So I put a little HTML shortcut on my desktop... is currently keeping the problem solved, but it's slowing my IE down.
Here is my HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 9:25:54 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\DefWatch.exe
C:\LDCLIENT\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\LDCLIENT\TMCSVC.EXE
C:\Program Files\Net Nanny\NNSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Net Nanny\nntray.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\sysxm.exe
C:\WINDOWS\sdkyv32.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\Eugene\Spyscan\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlkbn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xlkbn.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xlkbn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlkbn.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xlkbn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xlkbn.dll/sp.html#96676
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C7F8F9B4-5233-5460-C2DB-34313EC35B32} - C:\WINDOWS\sdkax32.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [NNTray] C:\Program Files\Net Nanny\NNTray.exe /autorun
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysxm.exe] C:\WINDOWS\system32\sysxm.exe
O4 - HKLM\..\RunOnce: [mfclq.exe] C:\WINDOWS\mfclq.exe
O4 - HKLM\..\RunOnce: [sdkyv32.exe] C:\WINDOWS\sdkyv32.exe
O4 - HKLM\..\RunOnce: [ieqt32.exe] C:\WINDOWS\system32\ieqt32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://download.macr...are/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {3E9B39EF-5BBD-C23B-CC66-F1DE3B25B22B} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://hanabank.co.k...INIplugin40.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mayo.edu
O17 - HKLM\Software\..\Telephony: DomainName = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D83E26-BA75-4BB3-B0CD-209D2870AA27}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D83E26-BA75-4BB3-B0CD-209D2870AA27}: NameServer = 129.176.199.5,129.176.100.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F40F62-B92F-4F59-9DBA-8130C21C6053}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F40F62-B92F-4F59-9DBA-8130C21C6053}: NameServer = 129.176.199.5,129.176.100.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32FF779-3B67-4F96-95FF-3F3CAAA115E1}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32FF779-3B67-4F96-95FF-3F3CAAA115E1}: NameServer = 129.176.171.5,129.176.199.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mayo.edu
Meh. This is relaly annoying.. I've even tried the safe mode thing to delete the TV Media, but the home page hijack is still there. I've removed the BHO that causes this numerous times with Spybot, and I've scanned with the custom options in Adaware...
I've decided that whoever wrote the code for this is gonna get a swift kick in the arse if I ever find them.
Thanks.