Before you try scrubbing your server again I would recommend throughly checking your workstations. Nimda is not a server-only worm like some of it's predecessors, which took advantage of the same IIS vulnerabilities. There is a potent workstation component that spreads via email, network shares and infected web sites. If you have an infected desktop that accesses your server it could be dropping and/or modifying files on your server. here Network associates blurb on it: http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 Peter Chin Network Administrator Office of the Controller Michigan State University 146 Administration Building East Lansing, MI 48824 Ph. (517) 353-4443 Fx. (517) 353-1046