ADSSpy is excellent I use it a lot. ADS streams are noticeable by : in the path after the normal file. C:\normal.txt:adsfile.txt I don't think you have this. the : is simply the one after infected. Besides windows and other programs legitimately use ADS streams to store metadata about the file. I think what you have is simply the viruses hiding in the restore points. If Kaspersky had been scanning inside a zip file the path may have been: file.zip\virus.vrs If the virus has been in the ADS of the zip file the path might have been: file.zip:virus.vrs In your case if you simply put a new line before every Kaspersky states it becomes a lot easier to read: C:\System Volume Information\_restore{C42B6269-ABC7-4A34-A58A-AEA45D9A53E4}\RP246\A0305307.exe\stream Infected: not-a-virus:Adware.Win32.Mostofate.u skipped Like zip files EXE can contain other files so that is why they can have the \ after them in the path. System Volume Information in not usually accessible in Windows with default settings but it is there and does contain folders like that. My vote, like cluberti's, would simply be you have to disable system, restore to delete the restore points to kill the virus that are hiding in them. You can enable it again once you are sure you have a clean system. Best Wishes, Matt Glenn9999: Yeah. That's spot on. Without ADSSpy can you imagine the difficulty in removing thousands of random name 1mb ADS files from the root directory or Windows folder. Especially with no 'apparent' free space to work with a GUI. I've been there, wasn't fun at all.