Thanks for all the responses, guys. As I look more and more at my log files, I see more stuff that looks questionable and piques my interest. Also, lately I have found some very unusual traffic that will have to be looked into. I think with all the good links you guys have provided, I should be able to do the research.

Something unusual happened yesterday, though. I saw a whole bunch of traffic outbound from my computer going to a few different IP addresses, but on ports that kept going up (i.e., outbound to 66.94.xx.xxx on port 1066, then outbound to 209.54.xxx.xxx on port 1067, etc.). My Link Logger was going nuts with all the traffic, so I did a netstat and an fport to find out what was going on. I had a whole bunch of 1000 number ports open ("established"), like 12 or 15 open ports in total, not including the "listening" ones (I had already closed all IM programs and anything else that would open a port). At this point I got a bit nervous and hit the ZoneAlarm "stop all internet traffic". I gave it a minute and did a netstat again and still had maybe 5 ports open. I ran netstat to see who these destination IPs belonged to, and I saw "gamespy" quite a bit. For those of you that don't know, GameSpy is a program that many online games use to connect to their game servers and keep track of online players. I have used them in the past, but when I upgraded to 2000 Pro, I deleted the GameSpy directory. When I ran an fport to see which program had these ports open, I saw "PC-illin", which is my antivirus software. I have run "the cleaner" and it did not locate any trojans.

Anyway, the main question here is: how can I have ports open (in the "established" mode) after I told ZoneAlarm to shut down all traffic?