
[Solved] Very suspicious network traffic


Best answer from Psychoteddy.


Hi All,

I am seeing a lot of very strange traffic from a couple of PCs on my network on a handful of ports.

Examples:
Source        Port   Destination       Port  Proto  pkts  bytes  ttl
192.168.1.5 55933 216.156.213.178 80 tcp 98 25504 2:29:01
192.168.1.5 56035 208.48.161.101 80 tcp 56 23492 3:17
192.168.1.5 55895 72.36.210.254 80 tcp 32 22732 2:57
192.168.1.5 55431 72.247.217.43 80 tcp 46 22616 2:57
192.168.1.5 55447 72.247.217.43 80 tcp 42 19998 2:57
192.168.1.5 56101 74.217.240.83 80 tcp 22 19260 0:00
192.168.1.5 55063 174.129.3.105 80 tcp 32 18690 1:45
192.168.1.5 56103 74.217.240.80 80 tcp 20 18256 0:04
192.168.1.5 56069 184.84.244.89 80 tcp 276 17808 2:29:20
192.168.1.5 55669 74.120.140.21 80 tcp 28 17246 2:29
192.168.1.5 55976 74.125.226.122 80 tcp 34 15870 3:18
192.168.1.5 55053 72.247.217.73 80 tcp 24 15714 2:24
192.168.1.5 55019 74.120.140.21 80 tcp 22 15710 0:26
192.168.1.5 55035 74.120.140.21 80 tcp 22 15676 0:26
192.168.1.5 55947 74.120.140.21 80 tcp 22 15572 2:57
192.168.1.5 55964 72.247.217.73 80 tcp 20 15566 2:28:57
192.168.1.5 55401 72.247.217.58 80 tcp 32 15488 2:54
192.168.1.5 55692 72.247.217.73 80 tcp 20 15380 2:29

Source        Port   Destination       Port  Proto  pkts  bytes  ttl
192.168.1.5 56116 192.168.1.1 80 tcp 3 636 2:30:00
192.168.1.5 65151 192.168.1.1 53 udp 1 107 0:00
192.168.1.5 54151 192.168.1.1 53 udp 1 82 0:04
192.168.1.4 60126 192.168.1.1 53 udp 1 79 3:21
192.168.1.5 50815 192.168.1.1 53 udp 1 72 0:33
192.168.1.5 50263 192.168.1.1 53 udp 1 69 0:26
192.168.1.5 56470 192.168.1.1 53 udp 1 67 0:26
192.168.1.5 53325 192.168.1.1 53 udp 1 67 0:27
192.168.1.5 59982 192.168.1.1 53 udp 1 67 0:26
192.168.1.5 56813 192.168.1.1 53 udp 1 67 0:10
192.168.1.5 51393 192.168.1.1 53 udp 1 65 0:08
192.168.1.5 59604 192.168.1.1 53 udp 1 64 0:07
192.168.1.5 52334 192.168.1.1 53 udp 1 64 0:05

I also get a handful of connections on ports 443 and 1353. I've done some checking on some of these IPs and some of them come back to Google, but a lot of them come back to nothing specific. I also had a couple that I had previously blocked which were coming up Russian and Korean. I can't for the life of me figure out what is going on here. The above snapshots are not complete logs; there are a bunch more of these listed.

The PC with the 192.168.1.5 IP in the examples above (Win 7 Ultimate 64-bit) is running Avira antivirus (full scan, clean), and I have scanned it with Sophos Anti-Rootkit (also clean), SUPERAntiSpyware (clean) and Spybot (clean); no suspicious processes are running, and running Wireshark on this PC doesn't even show this traffic.

The second PC seems to be all quiet now that I blocked the Russian and Korean IPs, but this one still seems to be spitting out weird traffic.

I did also have a third PC exhibiting the same symptoms, but that one is due to be reformatted anyways, and it won't be reconnected to the network until I get this under control.

My firewall is a m0n0wall v1.32, which runs dyndns, and I have only specifically opened one port inbound, which is for SVN.

Has anyone seen anything like this, and what the hell is it? More importantly, what would be the best course of action to straighten this out? I am wondering if these PCs are/were infected with a rootkit or a botnet client of some sort, neither of which I can definitively find.

Posted by v3c7r0n
Best answer

Well the second batch you listed are simple DNS requests going to your router. Nothing unusual there. Port 53 UDP = DNS.

IP Traces I ran:
72.247.217.73 translates to: a72-247-217-73.deploy.akamaitechnologies.com
184.84.244.89 translates to: a184-84-244-89.deploy.akamaitechnologies.com

Akamai Technologies is a legitimate site that hosts various antivirus software updates for various companies. Your AV is updating.

Posted by Psychoteddy

Odd that the DNS requests don't originate on port 53 though, no?

Posted by v3c7r0n
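The triage the answer does by hand (name the service from the destination port, reverse-resolve the public destinations, add up who is talking to whom) and the point raised in the follow-up (DNS queries leaving on high-numbered source ports) can be done over the whole state table at once. The script below is an added example, not code from the thread or from m0n0wall. It assumes the column order of the excerpt above (src, sport, dst, dport, proto, pkts, bytes, ttl); the reverse-DNS table is constructed from the two traces quoted in the answer, so offline it resolves only those two addresses, and any other public destination is reported as "unresolved" for the reader to look up. Client source ports are judged against the IANA dynamic range 49152-65535, which Windows Vista and later use by default, which is why the DNS requests do not originate on port 53.

```python
"""Triage a m0n0wall-style state-table excerpt: service by destination port,
bytes per public destination with reverse DNS, and a source-port sanity check.
Added example; not part of the thread or of m0n0wall."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA dynamic/private port range. Windows Vista and later draw client source
# ports from here, so DNS leaving on ports like 65151 is expected: only the
# destination port (53) identifies the service.
EPHEMERAL_MIN, EPHEMERAL_MAX = 49152, 65535

# Constructed reverse-DNS table holding the two traces quoted in the answer.
# For live use, replace table lookups with socket.gethostbyaddr(ip)[0].
RDNS_TABLE: Dict[str, str] = {
    "72.247.217.73": "a72-247-217-73.deploy.akamaitechnologies.com",
    "184.84.244.89": "a184-84-244-89.deploy.akamaitechnologies.com",
}

# Constructed sample: one header row plus rows copied from the excerpt above.
SAMPLE = """\
SrcIP SrcPort DstIP DstPort Proto Pkts Bytes Age
192.168.1.5 55933 216.156.213.178 80 tcp 98 25504 2:29:01
192.168.1.5 55053 72.247.217.73 80 tcp 24 15714 2:24
192.168.1.5 55964 72.247.217.73 80 tcp 20 15566 2:28:57
192.168.1.5 56069 184.84.244.89 80 tcp 276 17808 2:29:20
192.168.1.5 56116 192.168.1.1 80 tcp 3 636 2:30:00
192.168.1.5 65151 192.168.1.1 53 udp 1 107 0:00
192.168.1.4 60126 192.168.1.1 53 udp 1 79 3:21
192.168.1.5 51393 192.168.1.1 53 udp 1 65 0:08
"""


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    nbytes: int
    age: str


def parse_state_table(text: str) -> List[Flow]:
    """Parse 'src sport dst dport proto pkts bytes age' rows; header rows are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        try:
            flows.append(Flow(parts[0], int(parts[1]), parts[2], int(parts[3]),
                              parts[4].lower(), int(parts[5]), int(parts[6]), parts[7]))
        except ValueError:
            continue  # header row with eight tokens, e.g. "SrcIP SrcPort ..."
    return flows


def classify(flow: Flow) -> str:
    """Name the service from protocol and destination port, as the answer does for 53/udp."""
    known = {("udp", 53): "dns", ("tcp", 53): "dns", ("tcp", 80): "http", ("tcp", 443): "https"}
    return known.get((flow.proto, flow.dport), f"{flow.proto}/{flow.dport}")


def source_port_note(flow: Flow) -> str:
    """Explain the client-side source port; only a privileged source port is worth a look."""
    if EPHEMERAL_MIN <= flow.sport <= EPHEMERAL_MAX:
        return "ephemeral source port (normal for a client)"
    if flow.sport < 1024:
        return "privileged source port on an outbound flow: unusual, review"
    return "source port outside the default dynamic range"


def reverse_lookup(ip: str, table: Dict[str, str] = RDNS_TABLE) -> Optional[str]:
    return table.get(ip)


def summarize(flows: List[Flow]) -> dict:
    """Aggregate bytes per service and per public destination; list unresolved destinations."""
    by_service: Dict[str, dict] = defaultdict(lambda: {"flows": 0, "bytes": 0})
    by_dest: Dict[str, dict] = defaultdict(lambda: {"flows": 0, "bytes": 0, "rdns": None})
    review: List[Flow] = []
    for f in flows:
        svc = classify(f)
        by_service[svc]["flows"] += 1
        by_service[svc]["bytes"] += f.nbytes
        if not ipaddress.ip_address(f.dst).is_private:  # router/LAN traffic is not interesting here
            d = by_dest[f.dst]
            d["flows"] += 1
            d["bytes"] += f.nbytes
            d["rdns"] = reverse_lookup(f.dst)
        if not source_port_note(f).startswith("ephemeral"):
            review.append(f)
    return {
        "by_service": dict(by_service),
        "by_dest": dict(by_dest),
        "unresolved": sorted(ip for ip, d in by_dest.items() if d["rdns"] is None),
        "review": review,
    }


if __name__ == "__main__":
    report = summarize(parse_state_table(SAMPLE))
    for svc, agg in sorted(report["by_service"].items()):
        print(f"{svc:8s} flows={agg['flows']:3d} bytes={agg['bytes']}")
    for ip, agg in sorted(report["by_dest"].items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{ip:16s} bytes={agg['bytes']:6d} rdns={agg['rdns'] or '(unresolved, look up)'}")
    print("source ports needing review:", len(report["review"]))
```

Run against the full table rather than the excerpt and the output is the same list the answer produced by hand: the 53/udp rows collapse into one "dns" line aimed at the router, the 80/tcp destinations that resolve to akamaitechnologies.com are the update CDN, and whatever is left unresolved is the short list actually worth checking.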