Author Topic: False positive: sfloppy.sys  (Read 28167 times)


Abdul69

  • Guest
Re: False positive: sfloppy.sys
« Reply #15 on: December 06, 2011, 05:30:02 PM »
Good to see Avast is back to computer-killing false positives. There was another one just a few months ago deleting kernel files of x64 machines! Ever heard of QA, Avast? (That aside, over the years Avast has been pretty good; these kinds of issues tarnish the overall reputation!!!)  :'(

Garrog

  • Guest
Re: False positive: sfloppy.sys
« Reply #16 on: December 06, 2011, 05:32:16 PM »
Thanks to posters xtinguish and NON (above).  :)

What do you know, it did re-install on re-boot!

I didn't immediately see info on the forum link from xtinguish, but there are now a bazillion pages and growing on that topic, so... Anyone following NON's suggestion may want to note that the system file checker he refers to requires an installation disk (presumably an OEM rescue facility would also work, if you can find it).

However, fingers crossed for everybody to restore sfloppy.sys through a straightforward re-boot!
« Last Edit: December 06, 2011, 05:35:08 PM by Garrog »

psw

  • Guest
Re: False positive: sfloppy.sys
« Reply #17 on: December 06, 2011, 05:34:27 PM »
Today I got this message too. It appears during the anti-rootkit scan after turning the PC on only. File scanning of sfloppy.sys by Avast! says nothing.
Previously I turned my PC on in the middle of the previous week, and everything was fine.

aswMBR shows error too
--
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-06 20:07:02
-----------------------------
20:07:02.875    OS Version: Windows 5.1.2600 Service Pack 3
20:07:02.875    Number of processors: 4 586 0xF0B
20:07:02.875    ComputerName: PSW  UserName:
20:07:03.531    Initialize success
20:07:03.671    AVAST engine defs: 11120601
20:07:08.953    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:07:08.953    Disk 0 Vendor: WDC_WD3200AAKS-00VYA0 12.01B02 Size: 305115MB BusType: 3
20:07:10.953    Disk 0 MBR read successfully
20:07:10.953    Disk 0 MBR scan
20:07:10.953    Disk 0 Windows XP default MBR code
20:07:10.968    Disk 0 scanning sectors +624876202
20:07:10.984    Disk 0 scanning H:\WINDOWS\system32\drivers
20:07:16.250    File: H:\WINDOWS\system32\drivers\sfloppy.sys  **INFECTED** Win32:Alureon-AOR [Rtk]
20:07:17.812    Service scanning
20:07:18.906    Modules scanning
20:07:38.000    Disk 0 trace - called modules:
20:07:38.015    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:07:38.015    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b710ab8]
20:07:38.015    3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\0000007b[0x8b716940]
20:07:38.015    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8b76fd98]
20:07:38.015    Scan finished successfully
20:07:51.296    Disk 0 MBR has been saved successfully to "C:\Archieve\Avir\Tools.new\aswMBR\MBR.dat"
20:07:51.296    The log file has been saved successfully to "C:\Archieve\Avir\Tools.new\aswMBR\aswMBR.txt"
--

But I'm sure that it is FP.

TDSSKiller says nothing bad
AVZ says nothing bad

xtinguish

  • Guest
Re: False positive: sfloppy.sys
« Reply #18 on: December 06, 2011, 05:39:58 PM »
Avast have now confirmed it as a false positive and will be issuing an update soon.

Offline NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5494
  • Whatever will be, will be.
Re: False positive: sfloppy.sys
« Reply #19 on: December 06, 2011, 05:49:11 PM »
VPS Update was already issued. Please update your VPS.
Latest (fixed) VPS: 111206-2

1. Open avast window.
2. Choose "Maintenance" -> "Update".
3. Click "Update engine and virus definitions". Update will start.
« Last Edit: December 06, 2011, 05:50:43 PM by NON »
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

I explain Avast's settings here. Please have a look if you like.

iyogisolutions1

  • Guest
Re: False positive: sfloppy.sys
« Reply #20 on: December 06, 2011, 05:49:55 PM »

Please update the virus definitions to VPS 111206-2.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: False positive: sfloppy.sys
« Reply #21 on: December 06, 2011, 05:53:27 PM »
As mentioned, ensure you have the latest VPS update 111206-2 and reboot; 8 minutes after the boot the rootkit scan happens and you shouldn't get an alert.

See image extract of the end of the aswAR.log file run after a reboot on my system with that VPS.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

nord

  • Guest
Re: False positive: sfloppy.sys
« Reply #22 on: December 06, 2011, 06:12:51 PM »
Got the same false positive on two separate computers.... luckily I did not delete ALL the sfloppy.sys files, as Windows keeps this stuff in more than one location. So it has been recreated when I booted back up.


XP PRO SP3
« Last Edit: December 06, 2011, 06:15:09 PM by nord »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: False positive: sfloppy.sys
« Reply #23 on: December 06, 2011, 06:17:11 PM »
Yes, there should be a copy in the driver cache.
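The point made in replies #22 and #23, that Windows keeps further copies of sfloppy.sys beyond System32\drivers, suggests a quick check before deleting anything a scanner flags. The following is an added PowerShell example, not code from the thread or from Avast: it looks for every copy of the named driver under the usual locations, hashes each one and reads its Authenticode signature, so the live copy can be compared with the cached one. The list of search locations and the parameter name are assumptions; it needs an elevated PowerShell 4.0 or later prompt (Get-FileHash is not available earlier).

```powershell
# Added example, not from the thread: enumerate the copies of a flagged driver in the
# standard Windows locations, hash each one and check its Authenticode signature.
# Assumptions: the location list below is a conventional set, not something the thread
# specifies; run from an elevated PowerShell 4.0+ prompt.
param(
    [string]$DriverName = 'sfloppy.sys'
)

$root = $env:SystemRoot

# Candidate locations. System32\drivers holds the live copy; dllcache is the Windows File
# Protection cache on XP-era systems; DriverStore\FileRepository holds staged driver
# packages on Vista and later. The search is recursive so a copy in any subfolder is found.
$searchRoots = @(
    (Join-Path $root 'System32\drivers'),
    (Join-Path $root 'System32\dllcache'),
    (Join-Path $root 'System32\DriverStore\FileRepository')
)

$copies = foreach ($dir in $searchRoots) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue
    }
}

if (-not $copies) {
    Write-Warning "No copy of $DriverName found under the searched locations."
    return
}

$report = foreach ($file in $copies) {
    $hash = Get-FileHash -Path $file.FullName -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path      = $file.FullName
        SizeBytes = $file.Length
        SHA256    = $hash.Hash
        # 'Valid' for an intact signed binary. Drivers signed only through a catalog may
        # report 'NotSigned' on older PowerShell versions; the hash comparison below still applies.
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

$report | Format-Table -AutoSize

# Copies that should be identical share one hash; a live copy whose hash or signature
# differs from the cache copy is the one that deserves a closer look.
$distinct = ($report | Select-Object -ExpandProperty SHA256 -Unique).Count
if ($distinct -eq 1) {
    'All copies are identical.'
} else {
    "$distinct distinct versions found; compare SigStatus and Signer above."
}
```

Run it as `.\Check-DriverCopies.ps1 -DriverName sfloppy.sys` (the script name is arbitrary). A single hash across every location, with a valid signature, is the expected picture for a genuine Microsoft driver; it does not replace the anti-rootkit scan, which looks at what is loaded rather than what is on disk, but it tells you whether a clean copy exists before anything is removed.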

_level_

  • Guest
Re: False positive: sfloppy.sys
« Reply #24 on: December 06, 2011, 11:12:15 PM »
I do understand that this is a FP and I did update to the current database. I did choose to delete the file, but as it is a secure system file created by Microsoft, deleting the file does nothing. The file comes back each time because you can't really remove a system file unless you boot into safe mode and manually remove that file.
I got this issue today and, to be most honest, I do trust Avast, but I can now see that this type of situation can lead to a really bad problem. I hope that in future updates Avast is more careful and tests its updates more carefully, so that in future updates it will not spot a virus problem on a major needed file and cause the computer to not boot or worse.
For those that do believe the file is infected, I suggest using http://virusscan.jotti.org/en to make 100% sure that the file is infected and, if so, then boot into safe mode, go into windows\system32\driver and delete it. I don't suggest doing this only because Avast said it was a virus file, because as we now can see this has been the first FP in Avast, but then again who's to say it will be the last ;)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: False positive: sfloppy.sys
« Reply #25 on: December 07, 2011, 12:21:29 AM »
Using Virusscan or VirusTotal is, if you excuse the pun, a total waste of time. These multi-engine scanning sites can't replicate the anti-rootkit scan; they can only do the basic bog-standard on-demand scan.

The anti-rootkit scan can only be run on the live system as it is comparing what windows says is running against what is actually running (hidden processes, etc.), so that can't possibly be replicated on VT, etc.

So even when avast's anti-rootkit scan on your system might find something running as a possible rootkit, even avast won't find anything wrong with the file in isolation of a VirusTotal scan.

bobo1

  • Guest
Re: False positive: sfloppy.sys
« Reply #26 on: December 07, 2011, 12:42:06 AM »
And also came up on my computer.
Is def a false detection as Malwarebytes reported clear. Oh dear! Switched off rootkit scanner now for a few hours after fixture by avast.
I remember AVG antivirus sent out a false detection once and brought down good old Windows operating systems by removing critical Windows files??? to a lot of worldwide users!
« Last Edit: December 07, 2011, 12:49:58 AM by bobo1 »