Rootkit Issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by alexf, Dec 23, 2007.

  1. alexf

    alexf Private E-2

    Here's the deal. Last Sunday, my McAfee On-Access scanner detected and deleted two viruses on my computer:

    12/16/2007 12:12:57 AM Deleted JAMAAL\Sasha C:\WINDOWS\system32\ineWc01\ineWc011065.exe Generic Downloader.s
    12/16/2007 12:16:25 AM Deleted JAMAAL\Sasha C:\WINDOWS\b122.exe Downloader.gen.a

    Immediately afterwards, my WinPatrol software (which detects unauthorized installations) asked me if I wanted to allow gebcd.dll to be added as an IE helper. I searched for this and found that it is associated with Vundo. I tried to delete this file manually, but found that it was locked by lsass.exe. After killing lsass.exe I tried to delete the file again, and found that it was now locked by rundll32.exe. I killed rundll32.exe, but it immediately respawned and locked the file again. I couldn't manage to come up with a way to delete the file (safe mode, command prompt, etc.).

    At this point, I downloaded Symantec's VundoFix.exe (which couldn't find Vundo on my computer), and then FixVundo.exe (which found it, but couldn't delete the files). I then downloaded SuperAntiSpyware, which found the files and managed to quarantine and remove them. However, upon rebooting my machine, WinPatrol now detected a NEW IE helper (vtutts.dll, also associated with Vundo) and asked if I wanted to install it.

    Realizing that I must have a downloader on my box somewhere, I used a port sniffer on myself (CurrPorts) and found that there were two abnormal programs that were making outside connections. Unfortunately, CurrPorts listed them as "Unknown" and wouldn't give me their paths. Looking around my computer for files that were modified around the time my virus scanner detected the viruses, I found xrun.exe in a temp directory in my local settings directory. I used KillBox on it (as it was locked, by an unknown file) but that still didn't solve the rogue downloader issue. I also found QtFont.qfn in my Windows directory and deleted it. It was replaced by something upon reboot. Suspecting a rootkit, I wanted to see if HiJackThis would give a normal report, and it did indeed:

    Edit: removed inline log

    The entry regarding "pylimvlx.exe" seems suspicious to me for three reasons:

    1) It was modified on the same day (though not at the same time) as I got the virus
    2) It is included in a registry key that authorizes programs to bypass the firewall.
    3) My system32 folder contains no such executable, meaning it is hidden from a directory process.

    Other rootkit scanners (i.e. Blacklight and Rootkit Hook Analyzer) didn't reveal much.

    At this point I feel pretty helpless. I see evidence of something all over my computer (registry keys regenerated on startup, folders randomly created, etc.) but I cannot find what the culprit is. Am I going crazy, or is this a rootkit situation?
     
    Last edited by a moderator: Dec 23, 2007
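    The reasoning in point (3) above (a firewall exception that names an executable the directory listing cannot see) can be checked systematically. The PowerShell below is an added example, not code from the thread or from any of the tools mentioned; it assumes the XP/2003-era Windows Firewall policy key under SharedAccess and the profile names StandardProfile and DomainProfile.

    ```powershell
    # Added example (not from the thread): enumerate Windows Firewall authorized
    # applications and flag entries whose executable cannot be seen on disk.
    # Assumes the XP/2003 SharedAccess firewall policy key layout.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

    function Get-FirewallExceptionReport {
        param([string[]]$Profiles = @('StandardProfile', 'DomainProfile'))
        $results = @()
        foreach ($p in $Profiles) {
            $key = Join-Path $base "$p\AuthorizedApplications\List"
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item $key
            foreach ($name in $item.GetValueNames()) {
                # Each value name is the program path; the data is of the form
                # "C:\path\prog.exe:*:Enabled:Description".
                $path = [Environment]::ExpandEnvironmentVariables($name)
                $onDisk = Test-Path -LiteralPath $path
                $modified = $null
                if ($onDisk) { $modified = (Get-Item -LiteralPath $path).LastWriteTime }
                $results += [pscustomobject]@{
                    Profile  = $p
                    Path     = $path
                    OnDisk   = $onDisk      # $false: listing cannot see it (hidden or removed)
                    Modified = $modified    # compare with the date of the AV detections
                    Data     = $item.GetValue($name)
                }
            }
        }
        $results
    }

    # Entries that are not visible on disk, or were modified recently, sort to the top.
    Get-FirewallExceptionReport | Sort-Object OnDisk, @{Expression='Modified'; Descending=$true} |
        Format-Table -AutoSize
    ```

    An entry with OnDisk = False is only a lead: it may be a leftover from an uninstalled program, and a rootkit that hides a file from the directory listing hides it from Test-Path in the same way, so such paths should be examined from clean boot media rather than from the running system.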
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!

    Noticed you have done a fair few things to try and trace and remove any malware on your PC, but the cleanup routines and scans below are a great set of steps to follow. Once you have run them and have the requested logs, do attach them, as our malware experts are very good at helping you to remove these pests and will issue some further removal instructions if needed; these will be tailored to you and your malware.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
