One of the workstations we have had it's security log full. The reason to that was constantly appearing event 861, that is Widows Firewall blocks processes svchost.exe and lsass.exe from listening to non-system over UDP. By non-system ports I mean high number ports such as 1500, 3000, 6000 (not limited to those).
Why on earth would the Services Host process would be listening to ports usually used by programs over UDP?
I scanned for infections using 3 different anti-malware tools and found nothing. This looks like an infection, but no infection is found. I am investigating which processes actually run under the process ID's that listen. I will post the services a bit later.
Have you tried running CurrPorts to see if svchost and lsass are phoning back to any external IPs? You could even use it with IP to Country lookup tables to identify the remote country/site. If indeed there is such traffic, then that would support your suspicions of an infection.
I would also run Process Explorer to see more details about the threads that are created and see if that helps.