The Mudcat Café TM
Thread #119440   Message #2592431
Posted By: Bruce MacNeill
19-Mar-09 - 07:10 AM
Thread Name: Tech: Alert! Notice
Subject: RE: Tech: Alert! Notice
I've been out of this for a couple of years. I used to allow myself a week or so to teach MCSEs how to interpret process stacks etc. There are a couple of process utilities at sysinternals apparently. The one I think gives the most information is Process Explorer. In that one you get a list of everything running on the machine and can select each process, open it and see what modules are running within, which are called its threads, then open each of those and get details as to what they are doing, if they are accessing the internet or not and if they are what addresses they are accessing. Most will just be waiting or listening for something. What you're looking for are processes or threads that don't look "Normal" and that's the trick, to know what's "Normal". Each process or thread has properties which tell who wrote it, like Microsoft or Kaspersky or Adobe etc. The bad ones generally don't have a writer listed. Legitimate threads are probably running from \system32 but the bad ones are frequently in a \temp folder; that's a flag that they came in from the Internet. It can take hours to look through the whole list and find something out of place if it's well hidden. That's why I said you needed a real geek to look at this. Sorry, if you have a "Root Kit" worm on your machine, and you aren't familiar with this, your odds are really bad of recognizing it.

There are other scanners besides the Microsoft one that may give you a clue. Trend Micro had a pretty good free PC scan on their website that might say something. The first trick is to get a clue as to where the offending thread is.
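A scripted first pass over the same checks the post describes (who wrote each loaded module, whether it lives in a temp folder, whether the process is talking on the network), as an added PowerShell example that is not from the post or from Sysinternals. It assumes an elevated session on Windows 8 or later (for Get-NetTCPConnection); the temp-folder patterns are a constructed heuristic, not a rule.

```powershell
# Added example: flag loaded modules with no company name, modules loaded from a
# temp folder, or modules whose Authenticode signature is not valid, and show any
# TCP connections owned by the same process. Heuristic only; review findings by hand.
# Assumption: these temp-folder patterns are constructed for the example.
$tempPatterns = @('\\Temp\\', '\\AppData\\Local\\Temp\\', '\\Windows\\Temp\\')

function Test-TempPath {
    param([string]$Path)
    foreach ($p in $tempPatterns) { if ($Path -match $p) { return $true } }
    return $false
}

# Map TCP connections to their owning PID; cast keys to [int] so lookups with
# Get-Process Ids (Int32) match OwningProcess values (UInt32).
$netByPid = @{}
Get-NetTCPConnection -ErrorAction SilentlyContinue | ForEach-Object {
    $key = [int]$_.OwningProcess
    if (-not $netByPid.ContainsKey($key)) { $netByPid[$key] = @() }
    $netByPid[$key] += ('{0}:{1} ({2})' -f $_.RemoteAddress, $_.RemotePort, $_.State)
}

$findings = foreach ($proc in Get-Process) {
    # Protected/system processes may refuse module enumeration; skip them quietly.
    $modules = @()
    try { $modules = @($proc.Modules) } catch { }
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $info = $m.FileVersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $reasons = @()
        if ([string]::IsNullOrWhiteSpace($info.CompanyName)) { $reasons += 'no company name' }
        if (Test-TempPath $path)                              { $reasons += 'loaded from temp folder' }
        if ($sig -and $sig.Status -ne 'Valid')                { $reasons += "signature $($sig.Status)" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Module  = $path
                Company = $info.CompanyName
                Reasons = ($reasons -join '; ')
                Network = ($netByPid[[int]$proc.Id] -join ', ')
            }
        }
    }
}

# Modules that trip several checks at once (unsigned, in temp, process on the network) sort first.
$findings | Sort-Object { $_.Reasons.Length } -Descending | Format-Table -AutoSize
```

A legitimate but unsigned or vendorless module will show up here too, so treat the list as a starting point for the manual Process Explorer review the post describes, not as a verdict.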