I don't suppose any of the affected systems was covered by Tripwire? If there was a real virus (or other trojan type activity), Tripwire would expose what files were altered.... If any of the systems are Suns, it would help to run the md5check software from the CIAC & CERT, assuming the systems weren't running Tripwire (or ATP or Fortress etc.).

--spaf