That's kind of spooky. You could try a tool like ActivePorts (or inside Spybot-S&D, Tools, Process List, the tab named Open Network Ports at the bottom, which does the same), to check which ports are opened in which application.

In theory, malware could easily inject a single thread into a different application to use that context for communicating with the outside. That's not an easy thing to code though, so quite rare.

If ZA shows no IP, did it open a port in "listen" mode maybe (trying to act as a server)? The above (ActivePorts or Spybot-S&D) would show that, and if not, possibly an IP or domain name which might help in finding out more (if something actually would go to the length of implementing such a method, it would be quite well hidden otherwise). Unless it's all a bug in ZA of course, haven't used that in a while and can't say anything about it, just mentioned to avoid imagining too many things on the possible rootkit side