AFP548

Mac Desktop DNS hacked?

Hi all: This question pertains to Mac 10.5 desktop (not server), but is very DNS-related. I'm hoping it won't get removed, and that someone here may be able to offer some guidance. Here goes:

I have a MacBook Pro running Leopard 10.5.2 client, which is configured to use DHCP via both ethernet and airport, whichever is active. Our LAN router hands out DHCP info: 10.x.x.x private addresses & gateway, and three local 10.x.x.x resolvers. For some reason, only when set to DHCP, two mystery DNS servers (85.255.114.82 and 85.255.112.116) keep showing up in 'System Prefs > Network > Advanced > DNS' in addition to our local 10.x.x.x DNS resolvers. The nameservers are showing up there greyed out, like they always do when supplied by a DHCP server, but the nameservers are not ours, nor our ISP's. In fact, googling them brings up several pages that mention DNS malware infections ('Search@Hand', etc.), but they're only Windows malware, not Mac. The nameservers are also showing up in /etc/resolv.conf.

I double-checked our DHCP server config, and it's definitely not providing the weird ns addresses. Also, we have about 25 other practically identical machines on the same LAN, same OS, same config, that do not have this problem. So it seems NOT to be the DHCP server handing this out. If I set both network configs to manual, the problem goes away. But then if I switch back to DHCP, after 10-15 seconds, the mystery DNS servers re-appear. This is the only machine on our LAN that's having this problem. I tried 'ipconfig getpacket' on both ethernet and airport, and the DHCP server IP looks correct (10.x.x.x router). So it seems there is some process running on this desktop machine that, regardless of the user, watches both the ethernet and airport interface configs and, when DHCP is active, inserts the bogus nameservers. I'm thinking configd has been compromised.

Obviously a wipe and install would fix this, but I want to know what happened and is happening, so I can prevent it on other machines on the LAN. This happens with any user account on the machine, and survives a reboot, even after flushing the DNS cache with dscacheutil -flushcache. I suspect some kind of malware infection, perhaps of the configd process, but lack the skills to really track it down. If there were some way to monitor processes that modify the /etc/resolv.conf file, that would be a good start. Can anyone help point me to some tools that might reveal what processes/apps could be modifying my DNS server config? Thanks in advance!
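Added example, not part of the original post: a small shell check that parses the resolv.conf the system wrote and the `ipconfig getpacket` output for the active interface, then lists every resolver the DHCP lease did not actually supply, flagging public addresses. The sample inputs are constructed to mirror the post; the interface name en0 and the `fs_usage` invocation for catching the writer are assumptions.

```shell
#!/bin/sh
# Compare resolvers the system is using against the ones the DHCP lease offered.
# Assumes macOS 10.5 command output formats for `ipconfig getpacket`.

# Nameserver addresses from resolv.conf text on stdin, one per line.
resolvers_from_resolvconf() {
    awk '$1 == "nameserver" { print $2 }'
}

# Values of the domain_name_server option from `ipconfig getpacket` output on stdin.
# The line looks like:  domain_name_server (ip_mult): {10.0.1.2, 10.0.1.3}
resolvers_from_dhcp_packet() {
    sed -n 's/^domain_name_server (ip_mult): *{\(.*\)}.*/\1/p' \
        | tr ',' '\n' | tr -d ' ' | grep -v '^$'
}

# Print resolvers present in resolv.conf but absent from the DHCP offer.
# Anything printed was injected by something other than the lease itself;
# a non-RFC1918 address on a LAN with private resolvers is the red flag.
unexpected_resolvers() {
    resolvconf_text="$1"; packet_text="$2"
    offered=$(printf '%s\n' "$packet_text" | resolvers_from_dhcp_packet)
    printf '%s\n' "$resolvconf_text" | resolvers_from_resolvconf | while read -r ns; do
        case "$ns" in
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) private=yes ;;
            *) private=no ;;
        esac
        if ! printf '%s\n' "$offered" | grep -qx "$ns"; then
            echo "$ns not-in-dhcp-offer private=$private"
        fi
    done
}

# Live use on the affected Mac (assumed interface en0; not run here).
# To see which process rewrites the file, run in another terminal:
#   sudo fs_usage -w -f filesys | grep resolv.conf
# On 10.5 /etc/resolv.conf is a symlink to /var/run/resolv.conf, hence the loose match.
check_live() {
    unexpected_resolvers "$(cat /etc/resolv.conf)" "$(ipconfig getpacket "${1:-en0}")"
}

# Constructed sample input mirroring the post: three LAN resolvers plus two strangers.
SAMPLE_RESOLV_CONF='nameserver 10.0.1.2
nameserver 10.0.1.3
nameserver 10.0.1.4
nameserver 85.255.114.82
nameserver 85.255.112.116'
SAMPLE_DHCP_PACKET='op = BOOTREPLY
server_identifier (ip): 10.0.1.1
router (ip_mult): {10.0.1.1}
domain_name_server (ip_mult): {10.0.1.2, 10.0.1.3, 10.0.1.4}
domain_name (string): example.lan'
```

Running `unexpected_resolvers "$SAMPLE_RESOLV_CONF" "$SAMPLE_DHCP_PACKET"` reports only the two 85.255.x.x entries, which is exactly the "not from DHCP after all" evidence the post is after.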