Interesting, especially since I know they were previously enabled. Any idea how that (enabled, then empty and disabled) could be done?

With the machine on, but no LAN connectivity, I am getting audit failures...

The Windows Firewall has detected an application listening for incoming traffic.

service is svchost.exe
nothing at all in c:\windows\system32\Logfiles\W3SVC1

The time of the failures as well as the port (all UDP) seem to be random (ranging from 68 - 65313).

IIS is NOT running
avast is running and checking for most of the popular P2P processes. No hits.

Found DISCover Stream Hub in the exceptions tab under windows firewall...
Beginning to think someone was playing games when they were supposed to be working.

I was hoping to find out who did this, but I dont really have the time to spend on this. Gonna need this machine back online by the weekend. Gonna re-image.

Any things to check to try to identify the varmint before I wipe it clean?