This is just a theory however it is the only theory I have been able to find so far. http://cert.uni-stuttgart.de/archive/intrusions/2003/08/msg00209.html
You may want to read the following threads:
1. RSTs from TCP 83 3389 7000 - Fixed ack and dport - Multiple sources
2. Re: RSTs from TCP 83 3389 7000 and Port 80 Increase
3. port 80 increase
Archives of these threads can be found here:
http://cert.uni-stuttgart.de/archive/intrusions/2003/12/threads.html
The only way to trace it is to go from segment to segment with a sniffer until you find that the source MAC address is no longer a router gateway> then clean the virus off of the device.
Your ISP could be routing 127.0.0.x on the outside interface. Ask them to drop the packets in an acl.
let me know if this has answered your question