Do you have any log files, traffic captures, etc.? Email subject/attachment
logs? Proxy logs? If not, it could be tough to trace this back without
access to the box.

I would start, though, by posting the same question to the SecurityFocus
Incidents list.

Try searching the hard disk of one of your infected PCs (off network) for
file creation/alteration times that are the same or within a few minutes of
nortonav.exe. See if you can find any cached websites, history, inbox, etc.

Is this program listening on any TCP/UDP ports? (fport.exe, from Foundstone)
Are other files open by this application? (fscan.exe, from Foundstone)

Good luck,
John

On Tue, 06 Jul 2004 15:01:18 -0500, Jason Sievert <jsievert at jsievert.net> wrote:
> Hey guys, my company is getting blasted with a virus that I can find
> nothing about. None of our latest virus scanners can seem to find it.
> It looks to be a single file, nortonav.exe, that is run at startup via
> the registry in Windows. It is choking our network to the point that
> nothing can be done at this point. The hardest hit seem to be Windows
> 2000. All of the computers do have the latest patches as of today. It
> does show up under the task manager as nortonav.exe. I am still trying
> to figure out how it gets in and what the traffic looks like. Has
> anybody seen anything like this???
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> Help beta test TCLUG's potential new home: http://plone.mn-linux.org
> Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
> tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list
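The timestamp search suggested in the reply above, as an added example that is not part of the original thread: it lists files whose modification or creation time falls within a few minutes of the reference file (here nortonav.exe). The function name `files_near`, its parameters and the five-minute default are assumptions, and it is meant to be run against the infected disk mounted offline or on the isolated PC.

```python
import os
import sys
from datetime import datetime, timezone

# st_ctime is creation time on Windows but inode-change time on Unix,
# so on a mounted image read it accordingly.
def files_near(root, reference, window_minutes=5,
               fields=("st_mtime", "st_ctime")):
    """List files under root with a timestamp within window_minutes of
    any timestamp on the reference file (e.g. nortonav.exe).
    Returns (offset_seconds, field, utc_time, path), closest first."""
    ref_stat = os.stat(reference)
    ref_times = [getattr(ref_stat, f) for f in fields]
    ref_real = os.path.realpath(reference)
    window = window_minutes * 60
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # locked or unreadable: skip and keep walking
            if os.path.realpath(path) == ref_real:
                continue  # do not report the reference file itself
            best = None
            for f in fields:
                t = getattr(st, f)
                for r in ref_times:
                    d = t - r
                    if abs(d) <= window and (best is None or abs(d) < abs(best[0])):
                        when = datetime.fromtimestamp(t, timezone.utc)
                        best = (round(d), f, when.isoformat(), path)
            if best:
                hits.append(best)
    return sorted(hits, key=lambda h: (abs(h[0]), h[3]))

if __name__ == "__main__":
    # usage: python files_near.py <disk root> <path to nortonav.exe> [minutes]
    minutes = int(sys.argv[3]) if len(sys.argv) > 3 else 5
    for offset, field, when, path in files_near(sys.argv[1], sys.argv[2], minutes):
        print(f"{offset:+6d}s  {field:8}  {when}  {path}")
```

File timestamps can be changed after the fact, so treat the hits as leads to corroborate with the other logs mentioned above.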