Rootkit hidden filefloppy sys

[MrScottyBear]

Exactly the same here with Windows XP Home SP3. Deleted the file, did boot time scan and restarted and now getting same notification that rootkit is still there.  Scan says system is clean.

Exact sane thing here.  Was having a mini freak out since I'm none too skilled with this sort of thing.  I assume then the best idea is to simply ignore?

[loveme2]

I got the same warning.

[Laerian]

Hello,

Same problem, avast detected sfloppy.sys today, for the first time.
From avast antivirus, it should be a rootkit.

My OS is Windows XP SP3.
The MD5 is exactly the same than spirits247 : 8e6b8c671615d126fdc553d1e2de5562.

In the property window :
The file size is 11 392 bytes.
The version of the file is 5.1.2600.5512 (xpsp.080413-2108).
The enterprise is Microsoft Corporation.

It seems that sfloppy.sys is a safe driver from Microsoft.

I chose to ignore.

Goodbye.

[DavidR]

I got the same alert on win XP Pro and considering I'm pretty confident that my system is clean I choose Ignore. Having done that I assume that this decision on this anti-rootkit scan will get back to avast via the CommunityIQ feature. I have also reported this on the loadstyles page link above

Deletion is never a good first action in my opinion no matter how scary it might seem getting the alert.

Uploading the file to virustotal is unfortunately a waste of time as it can't replicate the anti-rootkit scan (which can only be done on a live system) as it can't compare what the windows API says is running against what is actually running (hidden).

[hwedin]

Hi

I'm getting exactly the same detection. I'm using Avast! IS which is fully up to date.

I have scanned my computer(XP Home SP3) using malwarebytes, hitman pro, eset online scan , sophos antirootkit, panda antirootkit, kaspersky antirootkit and multi av scanning tool(hxxp://multi-av.thespykiller.co.uk/help.htm) which all came back clean. I also uploaded the file to virus total and everything came back clean and a bit of googling shows that the file is safe(as long as it is in windows/system32/drivers/)

I think that this has to be a false positive
  

[ky331]

Confirming the same experience here, on Win XP Pro SP3:

I just had avast [definitions 111206-0, program 6.0.1367] alert me to an alleged rootkit (hidden file) in c:\windows\system32\drivers\sfloppy.sys

given the choices of remove ("recommended") and ignore, I've opted to ignore [and furthermore, to bypass a bootup scan], so that I could investigate the matter further.

the file is identical in content to a copy located in  c:\windows\system32\dllcache

the file appears "clean", per virus total http://www.virustotal.com/file-scan/report.html?id=ceec0067514555d5ca489f50e3d7562fca8db8e952c3c878604c9277fc77959f-1323172857

it's noted on that page that 3 other "anonymous" avast users have also reported this file as being detected as a rootkit today.

i will try to upload a copy to avast, if possible... though with all the "complaints", I have every reason to believe it's indeed a f/p.


EDIT:  I believe it's been successfuly uploaded now...

[DavidR]

Just keep monitoring this topic and I would suggest that you choose the Ignore option. Don't open the Advanced options and DON'T check the don't tell you about this again (or words to that effect).

As much of a pain in the rear that getting this alert 8 after boot, you want to know about it, as when avast clears this up (and I'm confident it is an FP), which should be quickly. Then you will notice that it is no longer being detected, if you chose Ignore and don't tell you about this again, you would never know.

It does appear that this is on XP systems as I haven't had any alert on my win7 netbook possibly it doesn't use sfloppy.sys in the same way (though there is a copy in the drivers folder).

[Coriakin]

Got the same rootkit warning about sfloppy.sys about an hour ago, which was the first time I ever got a rootkit warning from Avast.

I chose the delete option first time it happened, then ran the bootscan. Everything was clean. After rebooting, the same warning pops up; deleted it and rebooted. Warning pops up yet again; this time had to download a Kaspersky TDSSkiller app; my system passes with no infected file. After reading the posts here, I chose to ignore the last time the popup appeared.

My system is running Windows XP Home SP3.

[demonix00]

I've checked myself and the file itself (along with a google) and it looks more like a false positive as other sites already say it's safe (since it's a required driver if you have a floppy disk drive).

[T.P]

I ignore it and the message comeback after restart 

[JH]

Yeap, same here. I'm suspecting something messed up in a Avast update, because it happened after an update.
So, in my case, Windows XP Professional, copmputer witha a floppy disk drive. After startup rootkit warning appeared, and istead try to ask uncle Google what the hell is happening, I've chosen delete, and scan. Well, computer is still scanning right now (I'm writing from my second one, Windows XP HE (both are SP3), but without floppy drive , and no warning so far. Both of them are running Avast, latest version, free).
So, if you guys are writing, that warning reapears after rebooting, I will just ignore it.
Avast had a similar problem months ago (the reason why I have eastablished an account here), suddenly everything got marked as a virsu, because of faulty update.

[od1n]

Getting same warning on XP after updating Avast program and reboot.  I don't normally read avast forum; does Avast reply to the forum?

[Pondus]

does Avast reply to the forum?

normally not....but sometimes they give a statment when they release the fix

[Chris Thomas]

I got the same just now.

Well, I don't use a floppy. Don't mind if it gets deleted.

[easypeasy72]

Same issue here, I'm also using XP.