Uruguay virus
I am running XP Media Home on my desktop. This morning when I turned on the monitor, there was a virus warning from Avast. The on-access protection found the virus in the following location:
C:\system volume information\catalog.wci\0001000F.ci
The virus is named Uruguay 6/7/8
Avast software advises to move it to “the chest”. I somehow managed to close the virus warning window, without cleaning the virus or putting it into the chest. I am currently running a thorough scan on the C: drive. Please advise what this virus/worm is and what its damage potential is. I want to know what I may have to look for in repairs. I want more info before I simply allow Avast to remove it.
The C:\system volume information folder is a part of the Windows System Restore and as such protected storage, so avast wouldn’t be able to remove it. Files that are removed from the system folders (even viruses) are usually copied into this location as a restore point, just in case you made an error/mistake.
This could simply be an old detection removed from the system folder. The only way to remove infected restore points is to disable system restore and reboot; this clears all restore points.
Win XP-ME - How to disable System Restore
Once you have disabled system restore, reboot, that should automatically delete the contents of the _Restore folders. Scan your PC again and if clear enable system restore.
Not all infected files can be repaired; for instance, Trojans generally can’t be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can’t do any harm and you can investigate the infected warning.
The VRDB only protects certain files, .exe, dll and other system files, it doesn’t protect data files or all files, it is not a back-up program, so there are going to be many occasions where repair won’t be an option.
Only true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it, provided that file is one that avast’s VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.
However, for the most part so-called viruses, trojans (adware/spyware/malware, etc.) can’t be repaired because the complete content of the file is malicious.
I am currently running the thorough scan, so I will wait till it is done to proceed. Thank you for the information on removal. Is there a danger that this virus has already done harm? What is the nature of this virus… ie what does it typically do to the system? Does it send itself to other PCs by way of e-mail, etc.
I’m not sure that there would have been a problem. Files in the C:\system volume information folder can’t be run, as it is protected by Windows, so it won’t allow programs to place files in there; only system restore can do that, and I’m pretty sure the same would be true about letting programs be run from inside the folder.
I can’t say what the virus may or may not have done; there simply isn’t any information to support a decision. The only way to really confirm is what you are doing, a full thorough scan.
It could even be a false positive detection, but there aren’t many ways to check this, so it is safest to simply clear them out so if you do a system restore at a later time that includes this you wouldn’t be restoring an infected file.
Good news, all scanned clean, even the boot-up scan. Must have been a false positive.
Thanks for your help.
If it had been a false positive, it would still have been incorrectly detected, so avast must have been able to take care of it previously, but I’m unsure of that since it was in the C:\system volume information folder, strange?
However, the important thing is that you are showing up clean, welcome to the forums.