There are so many wonderful posts here that show people what steps to take no matter what phase you're in, from prevention to forensics. A packet capture of the flurry of traffic you stated your box was sending would have been useful, as well as firewall logs and Windows auditing logs if those were enabled. Better luck next time, I guess.