I searched the forums and found several posts about svchost. I have a virus or unwanted piece of software. It is not dangerous or urgent, but I want it out of my computer. Mcafee, Sophos, and Trend scans don't find any problem. The details are thus: Active Ports says I have a connection to 220.127.116.11, my port 1814 and 1546, remote port 4600, and that it is established. It is established by svchost. That address is located in Thailand, according to APNIC NMAP probe does not show my ports are open. Ethereal does not show any packets sent to 18.104.22.168 at boot, so I'm thinking ActivePorts may not be accurate on the establishment of the connection. When I terminate the most recent svchost, the connection reported by ActivePorts disappears. Now the question: Is there any tool which can identify the PID or process name used to launch svchost? I think when searching for viruses, this would be a useful tool. I think I can very laborously do this using windeb, but that means I have to re-create a computer with the same OS as the one with the virus, which is very painful. Any knowledge on svchost out there?