit is still there.  Scan says system is clean.
Title: Re: Rootkit hidden filefloppy sys
Post by: MrScottyBear on December 06, 2011, 01:09:00 PM
Exactly the same here with Windows XP Home SP3. Deleted the file, did boot time scan and restarted and now getting same notification that rootkit is still there.  Scan says system is clean.

Exact same thing here.  Was having a mini freak out since I'm none too skilled with this sort of thing.  I assume then the best idea is to simply ignore?
Title: Re: Rootkit hidden filefloppy sys
Post by: loveme2 on December 06, 2011, 01:10:03 PM
I got the same warning. :-[
Title: Re: Rootkit hidden filefloppy sys
Post by: Laerian on December 06, 2011, 01:10:31 PM
Hello,

Same problem, avast detected sfloppy.sys today, for the first time.
According to avast antivirus, it should be a rootkit.

My OS is Windows XP SP3.
The MD5 is exactly the same as spirits247's: 8e6b8c671615d126fdc553d1e2de5562.

In the property window :
The file size is 11 392 bytes.
The version of the file is 5.1.2600.5512 (xpsp.080413-2108).
The company is Microsoft Corporation.

It seems that sfloppy.sys is a safe driver from Microsoft.

I chose to ignore.

Goodbye.
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 06, 2011, 01:14:27 PM
I got the same alert on win XP Pro and considering I'm pretty confident that my system is clean I chose Ignore. Having done that I assume that this decision on this anti-rootkit scan will get back to avast via the CommunityIQ feature. I have also reported this on the loadstyles page link above.

Deletion is never a good first action in my opinion no matter how scary it might seem getting the alert.

Uploading the file to virustotal is unfortunately a waste of time as it can't replicate the anti-rootkit scan (which can only be done on a live system) as it can't compare what the windows API says is running against what is actually running (hidden).

Title: Re: Rootkit hidden filefloppy sys
Post by: hwedin on December 06, 2011, 01:15:13 PM
Hi

I'm getting exactly the same detection. I'm using Avast! IS which is fully up to date.

I have scanned my computer (XP Home SP3) using malwarebytes, hitman pro, eset online scan, sophos antirootkit, panda antirootkit, kaspersky antirootkit and multi av scanning tool (hxxp://multi-av.thespykiller.co.uk/help.htm), which all came back clean. I also uploaded the file to virus total and everything came back clean, and a bit of googling shows that the file is safe (as long as it is in windows/system32/drivers/).

I think that this has to be a false positive
  
Title: Re: Rootkit hidden filefloppy sys
Post by: ky331 on December 06, 2011, 01:22:12 PM
Confirming the same experience here, on Win XP Pro SP3:

I just had avast [definitions 111206-0, program 6.0.1367] alert me to an alleged rootkit (hidden file) in c:\windows\system32\drivers\sfloppy.sys

given the choices of remove ("recommended") and ignore, I've opted to ignore [and furthermore, to bypass a bootup scan], so that I could investigate the matter further.

the file is identical in content to a copy located in  c:\windows\system32\dllcache

the file appears "clean", per virus total http://www.virustotal.com/file-scan/report.html?id=ceec0067514555d5ca489f50e3d7562fca8db8e952c3c878604c9277fc77959f-1323172857

it's noted on that page that 3 other "anonymous" avast users have also reported this file as being detected as a rootkit today.

i will try to upload a copy to avast, if possible... though with all the "complaints", I have every reason to believe it's indeed a f/p.


EDIT:  I believe it's been successfully uploaded now...
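Several posters above triaged the flagged driver the same way: compare its MD5 against a value others report as clean (spirits247), check its size and version properties (Laerian), and compare it byte-for-byte with the copy in dllcache (ky331). The script below is an added example of that file-level triage, not code from the thread or from Avast; the paths and the "known good" MD5 and size are the ones posters reported here and are not independently verified, and the bytes in the self-test are constructed. It only rules out a tampered file on disk; as DavidR notes, it cannot reproduce a live anti-rootkit cross-view check.

```python
"""Offline triage of a driver file flagged by an anti-rootkit scan.

Added example (not from the forum thread or from Avast). It answers the
questions a triager asks before choosing Ignore or Delete: does the live
file match a reference copy, and does it match the size/hash others
report? A hash match against a forum-posted value is weak evidence on its
own; agreement with the dllcache copy and a known-good manifest is stronger.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Optional

# Values reported by posters in this thread for the XP SP3 sfloppy.sys.
# Treat them as hypotheses to confirm, not as an authoritative manifest.
KNOWN_GOOD = {
    "md5": "8e6b8c671615d126fdc553d1e2de5562",
    "size": 11392,
}
LIVE_PATH = r"C:\Windows\system32\drivers\sfloppy.sys"
REFERENCE_PATHS = [r"C:\Windows\system32\dllcache\sfloppy.sys"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_copies(live: bytes, references: Iterable[bytes],
                   expected_md5: Optional[str] = None,
                   expected_size: Optional[int] = None) -> Dict[str, object]:
    """Compare the live bytes with reference copies and expected values.

    Returns a dict of individual checks plus an overall verdict:
    'consistent' (every available check passed), 'mismatch' (at least one
    check failed) or 'no reference data' (nothing to compare against).
    """
    live_md5 = md5_hex(live)
    ref_matches: List[bool] = [md5_hex(r) == live_md5 for r in references]
    result: Dict[str, object] = {
        "size": len(live),
        "md5": live_md5,
        "sha256": sha256_hex(live),  # record a stronger hash for later lookups
        "size_ok": expected_size is None or len(live) == expected_size,
        "md5_ok": expected_md5 is None or live_md5 == expected_md5.lower(),
        "reference_matches": ref_matches,
    }
    if expected_md5 is None and expected_size is None and not ref_matches:
        result["verdict"] = "no reference data"
    elif result["size_ok"] and result["md5_ok"] and all(ref_matches):
        result["verdict"] = "consistent"
    else:
        result["verdict"] = "mismatch"
    return result


def read_if_present(path: str) -> Optional[bytes]:
    """Read a file's bytes, or return None when it does not exist."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def triage_file(live_path: str, reference_paths: Iterable[str],
                known_good: Dict[str, object]) -> Dict[str, object]:
    """Path-based wrapper: missing live file is its own verdict, because a
    deleted driver (as some posters experienced) needs restoring, not scanning."""
    live = read_if_present(live_path)
    if live is None:
        return {"verdict": "missing", "path": live_path}
    refs = [b for b in (read_if_present(p) for p in reference_paths) if b is not None]
    result = compare_copies(live, refs, known_good.get("md5"), known_good.get("size"))
    result["path"] = live_path
    result["references_found"] = len(refs)
    return result


if __name__ == "__main__":
    for key, value in triage_file(LIVE_PATH, REFERENCE_PATHS, KNOWN_GOOD).items():
        print(f"{key}: {value}")
```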
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 06, 2011, 01:26:44 PM
Just keep monitoring this topic and I would suggest that you choose the Ignore option. Don't open the Advanced options and DON'T check the don't tell you about this again (or words to that effect).

As much of a pain in the rear as getting this alert 8 minutes after boot is, you want to know about it, as when avast clears this up (and I'm confident it is an FP), which should be quickly, you will notice that it is no longer being detected; if you chose Ignore and don't tell me about this again, you would never know.

It does appear that this is on XP systems as I haven't had any alert on my win7 netbook; possibly it doesn't use sfloppy.sys in the same way (though there is a copy in the drivers folder).
Title: Re: Rootkit hidden filefloppy sys
Post by: Coriakin on December 06, 2011, 01:35:01 PM
Got the same rootkit warning about sfloppy.sys about an hour ago, which was the first time I ever got a rootkit warning from Avast.

I chose the delete option first time it happened, then ran the bootscan. Everything was clean. After rebooting, the same warning pops up; deleted it and rebooted. Warning pops up yet again; this time had to download a Kaspersky TDSSkiller app; my system passes with no infected file. After reading the posts here, I chose to ignore the last time the popup appeared.

My system is running Windows XP Home SP3.



Title: Re: Rootkit hidden filefloppy sys
Post by: demonix00 on December 06, 2011, 01:36:46 PM
I've checked myself and the file itself (along with a google) and it looks more like a false positive as other sites already say it's safe (since it's a required driver if you have a floppy disk drive).
Title: Re: Rootkit hidden filefloppy sys
Post by: T.P on December 06, 2011, 01:37:49 PM
I ignore it and the message comes back after restart  ::)
Title: Re: Rootkit hidden filefloppy sys
Post by: JH on December 06, 2011, 01:44:43 PM
Yeap, same here. I'm suspecting something messed up in an Avast update, because it happened after an update.
So, in my case, Windows XP Professional, computer with a floppy disk drive. After startup the rootkit warning appeared, and instead of trying to ask uncle Google what the hell is happening, I've chosen delete, and scan. Well, the computer is still scanning right now (I'm writing from my second one, Windows XP HE (both are SP3), but without a floppy drive, and no warning so far. Both of them are running Avast, latest version, free).
So, if you guys are writing that the warning reappears after rebooting, I will just ignore it.
Avast had a similar problem months ago (the reason why I have established an account here); suddenly everything got marked as a virus, because of a faulty update.
Title: Re: Rootkit hidden filefloppy sys
Post by: od1n on December 06, 2011, 01:46:51 PM
Getting same warning on XP after updating Avast program and reboot.  I don't normally read avast forum; does Avast reply to the forum?
Title: Re: Rootkit hidden filefloppy sys
Post by: Pondus on December 06, 2011, 01:55:40 PM
Quote
does Avast reply to the forum?
normally not... but sometimes they give a statement when they release the fix
Title: Re: Rootkit hidden filefloppy sys
Post by: Chris Thomas on December 06, 2011, 01:56:25 PM
I got the same just now.

Well, I don't use a floppy. Don't mind if it gets deleted.
Title: Re: Rootkit hidden filefloppy sys
Post by: easypeasy72 on December 06, 2011, 01:57:39 PM
Same issue here, I'm also using XP.
Title: Re: Rootkit hidden filefloppy sys
Post by: available on December 06, 2011, 02:00:16 PM
Oh great - so I got the same warning and told Avast it was okay to delete the file. Unlike others using XP SP3, Avast very successfully deleted the file - it's gone.

So, okay, how do I get it back?
Title: Re: Rootkit hidden filefloppy sys
Post by: bege on December 06, 2011, 02:02:43 PM
Same problem.
Additionally:
Made a memory scan and got two warnings
- avastsvc.exe !!
- freecommander.exe

Scanning these files with shell context menu and virustotal say they're clean

https://www.virustotal.com/file-scan/reanalysis.html?id=28f9c25205d8908e87efc75300045fa990e84acba992db69354ab792137a6a8c-1323175762

https://www.virustotal.com/file-scan/reanalysis.html?id=f2c387c76b52c9d2ae3f97824108e0ccb389b376c0276e57ed23f3385d064ea0-1323175262

Is there a context between these three (false?) warnings?
Title: Re: Rootkit hidden filefloppy sys
Post by: LindaXXX on December 06, 2011, 02:09:37 PM
;D I just did copy file c:\WINDOWS\system32\drivers\sonydcam.sys  to c:\WINDOWS\system32\drivers\sfloppy.sys
And now everything is OK and I do not get any stupid messages from the avast system :D

And sfloppy.sys is now sonydcam.sys :D :D
Title: Re: Rootkit hidden filefloppy sys
Post by: zing on December 06, 2011, 02:10:33 PM
Oh great - so I got the same warning and told Avast it was okay to delete the file. Unlike others using XP SP3, Avast very successfully deleted the file - it's gone.

So, okay, how do I get it back?

Check in \WINDOWS\Driver Cache\i386 directory. There should be a sp3.cab file. You can open it with Winrar, find sfloppy.sys and extract it to \WINDOWS\system32\drivers. If you don't have sp3.cab, use driver.cab instead. It will probably contain an older version of the sfloppy.sys, but still better than not having it at all (if you need it).
Title: Re: Rootkit hidden filefloppy sys
Post by: available on December 06, 2011, 02:16:24 PM
Check in \WINDOWS\Driver Cache\i386 directory. There should be a sp3.cab file. You can open it with Winrar, find sfloppy.sys and extract it to \WINDOWS\system32\drivers. If you don't have sp3.cab, use driver.cab instead. It will probably contain an older version of the sfloppy.sys, but still better than not having it at all (if you need it).

Just the type of response I was hoping for - thanks very much - to the point, thorough, a solution.

Appreciated.

[and a quickie followup - as easy as double-clicking the cab file, right-clicking the "sfloppy.sys" file and selecting "extract", tell it a location to extract to, and done - perfect. Thanks again]
Title: Re: Rootkit hidden filefloppy sys
Post by: Martin P on December 06, 2011, 02:18:33 PM
(actually, zing, I think the file just comes back of its own accord.)

I'm a newbie here, so don't know how one interacts with the avast people direct, but if this problem is real we need help fixing it, and if it's harmless then it really is proving a huge timewaster. I went through the process described on the other posts (deleted the file, ran a boot scan, got the same message again etc). The boot scan on my machine takes ages ... lost a morning's work ...

Can we get some feedback from the avast team??
Title: Re: Rootkit hidden filefloppy sys
Post by: Verxz on December 06, 2011, 02:19:18 PM
I'm getting the same message on Windows XP SP3 and I ran the full scan + malwarebytes and it didn't find anything, so I suppose I'm safe and I can go play normally?
Title: Re: Rootkit hidden filefloppy sys
Post by: spirits247 on December 06, 2011, 02:29:01 PM
This has happened on all virus checkers one time or another (ie a major false positive).

Looking at the response above, I think you are 99.99% safe this is a false positive and will be fixed soon.
Title: Re: Rootkit hidden filefloppy sys
Post by: zing on December 06, 2011, 02:31:46 PM
Appreciated.

You are welcome.

(actually, zing, I think the file just comes back of its own accord.)

Right. At first, I was wondering how come the file is still there, when Avast said it deleted it, but after searching for sfloppy.sys and finding a copy of it in the .cab file, I realised that Windows probably extracts it from the .cab file when it senses that the file is missing from the system32\drivers directory. It seems that in some cases it doesn't do it automatically, or probably needs a system restart.
Title: Re: Rootkit hidden filefloppy sys
Post by: available on December 06, 2011, 02:36:55 PM
It seems that in some cases it doesn't do it automatically, or probably needs a system restart.

Either that or users in a rush like available only looked in system32 rather than the correct system32/drivers.

One or the other! ;D

Title: Re: Rootkit hidden filefloppy sys
Post by: Pondus on December 06, 2011, 03:25:13 PM
Same problem.
Additionally:
Made a memory scan and got two warnings
- avastsvc.exe !!
- freecommander.exe

Scanning these files with shell context menu and virustotal say they're clean

https://www.virustotal.com/file-scan/reanalysis.html?id=28f9c25205d8908e87efc75300045fa990e84acba992db69354ab792137a6a8c-1323175762

https://www.virustotal.com/file-scan/reanalysis.html?id=f2c387c76b52c9d2ae3f97824108e0ccb389b376c0276e57ed23f3385d064ea0-1323175262

Is there a context between these three (false?) warnings?
No, this is different... because you used the "scan memory" setting
do not use the "scan memory" setting as this will give some strange scan results
the forum is full of this if you search

do not change the default scan settings if you do not know the result of it

Title: Re: Rootkit hidden filefloppy sys
Post by: Tgell on December 06, 2011, 03:28:59 PM
Kind of weird. A person posted on Yahoo answers that Avira picked it up as a virus so they installed avast! and got the same problem. Shared database?

http://ph.answers.yahoo.com/question/index?qid=20111206051008AAFRO5q
Title: could it be a hoax?
Post by: max1e6 on December 06, 2011, 03:29:25 PM
I got it on one of my XP computers but, get this, I disabled Avast long ago.

Avast is listed as a startup program in msconfig but I'm fairly sure I disabled the item long ago.

Then again, it could be one of my senior moments.
Title: Re: Rootkit hidden filefloppy sys
Post by: bigspanner on December 06, 2011, 03:32:34 PM
Alright, if this is a false positive, can Avast please come up to the plate and hit the ball instead of wasting everybody's time?
Title: Re: could it be a hoax?
Post by: Pondus on December 06, 2011, 03:34:46 PM
I got it on one of my XP computers but, get this, I disabled Avast long ago.

Avast is listed as a startup program in msconfig but I'm fairly sure I disabled the item long ago.

Then again, it could be one of my senior moments.
you mean you have more than one AV installed?
Title: Re: Rootkit hidden filefloppy sys
Post by: Pondus on December 06, 2011, 03:36:32 PM
Alright, if this is a false positive, can Avast please come up to the plate and hit the ball instead of wasting everybody's time?
you can be 110% sure they are working on it....but the fix has to be tested before they release it
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 06, 2011, 03:39:22 PM
Kind of weird. A person posted on Yahoo answers that Avira picked it up as a virus so they installed avast! and got the same problem. Shared database?
<snip>

There is no shared database, coincidence yes; if both are doing a rootkit scan and this is a hidden process then there will be a possibility of a hidden driver being considered a rootkit incorrectly. Unfortunately, even though this is a system file it isn't digitally signed, and that doesn't help if something is suspect.

I got it on one of my XP computers but, get this, I disabled Avast long ago.

Avast is listed as a startup program in msconfig but I'm fairly sure I disabled the item long ago.

Then again, it could be one of my senior moments.

Please don't change the topic title, just put that in the body of your post.

But to answer that, NO, it isn't a hoax, which is completely different from what it is likely to be, a False Positive.
Title: Re: Rootkit hidden filefloppy sys
Post by: Tgell on December 06, 2011, 03:41:57 PM
Sorry, I should not have said shared database but what about shared signatures on some malware? I think the Vendors do this correct?
Title: Re: Rootkit hidden filefloppy sys
Post by: blankqueen on December 06, 2011, 03:45:52 PM
I just got this same problem a couple of hours ago. I've now read through all the answers here, but as I'm completely inept with computers, let me get this straight: we're just to wait and hope Avast fixes this? To do nothing now?
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 06, 2011, 03:47:51 PM
Sorry, I should not have said shared database but what about shared signatures on some malware? I think the Vendors do this correct?

Same thing, no shared signatures, no, all vendors don't do that. Some might be using their engine and database but that would be under a licensing agreement, and nothing exists between Avast and Avira other than the coincidence that they both begin with the letter 'A'.
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 06, 2011, 03:53:22 PM
I just got this same problem a couple of hours ago. I've now read through all the answers here, but as I'm completely inept with computers, let me get this straight: we're just to wait and hope Avast fixes this? To do nothing now?

Select Ignore if the alert comes up again, monitor this forum, click the Notify button at the bottom of the page. You will get an email for new posts; as you might imagine, you will probably get a lot as it is active. You could also bookmark this link http://forum.avast.com/index.php?topic=89963.msg716133;topicseen#new, which will open the topic for new replies that you haven't yet viewed.
Title: Re: Rootkit hidden filefloppy sys
Post by: blankqueen on December 06, 2011, 03:58:00 PM
Thanks DavidR! I will do as you suggested! :)
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 06, 2011, 03:59:57 PM
You're welcome.
Title: Re: Rootkit hidden filefloppy sys
Post by: maheshc on December 06, 2011, 04:00:11 PM
I already did as AVAST suggested, to delete and reboot/bootscan, but no threat found.
So what about the file I have lost? And the alert is still popping.
Title: Re: Rootkit hidden filefloppy sys
Post by: acuariano on December 06, 2011, 04:00:36 PM
got the message too..must be a false positive..
hope fix comes soon
Title: Re: Rootkit hidden filefloppy sys
Post by: crixx on December 06, 2011, 04:00:48 PM

Check in \WINDOWS\Driver Cache\i386 directory. There should be a sp3.cab file. You can open it with Winrar, find sfloppy.sys and extract it to \WINDOWS\system32\drivers. If you don't have sp3.cab, use driver.cab instead. It will probably contain an older version of the sfloppy.sys, but still better than not having it at all (if you need it).

I did this and now I get 2 infections instead of 1.  :-\
Title: Re: Rootkit hidden filefloppy sys
Post by: antrox on December 06, 2011, 04:12:43 PM
100% false !!!!
Title: Re: Rootkit hidden filefloppy sys
Post by: Geno Raptor on December 06, 2011, 04:16:23 PM
I already did as AVAST suggested, to delete and reboot/bootscan, but no threat found.
So what about the file I have lost? And the alert is still popping.

Same here, just how badly have we fucked up due to this s**t?
Title: Re: Rootkit hidden filefloppy sys
Post by: char.aznarble on December 06, 2011, 04:23:56 PM
The same thing has happened on my computer, which is Windows XP with SP3.

But when I manually scanned sfloppy.sys with avast, nothing suspicious was reported. This is very strange.

So I personally think sfloppy.sys is clean, but is it possible that a specific action, such as one API inside sfloppy.sys being called by another process, may cause this symptom?

I am looking forward to an official answer from avast.
Title: Re: Rootkit hidden filefloppy sys
Post by: zing on December 06, 2011, 04:25:24 PM

I did this and now I get 2 infections instead of 1.  :-\
What do you mean, you have 2 infections? Did you check if sfloppy.sys is really gone from system32\drivers directory (hope you are not checking just system32 directory, as available implied earlier :))?

If sfloppy.sys file is really deleted from the system32\drivers directory, doing what I mentioned earlier, will just place a copy of this file (the file from sp3.cab should be the same as the original one in system32\drivers) in system32\drivers. If the file is there, you should be asked to replace it.

PS: I restarted the system a few times and every time after Windows started, Avast showed the same warning about sfloppy.sys. Checked manually for updates and the virus definitions updated from Current Version: 111206-0 to 111206-1. Rebooted again and the problem is still there, so as others suggested, I just ignored it and now am waiting for a new update that will hopefully fix that.
Title: sfloppy.sys - System file
Post by: grsvtl on December 06, 2011, 04:33:27 PM
All my friends for whom I've installed Avast have this problem.
sfloppy.sys - System file

avast made a mistake, please fix it.
Title: Re: sfloppy.sys - System file
Post by: Pedrita on December 06, 2011, 04:37:29 PM
All my friends for whom I've installed Avast have this problem.
sfloppy.sys - System file

avast made a mistake, please fix it.

Hello, I'm from Brazil and the same thing is happening with my PC. Also I'm using XP.
I think it's a false positive.
Title: Re: Rootkit hidden filefloppy sys
Post by: -Genesis- on December 06, 2011, 04:39:00 PM
I have that also!

False positive.
Title: Re: Rootkit hidden filefloppy sys
Post by: dlandsk on December 06, 2011, 04:39:51 PM
Same problem here, from Chile, 3 PC with Windows XP and Avast:

[screenshot: http://img685.imageshack.us/img685/6318/8522e80086834fe4815a53f.png]
Title: Re: Rootkit hidden filefloppy sys
Post by: Compbck on December 06, 2011, 04:41:31 PM
I have just received 6 calls from various customers that I support who have been trying in vain to resolve what appears to be a False / Positive error purporting to detect a rootkit in the C:\windows\system32\drivers\sfloppy.sys directory.

They all possess Windows XP machines. I have just completed the remote scan of a workgroup server which has the alleged rootkit and despite Avast Boot Scans it still exists.

I have not experienced a problem with Windows 7 machines.

I have now informed all of my users to ignore the threat in the hope that AVAST will be updated in the near future to resolve this unusual glitch.

Please DO NOT BLAME AVAST - I have had similar experiences with NORTON / MCAFEE / KASPERSKY in the past.
Title: Re: Rootkit hidden filefloppy sys
Post by: char.aznarble on December 06, 2011, 04:54:37 PM
It is strange that my scan report of c:\windows\system32\drivers is OK, but Avast is always reporting such an error after rebooting the computer, only once every reboot. Maybe some conflicts exist between Avast and other specific programs.

I have that also!

[screenshot: http://i1216.photobucket.com/albums/dd376/sanjoseparaiso/fp.jpg]

[screenshot: http://i1216.photobucket.com/albums/dd376/sanjoseparaiso/floppy-1.jpg]


Title: Re: Rootkit hidden filefloppy sys
Post by: SirNobody on December 06, 2011, 04:57:12 PM
Well I had the same issue on ONE of my two laptops (XP SP3 Home) - deleted it - did the recommended reboot and boot scan, then when the PC booted up completely found the "regenerated" C:\Windows\System\Drivers\Sfloppy.sys as expected.  It's a protected file, which means Windows will reinstall the backup (from dllcache if I recall correctly) if it's found to be missing. Ran the Avast Home scanner specifically on this file and got a clean result.

During the long boot scan I also checked my other PC (XP SP3 Pro) which has the same virus definition files (111206-1) and also specifically checked this file and again got a clean result.

Came onto here to check and looked back at the XP Home PC and found it's triggered AGAIN - even though a short while ago it said it was clean - going to ignore the warning this time, not do a reboot & boot scan... and guess what: a scan of the file (right click from explorer) still thinks it is clean...

The properties panel suggests that this is a "SCSI Floppy Driver" - so I guess it's only vital to Jazz ZIP drive users???

I suppose that it is the in-memory image that is triggering Avast's alert - and don't forget a floppy driver as this is, is going to be able to format boot sectors of a potentially bootable device when presented with blank media for instance, so there is bound to be some code in it that could be viewed as dodgy if taken out of context!
Title: Re: Rootkit hidden filefloppy sys
Post by: Milos on December 06, 2011, 04:58:10 PM
Hello,
the issue (causing false positive) was resolved. VPS will be released asap.

Milos
Title: Re: Rootkit hidden filefloppy sys
Post by: Honda_CB750 on December 06, 2011, 04:58:45 PM
Some years back I had a much worse experience with Norton, it damaged files. And they kept pretty quiet about it. And when they put out a fix, the fix that people in California downloaded kept causing damage for about 2 hours, until they did another fix! Like I say, Norton did not advertise this! I'll stay with Avast, but they sure gave me a scare today! But when I put in the hard drive that I cloned 4 days ago, and it had the same problem, I started to figure things out, and now at this forum I get re-assured that it is just a fake positive! I feel much better! Thanks, forum!
Stan
Title: Re: Rootkit hidden filefloppy sys
Post by: SenzaDubbio on December 06, 2011, 05:02:56 PM
I just installed windows xp on a laptop this morning.  I'm a computer tech, and there's no way that this file is a rootkit unless it's from Microsoft. I recommend you ignore it.
Title: Re: Rootkit hidden filefloppy sys
Post by: Pedrita on December 06, 2011, 05:03:48 PM
Hello,
the issue (causing false positive) was resolved. VPS will be released asap.

Milos

Thank you very much!
Title: Re: Rootkit hidden filefloppy sys
Post by: spirits247 on December 06, 2011, 05:04:00 PM
Hello,
the issue (causing false positive) was resolved. VPS will be released asap.

Milos

Nice one. Thanks for the quick fix! :)
Title: Re: Rootkit hidden filefloppy sys
Post by: Honda_CB750 on December 06, 2011, 05:07:29 PM
Thank you for the info, Milos.
Stan
Title: Re: Rootkit hidden filefloppy sys
Post by: -Genesis- on December 06, 2011, 05:09:31 PM
I hate rootkits!

Earlier I was deciding to format my OS because of this; luckily I visited the avast forum.

I think plenty of Avast users reformatted their system. :'(
Title: Re: Rootkit hidden filefloppy sys
Post by: jfh on December 06, 2011, 05:18:40 PM
OK, so now we know (and so does Avast) - it is a false positive.  Just for curiosity, how long should it take for Avast to correct the situation?
Title: Re: Rootkit hidden filefloppy sys
Post by: set1 on December 06, 2011, 05:20:59 PM
 >:(

The update 1) did not fix the problem - I am still getting the false positive and 2) it rebooted my computer WITHOUT asking me while I was in the middle of writing an important work email!!!
Title: Re: Rootkit hidden filefloppy sys
Post by: montybanks on December 06, 2011, 05:27:13 PM
Time now 1630 gmt English time.
Still getting the message re rootkit hidden sfloppy.sys.
How soon before false positive fixed. any ideas??? >:(
Title: Re: Rootkit hidden filefloppy sys
Post by: REDACTED on December 06, 2011, 05:43:15 PM
Hi

In Poland I have the same problem now. It started 30 minutes ago...
Title: Re: Rootkit hidden filefloppy sys
Post by: calcu007 on December 06, 2011, 05:44:13 PM
Be sure you have the VPS 111206-2 or later
Title: Re: Rootkit hidden filefloppy sys
Post by: SaRaGoN on December 06, 2011, 05:51:02 PM
With this update 111206-2 Avast fixed the problem. :)
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 06, 2011, 05:52:26 PM
As mentioned, ensure you have the latest VPS update 111206-2 and reboot; 8 minutes after the boot the anti-rootkit scan happens and you shouldn't get an alert.

See image extract of the end of the aswAR.log file run after a reboot on my system with that VPS.
Title: Re: Rootkit hidden filefloppy sys
Post by: zing on December 06, 2011, 05:52:59 PM
Yep, updated to VPS 111206-2 and it's fixed. No more rootkit messages about sfloppy.sys, after rebooting.
Title: Re: Rootkit hidden filefloppy sys
Post by: polonus on December 06, 2011, 05:54:43 PM
Hi bombeczkaATgmail.com,

If you do not want spammers on your back, then give your nick "without the @ sign".
Did you update to the latest engine and virus definitions?

regards,

polonus
Title: Re: Rootkit hidden filefloppy sys
Post by: msgreyberry on December 06, 2011, 06:20:24 PM
Had the same problem 5 minutes ago... I was about to press "delete" but then I figured out something's not right... no viruses, no dangerous websites, no anything, nothing dangerous... using loads of precautions and antimalware engines I freaked out... Thank you Avast! for the quick update!
So I assume it is safe to "ignore" the notice?
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 06, 2011, 06:23:08 PM
Yes, and ensure you have VPS 111206-2 as mentioned earlier and reboot.
Title: Re: Rootkit hidden filefloppy sys
Post by: rob24 on December 06, 2011, 06:33:43 PM
Well that seems to have sorted that OK, once I updated VPS manually to 111206-2.

What I don't understand is that on the first indication today after PC started, Avast recommended Delete followed by boot scan. The latter was clean and PC continued to start with no further warnings. I turned PC off again about an hour later, and later still I started up to the same warning, with the same recommendation. It appeared not to have deleted the file. It was at that point I consulted this thread whilst I still had the warning up, and took the advice to 'Ignore'.
Title: Re: Rootkit hidden filefloppy sys
Post by: BlueCrab405 on December 06, 2011, 06:47:54 PM
Hi all. Having the same issue this morning. Using Avast Free version on Windows XP (man.. I need to upgrade ;) ). I did the same thing at first and chose delete (which did not happen).

I see in the engine and definitions update that version 111206-2 is out, however my system will not update the latest definitions for some reason. It's still stuck on 111206-0. I've been trying to update for over 2 hours now.

Anyone else having this issue?
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 06, 2011, 07:15:15 PM
Well that seems to have sorted that OK, once I updated VPS manually to 111206-2.

What I don't understand is that on the first indication today after PC started, Avast recommended Delete followed by boot scan.
<snip>

Certain detections will suggest doing a boot-time scan; rootkit based detections would be one area where a boot-time scan would be suggested, as by their nature rootkits seek to hide something (other malware). The boot-time scan, operating before Windows is running, may well be able to see what would otherwise have been hidden if Windows was running.
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 06, 2011, 07:16:53 PM
Hi all. Having the same issue this morning. Using Avast Free version on Windows XP (man.. I need to upgrade ;) ). I did the same thing at first and chose delete (which did not happen).

I see in the engine and definitions update that version 111206-2 is out, however my system will not update the latest definitions for some reason. It's still stuck on 111206-0. I've been trying to update for over 2 hours now.
<snip>

What errors are you getting when you try to update ?

- Try a repair of avast:
XP - Add Remove programs, select 'avast! Anti-Virus,' click the Change/Remove button and scroll down to Repair, click next and follow.
Title: Re: Rootkit hidden filefloppy sys
Post by: Henry-Finland on December 06, 2011, 07:38:35 PM
The same as everybody else and on both computers.
Deleted and did the scan.
Vanished.

XP and Free Avast.

Henry
Title: Re: Rootkit hidden filefloppy sys
Post by: BlueCrab405 on December 06, 2011, 11:19:10 PM
What errors are you getting when you try to update ?

- Try a repair of avast:
XP - Add Remove programs, select 'avast! Anti-Virus,' click the Change/Remove button and scroll down to Repair, click next and follow.

David,

The only error I get is one from avast that my virus definitions are out of date. I go into the user interface and click on update virus definitions and it begins the download, but then just shows a time "9s" or something. When I go back into the user interface to the update section, it still says my virus definitions are out of date and shows the old version.

I tried the repair and get an error message. It tells me to use the full update. I tried doing an update through the add/remove program feature and Microsoft told me that avast encountered an error and must shut down.

This all happened this morning when the rootkit problem started. Perhaps just uninstall and reinstall the program completely?
Title: Re: Rootkit hidden filefloppy sys
Post by: rob24 on December 06, 2011, 11:25:29 PM
Certain detections will suggest doing a boot-time scan; rootkit based detections would be one area where a boot-time scan would be suggested, as by their nature rootkits seek to hide something (other malware). The boot-time scan, operating before Windows is running, may well be able to see what would otherwise have been hidden if Windows was running.

Thanks David for that. What I didn't understand (and probably didn't make clear) was that having followed Avast's 'Delete' recommendation, the file was still there when it re-detected it. It didn't delete. Which was perhaps just as well! But why?

I did the apparent 'Delete' before I saw this thread after the repeat detection, where you and others recommended not deleting.
Title: Re: Rootkit hidden filefloppy sys
Post by: spirits247 on December 07, 2011, 12:18:00 AM
Quote from: rob24

Thanks David for that. What I didn't understand (and probably didn't make clear) was that having followed Avast's 'Delete' recommendation, the file was still there when it re-detected it. It didn't delete. Which was perhaps just as well! But why?

I did the apparent 'Delete' before I saw this thread after the repeat detection, where you and others recommended not deleting.

It didn't delete as it's a genuine XP system file and Windows SFS (System File Protection) put it straight back after deletion.
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 07, 2011, 12:30:55 AM
<snip>
David,
The only error I get is one from avast that my virus definitions are out of date. I go into the user interface and click on update virus definitions and it begins the download, but then just shows a time "9s" or something. When I go back into the user interface to the update section, it still says my virus definitions are out of date and shows the old version.

That is where the repair generally resolves this out of synch condition.

I tried the repair and get an error message. It tells me to use the full update. I tried doing an update through the add/remove program feature and Microsoft told me that avast encountered an error and must shut down.

Unfortunately something is broken, meaning that the standard repair isn't enough.

Double unfortunate, is that the full manual update of the VPS isn't an option as the file has been temporarily pulled from the location it can be downloaded.

This all happened this morning when the rootkit problem started. Perhaps just uninstall and reinstall the program completely?

So yes, a clean reinstall will be required, as whatever is broken/corrupt is also affecting the uninstall function:
-  Clean reinstall, see instructions here http://forum.avast.com/index.php?topic=84558.msg687478#msg687478 (http://forum.avast.com/index.php?topic=84558.msg687478#msg687478).
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 07, 2011, 12:34:35 AM
<snip>
Thanks David for that. What I didn't understand (and probably didn't make clear) was that having followed Avast's 'Delete' recommendation, the file was still there when it re-detected it. It didn't delete. Which was perhaps just as well! But why?

I did the apparent 'Delete' before I saw this thread after the repeat detection, where you and others recommended not deleting.

You're welcome.

It may well have deleted initially, but it will normally have a copy in the driver cache so will be replaced as it is a required driver. If this system driver were digitally signed, I believe avast wouldn't have deleted it to start with.
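The two points made above (the deleted driver coming back from the driver cache or Windows File Protection, and a signature check being what would have stopped the deletion) are the checks a defender wants to run on a flagged in-box driver before touching it. The script below is an added example, not code from this thread or from Avast. It assumes PowerShell 4.0 or later for Get-FileHash (on an XP box the file would be copied to a newer machine or hashed with another tool), and the known-good MD5 is a placeholder to be replaced with a value from install media or a known-clean machine; Windows File Protection restores are looked up in the System event log under their own event source.

```powershell
# Added example, not code from the forum thread or from Avast.
# Assumes PowerShell 4.0 or later (Get-FileHash). The known-good MD5 below is
# a PLACEHOLDER, to be replaced with a value taken from a trusted source
# (install media or a known-clean machine).

$DriverPath = Join-Path $env:SystemRoot 'system32\drivers\sfloppy.sys'

# Placeholder hash, not a real value.
$KnownGoodMD5 = '00000000000000000000000000000000'

function Test-FlaggedDriver {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$KnownGoodMD5
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # A driver missing after an AV "Delete" is worth knowing before a reboot
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Get-AuthenticodeSignature only sees an embedded signature. Most in-box
    # Windows drivers are catalog-signed, so 'NotSigned' here is NOT evidence
    # of tampering; Sysinternals sigcheck (-a -h) also verifies against the
    # catalog and is the right tool for in-box drivers.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # XP location of the driver cache that Windows File Protection restores from
    $driverCab = Join-Path $env:SystemRoot 'Driver Cache\i386\driver.cab'

    [pscustomobject]@{
        Path              = $Path
        Present           = $true
        MD5               = $md5
        SHA256            = $sha256
        MatchesKnownGood  = ($md5 -eq $KnownGoodMD5.ToUpper())
        EmbeddedSignature = $sig.Status
        Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        DriverCacheFound  = (Test-Path -LiteralPath $driverCab)
        LastWriteTimeUtc  = (Get-Item -LiteralPath $Path).LastWriteTimeUtc
    }
}

Test-FlaggedDriver -Path $DriverPath -KnownGoodMD5 $KnownGoodMD5 | Format-List

# Windows File Protection (XP/2003) logs its restores to the System event log
# under its own source; this is where evidence of the file being put back lives.
Get-EventLog -LogName System -Source 'Windows File Protection' -Newest 20 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message | Format-Table -Wrap
```

A hash that matches the trusted copy, combined with a fresh LastWriteTimeUtc, is the signature of a file that Windows silently restored rather than one that was never deleted; a hash mismatch, on the other hand, is the result that justifies treating the alert as more than a definitions problem.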
Title: Re: Rootkit hidden filefloppy sys
Post by: crofty59 on December 07, 2011, 09:27:38 AM
Hello,
the issue (causing false positive) was resolved. VPS will be released asap.

Milos

Thanks very much Milos

Cheers
Title: Re: Rootkit hidden filefloppy sys
Post by: BootLoader on December 07, 2011, 09:47:30 AM
I had the same warning with the previous virus definitions, but now with the latest virus definitions the problem and message have disappeared.
Thank You.
Title: Re: Rootkit hidden filefloppy sys
Post by: painai on December 07, 2011, 12:57:12 PM
Hi, I had the same problem yesterday but unfortunately panicked and deleted the file before jotting down what it is. Performed a boot scan and everything seems fine. Ran a rootkit scan with an external system which was fine. I just wanna reassure myself, but there doesn't seem to be a log on avast about the event yesterday? The file filefloppy.sys is back where it is too. Is there any way to confirm that the deleted file was in fact filefloppy?
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 07, 2011, 01:23:29 PM
As I mentioned 2 posts up from yours - the sfloppy.sys file should be in the windows\system32\drivers folder; since this is a required file on reboot it would be replaced with a copy from the driver cache location.

Title: Re: Rootkit hidden filefloppy sys
Post by: painai on December 07, 2011, 01:58:06 PM
Yeah I read that, it's just that I can't find a trace of what happened yesterday on my computer. Avast did not log anything in the statistics and log, I looked through my Event Viewer on Windows and there is no log of Windows File Protection replacing the file.
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 07, 2011, 03:46:35 PM
You need to have looked in the aswAr.log on the day of detection as that log gets overwritten on the next anti-rootkit scan.
Title: Re: Rootkit hidden filefloppy sys
Post by: chikahana on December 08, 2011, 08:08:39 AM
I've just tried it
http://virusscan.jotti.org/en/scanresult/7db1e683fdb727eff341bcaa14beada4b8666d04
I hope my problem will be done with this thing  :)
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 08, 2011, 12:06:55 PM
As I have mentioned in other posts, for anti-rootkit detections it is a total waste of time uploading a file to a multi-engine scan site as they can't replicate the anti-rootkit scan. That scan can only be done on a live system.

That is why even on these scans you won't even see avast detect it. Not to mention this happened two days ago and was resolved later that day in a VPS update release.

So if you are still having a problem you haven't got your virus definition updates set to Auto, as it would be resolved already. Ensure that you have VPS version 111206-2 or later.
Title: Re: Rootkit hidden filefloppy sys
Post by: RainbowRescue on December 13, 2011, 12:50:56 AM
I have another problem after this FP issue.
First boot scan went OK (no virus found, btw) - but the next few didn't. Almost at the end of the scan my PC shut down all of a sudden and I was not able to turn it on for some time. (Always the boot scan; the normal Avast scan didn't do that)

Had no problems with Malwarebytes scanning that day. But the same thing happened with the Malwarebytes scan today - almost at the end the PC shut down.

I am afraid to scan my PC now, lol.

What could that be?
Title: Re: Rootkit hidden filefloppy sys
Post by: DavidR on December 13, 2011, 10:52:52 AM
First it is unlikely to be related to this FP as A) it was resolved on the same day (reply #63 of this topic), B) the actual file is replaced by windows and C) I don't believe that even if this file were missing it would block the boot.

Second, why are you running a boot-time scan, more so a regular boot-time scan?

The purpose of a boot-time scan is if an infection can't be dealt with with Windows running normally or there may be hidden elements.

Since you are having the same issue with MBAM, that to me would indicate that this is something other than related to this FP, even if you had it.
Title: Re: Rootkit hidden filefloppy sys
Post by: RainbowRescue on December 19, 2011, 10:54:11 PM
I did that because Avast told me to do it (the very same day, before it had been fixed, :o, until my son told me to wait, could be FP)

But I got an interesting reply on some other forum:
Default Re: Avast antivirus - rootkit false positive? - sfloppy.sys
Maybe hardware related, as far as an overly dusty case (fans, CPU, heatsinks) or a failing power supply, symptomatic of a case not responding to a power on restart immediately. Try a thorough internal case cleaning with canned air and fine grade brushes.
 ;D :P

Thank you for your reply ! :)
Title: Re: Rootkit hidden filefloppy sys
Post by: Tetsuo on December 20, 2011, 12:56:47 PM
But I got an interesting reply on some other forum:
Default Re: Avast antivirus - rootkit false positive? - sfloppy.sys
Maybe hardware related, as far as an overly dusty case (fans, CPU, heatsinks) or a failing power supply, symptomatic of a case not responding to a power on restart immediately. Try a thorough internal case cleaning with canned air and fine grade brushes.
 ;D :P


At least they didn't tell you to check if the power cord was properly connected...