Hi everyone, This is regarding Returnil System Safe 2011 Version 3.2.10351.5418-REL3. I noticed my INTERNET connection was slow and something was taking a huge amount of my processing power while my fan kicked on high. Looking at the network connections in my firewall, I had what I thought was suspicious downloading activity via svchost.exe I had thought I had deactivated the automatic updates function of returnil but apparently I had not. The program would seem to download around 17 MB of data, then change ports, and start all over again. Also, each time, it would upload over 1 MB of data. What I don't understand is why the destination IP address shown by the firewall for this connection was the IP address of my own ISP ? It's as if returnil was hiding it's IP address behind the IP of my ISP. You should be able to open your firewall and tell where data is coming from and where it is going. In this case it appeared something was being downloaded from my ISP to my computer and uploaded from my computer to my ISP. However, the data was really being downloaded from returnil's IP and uploaded to returnil's IP. Here are two of the IP addresses I found.. 188.8.131.52 184.108.40.206 It was hard to track down what was going on with this connection. I used various tools, process explorer, currports, and finally had to use a tool to capture the actual packets, the free version of the program "network miner" http://www.netresec.com/?page=NetworkMiner in order to see the actual IP address that was behind this uploading and downloading via svchost.exe, since it "appeared" that data was being uploaded and downloaded to and from my own ISP. I also think uploading over 1MB of data to returnil each time, seems a little strange. The downloads themselves also seemed large, they were over 17 MB each time, unless it was trying to download a whole new program version. I also had the virus definition updates turned off, and the remote control turned off. Based on size, what was likely being downloaded and uploaded ? Also, to what directory does returnil download it's updates ? Microsoft needs to change the way svchost.exe works so that it does not hide or mask what is really going on with downloads and uploads. IMHO, it would be too easy for malware to use the legitimate svchost.exe program to download and upload things and most people would never even notice. With all of my other programs, I can easily see the IP of the company who's program is updating. However, with returnil, it was hard to track down. I think this should change.