Author Topic: F/P: cercsr6.sys as Sirefef-AAP [Rtk]  (Read 5461 times)

Offline ky331

« on: June 29, 2012, 09:40:49 PM »
avast definition 12 06 29 - 2  is [falsely] detecting

c:\windows\system32\drivers\cercsr6.sys

this file is the DELL CERC SATA1.5/6ch Miniport Driver (Dell RAID Controller)

VirusTotal shows 2 [of 42] anti-virus company detections, alleging Win32:Sirefef-AAP [Rtk]

--- the two being avast, and GDATA.   [Note:  GDATA is a superset of Avast... so any problem found by avast will also be reported by GDATA.   Hence, it's really only 1 detection].

https://www.virustotal.com/file/65cacfa643e52a0c0e6b2d901228a8a0ad4993cafa3c287e65395f4b7c521089/analysis/1341004628/

I have uploaded this file to avast for analysis, via my virus vault.

« Last Edit: June 29, 2012, 11:04:52 PM by ky331 »
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! v8 Free, MBAM Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, SpywareBlaster, IE11 & Firefox [both using WOT (set to BLOCK); KeyScrambler for IE], WinPatrol PLUS, EMET3+MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner), Secunia PSI. 
[I am experimenting with Sandboxie, and believe computer-users who sandbox are acting prudently.]

Offline Pondus

« Reply #1 on: June 29, 2012, 11:11:52 PM »
Sigcheck
publisher................: Adaptec, Inc.
product..................: Dell RAID Controller
internal name............: cercsr6.sys.B7405
copyright................: Copyright 2003 Adaptec, Inc. All rights reserved.
original name............: cercsr6.sys
file version.............: 4.1.0.7405
description..............: DELL CERC SATA1.5/6ch Miniport Driver


First seen by VirusTotal
2009-03-20 08:21:56 UTC ( 3 år, 3 måneder ago )


Oh yes... sure looks like an FP






Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline ferngon2012

« Reply #2 on: June 30, 2012, 01:00:36 AM »
Hi, I too am having this type of problem. I am not savvy when it comes to technology, and would like to know if my computer is in danger. Everything described on your post is the same thing happening to me. Should I be worried?

Offline ky331

« Reply #3 on: June 30, 2012, 01:06:07 AM »
FP (or F/P) means False Positive... a SAFE file, which Avast is erroneously detecting as being a virus.

If you have EXACTLY the same file/version being detected on your system, I'd say you're safe [as I believe I am].   If you're saying you have something "similar"... or perhaps ANOTHER file being detected as Sirefef... I can't make any such assertion.

Officially, we have to wait for avast to concur... to see if they adjust their database to no longer detect this file in the future.   When/if they do, I'll report back here.
« Last Edit: June 30, 2012, 01:08:10 AM by ky331 »

Offline ferngon2012

« Reply #4 on: June 30, 2012, 01:20:21 AM »
> FP (or F/P) means False Positive... a SAFE file, which Avast is erroneously detecting as being a virus.
>
> If you have EXACTLY the same file/version being detected on your system, I'd say you're safe [as I believe I am].   If you're saying you have something "similar"... or perhaps ANOTHER file being detected as Sirefef... I can't make any such assertion.
>
> Officially, we have to wait for avast to concur... to see if they adjust their database to no longer detect this file in the future.   When/if they do, I'll report back here.

Thanks a lot for the fast response. I just posted a new topic asking for help, but now you answered my concern. Again, thanks, and I'll be checking up on this every now and then.

Offline Wehrdo

« Reply #5 on: June 30, 2012, 01:59:43 AM »
Just wanted to throw in Avast detected the same on my system. I found it hard to believe I had caught a rootkit, so a bit of searching brought me here.

It's detecting C:\WINDOWS\system32\drivers\cercsr6.sys as Sirefef-AAP

I wasn't aware what that file was, but I do have a Dell machine that came with a RAID setup, so it makes sense. Do I need to restore the file?

Offline Rick F

« Reply #6 on: June 30, 2012, 02:11:15 AM »
I just had this falsely detected too on my Dell PC (same definitions as OP).  It popped up in the 'rootkit' scan about 8 mins after boot this evening.  I wrote down the info before saying send it to virus chest.  I figured it was a FP (false positive). I just clicked 'stop' and not move to chest.  Then before I could go online to research, another pop-up said "Root kit detected, suggest you do a boot time scan".  So I did.

While it was scanning, I used my iPad to search and found it's a false positive reported here in the forum, so I stopped the boot time scan, booted and looked for the file, "Windows\System32\drivers\cercsr6.sys".  It's not there!  Avast must have deleted it. I never tell it to delete a file.  If I'm not sure, I send it to the chest and then research.  It's not in the chest either.   :o

Does anyone know where I can get this file?  Or... maybe I really don't need it?  Not sure.

Thanks.
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

Offline Wehrdo

« Reply #7 on: June 30, 2012, 02:24:42 AM »
> Does anyone know where I can get this file?  Or... maybe I really don't need it?  Not sure.

I could send you mine, assuming it's the same version.

Offline Rick F

« Reply #8 on: June 30, 2012, 02:37:14 AM »
Thanks, but not sure what version I have... or had.  ::)  I'm still running SP-2 on WinXP (media player). Long story... but I can't go to SP3 due to some hardware issue.

I found one here: http://www.runscanner.net/lib/cercsr6.sys.html, but not sure that's the correct version either.  It's an exe file and looks like it has to be installed by a driver agent.  Don't know if that site is reliable either. Plus, it probably won't work if I tried until after avast fixes the FP.  My PC seems to be working ok for now.  I do periodic image back-ups of my HDD so I know the file is somewhere (I use Symantec Live State Recovery or Live DeskTop).  Just can't find it yet.

Thanks for the offer.  I may take you up on it.

« Last Edit: June 30, 2012, 02:38:58 AM by Rick F »

Offline Wehrdo

« Reply #9 on: June 30, 2012, 02:45:50 AM »
> Thanks, but not sure what version I have... or had.  ::)  I'm still on running SP-2 on WinXP (media player). Long story... but I can't go to SP3 due to some hardware issue.
>
> Thanks for the offer.  I may take you up on it.

To be perfectly honest, I don't know what version I have either!  ;)

I personally would be wary of downloading system files from the internet. But maybe that's just me. Those sites always look shady to me.

Offline Rick F

« Reply #10 on: June 30, 2012, 02:54:17 AM »
Yes, I know what you mean. 

It's a "mini port driver" (DELL CERC SATA1.5/6ch Miniport Driver - Dell RAID Controller).  Everything I've tried seems to work, so not sure.  I think I can get it from my HDD backups though.  Just have to figure out how... and then after avast fixes their definitions.  Thanks.

Offline Purplemuse

« Reply #11 on: June 30, 2012, 05:17:23 AM »


> Does anyone know where I can get this file?  Or... maybe I really don't need it?  Not sure.
>
> Thanks.

I wrote down the location that Avast detected on my system and it wasn't in the windows driver folder, but the windows/dell folder. You might try looking for it there, or run a search for the file name (cercr6.svs)
here's the exact location I received. Hope yours is there!
windows/dell/adaptec/cercsr6.svs

Offline Milos

  • avast! team
« Reply #12 on: June 30, 2012, 07:19:39 AM »
Hello,
FP should be fixed in current VPS (120630-0).

Milos

Offline Plus8

« Reply #13 on: June 30, 2012, 08:25:32 AM »
I had several files which I moved to chest during boot scans and one I deleted, sadly. How do I restore those files from the chest to my XP laptop?! One of them was that Dell file above. The restore option must be there but I'm missing it. Tried right-clicking, etc. Thanks!

Offline ky331

« Reply #14 on: June 30, 2012, 10:22:27 AM »
CONFIRMING:   the F/P has been FIXED in definitions 12 06 30 - 0   :)

I thank avast for the timely response to my posting the F/P here... but feel bad about the others who have posted in this thread, who didn't realize it was (or know about) a F/P.  :(

Per a remark by Purplemuse, I just checked on my system, and discovered that I DO have a copy of that file in my
C:\WINDOWS\dell\cercsr6
subdirectory [and have compared with the system32\drivers file to confirm it's the same version].  Hopefully, those who deleted theirs may be fortunate enough to find they do too.
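Added example, not part of the thread and not avast's tooling: one way to make the "EXACTLY the same file" comparison discussed above concrete. It hashes the flagged driver and any other copies (vendor folder, backup image, a file offered by someone else) against the SHA-256 in the VirusTotal link from the first post. The function names and the file name inside `C:\WINDOWS\dell\cercsr6` are assumptions.

```python
import hashlib
from pathlib import Path

# SHA-256 taken from the VirusTotal URL in the first post of this thread.
THREAD_SHA256 = "65cacfa643e52a0c0e6b2d901228a8a0ad4993cafa3c287e65395f4b7c521089"


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so it never has to fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(detected, candidates, reference=THREAD_SHA256):
    """Classify the flagged file and list copies that match the reference hash.

    detected   -- path the scanner flagged (may already be deleted)
    candidates -- other copies: vendor folder, backup image, offered file
    """
    reference = reference.lower()
    detected = Path(detected)
    if not detected.exists():
        verdict = "missing"
    elif sha256_of(detected) == reference:
        verdict = "same file as reported false positive"
    else:
        verdict = "different file: the thread's conclusion does not apply"
    # Only a byte-identical copy is an acceptable restore source.
    restorable = [str(p) for p in map(Path, candidates)
                  if p.is_file() and sha256_of(p) == reference]
    return verdict, restorable


if __name__ == "__main__":
    # Paths as named in the thread; the file name under dell\cercsr6 is assumed.
    verdict, sources = triage(
        r"C:\WINDOWS\system32\drivers\cercsr6.sys",
        [r"C:\WINDOWS\dell\cercsr6\cercsr6.sys"],
    )
    print(verdict)
    print("restore candidates:", sources or "none verified")
```

A copy that does not match the reference hash is simply left out of the restore list, which covers both a different driver version and a file obtained from a download site.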
