Author Topic: sirefef:AAP[Rtk] found on cercsr6.sys  (Read 15583 times)

ferngon2012

  • Guest
sirefef:AAP[Rtk] found on cercsr6.sys
« on: June 30, 2012, 03:15:49 AM »
Hi to all,

I'm having a big problem: just this afternoon avast detected a virus by the name of sirefef:AAP[Rtk], and it found it on cercsr6.sys.

The thing is, I read another post with the same problem, and what I read led me to believe that there's a problem with avast and it's falsely detecting said virus. I am not savvy when it comes to these things; can someone please explain this problem to me and what should be done on my behalf?

Also, if anyone would be so kind as to explain what F/P stands for,

I would highly appreciate it if someone can help me with this issue. Thanks again.



Strafe35

  • Guest
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #1 on: June 30, 2012, 03:24:46 AM »
Hey My Friend!

I'm having the same problem too. There was an earlier report on this, and the program said to be infected was said to be a legit DELL driver (cercsr6), so it might probably be a FP.

So far what I did was check the Summary tab on Avast and found out that there was a software update available, so I did it, restarted my computer and did a selected scan on areas said to be infected with the sirefef:[AAP]. Because I already scanned my pc almost twice with the same result already and there was no need to scan everything, just check your scan log to check out the locations to save time waiting lol;

After which I got a clean scan, now I decided to do a complete C: drive sweep just to be sure.

I'm not saying for certain yet but so far.

Good luck to both of us       

Strafe35

  • Guest
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #2 on: June 30, 2012, 03:34:17 AM »
Small update after the full Drive c: scan...

Well the issue found on cercsr6.sys is no longer there but under the System information volume it was still detected, like you I'm not savvy with this but based from my reading observations files that fall under the Sys Inf (If not mistaken anyone please correct me) these are logs of previous undertakings. I will try to run ccleaner and again ugh! Try to do a scan for the nth time and hope that it will finally be put to rest.

 

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #3 on: June 30, 2012, 03:36:31 AM »
As mentioned in another thread ( http://forum.avast.com/index.php?topic=100335.0 ), I am confident this will be deemed a False Positive.   Relax, do nothing about it, until we get an official verdict from avast.   [If you delete the file (for example, with CCleaner), and avast comes back to tell us it was a mistake, you may not be able to get the file back.]

I'm not exactly sure what you're referring to as "System Information Volume" --- but if that's the same as System Restore files, then yes, it could contain a backup copy of the file... which would explain why avast is picking up on it as well.
« Last Edit: June 30, 2012, 03:42:58 AM by ky331 »
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

Strafe35

  • Guest
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #4 on: June 30, 2012, 04:16:45 AM »
As mentioned in another thread ( http://forum.avast.com/index.php?topic=100335.0 ), I am confident this will be deemed a False Positive.   Relax, do nothing about it, until we get an official verdict from avast.   [If you delete the file (for example, with CCleaner), and avast comes back to tell us it was a mistake, you may not be able to get the file back.]

I'm not exactly sure what you're referring to as "System Information Volume" --- but if that's the same as System Restore files, then yes, it could contain a backup copy of the file... which would explain why avast is picking up on it as well.

Lol; Thanks for clearing that up....yeah I was so delete trigger happy during my boot scan that I deleted the said virus prior to my post here, but after that I did another scan and it detected the cercsr6.sys file again because I was able to put it in the Chest box and restored it again after you mentioned to wait for avast. Fancy that, the Boot scan failed to delete it; so it's really best to do a multiple scan lol;

There finally! After the update I made, I deactivated my system restore, ran ccleaner, did another scan on the locations mentioned and came up clean after pondering for 2 hours on it lol;

Anyway everything I did I already mentioned and hope it works for you guys as well. I just hope turning on the system restore won't bring back that FP just being overly cautious. lol;

Btw I'm running an old DELL OPTIPLEX GX520 SFF, Winxp SP3, Windows Firewall, Ccleaner, Defraggler and Avast.

Strafe35
« Last Edit: June 30, 2012, 04:21:02 AM by Strafe35 »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2295

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #6 on: June 30, 2012, 12:38:10 PM »
CONFIRMING:   the F/P has been FIXED in definitions 12 06 30 - 0   

I thank avast for the timely response to my posting the F/P [in the other thread]... but feel bad about the others who have posted in this thread, who didn't realize it was (or know about) a F/P . 

Per a remark by Purplemuse [elsewhere], I just checked on my system, and discovered that I DO have a copy of that file in my
C:\WINDOWS\dell\cercsr6
subdirectory [and have compared with the system32\drivers file to confirm it's the same version].  Hopefully, those who deleted theirs may be fortunate enough to find they do too.

==============================

to Strafe:
1) Being "delete trigger happy" is not a good thing.   As you've now experienced, anti-virus programs are occasionally guilty of making False Positive detections --- it's a fact of life, and there's nothing that can be done about it.
I strive to keep my systems "squeaky clean", so ANY time I get a virus warning [which is extremely rare for me], I treat it as likely being a F/P.   First and foremost, NEVER DELETE files:  once deleted, it may be impossible to get it back.   QUARANTINE (VIRUS VAULT) is preferable, in that you can always restore it from the vault to your system.   However, even quarantine is not foolproof:   in the extreme case, if the F/P is for a critical WINDOWS SYSTEM FILE and you quarantine it, you may find that your system will not boot up again :-(   That's why I do my research, and posting, before quarantining.
A great place to start is by uploading the file to https://www.virustotal.com/ which will then have it analyzed by 42 different anti-virus companies.   In the case of cercsr6.sys , only 2 of 42 companies reported it infected.   [Note:  In order to be able to access/upload this file, I had to add it as an exclusion to avast's file system shield --- otherwise, I couldn't get near it.]
2) Be very careful with tinkering with System Restore:   when you disable it, you are REMOVING ALL of your restore information...  meaning when you re-enable it, it's starting with NO data there!   
« Last Edit: June 30, 2012, 12:43:00 PM by ky331 »

ferngon2012

  • Guest
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #7 on: June 30, 2012, 03:18:26 PM »
Just did a full scan and it found no threats, but when I look into the virus chest, cercsr6.sys is still there with all the information from yesterday. Should I do anything about this?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #8 on: June 30, 2012, 03:31:31 PM »
Use the Restore function, right click on the file in the chest and select Restore, a copy remains in the chest. Confirm the file is back in its original location and you can delete the copy in the chest.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

puter illit

  • Guest
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #9 on: June 30, 2012, 04:30:35 PM »
Use the Restore function, right click on the file in the chest and select Restore, a copy remains in the chest. Confirm the file is back in its original location and you can delete the copy in the chest.

Hi David, appears my last issue has caused another, after using system restore to fix CV it appears Avast detected a FP for cerces6 from what I've read, so now I'm having a problem restoring the file. 1st, I have avast set to automatically move anything suspicious to chest. But today I found 2 files, the one from yesterday and another under Last changes dated 12/13/04? Don't know where that one came from. Anyway, in chest I right clicked both to do a scan and both came up "no virus", so now I'm trying to restore and getting mixed messages. Help please!

The 1 dated 12/13 has a restore when I right click, however when I click it says a file already exists and gives me options? Not sure which to do? override, delete etc.etc.

The 2nd file dated from yesterday 6/29 does not give me the option to restore?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #10 on: June 30, 2012, 05:23:14 PM »
Whilst my post is directly for ferngon2012 and related to only the one file cercsr6.sys.

System Restore can have unforeseen consequences.

I suspect that the system restore (SR) may have restored that file already so you can't replace it with the one from the chest (file in use, etc.). If the file that you are trying to restore (is cercsr6.sys of this topic) already exists, leave it. I have no idea what the 2nd file is, its location or malware name.

SR has in the past also messed up avast - so a repair of avast may be advisable.

puter illit

  • Guest
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #11 on: June 30, 2012, 07:52:04 PM »
Whilst my post is directly for ferngon2012 and related to only the one file cercsr6.sys.

System Restore can have unforeseen consequences.

I suspect that the system restore (SR) may have restored that file already so you can't replace it with the one from the chest (file in use, etc.). If the file that you are trying to restore (is cercsr6.sys of this topic) already exists, leave it. I have no idea what the 2nd file is, its location or malware name.

SR has in the past also messed up avast - so a repair of avast may be advisable.

Thanks for the quick response David, I did the SR "before" Avast triggered the cercsr6.sys as a virus & moved it to the chest. Both files I'm referring to are indicated as cercsr6.sys
1. C:\WINDOWS\dell\cercsr6              12/13/2004  (most likely when it was created)
2. C:\WINDOWS\system32\drivers       6/29/2012

As I have a split hard drive reconfigured to accept XP Pro, I have some drivers not part of the original OS, so I get a bit nervous when these kinds of issues arise for fear of deleting or corrupting a shadow driver, especially if I don't know if it's original Dell or a 3rd party add on.  So if I understand you correctly I should "DO NOTHING" and just leave it in chest?

I received a program update this morning, downloaded it but have not rebooted to install yet, waiting to resolve this issue first.
« Last Edit: June 30, 2012, 07:55:20 PM by puter illit »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #12 on: June 30, 2012, 07:55:46 PM »
I would confirm that the cercsr6.sys file/s are present in the C:\WINDOWS\system32\drivers and C:\WINDOWS\dell\cercsr6 folders.

If so the two copies in the chest can be removed, or you can leave them there for a while if you wish and if no adverse effects (e.g. missing file in one of the original locations) then deletion from the chest shouldn't be an issue.

Rick F

  • Guest
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #13 on: June 30, 2012, 08:08:35 PM »
What David suggests is spot on.  Don't worry about the ones in the chest as long as you have them present in 'windows\dell' and 'windows\system32\drivers'.

BTW, the date on my file (cercsr6.sys; 39k in size) is 12/13/2004, which must be the original build date.

puter illit

  • Guest
Re: sirefef:AAP[Rtk] found on cercsr6.sys
« Reply #14 on: June 30, 2012, 09:14:20 PM »
I would confirm that the cercsr6.sys file/s are present in the C:\WINDOWS\system32\drivers and C:\WINDOWS\dell\cercsr6 folders.

If so the two copies in the chest can be removed, or you can leave them there for a while if you wish and if no adverse effects (e.g. missing file in one of the original locations) then deletion from the chest shouldn't be an issue.

Yikes, this is a mess. I just hung up with Dell; they found the C:\WINDOWS\dell\cercsr6 was there. But in the C:\WINDOWS\system32\drivers it's missing, and that's the file in the chest that won't let me restore. He said he copied the file and added it but wasn't sure if it was added completely and that they do not support Avast issues so he could not do anything more. How do I confirm if he replaced the file correctly?
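
Added example, not part of any post in this thread and not avast or Dell code: one way to check whether a copied driver matches a known-good reference copy, as ky331 describes doing by hand in Reply #6. The function names and the sample files are constructed for illustration; the script writes its own test files to a temporary folder so it runs offline.

```python
import hashlib, struct, tempfile
from pathlib import Path

def sha256_of(path):
    # Driver files are small (tens of KB), so reading them whole is fine.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def pe_header_ok(path):
    """A .sys driver is a PE image: 'MZ' at offset 0, PE signature at the offset stored at 0x3C."""
    data = Path(path).read_bytes()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def compare_copies(reference, restored):
    """Return a verdict for `restored` measured against `reference`."""
    if not Path(restored).is_file():
        return "missing"
    if not pe_header_ok(restored):
        return "not a PE image"
    if Path(reference).stat().st_size != Path(restored).stat().st_size:
        return "size differs"          # e.g. an incomplete copy
    if sha256_of(reference) != sha256_of(restored):
        return "content differs"
    return "match"

def constructed_driver_image():
    """Constructed stand-in for a driver file: minimal MZ/PE header plus filler bytes."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(range(256)) * 4

def demo():
    """Write constructed files to a temp folder and check each failure mode."""
    image = constructed_driver_image()
    cases = {"identical": image, "truncated": image[:100],
             "altered": image[:-1] + b"\x00", "zero-filled": bytes(len(image))}
    with tempfile.TemporaryDirectory() as d:
        ref = Path(d, "reference.sys")
        ref.write_bytes(image)
        verdicts = {"absent": compare_copies(ref, Path(d, "absent.sys"))}
        for name, data in cases.items():
            Path(d, name + ".sys").write_bytes(data)
            verdicts[name] = compare_copies(ref, Path(d, name + ".sys"))
    return verdicts

if __name__ == "__main__":
    print(demo())
```

On a real machine, call `compare_copies` with the copy in the `C:\WINDOWS\dell\cercsr6` folder as the reference and the one in `C:\WINDOWS\system32\drivers` as the restored file. A "match" shows only that the two copies are byte-identical, not that either one is clean.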