Avast antivirus - rootkit false positive? - sfloppy.sys

Discussion in 'Software' started by mjnc, Dec 6, 2011.

Thread Status:
Not open for further replies.
  1. mjnc

    mjnc MajorGeek

    After a reboot, I got a warning popup from Avast reporting that it had found a Hidden Rootkit:
    C:\WINDOWS\system32\drivers\sfloppy.sys

    It recommended Deleting the file immediately, followed by a boot time scan.
    The boot scan did not find any problems.
    Within two minutes after the automatic reboot, the same message appeared.

    I have checked the file visually and it appears normal.
    A manual scan of the file with Malwarebytes Anti-Malware shows No Threat.
    A manual scan of the file with Avast shows No Threat.

    Avast! version 6.0.1367
    Auto updating is ON and definitions are up to date.

    I found a report of this behavior at Yahoo Answers which was posted about an hour before I had the same.
     
  2. sikvik

    sikvik Corporal Karma

    Looks to be a glitchy Avast update. Rootkit false positive ... Eeeks!!
    Also some news here.
    http://forum.avast.com/index.php?topic=89963.0

    VirusTotal comes up clean. Though I believe VT does not necessarily have the latest definitions, in this case the faulting one(s).

    Maybe run a Kaspersky online scan and Kaspersky's TDSSKiller for clearing up doubts.

    Does look like a FP to me though.

    Edit to add: looks like this thread is gonna get a bazillion hits- 902 guests viewing this thread as of now. LOL

    Cheers..
     
    Last edited: Dec 6, 2011
  3. tgell

    tgell Major Geek Extraordinaire

    I got the same thing and as soon as I saw it, I suspected it was a false positive. What is kind of strange was a post on Yahoo answers that said Avira also detected it as a virus. I wonder if some of these definition databases are shared between vendors? I can't even access the avast! forum. It always times out.

    I can imagine there is going to be a tremendous number of people who actually deleted this file. This has happened a number of times with avast!. I would think they would have their Quality Control fixed by now.
     
  4. sikvik

    sikvik Corporal Karma

    Yes, checked the link I posted a bit ago and got timed out.
    They already had 5555 views then. Now up to 6444. Annnnddd counting.
     
  5. RainbowRescue

    RainbowRescue Private E-2

    Same here! Just, the next couple of boot scans ended with my PC shutting down halfway through the scan. Manual Avast scan shows the virus every time. Son says to wait, but I am afraid to use my email so as not to infect others. (I am not a geek :wave, I will keep an eye on this thread.
    Regards
     
  6. plastidust

    plastidust Command Sergeant Major

    In the Avast thread (now up to 5 pages), the consensus of opinion is to ignore for now and submit to the virus lab. Seems all the affected machines are running XP. I've not had the message yet, xing fingers, and this machine is running XP. Suspect this will be corrected shortly.

    Edit:
    Update, evidently the issue has been resolved and a VPS will be released shortly.
     
  7. mainegirl377

    mainegirl377 Private E-2

    I was having this same issue on 2 of my systems, both of which run Windows XP. I followed the deletion process but it remained on my systems. During the boot scan I hit the Esc key and finished loading Windows, then I went to uninstall Avast, but there was a repair option, so I did that, and I have had no problems since doing the repair on both systems.

    Hope this helps any of you and anyone who comes looking for ideas :D
     
  8. tgell

    tgell Major Geek Extraordinaire

    Fixed in the latest definition. Update to VPS 111206-2 and reboot.
     
  9. mjnc

    mjnc MajorGeek

    Well, this little glitch certainly caused a stir.

    To anyone who has received this Warning, do not be concerned; it is a false positive.

    Since the definitions were automatically updated, I have not received another warning.

    I had already determined that the file was probably OK, since doing a selective scan of the file with Avast,
    from the right click context menu, reported No Threat.

    If anyone has Deleted the file, check your Recycle Bin to see if it is possibly there, and Restore the file.
    Otherwise, check the Avast Virus Chest on the Maintenance tab.

    Don't know if that is good or bad, or a mix of both.
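    Added example (my own, not from this thread, from Avast or from Microsoft): read-only checks a defender can run on a driver file an antivirus product has flagged, before deleting anything. It compares the flagged file against a cached copy and reports its Authenticode status and version block. Assumptions, labelled in the code: the flagged path is the one reported in the thread, the reference copy is the Windows XP service pack file cache (`$env:SystemRoot\ServicePackFiles\i386`, which may not exist on other Windows versions), and PowerShell 2.0 or later is available.

```powershell
# Added example, not code from the thread, from Avast or from Microsoft.
# Assumptions: flagged path as reported in the thread; reference copy in the XP
# service pack cache (may be absent on other Windows versions); PowerShell 2.0+.

function Get-FileSha256 {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Computed via .NET so it also runs on PowerShell 2.0 (Get-FileHash needs 4.0+).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-FlaggedDriver {
    param(
        [string]$Flagged   = "$env:SystemRoot\system32\drivers\sfloppy.sys",
        # Assumed location of the service pack copy mentioned in the thread.
        [string]$Reference = "$env:SystemRoot\ServicePackFiles\i386\sfloppy.sys"
    )

    if (-not (Test-Path $Flagged)) {
        # Already deleted: the thread's advice applies (Recycle Bin or the AV chest).
        return New-Object PSObject -Property @{ Path = $Flagged; Exists = $false }
    }

    $item = Get-Item $Flagged
    $sig  = Get-AuthenticodeSignature $Flagged
    # Caveat: older PowerShell (2.0 on XP) checks only embedded signatures, not
    # catalog (.cat) files, so "NotSigned" on a catalog-signed Microsoft driver is
    # not conclusive; newer Windows versions do consult catalogs here.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    $result = New-Object PSObject -Property @{
        Path             = $Flagged
        Exists           = $true
        SizeBytes        = $item.Length
        Company          = $item.VersionInfo.CompanyName
        Description      = $item.VersionInfo.FileDescription
        SignatureStatus  = $sig.Status.ToString()
        Signer           = $signer
        Sha256           = Get-FileSha256 $Flagged
        ReferenceSha256  = $null
        MatchesReference = $null
    }

    if (Test-Path $Reference) {
        # Same bytes as the cached copy is strong evidence the live file is untouched.
        $result.ReferenceSha256  = Get-FileSha256 $Reference
        $result.MatchesReference = ($result.Sha256 -eq $result.ReferenceSha256)
    }
    return $result
}

Test-FlaggedDriver | Format-List
```

    Reading the output: a hash that matches the cached copy, a valid Microsoft signature and a Microsoft version block together support the false-positive reading; if any of those disagree, quarantine the file rather than delete it, so it can be restored once the vendor has looked at it.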
     
  10. tgell

    tgell Major Geek Extraordinaire

    I asked that question about shared databases over at the avast forum and it was confirmed they do not. Also asked about shared signatures and that was also said to be not the case.
     
  11. blues

    blues Private E-2

    Look: Avast! keeps trying to eradicate this file "sfloppy.sys", and fails to do it? That is the mark of a false positive? I think not. I run (among other things) Win XP. This file keeps reappearing after being comprehensively eradicated by Avast! Hmm. And in "system32" of all places, so it would be expected to appear elsewhere, but where? In fact, it keeps reappearing in "service pack 3". What? That's weird! I don't know for sure if you can wipe the rootkit itself, but you can safely remove "sfloppy.sys". I will assume from now we are dealing with a real rootkit!

    Programs needed:

    Agent_Ransack_FileLocator_Lite_2010

    http://majorgeeks.com/Agent_RansackFileLocator_Lite_d6762.html

    7-Zip_9-2_Beta (Not Beta, really)

    http://majorgeeks.com/7-Zip_d4603.html

    Normally, you could just use the Windows "Search" operation, but I use Agent Ransack (works better). Most people would advise using Safe Mode for this, but plain Administrator Mode worked just fine for me. So download these two programs (in limited mode, if you know how), and physically disconnect from the Internet to run them. (You first must (temporarily!) cancel the Avast! warning.) Then install them.

    Now, use Agent Ransack to find every instance of "sfloppy.sys" on your system. It's easy! Now, right-click on each instance (right within Agent Ransack), and use 7-zip to "Add To Archive" with simple "Zip compression" but also with a simple encryption password (say, "jj"). All the instances are now preserved, but encrypted, thus useless to any rootkit. Now delete every original unencrypted instance of "sfloppy.sys" really fast! Now, SIMPLY REACH BEHIND AND TURN OFF THE POWER SWITCH, OR JUST PULL THE DANG PLUG! No more memory of the files in RAM! (Windows will survive this.) Leave it off for five or ten minutes. Reboot.

    No more warnings from Avast! HAHAHA!!!!!
     
  12. RainbowRescue

    RainbowRescue Private E-2

    I have another problem after this FP issue.
    First boot scan went OK (no virus found, btw), but the next few didn't. Almost at the end of the scan, my PC shut down all of a sudden and I was not able to turn it on for some time. (Always the boot scan; a normal Avast scan didn't do that.)

    Had no problems with Malwarebytes scanning that day. But the same thing happened with the Malwarebytes scan today: almost at the end, the PC shut down.

    I am afraid to scan my PC now, lol.

    What could that be?
     
  13. mimon

    mimon Private E-2

    Maybe hardware related, as far as an overly dusty case (fans, CPU, heatsinks) or a failing power supply, symptomatic of a case not responding to a power-on restart immediately. Try a thorough internal case cleaning with canned air and fine grade brushes.
     
  14. RainbowRescue

    RainbowRescue Private E-2

    Lol!
    Thank you very much for your reply! (I got an ancient PC, and it could be overheating.) Thank you! :)
     