Hi, I did a tcpdump of network traffic and noticed traffic to a DSL address belonging to my ISP. This happens on startup of my Windows 7 machine, without logging in. And the traffic is outgoing. I phoned my ISP and asked, and they don't run any proxy servers. Here is what I saw:

2015-07-16 23:49:23.500883 IP cde.myboxes.box.49186 > 206-248-168-168.dsl.teksavvy.com.http: Flags seq 3554008527, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

So, I assume that this is an attack that has installed something. I downloaded GNU grep onto the Windows 7 box and did a search for "206.248" and found nothing. And foolishly, I assumed at first that it might have something to do with my accounts and rebuilt them, deleting the old account contents. So I might have erased some evidence. And I watched tcpdump again and found the same traffic again.

This is getting serious, and looks like a rootkit. So I booted with a Linux LiveCD and did a grep for the same thing and found nothing. Unfortunately I couldn't search System Volume Info, as my LiveCD ran out of memory. So I cleared all the restore points. And I did a tcpdump again. The traffic is still there. That was the snippet I have shown above.

At this point I am at a loss as to what to try next.
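An added example, not part of the original post: a plain-text search for "206.248" only matches one encoding of the endpoint, so this sketch parses the capture line above and builds the other byte forms the same address or hostname can take on disk. It assumes the reverse-DNS name embeds the IP as a-b-c-d; the function names and the sample buffer are constructed for illustration.

```python
import re
import socket

# The one capture line shown in the post (options field trimmed).
CAPTURE = ("2015-07-16 23:49:23.500883 IP cde.myboxes.box.49186 > "
           "206-248-168-168.dsl.teksavvy.com.http: Flags seq 3554008527, win 8192")

def destination(line):
    """Return (host, port) of the destination in a tcpdump text line."""
    m = re.search(r" > (\S+)\.([\w-]+):", line)
    return (m.group(1), m.group(2)) if m else None

def ip_from_rdns(host):
    """Assumption: the name embeds the address as a-b-c-d (not verified by DNS)."""
    m = re.match(r"(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.", host)
    return ".".join(m.groups()) if m else None

def search_patterns(ip, host):
    """Byte forms in which the same endpoint can sit in a file or registry hive."""
    packed = socket.inet_aton(ip)                   # 4 raw bytes, network order
    return {
        "ascii dotted": ip.encode("ascii"),
        "utf-16le dotted": ip.encode("utf-16-le"),  # Windows wide strings
        "ascii hostname": host.encode("ascii"),
        "utf-16le hostname": host.encode("utf-16-le"),
        "packed network order": packed,             # short: expect false positives
        "packed reversed": packed[::-1],
    }

def scan(data, patterns):
    """Return {pattern name: [offsets]} for each pattern found in data."""
    hits = {}
    for name, needle in patterns.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offsets:
            hits[name] = offsets
    return hits

# Constructed buffer standing in for file contents; not data from the post.
SAMPLE = (b"\x00junk" + "http://206.248.168.168/".encode("utf-16-le")
          + b"\xff" + socket.inet_aton("206.248.168.168"))

if __name__ == "__main__":
    host, port = destination(CAPTURE)
    ip = ip_from_rdns(host)
    print(host, port, ip)
    print("plain ASCII search hits:", b"206.248" in SAMPLE)
    print(scan(SAMPLE, search_patterns(ip, host)))
```

An empty result from every pattern still does not rule out software that stores a different DNS name and resolves it at run time, or that keeps its configuration compressed or encrypted.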