HXDEFDRV.sys A Tricky Trojan...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by IT Boss, Nov 17, 2004.

  1. IT Boss

    IT Boss Private E-2

    Ok now I've spent a few days cleaning our system and registry and going through numerous posts and very helpful info on this site after, among other things, getting a Backdoor trojan called Hacdef.

    I've followed a lot of tips on this site but there is yet one symptom left on the system that defies me. A file called hxdefdrv.sys keeps reappearing in my windows folder and even if I save a blank file with that name it will get overwritten.
    I have run Hijack this and cleared all entries I didn't like and also checked each Autoloading program carefully.
    I had trouble getting Hijack this onto the system so I saved a floppy with the program, but the file was not visible until I renamed it.
    So now I run "ijack this" and although the "hijack this" file is on the floppy I can't see it. Same goes for saving the log file so I had to rename it as well.

    How the buggers can hide these specific files has got me beat and I can't find a program that has yet picked up what is creating this file.
    Under running processes I have two entries for svchost.exe and that's got me suspicious, but apart from that the log file looks short and clean....to me... :rolleyes:
    Any ideas guys
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  3. IT Boss

    IT Boss Private E-2

    Absolutely I have enabled viewing of hidden files and folders and extensions.

    If you note in my post I said that the file I saved on a floppy on another machine was called "hijackthis.exe" and was not visible to this system until I copied it and renamed the file "ijackthis.exe".
    So it's the same file with a new name. The same happens with the log file, so I think there is a block in allowing certain names to be visible; it's the same reason you can't download the hijackthis file via the web from this machine, I assume.

    Anyway I'll drop back in once I've read up on your links, thanks for the first attempt.
    Cheers
     
  4. IT Boss

    IT Boss Private E-2

    Yeah, system restore is off. I've read most of those links before, but it's good to reread and double check since I've obviously missed something.

    Looks like it is able to stealth particular names of files and registry values but I have deleted all references that I can find to these associated files in both registry and other folders. If I can't unstealth the file names that are hidden it makes it harder...
    I come back to what feels suspect to me, which were the entries under the hijackthis log file that were a duplication in the log file under running processes.
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    Maybe I'm clutching at straws here.

    I'm guessing that as we are running a hardware firewall it will not be able to open any ports as it might desire but I want to ensure this system is clean.

    All help appreciated, thanks Major. :cool:
     
