Needed experience

I have a user that believes they have spy software installed on their computer and I need some help to determine if they do and possible track where its sending, if any data out. Usually, I would just either replace the machine or reimage but this has some legal ramifications if its true. The machine is running the latest version of KAS and is Win7 Ent.

When I do a netstat -b with nothing running I see this.

[lsass.exe]
TCP 10.1.4.125:49355 tennesse-2f72ca:13000 TIME_WAIT
TCP 10.1.4.125:49357 65.55.53.190:http TIME_WAIT
TCP 10.1.4.125:49359 65.55.53.156:https ESTABLISHED

after a few minutes it goes away. It always goes to that ip with I believe is Hotmail but the service using it changes. Last time it was outlook.exe and before then it was avp.exe.

So now when I see that connection I start wireshark to capture the data but its going across https so it should be encrypted...

Any advice?

 

Does this situation allow for help from malware removal forums or is it an internal only issue (security concerns)?

Mike

 

if you suspect malware, ask for assistance from one of the sites listed
https://www.wilderssecurity.com/showpost.php?p=1533481&postcount=3

 

For now I think I'm ok reaching out. The security concerns would be personal not business related.