I have a user that believes they have spy software installed on their computer and I need some help to determine if they do and possible track where its sending, if any data out. Usually, I would just either replace the machine or reimage but this has some legal ramifications if its true. The machine is running the latest version of KAS and is Win7 Ent. When I do a netstat -b with nothing running I see this. [lsass.exe] TCP 10.1.4.125:49355 tennesse-2f72ca:13000 TIME_WAIT TCP 10.1.4.125:49357 220.127.116.11:http TIME_WAIT TCP 10.1.4.125:49359 18.104.22.168:https ESTABLISHED after a few minutes it goes away. It always goes to that ip with I believe is Hotmail but the service using it changes. Last time it was outlook.exe and before then it was avp.exe. So now when I see that connection I start wireshark to capture the data but its going across https so it should be encrypted... Any advice?