cactusdr asked:

IE overtaken

Win2000 Pro. Downloaded security updates unattended. After the updates were downloaded, data continued to be received. Removed multiple Trojans and viruses. The only thing remaining is a browser hijacker. I have executed HijackThis, SpywareGuard and every other BHO tool possible. Listed below is part of the HijackThis log file. I've been in the registry and deleted them, only to have them loaded again.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)

O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Home Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Mosaic Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=

I cannot get rid of this IE specific hijacker. HELP.
Fairco:

Here's some help for manual removal:
To find out the problematic file, download Sysinternals' Registry Monitor ( http://www.sysinternals.com/ntw2k/source/regmon.shtml ) and set it up to monitor the hijacked registry keys. It will catch the process that causes the key's change.
Likely it will be explorer.exe, since today's spyware installs itself as a shell extension, making the shell itself do the dirty job.
In this case you need to review all the installed shell extensions. Crawling through the registry is one way, but I recommend using this tool: http://www.snapfiles.com/get/shellexview.html
ASKER CERTIFIED SOLUTION
munkyxtc:

cactusdr (asker):

I'm getting ready to go at it with the above advice. What was said made me think that I should give you some info on what I previously repaired. After the update, when I tried to restart, the system got hung. Opened Task Manager and the explorer.exe CPU reading was at 99. Ended the process and manually ran explorer.exe. Loading continued. Installed another spyware app and restarted. Did the same thing but would not rerun explorer.exe. Task Manager had 4 instances of a program....wuam.exe. Ended the 4 and loading continued WITH explorer.exe running. Deleted that program and it has worked since. Does this add to the story or confirm your advice? Thanks!
wuam.exe is a virus known as W32/Rbot-M

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Time=wuam.exe

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\Microsoft Update Time=wuam.exe.

and delete it if it exists.

Close the registry editor and reboot your computer.
At this point, it should be said that if you didn't already, you should disable System Restore for the time being -- if you do not, the virus will only propagate into that reserved area of the system, and further infect the hard drive once it has been cleaned from the partition.  To disable System Restore in Windows XP, do the following:

1) Click Start > Programs > Accessories > Windows Explorer
2) Right-click My Computer, and then click Properties.
3) Click the System Restore tab.
4) Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
5) Click Apply. A confirmation window will appear. As noted in the message, this will delete all existing restore points. Click Yes to do this.
6) Click OK.
7) Restart Machine --

To turn on Windows XP System Restore
1) Click Start.
2) Right-click My Computer, and then click Properties.
3) Click the System Restore tab.
4) Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
5) Click Apply, and then click OK.

Also, to add to my above post, I found the following:

W32/Rbot-M is a worm which attempts to spread to remote network shares.

W32/Rbot-M contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in the
background as a service process.

W32/Rbot-M spreads to network shares with weak passwords as a result of the
backdoor Trojan element receiving the appropriate command from a remote user.

When W32/Rbot-M is run it copies itself to the Windows system folder with the
filename wuam.exe and deletes the original copy if that filename was wuam.exe.

In order to run automatically when Windows starts up W32/Rbot-M creates the
following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Time=wuam.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe.

W32/Rbot-M attempts to contact the host babe.thekiller.biz.
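The post above has you export a registry backup and then hunt for the "Microsoft Update Time" values under the Run and RunServices keys by hand. The script below is an added example, not code from the post, from Sophos or from HijackThis: it reads a regedit export offline, lists every value under an autorun key, flags the ones whose program is a named indicator file, and writes a reviewable .reg file that deletes only those values (the `"name"=-` syntax regedit understands). The sample export, the SID, and the `wuam.exe` indicator list are constructed for the example; the third entry shows that a full path to the same binary is caught too.

```python
import re

# Constructed sample of a regedit export (the "Backup" the post has you make
# before editing). It carries the three Run/RunServices values the post names
# plus one legitimate entry from the thread's log. The SID is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"Microsoft Update Time"="wuam.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Time"="wuam.exe"

[HKEY_USERS\S-1-5-21-PLACEHOLDER-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="C:\\WINNT\\System32\\wuam.exe"
"""

# Keys whose values Windows executes at boot or logon.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunServices|RunOnce)$", re.IGNORECASE)
# A .reg string value line: "name"="data", with \\ and \" escapes inside.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s):
    """Apply the .reg escaping so a value name round-trips into the output file."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_autoruns(reg_text):
    """Return (key, value_name, data) for every string value under a Run-type key."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and current_key and AUTORUN_KEY.search(current_key):
            entries.append((current_key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def _runs_binary(data, binary):
    """True when the command line launches `binary`, bare or with a path in front."""
    pattern = r'(?:^|[\\/"\s])' + re.escape(binary) + r'(?:$|["\s])'
    return re.search(pattern, data, re.IGNORECASE) is not None


def flag_entries(entries, indicators):
    """Keep only the autoruns whose program is one of the named indicator files."""
    return [e for e in entries if any(_runs_binary(e[2], b) for b in indicators)]


def removal_reg(flagged):
    """Build a .reg file that deletes exactly the flagged values ("name"=- syntax),
    so the change can be reviewed before it is merged with regedit."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in flagged}):
        lines.append(f"[{key}]")
        lines.extend(f'"{_escape(name)}"=-' for k, name, _ in flagged if k == key)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = flag_entries(parse_autoruns(SAMPLE_REG), {"wuam.exe"})
    for key, name, data in found:
        print(f"{key}\n    {name} = {data}")
    print(removal_reg(found))
```

Run it against a real export by reading the file instead of `SAMPLE_REG` (Windows 2000 regedit writes the export as UTF-16, so open it with that encoding). Listing every autorun first, rather than only the indicator, is deliberate: the asker's Task Manager showed four copies of the process, and a second persistence name would otherwise go unnoticed.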
Whoops -- just noted that it was 2K Pro... for some reason I was thinking XP -- regardless, the above notes should be helpful, and a start on the bigger issue here.
I don't think Win2000 Pro has System Restore
Sorry for the post. I've got a great program called Registry Crawler. I ran it last night and deleted every instance of wuam.exe.
>>I don't think win2000 Pro has system restore<<

You're correct -- it doesn't; that's why I posted my retraction above: Date: 08/08/2004 10:52AM EDT

>>Sorry for the post. I've got a great program called Registry Crawler. I ran it last night and deleted every instance of wuam.exe.<<

Glad to hear you got that straightened out.

Still, try running the apps I suggested in safe mode... reboot, and post the HT log.
Getting ready to shut it down and restart. Until then, here's the entire HT log:

Logfile of HijackThis v1.97.7
Scan saved at 8:17:48 AM, on 8/8/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\mFire Accelerator\mfireaccel.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\mFire\dialer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\DOCUME~1\mb\LOCALS~1\Temp\7zOp68B8\shexview.exe
E:\Program Files\Maxthon\Maxthon.exe
D:\Protection\HijackThis\HijackThis.exe
D:\Protection\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\mFire Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINNT\System32\mshelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Registry Crawler] E:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: mFire Accelerator Client.lnk = C:\Program Files\mFire Accelerator\mfireaccel.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\mFire Accelerator\mfireaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\mFire Accelerator\mfireaccel.exe/227
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Home Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Mosaic Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O17 - HKLM\System\CCS\Services\Tcpip\..\{1886DBB9-B46F-4A2E-86E8-E5A2296800FF}: NameServer = 209.244.0.3 209.244.0.4

FYI: mfire is an internet accelerator that's been on the system a long time.
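Both HijackThis excerpts in this thread (the R0/R1 and O13 lines in the question, and the full log above) can be triaged mechanically instead of by eye. The Python below is an added example, not HijackThis code and not anything posted in the thread: it parses R0/R1 and O13 lines, percent-decodes the O13 prefixes so the hidden hostname becomes readable, flags IE settings that point at a host outside an allowlist, flags a ProxyServer set to 127.0.0.1, and collects the hostnames for a blocklist. The sample lines are constructed in the shape of the log above with its own hostnames; the allowlist argument and the "hex escape or query string means hijacked" rule for O13 are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample in HijackThis 1.97 log format, copied in shape from the
# log in this thread; the hostnames are the ones that log shows.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
"""

# R0/R1: IE start and search settings. HijackThis appends "(obfuscated)" to values it decoded.
R_LINE = re.compile(r"^(?P<sec>R[01]) - (?P<key>[^=]+?) = (?P<value>.*?)(?: \(obfuscated\))?$")
# O13: the prefixes IE prepends to whatever the user types without a scheme.
O13_LINE = re.compile(r"^O13 - (?P<name>[^:]+): (?P<value>.*)$")


def decode_url(raw):
    """Undo percent-encoding: %6C%66... is just a hostname spelled in hex."""
    return unquote(raw)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def triage(log_text, trusted_hosts=()):
    """Return the R/O13 lines a defender should act on, with the decoded value and why."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            key, raw = m.group("key"), m.group("value")
            setting = key.rsplit(",", 1)[-1]
            if setting == "ProxyServer" and "127.0.0.1" in raw:
                findings.append({"section": m.group("sec"), "item": setting, "value": raw,
                                 "reason": "browser proxied through a local port: a resident process sees every request"})
            elif raw.lower().startswith("http://"):
                host = host_of(decode_url(raw))
                if host and host not in trusted:
                    findings.append({"section": m.group("sec"), "item": setting, "value": decode_url(raw),
                                     "reason": f"IE setting points at untrusted host {host}"})
            continue
        m = O13_LINE.match(line)
        if m:
            raw = m.group("value")
            decoded = decode_url(raw)
            # A legitimate prefix is a bare scheme such as http://; hex escapes or a
            # query string mean every address typed without a scheme is rewritten.
            if "%" in raw or "?" in decoded:
                findings.append({"section": "O13", "item": m.group("name"), "value": decoded,
                                 "reason": "URL prefix is obfuscated or carries a query string"})
    return findings


def hosts_to_block(findings):
    """Distinct hostnames from the findings, e.g. for a DNS or proxy blocklist."""
    hosts = {host_of(f["value"]) for f in findings if f["value"].lower().startswith("http://")}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['section']:<4}{f['item']:<16}{f['value']}\n      {f['reason']}")
    print("block:", ", ".join(hosts_to_block(found)))
```

Decoding the O13 prefix is the useful step here: `%6C%66%6E%6D%63%6A%77%2E%62%69%7A` is `lfnmcjw.biz`, the same host as the hijacked Start Page, which is what ties the four prefix entries to the R0/R1 entries. The ProxyOverride line is left alone on purpose: with the proxy itself removed, the bypass list is harmless, and it also explains why Windows Update still worked while everything else was redirected.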
I'd remove all of this:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)

O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Home Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Mosaic Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O17 - HKLM\System\CCS\Services\Tcpip\..\{1886DBB9-B46F-4A2E-86E8-E5A2296800FF}: NameServer = 209.244.0.3 209.244.0.4
Also, make sure you delete all the files out of your recycle bin, and do the following:

go to START>Run

type CMD press enter

when the window opens up make sure you are at C:\ if not use cd.. to get there, and then:

type DEL *.tmp /s [there are spaces between the del and * and also between tmp and /s]

This will delete all temp files on the hard drive -- also, I never noticed, did you run the scans in safe mode?  
munkyxtc----You da man!!!!!!!
I cleared the recycle bin then started in Safe Mode. Ran CWS and Ad-Aware. Instead of perm. deleting the items found in CWS, I sent them to the Recycle Bin so that I could view the contents after normal restart. Ran HT after CWS and A-A and the guilty entries still appeared. Ran CWS again and nothing was found. Ran HT and all the entries were gone. Restarted normally and checked the Recycle Bin. The following files were in the Bin:

mshelper.dll  (C:\WINNT\System32)
mtwcnl32.dll  (C:\WINNT\System32)
Readme        (C:\Program Files\Internet Explorer)

Cleared the Bin and ran the CMD as you stated. Can't delete one file as it's 'in use'. Opened Internet Options and the home page was 'Blank'. Bingo.
Before I give the points, would you briefly explain to me why Safe Mode? I ran CWS, Ad-Aware and HijackThis while running normally but the entries ALWAYS propagated. Why?
>>would you briefly explain to me why Safe Mode?<<

Sure, safe mode is a diagnostic boot sequence built into Windows operating systems. When you boot into safe mode, only the bare essential items are loaded, meaning only the files that Windows needs to start up, nothing else. It is an extremely powerful tool when dealing with adware/spyware, because these applications exploit security flaws in the system and make it look like they are system processes; therefore the spyware removal tools cannot remove them, since they look like a system process [which makes it look like the system would become unstable if they were removed], and so they are not removed during a scan when the machine is booted normally.  When you start in safe mode, these services/processes do not start up, since Windows says 'I don't need these files to boot'; when the spyware removal tool is run, it will recognize the file name or application as not required by Windows, therefore allowing you to remove the files.  OK, I hope that better explains 'why safe mode', but more importantly, I'm glad I was able to help get your PC back up and running.  Anything else, just ask.