Unable to track down source of FW alerts - possible compromise

We have a dozen or so 'identical' laptops in our network - two of these machines are attempting to reach our AD servers (running DNS and WINS) over port 1025. Our SonicWall E5500 NSA detects this traffic as 'eMule Obfuscated Protocol' and blocks the connection.

Earlier this week, we ran through the removal procedure here, but did not see anything that would indicate that the systems were compromised. As a precaution, one of the machines was flattened & rebuilt; however, when we renamed the machine and joined the domain, the alerts reappeared.

We have since flashed the bios, flattened & rebuilt again. This time, we removed the object from AD & DNS and gave the machine a new name. Joining the domain under the new name resolved the problem for a short period, but the alerts began again.

At this point, we're absolutely dumbfounded & can use any assistance that you may be able to offer.

Thanks, in advance, for the help

 

Thanks for responding, Chas. I was almost hoping you'd see something that might explain the odd behavior on these two machines.

Again, these machines are virtually clones of our other machines. Nothing is installed that isn't installed somewhere else, yet these two keep giving us heartburn - communicating to Ad/DNS over port 1025 & triggering these IPS alerts.

Anyway, thanks for your time!

 

Chas -

I've been working with Microsoft's security team for the past few days poking around in some other logs we captured, as well as some packet captures from the machines in question, our AD servers & our firewall. I got some preliminary results today & wanted to know if you had any details regarding the following:

1335
tcp/udp
digital-notary
Digital Notary Protocol

1336
tcp/udp
ischat
Instant Service Chat
(ischat.exe?)

1337
tcp/udp
menandmice-dns
menandmice DNS

Any feedback would be appreciated.