Metasploit mailing list archives

kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit?


From: Chip <jeffschips () gmail com>
Date: Tue, 02 Aug 2011 12:53:35 -0400

I know this is not entirely along the lines of Metasploit, but knowing that almost all who subscribe to this list are network gurus, I thought I would post my question here -- it may, in fact, have something to do with an exploit affecting the MBR of a host machine.

I have a Windows XP machine which connects to a mail server with encrypted traffic before anyone logs in, right after startup and when the Windows XP login splash screen comes up. I know this is the case because I attached an inline tap to the network to watch traffic and see this activity every time the machine starts up.

Reading a lot recently about MBR exploits, I'm wondering how I can track down what culprit is doing this? Since it occurs ONLY prior to login, I cannot look at tasklist or netstat in a shell and see anything. I'm hoping someone on this list could advise either on the list or off the list.

I do have some captured packets of the activity, but it is encrypted TLS traffic.

Thank you.