We have an installation of Exchange Enterprise 2003 SP2 with NOD32 for Exchange 2.7x (XMON) installed on it. The antivirus program has for some time been picking the same virus contained in a spreadsheet called either "Exp Diary 2007.xls" or "Copy of Exp Diary 2007 2.xls". The antivirus program identifies the virus as a "probably unknown POLY MACRO virus". Our antivirus software is configured to clean emails if possible and the virus is said to have been successfully removed the virus from the .xls file it infects. We are trying to identify which email account or accounts are repeatedly receiving this email however we are having zero luck identifying any further details about the infected emails. So far we have tried: 1) Enabling message and SMTP tracking to match up the times of emails being received and the AV log of viruses been cleaned but we have yet been able to match the two as none of the users who received emails during this time have any record of the .xls attachment. We are performing detailed synchronous logging. 2) Search all emails using exmerge. I have used all sorts of combo's but as yet no email account has been found with any of the .xls attachments the AV program says it has cleaned. Now if I understand the XMON product it is unable to tell us who was sent the infected email because the XMON product doesn't get handed the full email details, only the body and attachments. It scans both and sends it back to Exchange, not caring who it was to be sent to or from, only that it is clean. What we are looking for is if there is any log that Exchange produces, or any NOD32 utility that exists, that can record what emails Exchange is passing to external programs or that XMON is receiving. Does anyone know of such a log or program?