Topic: "File is not packed", but could it be related to an earlier Trojan

hawker

  • Guest
Avast identified five files infected with WIN32 Trojan-gen(UPX) and WIN32 Trojan-gen(Other). Three of them included “digitalriver” in the file name and were located in C:\WINDOWS files; the other two were located in C:\System Volume Information\_restore. I moved them all to the chest. The next scan identified the Trojan in a different file in C:\System Volume Information\_restore, so I flushed System Restore (as recommended in other threads). The next scan was clear.

However, a scan today has shown as “Unable to Scan” two files in C:\System Volume Information\_restore. Although other threads have said that “Unable to scan” is usually not suspicious, I was worried about these two files since they had names very similar to the ones containing the Trojan. For example, one of the original infected files was named “C:\System Volume Information\_restore{D6CCD645-9008-4178-9EDA-C25D0D93F525}\RP4\A0000149.exe”; the names of the two “Unable to scan” files (and what I did with them) were:

C:\System Volume Information\_restore{D6CCD645-9008-4178-9EDA-C25D0D93F525}\RP4\A0000149.exe\lnno0001.bin (this one I moved to the chest without problem)

C:\System Volume Information\_restore{D6CCD645-9008-4178-9EDA-C25D0D93F525}\RP4\A0000149.exe\lnno0003.bin  (this one I tried to move to the chest, but got the message “Error occurred during moving file to chest. File is not packed”).

Do you think I need to take further action on this, and, if so, what action should I take?

(As I’m writing this, it’s just struck me that in the same scan there were two Firefox profile files with “bin” extensions, with the same “Unable to scan” messages as the two files I’m worried about; do you think they are related? Sorry, I haven’t kept a note of the file names.)

Grateful for any help anybody can offer.



Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: "File is not packed", but could it be related to an earlier Trojan
« Reply #1 on: March 17, 2008, 07:34:17 PM »
I don't think the files in the Firefox profile are related to the ones in System Restore.
Anyway, can you try boot time scanning? Access rights won't be a problem then.
The best things in life are free.

hawker

  • Guest
Re: "File is not packed", but could it be related to an earlier Trojan
« Reply #2 on: March 17, 2008, 08:12:05 PM »
Tech - thanks for your reply. I've now done boot-time scanning on C:\System Volume Information, but the report just said the number of files scanned and no infections, i.e. it didn't say "unable to scan" for anything.

Offline Lisandro

Re: "File is not packed", but could it be related to an earlier Trojan
« Reply #3 on: March 17, 2008, 08:19:57 PM »
> Tech - thanks for your reply. I've now done boot-time scanning on C:\System Volume Information, but the report just said the number of files scanned and no infections, i.e. it didn't say "unable to scan" for anything.

So, is everything ok now?

hawker

  • Guest
Re: "File is not packed", but could it be related to an earlier Trojan
« Reply #4 on: March 17, 2008, 08:39:57 PM »
Well, I don't know. My concern is what has happened to that suspicious file in C:\System Volume Information\_restore that Avast was unable to scan. Any ideas as to how I can reassure myself? (Excuse my ignorance, but I can't find C:\System Volume Information to see if that suspicious file is actually shown there).

Offline Lisandro

Re: "File is not packed", but could it be related to an earlier Trojan
« Reply #5 on: March 17, 2008, 09:20:24 PM »
> Any ideas as to how I can reassure myself? (Excuse my ignorance, but I can't find C:\System Volume Information to see if that suspicious file is actually shown there).

You have nothing to be excused for... If you don't ask, you won't learn.
System Volume Information is a hidden folder that belongs to the system (and not to the user). Files inside it are restore points. Avast can't scan some of them because they're protected by Windows. There isn't anything wrong with this. Boot time scanning should do the work, or, like you've done, flushing the restore points.