Win32:Sirefef-AAP [RTK]

I read the earlier posts and am a bit confused. I have XP SP3 and avast Internet Security. I got a box/message saying that this RTK attacked a System Volume Information file and a file called cercsr6.sys. The computer rebooted and I did a boot-time scan. It had found those files so I quarantined them to the virus chest. Afterwards, I rebooted and got what appeared to be a BSOD. I didn’t do a restore because I was afraid of reactivating the virus. I then updated the avast program, ran another scan (a full system scan) and it found nothing. Has this been identified as a false positive? Or should I worry? I still have the files in the virus chest. Should I keep them there? I didn’t want to delete them in case they were important. Thanks to anybody who answers this.

What was detected on the boot-time scan as the cercsr6.sys detection has, I believe, been corrected as a false positive.
However, the chest is a protected area, so if the files were sent there they wouldn’t be detected on subsequent scans.

What are the file names, (original) locations and malware names of the files in the chest?

Ensure that your virus definitions are up to date and scan the cercsr6.sys file that is in the chest; it should show clean. Right-click on the file and select Restore. A copy of the file remains in the chest; after the avast restore, confirm the file is back in its original location and you can delete the copy in the chest.

This is what shows in the scan log:
C:\WINDOWS\dell\CERCSR6\cercsr6.sys
C:\System Volume Information_restore (it then has over 30 letters and numbers behind it and ends in .sys)

This is what shows in the virus chest:
A0014615.sys C:\System Volume Information_restore
cercsr6.sys C:\WINDOWS\system32\drivers
cercsr6.sys C:\WINDOWS\dell\CERCSR6

All three are labeled Win32:Sirefef-AAP [RTK]

Please update the virus definitions, as that has been determined to be a false positive.

I updated the virus definitions. They are up to date. I scanned the 2 files that said cercsr6 and it said no virus. Should I scan the file that says System Volume Information? Do I restore all 3 files?

The System Volume Information files cannot be replaced.

But restore the remaining files from the chest.

Do I just leave the System Volume Information file in the virus chest if it can’t be replaced?
The second file was cercsr6.sys in C:\WINDOWS\system32\drivers. The Restore function is not highlighted. It won’t let me.
The third file was cercsr6.sys in C:\WINDOWS\dell\CERCSR6. When I clicked Restore, I got the following message:
You are trying to restore a file from the chest. The file already exists. Should the program overwrite the existing file?
The options are Overwrite, Skip, Overwrite all, Skip all or Cancel.

When I clicked Restore, I got the following message: You are trying to restore a file from the chest. The file already exists. Should the program overwrite the existing file? The options are Overwrite, Skip, Overwrite all, Skip all or Cancel.
That means the file is still present at the correct location, so that is OK.

So do I do nothing?

No point in overwriting the file if it is present in the original location (you may get a different error anyway, possibly "file in use").

Essentially there is nothing to do; I would confirm that the cercsr6.sys file is present in the C:\WINDOWS\system32\drivers folder. If so, the three copies in the chest can be removed. You can leave them there for a while if you wish, and if there are no adverse effects (e.g. a missing file in one of the original locations) then deletion from the chest shouldn’t be an issue.

Hi, I received this same virus message this morning, and I had avast remove the three affected files. Hopefully, this won’t have adverse effects. I probably should have quarantined them… but obviously didn’t know any better >:(

I did a search for cercsr6.sys.
The only place it was found on my computer was C:\WINDOWS\dell\CERCSR6.
It shows as a system file.

Search may not find it in the C:\WINDOWS\system32\drivers folder, as it is normally a hidden folder, unless you change the Windows Explorer setting under Tools, Folder Options, View, Hidden Files and Folders.

The only box I needed to uncheck was "Hide protected operating system files", but the file still isn’t there. It is still in my C:\WINDOWS\dell folder but not under drivers. How will this affect my computer?

Since avast won’t let me do a restore on the windows/system32/drivers file, if I do a restore on the first file, System Volume Information_restore…, will that restore the file to the drivers folder?

I would say follow the guide in the image regarding "Show hidden files and folders" and "Hide extensions for known file types". Both of these have an impact on what can be viewed, which is why I suggested changing those options.

Doing a system restore can have unforeseen consequences and can mess up avast; it is likely to screw things up even more. So I certainly wouldn’t recommend it.

No, due to the structure of System Restore you are unable to replace it… For the missing file, just copy the one from C:\WINDOWS\dell\CERCSR6 to C:\WINDOWS\system32\drivers.

How do I do that? In the virus chest, it does give me the option to Extract. Is that easier?

Yes, you could do that.

I just read another post that said I can go to C:\WINDOWS\dell, right-click on the file and copy. Then I can go to WINDOWS\system32\drivers, right-click and click Paste. Does that work? Is it that easy?
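The thread ends with the advice to copy the Dell-folder cercsr6.sys into C:\WINDOWS\system32\drivers. The script below is an added example, not code from the thread or from avast, showing how to do that copy with the two checks a cautious admin would want first: confirm the source still exists, record its SHA-256 and Authenticode signature status, and only copy when the target is actually missing (comparing hashes when it is already present, rather than overwriting a possibly in-use driver). The two paths are the ones named in the thread; the hash is computed through .NET rather than Get-FileHash so it also runs on the older PowerShell versions that could be installed on XP, which is an assumption about the reader's environment. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): verify and, if needed, replace the
# missing driver copy using the locations given in the thread.
$Source = 'C:\WINDOWS\dell\CERCSR6\cercsr6.sys'
$Target = 'C:\WINDOWS\system32\drivers\cercsr6.sys'

# SHA-256 via .NET so it works without Get-FileHash (PowerShell 4+).
function Get-Sha256 {
    param([string]$Path)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

if (-not (Test-Path -LiteralPath $Source)) {
    Write-Host "Source copy missing: $Source - nothing to copy from; extract it from the chest first."
    return
}

# Record what you are about to copy: hash plus signature status, so a
# tampered or unsigned file is noticed before it lands in the drivers folder.
Write-Host "Source SHA-256: $(Get-Sha256 $Source)"
Get-AuthenticodeSignature -FilePath $Source |
    Select-Object Status, SignerCertificate | Format-List

if (Test-Path -LiteralPath $Target) {
    # Already present (the case where the chest says "file already exists"):
    # do not overwrite, just report whether the two copies are identical.
    $same = (Get-Sha256 $Source) -eq (Get-Sha256 $Target)
    Write-Host "Target already present; identical to source: $same"
} else {
    Write-Host "Target missing; copying $Source -> $Target"
    Copy-Item -LiteralPath $Source -Destination $Target
    Write-Host "Copied. Target SHA-256: $(Get-Sha256 $Target)"
}
```

If the signature status is anything other than Valid, stop and compare the hash against a copy you trust (for example the file still held in the avast chest) before copying. If the target exists but the hashes differ, leave it alone and reboot before investigating, since a loaded driver cannot be replaced while in use.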