I have been working on a problem for the last few days that I can't seem to resolve. I'd like some help with this, please.

I am running AVG, Kerio firewall, Trojan Hunter Guard, an SMC Barricade router with SPI, and XP Pro SP2, patched. I have run scans with ewido 4.0, Pest Patrol, HijackThis, AVG, Spybot S&D, Bluelight root kit finder, and Ad-Aware. I have also gone over the HijackThis log line by line and ran PurgeIE to delete all temp files, cookies, history, etc. I have searched the run area of the registry, looked over running processes with a fine-tooth comb, and started and reviewed the Windows Firewall log.

Here's the problem: watching netstat and Kerio, I can see that when I am surfing, especially certain sites, my machine will connect (establish) to various IPs in the 220.127.116.11-70 domain, port: 80, Process ID=iexplore.exe, opening from one to many ports, briefly send/receive some bytes, then go into timewait and disconnect. The IP translates to:

    inetnum: 18.104.22.168 - 22.214.171.124
    netname: HINET-NET
    country: TW
    descr: CHTD, Chunghwa Telecom Co.,Ltd.
    descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
    descr: Taipei Taiwan 100
    admin-c: HN27-AP
    tech-c: HN28-AP
    status: ALLOCATED PORTABLE
    changed: **********@twnic.net 20030611
    mnt-by: MAINT-TW-TWNIC
    source: APNIC

This has got me very nervous. The machine even connects to this site when the browser is not open, though a lot more infrequently. This behavior has me thinking this is some kind of keylogger/spyware that is reporting my browsing and who knows what else. Have I found something that is perfectly innocuous, or what do I do from here?

Kerio doesn't seem to be concerned. I searched the registry for 220 and found nothing. I looked at the hosts files and found them without entries. This connection opens the most ports and connections with sites like my.yahoo and New York Times. Although, like I said, sometimes a connection is opened when the browser is not even open.

Kerio put the word "radius" next to the connection one of the times this IP (126.96.36.199) logged a connection, but the rest of the times it was in the log it just put "http" next to it. What is going on? ANY help would be appreciated, Thanks!