http://technet.microsoft.com/en-us/s.../bb842062.aspx

Download this. Every technician of any sort needs these utilities.


First, run TCPView as an administrator and grab the PIDs of any suspicious traffic source. Sometimes the source is obvious (iexplore.exe, various updates, etc.); other times you'll be stuck with svchost.exe with no way to know what is actually forcing connections.

Once you have the PIDs, you can use Process Explorer to check out the processes. If you locate the PID, and it's a nonsense process such as rundll or svchost, you can right-click and hit Properties to get the actual command line that is/was used to load the process, including GUID and other relevant info.

Code:
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
There is an incredible amount of information available now, including how and where the process was launched, security tokens and permissions, environment data, threads, etc.
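The same TCPView-then-Process-Explorer correlation can be done in one pass from an elevated PowerShell session. This is an added example, not code from the original post or from the Sysinternals tools; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and the hypothetical function name Get-ConnectionOwner.

```powershell
# Added example (not from the original post): map every active TCP
# connection to its owning process and that process's full command line,
# so a generic host such as svchost.exe or rundll32.exe can be identified
# by what it was actually loaded with (service group, CLSID, DLL).
# Assumes an elevated session so all command lines are readable.

# Image names that tell you nothing on their own.
$genericHosts = 'svchost', 'rundll32', 'dllhost', 'taskhostw'

function Get-ConnectionOwner {
    [CmdletBinding()]
    param(
        # Only report connections that are open or being opened.
        [string[]]$States = @('Established', 'SynSent')
    )

    # One CIM query for all processes, indexed by PID, rather than one
    # query per connection.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object {
        $procs[[int]$_.ProcessId] = $_
    }

    Get-NetTCPConnection | Where-Object { $_.State -in $States } | ForEach-Object {
        $p    = $procs[[int]$_.OwningProcess]
        $name = if ($p) { $p.Name } else { '<exited>' }
        [pscustomobject]@{
            Pid         = $_.OwningProcess
            Process     = $name
            # True when the command line, not the image name, identifies the work.
            GenericHost = (($name -replace '\.exe$', '') -in $genericHosts)
            Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
            State       = $_.State
            CommandLine = if ($p) { $p.CommandLine } else { $null }
        }
    }
}

# Usage: overview of all connections, then only those owned by a generic
# host process, with the command line that loaded it.
Get-ConnectionOwner | Sort-Object Pid | Format-Table Pid, Process, Remote, State -AutoSize
Get-ConnectionOwner | Where-Object GenericHost | Format-List Pid, Process, Remote, CommandLine
```

A process that has already exited shows as `<exited>`, which is itself worth noting: short-lived connections from a process that is gone by the time you look are the case TCPView alone cannot explain.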