I went through this with another virus - groupshield did a scheduled scan of mailboxes and found 6 or so infected with the virus (it was the one that was a url and the infection happened only if you hit went to the url). They were from well-respected exchange admins and a Microsoft employee (exchange pss) - all people who would be least likely to be infected. Upon examining the messages (as text files) in quarantine, the best any of us could determine was the url and original message text were trapped by groupshield. To add to the weirdness, we could not repro it on new mail, only mailbox scans. Moral of the story? Is the filter is looking at text in the message body and reporting a false positive? Specifically, I see that Patrick included the js that is appended to all web pages by the virus and Mark copied it in a reply. It's basically the exact same scenario with all the messages I had marked as infected. -----Original Message----- Well, accept my humblest apologies, I did not mean to be condescending. Attached are the log files from Scanmail. The only mail that has been Identified by scanmail are patricks@xxxxxxxxxxxxxxxxxx and Mark Strangways. Either way someone is infected.