Are you saying that you ran a packet sniffer on the network and you can only see outgoing packets, and nothing coming back?   What's going outbound?   Is there anything goofy running on the user's computer that is making this POST request?

It could be that the remote host is only available at certain times.

Did the machine your ran the packet sniffer on have the same public IP as the machine making these connections?   The remote host can be doing IP checking.  It could also be checking for user agents, referrers, etc.

Sounds like the user's PC is the best place to look.   Keeps us posted and let us know how you make out.   If you find anything strange, post it, and we will try to help.

I would also run a packet capture on this computer to see where else it may be connecting.   Also check the auto-run points in the registry and file systems to see what may be starting automatically that you are not aware of. 

If you do not trust this computer, I would rebuild it if I was in your shoes.   That's the only way to ensure that you wipe away any infection.   It may be overkill, but it's certainly safe. 

Thank's for all your feedback, got the exploit in C:\Document and Settings\user\Local Setting\Temp\jar_cache446947312547567613.tmp(Java.9357 exploit) and rootkit Bubnix.S rootkit C:\Windows\system32\drivers\zeepu.sys, got deleted it and now i see on my router box not have any connection from that user ip to suspect website.

You're right Ketchup, i don't trust the computer and i have told him to format the pc but he not yet give permission about that, i had told him if pc got rootkit the best way is format the pc and is there any network method to know how the rootkit and exploit got to the pc cause this is for information to users, cause if i setting firewall but users got the malware/virus/troj/rootkit from the file in internet like accidentally they download from internet or from software messenger like skype/yahoo messenger, how do i know or prevented this happen?

Thank's a lot guys,

Yes, you're right Equix3n, but this user of this pc wants he can do installation on pc he use and actually he is some kind general manager on office so, from the beginning my supervisor give full access on his pc and it's true like you said it's all about policy and honestly i don't have such as power to make decision and i've think about sudowin and want to give a shot about that, thank you for the feedback.