I've been notified by Time Warner Cable that we have a computer on our network that is infected with RDN/DNSChanger!g!D91863362239, or Alureon.GC as Microsoft calls it. The only clue they can give me is that it has only shown up on the last three Fridays. It is in a different office in a different state. My first thought was that it is a contractor using our SonicWall VPN to submit his time. However, after thinking about it, it could be anyone accessing something on that subnet on Fridays.

We have Webroot on the computers in that office and none of them have found any malware. Where I am now, we have ESET, as well as at our third office in another state. I scanned all the computers here that they remote into just in case, but I am still at a loss as to where this rogue computer is. I sent out a couple of emails to our folks telling them about the virus and asking them to contact me if they have done anything different on Fridays, or if they used the VPN, or maybe a GoToMeeting with that office on Friday.

Do you have any ideas as to determining which computer it is? We have SonicWall NSA 2xx series firewalls at our offices, so it would seem to me that we would be able to look for a certain IP address to show up, or some kind of pattern. Any ideas?