I think I may have killed it!! In Safe Mode, I noticed there were other .exe files that were newly created (since the infection) in my C:\WINDOWS\System32\ folder:
C:\WINDOWS\System32\slathe.exe
C:\WINDOWS\System32\netmod.exe
C:\WINDOWS\System32\htmdce.exe
C:\WINDOWS\System32\exdl.exe
C:\WINDOWS\System32\exdl3.exe
C:\WINDOWS\System32\exdl1.exe
I ran KillBox and deleted all above files plus the vvnrzi in the !Submit folder, rebooted and I don't see that vvnrzi.exe anymore...
My latest HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:26:04 AM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\HJ\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\mysql\bin\winmysqladmin.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJ\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\HJ\Spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\HJ\Ewido\security suite\ewidoctrl.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe