Author Topic: Rootkit hidden filefloppy sys  (Read 94358 times)

available

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #30 on: December 06, 2011, 02:00:16 PM »
Oh great - so I got the same warning and told Avast it was okay to delete the file. Unlike others using XP SP3, Avast very successfully deleted the file - it's gone.

So, okay, how do I get it back?

bege

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #31 on: December 06, 2011, 02:02:43 PM »
Same problem.
Additionally:
Made a memory scan and got two warnings
- avastsvc.exe !!
- freecommander.exe

Scanning these files with shell context menu and virustotal say they're clean

https://www.virustotal.com/file-scan/reanalysis.html?id=28f9c25205d8908e87efc75300045fa990e84acba992db69354ab792137a6a8c-1323175762

https://www.virustotal.com/file-scan/reanalysis.html?id=f2c387c76b52c9d2ae3f97824108e0ccb389b376c0276e57ed23f3385d064ea0-1323175262

Is there a context between these three (false?) warnings?
« Last Edit: December 06, 2011, 02:29:07 PM by bege »

LindaXXX

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #32 on: December 06, 2011, 02:09:37 PM »
;D I just copied the file c:\WINDOWS\system32\drivers\sonydcam.sys to c:\WINDOWS\system32\drivers\sfloppy.sys
And now everything is OK and I do not get any stupid messages from the avast system :D

And sfloppy.sys is now sonydcam.sys :D :D

zing

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #33 on: December 06, 2011, 02:10:33 PM »
Oh great - so I got the same warning and told Avast it was okay to delete the file. Unlike others using XP SP3, Avast very successfully deleted the file - it's gone.

So, okay, how do I get it back?

Check in \WINDOWS\Driver Cache\i386 directory. There should be a sp3.cab file. You can open it with Winrar, find sfloppy.sys and extract it to \WINDOWS\system32\drivers. If you don't have sp3.cab, use driver.cab instead. It will probably contain an older version of the sfloppy.sys, but still better than not having it at all (if you need it).
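
The recovery described in the post above, done with Windows' built-in expand command instead of WinRAR. This is an added example, not part of the original thread; it assumes the default XP layout under %SystemRoot% and an administrator command prompt.

```bat
@echo off
rem Added example, not from the thread: restore sfloppy.sys from the
rem Driver Cache cabinets named in the post above, using expand.exe.
setlocal
set "CACHE=%SystemRoot%\Driver Cache\i386"
set "DEST=%SystemRoot%\system32\drivers"

rem Leave an existing copy alone.
if exist "%DEST%\sfloppy.sys" goto present

rem Prefer sp3.cab; fall back to driver.cab, which may hold an older version.
set "CAB=%CACHE%\sp3.cab"
if not exist "%CAB%" set "CAB=%CACHE%\driver.cab"
if not exist "%CAB%" goto nocab

rem -D lists the matching entry without extracting it.
expand -D "%CAB%" -F:sfloppy.sys
rem Extract only that one file into the drivers directory.
expand "%CAB%" -F:sfloppy.sys "%DEST%"

if not exist "%DEST%\sfloppy.sys" goto failed
echo Restored sfloppy.sys from "%CAB%"
exit /b 0

:present
echo sfloppy.sys is already in "%DEST%", nothing to restore.
exit /b 0

:nocab
echo Neither sp3.cab nor driver.cab was found in "%CACHE%".
exit /b 1

:failed
echo sfloppy.sys was not extracted from "%CAB%".
exit /b 1
```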

available

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #34 on: December 06, 2011, 02:16:24 PM »
Check in \WINDOWS\Driver Cache\i386 directory. There should be a sp3.cab file. You can open it with Winrar, find sfloppy.sys and extract it to \WINDOWS\system32\drivers. If you don't have sp3.cab, use driver.cab instead. It will probably contain an older version of the sfloppy.sys, but still better than not having it at all (if you need it).

Just the type of response I was hoping for - thanks very much - to the point, thorough, a solution.

Appreciated.

[and a quickie followup - as easy as double-clicking the cab file, right-clicking the "sfloppy.sys" file and selecting "extract", tell it a location to extract to, and done - perfect. Thanks again]
« Last Edit: December 06, 2011, 02:19:58 PM by available »

Martin P

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #35 on: December 06, 2011, 02:18:33 PM »
(actually, zing, I think the file just comes back of its own accord.)

I'm a newbie here, so don't know how one interacts with the avast people direct, but if this problem is real we need help fixing it, and if it's harmless then it really is proving a huge timewaster. I went through the process described on the other posts (deleted the file, ran a boot scan, got the same message again etc). The boot scan on my machine takes ages ... lost a morning's work ...

Can we get some feedback from the avast team??

Verxz

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #36 on: December 06, 2011, 02:19:18 PM »
I'm getting the same message on Windows XP SP3 and I ran the full scan + Malwarebytes and it didn't find anything, so I suppose I'm safe and I can go play normally?

spirits247

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #37 on: December 06, 2011, 02:29:01 PM »
This has happened on all virus checkers one time or another (i.e. a major false positive).

Looking at the response above, I think you are 99.99% safe this is a false positive and will be fixed soon.

zing

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #38 on: December 06, 2011, 02:31:46 PM »
Appreciated.

You are welcome.

(actually, zing, I think the file just comes back of its own accord.)

Right. At first, I was wondering how come the file is still there when Avast said it deleted it, but after searching for sfloppy.sys and finding a copy of it in the .cab file, I realised that Windows probably extracts it from the .cab file when it senses that the file is missing from the system32\drivers directory. It seems that in some cases it doesn't do it automatically, or probably needs a system restart.
« Last Edit: December 06, 2011, 02:33:25 PM by zing »

available

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #39 on: December 06, 2011, 02:36:55 PM »
It seems that in some cases it doesn't do it automatically, or probably needs a system restart.

Either that or users in a rush like available only looked in system32 rather than the correct system32/drivers.

One or the other! ;D


Offline Pondus

  • Probably Bot
  • Posts: 37644
  • F-Secure user
Re: Rootkit hidden filefloppy sys
« Reply #40 on: December 06, 2011, 03:25:13 PM »
Same problem.
Additionally:
Made a memory scan and got two warnings
- avastsvc.exe !!
- freecommander.exe

Scanning these files with shell context menu and virustotal say they're clean

https://www.virustotal.com/file-scan/reanalysis.html?id=28f9c25205d8908e87efc75300045fa990e84acba992db69354ab792137a6a8c-1323175762

https://www.virustotal.com/file-scan/reanalysis.html?id=f2c387c76b52c9d2ae3f97824108e0ccb389b376c0276e57ed23f3385d064ea0-1323175262

Is there a context between these three (false?) warnings?

No, this is different... because you used the "scan memory" setting.
Do not use the "scan memory" setting, as this will give some strange scan results.
The forum is full of this if you search.

Do not change the default scan settings if you do not know the result of it.


Tgell

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #41 on: December 06, 2011, 03:28:59 PM »
Kind of weird. A person posted on Yahoo answers that Avira picked it up as a virus so they installed avast! and got the same problem. Shared database?

http://ph.answers.yahoo.com/question/index?qid=20111206051008AAFRO5q

max1e6

  • Guest
could it be a hoax?
« Reply #42 on: December 06, 2011, 03:29:25 PM »
I got it on one of my XP computers but, get this, I disabled Avast long ago.

Avast is listed as a startup program in msconfig but I'm fairly sure I disabled the item long ago.

Then again, it could be one of my senior moments.

bigspanner

  • Guest
Re: Rootkit hidden filefloppy sys
« Reply #43 on: December 06, 2011, 03:32:34 PM »
Alright, if this is a false positive, can Avast please come up to the plate and hit the ball instead of wasting everybody's time?

Offline Pondus

  • Probably Bot
  • Posts: 37644
  • F-Secure user
Re: could it be a hoax?
« Reply #44 on: December 06, 2011, 03:34:46 PM »
I got it on one of my XP computers but, get this, I disabled Avast long ago.

Avast is listed as a startup program in msconfig but I'm fairly sure I disabled the item long ago.

Then again, it could be one of my senior moments.

You mean you have more than one AV installed?