Everything posted by MattyUSA

  1. Forgive me if this is a less than 'technical' response. I think you have your technical answers already. I use a virtual machine for customer supplied suspect files. Not been burned yet. My initial thought response to reading the thread was "Sod the safety aspect, it's illegal, it's theft. Steal her stuff (some things that are noticeable) from around the house and ask what the fundamental difference in behavior is before handing it back." Would it be ok to steal these games off a store shelf?
  2. I had the same issue and after some reading I noted that the versions of mstscax.dll and mstsc.exe were different. It looks like the exe was not updated alongside the dll. So the two file versions were different and the upgrade of RDPClient from 6.0 to 6.1 was failing since this was a requisite. belivakov nailed one method for a solution: uninstall 956744 (rolls back RDP to the previous version so no mismatch?? I think). Worked for me. If you don't have the update folders then I wonder if you can get that update again and use a command line switch to uninstall rather than install. There was obviously a (usually low) risk in deleting the update folders; it's a shame this KB update catches it. I found this page that explained a lot and offered other methods forward: http://www.mskbarticles.com/index.php?kb=2481109 Essentially it only affects those that installed updates without using the Windows Update site. So for me it affected all those machines I slipstreamed updates into a custom build DVD. I'm guessing that is what a lot of readers here are facing. Hope this helps some. Matt
  3. ADSSpy is excellent; I use it a lot. ADS streams are noticeable by a : in the path after the normal file:
     C:\normal.txt:adsfile.txt
     I don't think you have this. The : is simply the one after "Infected". Besides, Windows and other programs legitimately use ADS streams to store metadata about the file. I think what you have is simply the viruses hiding in the restore points. If Kaspersky had been scanning inside a zip file the path may have been:
     file.zip\virus.vrs
     If the virus had been in the ADS of the zip file the path might have been:
     file.zip:virus.vrs
     In your case if you simply put a new line before every entry Kaspersky states it becomes a lot easier to read:
     C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe\stream Infected: not-a-virus:Adware.Win32.Mostofate.u skipped
     Like zip files, EXEs can contain other files, so that is why they can have the \ after them in the path. System Volume Information is not usually accessible in Windows with default settings but it is there and does contain folders like that. My vote, like cluberti's, would simply be you have to disable System Restore to delete the restore points to kill the viruses that are hiding in them. You can enable it again once you are sure you have a clean system. Best Wishes, Matt
     Glenn9999: Yeah. That's spot on. Without ADSSpy can you imagine the difficulty in removing thousands of random-name 1MB ADS files from the root directory or Windows folder, especially with no 'apparent' free space to work with a GUI. I've been there, wasn't fun at all.
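The path-reading rules from post 3 (components after an .exe or .zip are entries inside that container, a colon in the last component is a file:stream ADS separator, and a _restore{...}\RPnnn prefix means a restore point) written out as a small parser for scan lines of that shape. This is an added example, not MattyUSA's code; the line quoted in the post is reused as-is, while the other three sample lines and the container-extension list are constructed assumptions.

```python
import os
import re

# Constructed sample scan output: line 1 is the one quoted in the post, the
# other three are made-up lines covering the archive, ADS and plain-file cases.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe\stream Infected: not-a-virus:Adware.Win32.Mostofate.u skipped
C:\Downloads\file.zip\virus.vrs Infected: Example.Constructed.A skipped
C:\Users\matt\normal.txt:adsfile.txt Infected: Example.Constructed.B skipped
C:\Tools\sample.exe Infected: Example.Constructed.C skipped
"""

# "<path> Infected: <verdict> <action>"; the path may contain spaces, so the
# lazy match stops at the first " Infected:" rather than the last.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<verdict>\S+)\s+(?P<action>\S+)\s*$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP(\d+)\\", re.I)
# Assumed set of file types the scanner opens as containers; components after
# one of these are entries inside it, which is why the path continues past ".exe".
CONTAINER_EXT = {".exe", ".dll", ".zip", ".rar", ".cab", ".msi", ".7z"}


def parse_kaspersky_line(line):
    """Return a dict describing where a detection actually sits, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    parts = path.split("\\")
    container = None
    for i, part in enumerate(parts[:-1]):  # only non-final components can be containers
        if os.path.splitext(part)[1].lower() in CONTAINER_EXT:
            container = "\\".join(parts[: i + 1])
            break
    # The drive colon lives in parts[0] ("C:"); a colon anywhere in the final
    # component is the file:stream separator of an alternate data stream.
    ads_host = ads_name = None
    if len(parts) > 1 and ":" in parts[-1]:
        ads_host, ads_name = parts[-1].split(":", 1)
    rp = RESTORE_RE.search(path)
    return {
        "path": path,
        "verdict": m["verdict"],
        "action": m["action"],
        "container": container,  # archive/PE the entry lives inside, if any
        "ads_host": ads_host,  # file carrying the ADS, if any
        "ads_name": ads_name,  # stream name, if any
        "restore_point": int(rp.group(1)) if rp else None,
    }


def parse_kaspersky_log(text):
    """Parse every scan line of a log, skipping blanks and non-matching lines."""
    return [r for r in (parse_kaspersky_line(ln) for ln in text.splitlines()) if r]
```

For the quoted line the parser reports a container ending in RP246\A0305307.exe, restore point 246 and no ADS, which is the reading the post gives: a file inside an executable inside a restore point, not an alternate data stream.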