Help, I have a rootkit!

Discussion in 'Malware Help (A Specialist Will Reply)' started by WendyN, Nov 9, 2005.

  1. WendyN

    WendyN Private E-2

    My server has been compromised (Windows Server 2003, SP1). It has a servicehost.exe file on it that McAfee detects as the ServU Daemon. I repeatedly delete this file, but it keeps coming back. I have scanned and cleaned in safe mode, but it will come back.
    I have disabled it in the services applet, found as many references to the file in question in the registry as I could, and manually deleted them. But it still comes back. McAfee does not find any additional viruses/threats. I have it set to find all jokes/remote tools/etc. It is version 8.0i. I have used Symantec on this server, and it finds nothing; it completely ignores the ServU Daemon altogether.
    Additionally, BitComet has been installed repeatedly somehow, and doing a netstat, I have found 100+ users connected to it, all using the BitComet.exe process. When I remove BitComet and its program files, within a couple of hours it is right back again, and I can find users attaching to it right away. It also changed my keyboard to Norwegian as well.
    I have attempted to use the Windows Firewall; however, when I do so, BitComet and servicehost add themselves to the exceptions list automatically every time they come back!
    I am sure there must be a rootkit of some kind on this server, but I cannot find anything to detect it.
    I have had similar problems on other machines, and even if I format them, within a few days they experience the same problems again.

    Let me know if you need additional information,

    Thanks!
    WendyN
     

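As an added example (this is not code from WendyN's post or from MajorGeeks), the two symptoms described above can be turned into simple triage checks: the `netstat` output that showed 100+ peers attached to one process, and the firewall exceptions that reappeared on their own. The script below parses a constructed excerpt in the layout of `netstat -ano` on Windows Server 2003 and counts distinct established peers per owning PID, then compares a constructed Windows Firewall "authorized applications" list (the `path:scope:Enabled:name` value format used by the Windows Firewall/ICS registry list) against a known-good baseline. All sample data, paths and the threshold value are constructed for the example.

```python
"""
Triage helpers for the symptoms in the thread (added example, not the forum's code):
1) summarise `netstat -ano` output per owning PID to spot a process with an
   unusual number of established peers (the BitComet case), and
2) diff the Windows Firewall authorized-applications list against a baseline to
   spot exceptions that appeared without an administrator adding them.
All input below is constructed; on a real host you would feed in the captured
`netstat -ano` output and the exported registry list.
"""
import re
from collections import defaultdict

# Constructed excerpt in the column layout of `netstat -ano` (Windows Server 2003).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.0.2.10:389         192.0.2.25:1043        ESTABLISHED     456
  TCP    192.0.2.10:6881        198.51.100.7:40211     ESTABLISHED     2040
  TCP    192.0.2.10:6881        198.51.100.9:51002     ESTABLISHED     2040
  TCP    192.0.2.10:6881        203.0.113.4:33901      ESTABLISHED     2040
  TCP    192.0.2.10:6881        203.0.113.77:2290      ESTABLISHED     2040
  TCP    192.0.2.10:21          203.0.113.8:1122       ESTABLISHED     1888
  UDP    0.0.0.0:445            *:*                                    4
"""

# TCP rows carry a State column; UDP rows do not, so State is optional.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def established_peers_per_pid(rows):
    """Count distinct remote hosts (not ports) with an ESTABLISHED session per PID."""
    peers = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers[r["pid"]].add(r["foreign"].rsplit(":", 1)[0])
    return {pid: len(hosts) for pid, hosts in peers.items()}


def flag_busy_pids(rows, threshold):
    """PIDs whose distinct established peers reach the threshold (constructed cut-off)."""
    return sorted(pid for pid, n in established_peers_per_pid(rows).items() if n >= threshold)


# Known-good exceptions recorded on a clean build (constructed baseline).
FIREWALL_BASELINE = {r"C:\WINDOWS\system32\sessmgr.exe"}

# Constructed current list in the `path:scope:Enabled:name` value format.
SAMPLE_FIREWALL_LIST = [
    r"C:\WINDOWS\system32\sessmgr.exe:*:Enabled:Remote Assistance",
    r"C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet",
    r"C:\WINDOWS\system32\servicehost.exe:*:Enabled:servicehost",
]


def parse_firewall_entry(entry):
    """Split `<path>:<scope>:<Enabled|Disabled>:<name>`; the drive-letter colon is handled first."""
    drive, rest = entry.split(":", 1)
    path_tail, scope, state, name = rest.split(":", 3)
    return {"path": drive + ":" + path_tail, "scope": scope,
            "enabled": state == "Enabled", "name": name}


def new_firewall_exceptions(entries, baseline):
    """Enabled exception paths that are not in the baseline (case-insensitive compare)."""
    known = {b.lower() for b in baseline}
    return [p["path"] for p in map(parse_firewall_entry, entries)
            if p["enabled"] and p["path"].lower() not in known]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("established peers per PID:", established_peers_per_pid(rows))
    print("busy PIDs (>= 3 peers):", flag_busy_pids(rows, 3))
    print("exceptions not in baseline:", new_firewall_exceptions(SAMPLE_FIREWALL_LIST, FIREWALL_BASELINE))
```

The PIDs reported by the first check can be matched to process names with `tasklist` on the same host; the second check is only as good as the baseline, so record it from a clean build rather than from the machine under suspicion.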

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow the steps below:

    Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
     
  3. WendyN

    WendyN Private E-2

    Yes, I read how to properly install and run HijackThis, and I did so, and attached the log file as directed in your instructions.
    Here are the results from READ & RUN ME FIRST:
    System Restore cannot be disabled; it is 2003 Server, no System Restore exists.
    Yes, I am viewing hidden and system files.
    I am not running multiple antivirus tools, just McAfee 8.0i with all of the unwanted program detection options checked. It has the latest engine and DAT files, and runs complete scans of everything including the compressed and MIME files 2 times daily.
    This server is a domain controller, so certain things will not run on it properly.
    Ad-Aware found 2 low-risk tracking cookies that I removed.
    MS AntiSpyware found nothing.
    Spybot found nothing.
    I have also run BlackLight and found nothing.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Spy Sweeper
    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
