I am trying to get to grips with my new DCS software packages and have noticed through PE that local port 5000 is open. The PID is 1172 and is described as 'svchost.exe'. I know svchost.exe to be a windows system application but am concerned as Port 5000 is also a known Trojan port. In this instance the local and remote address is 0.0.0.0 with no data packets showing in sent/received. There are also two other running processes with the same PID (1172) which are connected thru local port 1900 to remote port 1035 (not known bu PE) with local and remote address of 127.0.0.1 showing 0 data sent but 3/399 received. As a total newby but wanting to learn, what further investigation can I undertake (I don't understand the results shown in data packets thru socket spy). I am worried about killing the process in case this is a legit windows system application. If I do kill the process will this prevent the process reappearing (I don't think so) if not, how would I go about this (assuming its a nasty)? Thanks again people. BTW I am running XP Pro.