April 26, 2004

Found a virus (or a trojan) this morning on two web servers that had been put on servers over the weekend. This virus/trojan disabled the port 443 (SSL) web sites on these two boxes. It was listening on port 443 and on another port, 1489 or some such. I found it using fport.exe to be a file called ntoskrnl.exe. It had installed itself as a service called MS Windows Update, running as SYSTEM. So, I killed the process and moved off the file. Instead of 1660 KB, the file was 704 KB, and it was in a different directory, c:\winnt\system32\config. Once the service was disabled, IIS had no problem taking the port back.
These two servers had not had the patches that came from Microsoft last week (week before?), and I'm supposing that that was the entry point for this particular bug. I'm still looking through the bug to see what I can see, but it's an executable, so full analysis will be tough, and I probably don't have the time for it.
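As an added example (not code from the original post), here is a small Python checker over fport-style output that automates the two checks the post describes: a core Windows binary name running from a directory other than system32, and an IIS port held by something other than inetinfo.exe. The sample listing, CORE_BINARIES, IIS_PORTS and SYSTEM_DIR are constructed assumptions for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in fport.exe's output style (not captured from the incident).
FPORT_OUTPUT = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
1004  inetinfo       ->  80    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
1376  ntoskrnl       ->  443   TCP   C:\\WINNT\\system32\\config\\ntoskrnl.exe
1376  ntoskrnl       ->  1489  TCP   C:\\WINNT\\system32\\config\\ntoskrnl.exe
8     System         ->  139   TCP
"""

# Assumption: these core binaries only belong directly in %SystemRoot%\system32.
CORE_BINARIES = {"ntoskrnl.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
# Assumption: on these web servers IIS 5 (inetinfo.exe) owns the HTTP/HTTPS ports.
IIS_PORTS = {80: "inetinfo.exe", 443: "inetinfo.exe"}
SYSTEM_DIR = PureWindowsPath("C:/WINNT/system32")

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(\S.*)?$")

def parse_fport(text):
    """Return (pid, port, proto, path) tuples; path is None when fport shows none."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, _, port, proto, path = m.groups()
            rows.append((int(pid), int(port), proto, path))
    return rows

def find_masquerades(rows):
    """Flag listeners showing the two signs from the incident; returns (pid, port, reason)."""
    findings = []
    for pid, port, proto, path in rows:
        if path is None:
            continue
        p = PureWindowsPath(path)
        name = p.name.lower()
        # (1) a core-binary name running from anywhere but system32 itself
        if name in CORE_BINARIES and p.parent != SYSTEM_DIR:
            findings.append((pid, port, f"{name} outside system32: {path}"))
        # (2) an IIS port held by something other than inetinfo.exe
        expected = IIS_PORTS.get(port)
        if expected and name != expected:
            findings.append((pid, port, f"port {port} owned by {name}, expected {expected}"))
    return findings

if __name__ == "__main__":
    for pid, port, reason in find_masquerades(parse_fport(FPORT_OUTPUT)):
        print(f"PID {pid} port {port}: {reason}")
```

The size check the post also used (704 KB versus the expected 1660 KB) can be added as a third rule by comparing the flagged file against the copy in system32.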
