False positive: sfloppy.sys

[kd5]

Full path: C:\Windows\System32\drivers\sfloppy.sys

OS: Windows XP SP3


I scanned this file at virusscan.jotti.org and 20 different AV scans (including Avast) said this file is safe.  Furthermore it is a part of the Microsoft Windows operating system so removing it will just screw up the OS, so removing this false positive just screwed up a lot of people's computers.  Seems Avast has had a few dangerously false positives lately, one of which I myself reported a couple of months ago.  I hope we're a little more careful in the future.       -kd5-  

[Pondus]

it is already posted in the Virus and Worms section

[DavidR]

See this topic, http://forum.avast.com/index.php?topic=89963.0, anti-rootkit detection in XP systems.

[whkrems]

How about this, could sfloppy be a rootkit type file by definition?
"A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications."

[DavidR]

Because it is  hidden driver and it isn't digitally signed, this has obviously cause confusion in the anti-rootkit scan. So something changed in the anti-rootkit scan as it wasn't previously detected, a classic sign of a possible false positive detection.

[direktx]

avastsvc.exe --> Alureon-AOR   

[jadinolf]

Good to know.  When I got it on three computers I became a little suspicious.

[Bart5]

I got the same FP on win XP SP3.

[Garrog]

@direktx: if you have a suspected infection, please read http://forum.avast.com/index.php?topic=14433.0 then post in the proper place.

To others...ok maybe it's unlikely the average user needs this driver but let's call me a completist, this is the inevitable question following this cock-up:

For those of us who blindly trusted the Avast recommended option to delete the sfloppy driver - can someone please provide instructions or *official* links to fix our now incomplete systems (I need XP 32b but mileage will vary)?!?  (Windows repair/hotfix/remove-re-install SP3??)

Thanks!

[falcon710]

same problem on windows xp SP3

[-Genesis-]

When i was innocent I try to remove but it need to bootscan for removal so i cancelled it.

I think Avast didnt remove the sfloppy.sys file because virus chest is empty.

[NON]

For those of us who blindly trusted the Avast recommended option to delete the sfloppy driver - can someone please provide instructions or *official* links to fix our now incomplete systems (I need XP 32b but mileage will vary)?!?  (Windows repair/hotfix/remove-re-install SP3??)

You can try System File Checker utility:

Code: [Select]

sfc /scannow
http://support.microsoft.com/kb/310747/

[antonpaco]

a lot of people followed the avast instructions that said " DELETE" and this create confusion and problems on the pc. I hope avast will be more carefull in the future in order to evoid false positive. I scan the file on some antivirus link and all, avast including said that file is safe.
Please make sure to fix the problem as soon as possible.

[Giraffe]

Avast has just popped up here telling me that this is a rootkit. Checking on line gives me the same size and the properties tell me that it's been here for over 3 years and is MS so I've left it.

Yesterday evening I did a full scan with SAS, MBAM, Malware Destroyer, Spybot S&D and a boot-time scan with Avast (I do this once a month) and there were no problems.

I don't know what deleting it would do...!

[xtinguish]

If you deleted the file in error, on rebooting, Windows should recreate the  file automatically. If it doesn't, there are instructions on how to recreate the file from within Windows if you look in the virus and worms section. http://forum.avast.com/index.php?topic=89963.0