snort wont be what you want, thats an intrusion detection system (assuming its the same thing we're talking about!) Try something like adaware or spybot search & destroy (this ones free). Could also try having a look at process explorer from sysinternals, and seeing if theres any odd looking processes knocking about. Give the ol gal a full virus scan too, to be on the safe side :) Andrew --o-- >>> Jon.Spriggs@xxxxxxxxxxxxxx 25/08/04 10:51:33 >>> "what happens after that time, or do you mean that it breaks at that time and stays broken til next reboot? and presumably it affects any user on the server at the time, ie another user logs in after its broken and its still broke?" As it's a server-in-use, if it's broken for too long, then the users start to complain! It's been down for approx. 1 hour before someone's rebooted it before, and yes - each user who logs in opens IE, and then IE locks. "perhaps something interacting with it - could potentially be spyware?" This was why I thought of running something like snort on the box, to identify if it's trying to talk to anything - perhaps matching that up against a process list of some description? This box is only designed to run two applications... IE and a client to a small off-machine SQL database. The database never has any problems (although I'm checking that out as well as at 7am, there isn't going to be much activity on it). Jon Spriggs -- The presence of a "Fujitsu" address does not imply or assume that Fujitsu Services, Fujitsu or any other company containing the Fujitsu name uses or endorses this product. This email is purely a personal opinion. -----Original Message----- From: Andrew Rogers [mailto:Andrew.Rogers@xxxxxxxxxxxxxxxxxx] Sent: 25 August 2004 10:34 To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Windows 2k Terminal Server - Accessing Internet Problems Hmm, I was going to say look at the switch, but then sense came back to me, and realised this is a TS server :) I'd say try and grab something which will show you whats installed in IE.. If the TS sessions themselves are unaffected, and you can use the same proxy from another machine, then fingers are pointing at IE, or perhaps something interacting with it - could potentially be spyware? but it seems odd that its only at that time in the morning! what happens after that time, or do you mean that it breaks at that time and stays broken til next reboot? and presumably it affects any user on the server at the time, ie another user logs in after its broken and its still broke? Andrew --o-- >>> Jon.Spriggs@xxxxxxxxxxxxxx 25/08/04 10:10:17 >>> The users get no error messages, the browser locks up, part way through loading the internal intranet. I'm able to access pages OK through the proxy from a standalone machine. I'm also able to access the terminal server OK from my machine. The browser locks up for me as well though when I try and open it. I've not tested ping, telnet etc., although I'll check those out this coming Monday. Another interesting fact with this fault is that the machine that is there now was the replacement for another machine that was doing exactly the same thing - between 7 and 8 on Monday Morning, it'd lock out the browser. At that time in the morning, I've got maybe 5 users on the machine. Jon Spriggs -- The presence of a "Fujitsu" address does not imply or assume that Fujitsu Services, Fujitsu or any other company containing the Fujitsu name uses or endorses this product. This email is purely a personal opinion. -----Original Message----- From: Andrew Rogers [mailto:Andrew.Rogers@xxxxxxxxxxxxxxxxxx] Sent: 25 August 2004 09:36 To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Windows 2k Terminal Server - Accessing Internet Problems what errors do the users on the server get when they try and access the internet? do they go through a proxy? can you try other internet apps (ping, telnet, tracert, etc) ? Andrew --o-- >>> Jon.Spriggs@xxxxxxxxxxxxxx 25/08/04 09:12:03 >>> Hi, Can anyone help me? I have a Windows 2000 Advanced Server with Terminal Services where every Monday between 7am and 8am its preventing my users from accessing the internet. A reboot seems to solve it once it's happened, but a reboot an hour before (6am) doesn't stop it from happening. Short of running Snort on the server and some form of keylogger to see what all the users are doing (which I don't think they'd be happy about), I'm stumped as to what I can do next. Any suggestions? Jon Spriggs -- The presence of a "Fujitsu" address does not imply or assume that Fujitsu Services, Fujitsu or any other company containing the Fujitsu name uses or endorses this product. This email is purely a personal opinion. ******************************************************** This Weeks Sponsor RTO Software Do you know which applications are abusing your CPU and memory? Would you like to learn? -- Free for a limited time! Get the RTO Performance Analyzer to quickly learn the applications, users, and time of day possible problems exist. http://www.rtosoft.com/enter.asp?id20 ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This Weeks Sponsor RTO Software Do you know which applications are abusing your CPU and memory? Would you like to learn? -- Free for a limited time! Get the RTO Performance Analyzer to quickly learn the applications, users, and time of day possible problems exist. http://www.rtosoft.com/enter.asp?id=320 ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This Weeks Sponsor RTO Software Do you know which applications are abusing your CPU and memory? Would you like to learn? -- Free for a limited time! Get the RTO Performance Analyzer to quickly learn the applications, users, and time of day possible problems exist. http://www.rtosoft.com/enter.asp?id20 ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This Weeks Sponsor RTO Software Do you know which applications are abusing your CPU and memory? Would you like to learn? -- Free for a limited time! Get the RTO Performance Analyzer to quickly learn the applications, users, and time of day possible problems exist. http://www.rtosoft.com/enter.asp?id=320 ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This Weeks Sponsor RTO Software Do you know which applications are abusing your CPU and memory? Would you like to learn? -- Free for a limited time! Get the RTO Performance Analyzer to quickly learn the applications, users, and time of day possible problems exist. http://www.rtosoft.com/enter.asp?id20 ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm