Author Topic: Rootkit hidden filefloppy sys  (Read 94356 times)


MrScottyBear

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #15 on: December 06, 2011, 01:09:00 PM »
Exactly the same here with Windows XP Home SP3. Deleted the file, did boot time scan and restarted and now getting same notification that rootkit is still there.  Scan says system is clean.

Exact same thing here.  Was having a mini freak out since I'm none too skilled with this sort of thing.  I assume then the best idea is to simply ignore?

loveme2

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #16 on: December 06, 2011, 01:10:03 PM »
I got the same warning. :-[

Laerian

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #17 on: December 06, 2011, 01:10:31 PM »
Hello,

Same problem, avast detected sfloppy.sys today, for the first time.
From avast antivirus, it should be a rootkit.

My OS is Windows XP SP3.
The MD5 is exactly the same as spirits247's: 8e6b8c671615d126fdc553d1e2de5562.

In the property window:
The file size is 11 392 bytes.
The version of the file is 5.1.2600.5512 (xpsp.080413-2108).
The company is Microsoft Corporation.

It seems that sfloppy.sys is a safe driver from Microsoft.

I chose to ignore.

Goodbye.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89439
  • No support PMs thanks
Re: Rootkit hidden filefloppy sys
« Reply #18 on: December 06, 2011, 01:14:27 PM »
I got the same alert on win XP Pro and, considering I'm pretty confident that my system is clean, I chose Ignore. Having done that, I assume that this decision on this anti-rootkit scan will get back to avast via the CommunityIQ feature. I have also reported this on the loadstyles page link above.

Deletion is never a good first action in my opinion no matter how scary it might seem getting the alert.

Uploading the file to virustotal is unfortunately a waste of time as it can't replicate the anti-rootkit scan (which can only be done on a live system) as it can't compare what the windows API says is running against what is actually running (hidden).

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

hwedin

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #19 on: December 06, 2011, 01:15:13 PM »
Hi

I'm getting exactly the same detection. I'm using Avast! IS which is fully up to date.

I have scanned my computer(XP Home SP3) using malwarebytes, hitman pro, eset online scan , sophos antirootkit, panda antirootkit, kaspersky antirootkit and multi av scanning tool(hxxp://multi-av.thespykiller.co.uk/help.htm) which all came back clean. I also uploaded the file to virus total and everything came back clean and a bit of googling shows that the file is safe(as long as it is in windows/system32/drivers/)

I think that this has to be a false positive
  
« Last Edit: December 06, 2011, 01:33:25 PM by hwedin »

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: Rootkit hidden filefloppy sys
« Reply #20 on: December 06, 2011, 01:22:12 PM »
Confirming the same experience here, on Win XP Pro SP3:

I just had avast [definitions 111206-0, program 6.0.1367] alert me to an alleged rootkit (hidden file) in c:\windows\system32\drivers\sfloppy.sys

given the choices of remove ("recommended") and ignore, I've opted to ignore [and furthermore, to bypass a bootup scan], so that I could investigate the matter further.

the file is identical in content to a copy located in  c:\windows\system32\dllcache

the file appears "clean", per virus total http://www.virustotal.com/file-scan/report.html?id=ceec0067514555d5ca489f50e3d7562fca8db8e952c3c878604c9277fc77959f-1323172857

it's noted on that page that 3 other "anonymous" avast users have also reported this file as being detected as a rootkit today.

I will try to upload a copy to avast, if possible... though with all the "complaints", I have every reason to believe it's indeed a f/p.


EDIT:  I believe it's been successfully uploaded now...
« Last Edit: December 06, 2011, 01:36:55 PM by ky331 »
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]
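
A script for the kind of check ky331 and Laerian describe above (compare the live driver with its dllcache copy, read the version resource, compare the hash other users posted, and look at the publisher/signature), as an added example that is not from this thread or from avast; it assumes PowerShell 4.0 or later for Get-FileHash, and the paths and MD5 value are the ones posted in the thread.

```powershell
# Added example (not from the thread): triage a "hidden file" rootkit alert on a
# Windows system driver by comparing it with its dllcache copy, reading its version
# resource and checking its hash and Authenticode signature.
# Assumes PowerShell 4.0+ (Get-FileHash); paths and the reference MD5 come from the thread.
param(
    [string]$Driver   = "$env:SystemRoot\System32\drivers\sfloppy.sys",
    [string]$Backup   = "$env:SystemRoot\System32\dllcache\sfloppy.sys",
    [string]$KnownMd5 = "8e6b8c671615d126fdc553d1e2de5562"   # MD5 posted by Laerian / spirits247
)

function Get-DriverFacts {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path -Force          # -Force also returns hidden/system files
    [pscustomobject]@{
        Path      = $item.FullName
        Size      = $item.Length
        MD5       = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        Version   = $item.VersionInfo.FileVersion
        Company   = $item.VersionInfo.CompanyName
        Signature = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
}

$live = Get-DriverFacts $Driver
if (-not $live) { Write-Warning "Driver not found at $Driver"; return }
$live | Format-List

# 1. Does the live driver match the hash other users in the thread reported?
if ($live.MD5 -eq $KnownMd5.ToLower()) { "MD5 matches the value reported in the thread." }
else { Write-Warning "MD5 differs from the reported value; investigate further." }

# 2. Is it byte-identical to the Windows File Protection copy in dllcache (XP only)?
$cache = Get-DriverFacts $Backup
if ($cache) {
    if ($cache.SHA256 -eq $live.SHA256) { "Live driver is identical to the dllcache copy." }
    else { Write-Warning "Live driver differs from the dllcache copy." }
} else { "No dllcache copy found (dllcache exists only on XP and earlier)." }

# 3. Publisher and signature. XP-era system drivers are catalog-signed rather than
#    embedded-signed, so NotSigned here does not by itself mean the file is bad;
#    Valid is strong evidence, NotSigned means "verify against the catalog (e.g. Sysinternals sigcheck)".
"Publisher: $($live.Company); signature status: $($live.Signature)"
```

A hash match with the dllcache copy plus a Microsoft publisher string is the same evidence the posters in this thread used to call the alert a false positive; a mismatch is the case that would justify a deeper look rather than a quick Ignore.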

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89439
  • No support PMs thanks
Re: Rootkit hidden filefloppy sys
« Reply #21 on: December 06, 2011, 01:26:44 PM »
Just keep monitoring this topic and I would suggest that you choose the Ignore option. Don't open the Advanced options and DON'T check the don't tell you about this again (or words to that effect).

As much of a pain in the rear as getting this alert after boot is, you want to know about it, as when avast clears this up (and I'm confident it is an FP), which should be quickly, you will notice that it is no longer being detected; if you chose Ignore and don't tell you about this again, you would never know.

It does appear that this is on XP systems, as I haven't had any alert on my win7 netbook; possibly it doesn't use sfloppy.sys in the same way (though there is a copy in the drivers folder).

Coriakin

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #22 on: December 06, 2011, 01:35:01 PM »
Got the same rootkit warning about sfloppy.sys about an hour ago, which was the first time I ever got a rootkit warning from Avast.

I chose the delete option first time it happened, then ran the bootscan. Everything was clean. After rebooting, the same warning pops up; deleted it and rebooted. Warning pops up yet again; this time had to download a Kaspersky TDSSkiller app; my system passes with no infected file. After reading the posts here, I chose to ignore the last time the popup appeared.

My system is running Windows XP Home SP3.

demonix00

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #23 on: December 06, 2011, 01:36:46 PM »
I've checked myself and the file itself (along with a google) and it looks more like a false positive as other sites already say it's safe (since it's a required driver if you have a floppy disk drive).

T.P

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #24 on: December 06, 2011, 01:37:49 PM »
I ignored it and the message comes back after restart  ::)

JH

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #25 on: December 06, 2011, 01:44:43 PM »
Yeap, same here. I'm suspecting something messed up in an Avast update, because it happened after an update.
So, in my case, Windows XP Professional, computer with a floppy disk drive. After startup the rootkit warning appeared, and instead of trying to ask uncle Google what the hell is happening, I chose delete, and scan. Well, the computer is still scanning right now (I'm writing from my second one, Windows XP HE (both are SP3), but without a floppy drive, and no warning so far. Both of them are running Avast, latest version, free).
So, if you guys are writing that the warning reappears after rebooting, I will just ignore it.
Avast had a similar problem months ago (the reason why I have established an account here): suddenly everything got marked as a virus, because of a faulty update.

od1n

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #26 on: December 06, 2011, 01:46:51 PM »
Getting same warning on XP after updating Avast program and reboot.  I don't normally read avast forum; does Avast reply to the forum?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37644
  • F-Secure user
Re: Rootkit hidden filefloppy sys
« Reply #27 on: December 06, 2011, 01:55:40 PM »
Quote
does Avast reply to the forum?
Normally not... but sometimes they give a statement when they release the fix.

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1936
  • Christian Geek - aka 'born again' Geek
Re: Rootkit hidden filefloppy sys
« Reply #28 on: December 06, 2011, 01:56:25 PM »
I got the same just now.

Well, I don't use a floppy. Don't mind if it gets deleted.

easypeasy72

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #29 on: December 06, 2011, 01:57:39 PM »
Same issue here, I'm also using XP.