October 22, 2002

There may still be a way to catch this critter... Do a scan of your registry... First start by looking for IEXPLORE.EXE. What you are looking for is an entry in your registry, followed by a secondary entry (may be an .exe, .pif, etc). That secondary entry should look pretty foreign. That may provide a clue as to what is still being used on your system to look for the .pif's and exe's you mention.

This is how the Aureate spyware attaches itself to I.E. Adaware catches the entry, but since Adaware only looks for known spyware, it's probably useless for this worm. Since you mentioned the worm seems to reactivate when email is opened, it may be using a similar vector w/Outlook.

You are quite right about sys admins being stumped. I have a feeling that none of the major virus firms have considered that what I call the "tagalong" option may be in play. Most viruses stay present by using standard vectors--run, runonce, runservices, etc.... This one I suspect is attaching itself in the same way Aureate does...

-John
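
Added example, not part of the original thread or written by any poster: one way to run the check described above against a registry export, flagging any value whose data names IEXPLORE.EXE together with a second executable. The function name, the sample export, the placeholder key and the file names in it are constructed for illustration.

```python
import re

# Extensions named in the thread (.exe, .pif); .scr and .bat are an added assumption.
EXE_RE = re.compile(r'([^\\/"\s,;]+\.(?:exe|pif|scr|bat))(?![\w.])', re.IGNORECASE)
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample in regedit export format; key and file names are hypothetical.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\WINDOWS\\example_tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\PlaceholderKey]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"
"Launch"="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" C:\\WINDOWS\\unknown_helper.pif"
'''

def find_tagalongs(reg_text):
    """Return (key, value name, other executables) for every value whose
    data references IEXPLORE.EXE plus at least one other executable."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:                      # "[HKEY_...]" starts a new key section
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m or key is None:   # header, blank line or unsupported value type
            continue
        name = m.group(1).strip('"')
        data = m.group(2).replace('\\\\', '\\')   # undo .reg backslash escaping
        exes = {e.lower() for e in EXE_RE.findall(data)}
        if 'iexplore.exe' in exes and len(exes) > 1:
            hits.append((key, name, sorted(exes - {'iexplore.exe'})))
    return hits

if __name__ == '__main__':
    for key, name, extra in find_tagalongs(SAMPLE_REG):
        print(f'{key} -> {name}: also launches {", ".join(extra)}')
```

Exports written as "Windows Registry Editor Version 5.00" are UTF-16, so decode the file accordingly before passing its text in. Only single-line string values are parsed; hex-encoded value types are skipped.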

October 23, 2002

And now another one to add to the Opaserv list.. aliver.exe. Norton caught this one, however same as the others, it catches but does not cleanse.

Regards.. Trev
Visit "The DC-3 Hangar"
http://www.douglasdc3.com

October 23, 2002

Thanks John,

And thanks for understanding a major problem here. It is hard convincing folks of the problem.

I did search the registry and found stuff there which I have since deleted.

scrsvr
brasil
aliver

The most annoying virus I have ever seen in my life.

Norton.. where are you with this? :-(

Regards.. Trev
Visit "The DC-3 Hangar"
http://www.douglasdc3.com