Alright, more update.

Tracked down an infected machine and found what was causing the SYN flood. It was netmon.exe*.pf. Deleting the prefetch stopped the SYN attack. Tied that into a service called 'network client'. Stopping and starting the service stops and starts the flood.

Did a bunch of googling and the only thing I could find that actively infects netmon.exe is w32.mimail, which this doesn't appear to be.
Anyway, long story short, I've sent a copy of the executable to symantec, and maybe we'll find out what it is soon.