I have proved them wrong. They are monitoring pop3 traffic. In the log they had everything listed, right down to the virus and the filename used. On one of our pcs I found two virus infected emails (scanned and cleaned by our isp before they even got to us but they still contained a 1k empty zip file) in the trash and the zip file that was attached to the email had the same filename as the ones in the log they sent me.

I'm not very happy with them right now, first they had me scour the network for a nonexistant virus. Then they cut our access. All in all I have spent about 15-20 working hours and some overtime hours trying to find this. It really sucks having no options for broadband.

Thanks for the help with sniffing! I have learned a lot over the past two weeks.

Rene