Excess Broadband Usage

Garry Sturgess
Posted: January 13th, 2006, 9:17pm
Posts: 3

I have a client whose broadband usage went through the roof a few days ago and has continued to exceed 80MB per day (cp 8-10MB previously). It doesn't appear to be anyone working there. Is it possible to locate where the traffic originated? SBS2K3 with 11 workstations. Fixed IP address. ADSL is linked through the server - all activity goes via server to ADSL.

dlwolff0
Posted: January 15th, 2006, 7:30pm
Big Member
Posts: 457 Reputation: 0.00%

What type of firewall is the system using? What antivirus program is being used? My first suspicion would be that a trojan program has been planted on the network and someone is using one of the workstations as a remote server. The fixed IP address would make this easy.

Reply: 1 - 6

Garry Sturgess
Posted: January 20th, 2006, 6:26pm
Posts: 3

Windows firewall on all XP machines, ZA on W2K. McAfee AV. My thoughts as well. I have run Win Mal SW Rem tool on all, Spyware, AV and PUP searches but found nothing. I am absolutely certain it is an external program. Any fixes? I am thinking to change the IP and logon ID?

Reply: 2 - 6

dlwolff0
Posted: January 21st, 2006, 2:34am
Big Member
Posts: 457 Reputation: 0.00%

Try using a trojan search and removal program. I currently use Trojan Hunter, but there are other good ones. The antivirus and spyware programs will catch trojans only in rare cases. Since the invader is already on the network, changing the logon and IP address would most likely be ineffective. You need to determine whether the server itself, or which workstation, is infected.

Reply: 3 - 6

okieroadwarrior
Posted: January 21st, 2006, 8:56am
Posts: 5

If enough computers are set to that website being the home page, then every time someone opens their browser, bam, it's a hit. Sounds far-fetched, but I've seen it happen, personally.

phoenicks
Posted: January 31st, 2006, 2:17pm
Posts: 3

You might need a packet sniffer to save packets to be checked for later. It sounds like one or more machines is a "zombie" machine that is being used as a relay station or is just sending out mindless spam due to a trojan infection. You will need to run a good spyware remover in addition to Antivirus. We use SpySweeper by Webroot. Some sold on the internet can actually be spyware programs, so be careful in your selection. Also, an education of your clients as to safe web surfing practices is warranted. Good luck. P

Reply: 5 - 6

Garry Sturgess
Posted: January 31st, 2006, 8:08pm
Posts: 3

Thanks for all your replies. I set up a report just after the excess usage began and waited for a 7 day view. It appears a lot of the usage was from an online auction site that many of the staff had been using and which was set up for autorefresh. The next major site was (hold your breath) - hotmail.com. Blocking those sites has reduced the traffic by 60%. I am still not convinced that is the total answer. I run a number of AV and spyware programs. None have found any problems that could explain the jump in usage. I am preparing usage policy forms at the moment and will present them to the Directors (also part of the problem for receiving silly emails from "friends") for implementation. Thanks again.

Reply: 6 - 6
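
An added example, not part of the thread or any poster's code: one way to build the kind of usage report described in the last post, totalling bytes per workstation and per site from a proxy log and flagging sites that one workstation requests at a near-constant interval, as an auto-refreshing page would. The five-column log layout, the addresses and the host names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample. Assumed layout: date time client-ip dest-host bytes
SAMPLE_LOG = """\
2006-01-18 09:00:00 192.168.16.21 auction.example 150000
2006-01-18 09:00:10 192.168.16.22 webmail.example 40000
2006-01-18 09:01:00 192.168.16.21 auction.example 150000
2006-01-18 09:02:00 192.168.16.21 auction.example 150000
2006-01-18 09:02:40 192.168.16.22 webmail.example 40000
2006-01-18 09:03:01 192.168.16.21 auction.example 150000
2006-01-18 09:04:00 192.168.16.21 auction.example 150000
2006-01-18 09:05:00 192.168.16.21 auction.example 150000
2006-01-18 09:15:00 192.168.16.22 webmail.example 40000
2006-01-18 09:16:30 192.168.16.22 webmail.example 40000
2006-01-18 09:20:00 192.168.16.23 update.example 25000
2006-01-18 09:40:00 192.168.16.22 webmail.example 40000
"""

def usage_report(log):
    """Total bytes per client and per destination; collect hit times per pair."""
    by_client, by_host, times = defaultdict(int), defaultdict(int), defaultdict(list)
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and header comments
        day, clock, client, host, size = line.split()
        by_client[client] += int(size)
        by_host[host] += int(size)
        times[(client, host)].append(datetime.fromisoformat(f"{day} {clock}"))
    return by_client, by_host, times

def autorefresh_suspects(times, min_hits=5, jitter=2.0):
    """Pairs requested at a near-constant interval (std dev of gaps <= jitter s)."""
    suspects = {}
    for pair, stamps in times.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and pstdev(gaps) <= jitter:
            suspects[pair] = median(gaps)  # typical refresh period in seconds
    return suspects

if __name__ == "__main__":
    by_client, by_host, times = usage_report(SAMPLE_LOG)
    for name, table in (("client", by_client), ("site", by_host)):
        for key, total in sorted(table.items(), key=lambda kv: -kv[1]):
            print(f"{name:6} {key:16} {total:>9} bytes")
    for (client, host), period in autorefresh_suspects(times).items():
        print(f"{client} polls {host} about every {period:.0f}s")
```

A pair that is flagged outside working hours points at an unattended browser or a program rather than a person, which is the distinction the thread was trying to draw.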