Any network/hardware specialists in the house?

I'd have thought a root kit unlikely unless you are particularly badly configured.

Run the usual suspects through first - spyware, av etc - full system scans so might be worth doing over night. I've no experince of NOD32 - I know some gamers recommend it because it's light weight - I used to do a lot of AV stuff, & light weight is not what I'd want on an IIS\Exchange box.. Might be worth looking at Mcafee or trend, even if it's just for trials.

Update on the server problem: I think it's safe to rule out hardware/driver problems now. I've identified a pattern of behaviour but I'll be damned if I can find the cause. Whatever's at the root of this problem is something to do with Exchange/IIS. I've been monitoring ping times against activity in TCPView and every so often the inetinfo process opens up a connection to port 25 of an external server, almost always to some random server in another country. At this point ping times go through the roof as it presumably starts flooding the connection with packets. If I kill this connection the ping times drop immediately, but it does try to reconnect again straight away until I kill it again and then it goes quiet for a bit.

I'm no expert in malware, but I'm guessing that as it's connecting on port 25 it's some kind of spambot. However, I've run four different virus scanners, SpyBot, Hijack This and a couple of rootkit detectors and can't find anything. Short of a server rebuild, which I really don't want to do, I'm stumped...

Do you have an upstream ISP providing anti-spam? You can set your firewall up to only allow port 25 from the ISP's mail drop servers and it will stop the problem in it's tracks. If you look at the exchange logs you'll see it denying relays at the same times the problem occurs.

If what you say is right the problem is external and no amount of rebuilding will fix it!

The problem is with outgoing traffic, not incoming spam (that's a whole different bucket of squid).
When the problem occurs two inetinfo process start sending traffic, using what look like random port numbers this side (usually in the range 30000 to 40000) to port 25 (smtp) on the remote server.

Que?

Currently, no. If I turn it on then I should see my inbox swamped with NDRs if we have a spambot on the server, yes?

Are NDRs normally sent straight away or batched for block sending? Given the volume of spam we get (a lot but still only in the hundreds per hour) unless NDRs are batched I can't see how sending them could cause the kind of sustained network slowdown I'm seeing

In c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ there are currently a grand total of 9 items. I'll keep an eye things. I'm using the Intelligent Message Filter to move suspected spam to a separate folder and then have a quick look through it using IMFCompanion before deleting it - so all the spam coming in should not necessarily be sending out NDRs. Whether that makes any difference remains to be seen.

ETA: in a 19 hour window there have been 2400 or so emails flagged as spam and dumped in the spam trap. That should give you an idea of volume.

I've been using process explorer and so far there's nothing I can see that's out of place - but as I've said, I'm not a server admin, just the poor sap who knows a bit more than everyone else about computers so gets landed with the job

No BN*.tmp files to be found. What's the deal with them?

Ah - right. This problems been ongoing for a while now though

Proc Explorer screenshot during normal network activity: