
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Fake MSNBC breaking news email alerts

The recent fake CNN alerts have been modified by their authors to appear as MSNBC alerts. These must also be avoided, as they prompt users to run ADOBE_FLASH.EXE, which contains a malicious Trojan horse. These messages are also circulating extensively in spam email.

MSNBC / CNN malware run
http://www.f-secure.com/weblog/archives/00001485.html
http://securitylabs.websense.com/content/Alerts/3154.aspx

QUOTE: For some days we've been seeing spam runs with titles like "CNN Alerts: My Custom Alert" or "CNN Alerts: Breaking news". These are fake news articles that point to a fake news page that will try to download malware to your machine. Apparently people stopped clicking on fake CNN links as today the attackers switched the mails to look like they are now coming from MSNBC.

Comments

Mickey Hancharenko said:

It appears that over some short period of time, the malware associated with this attack has the ability to cause Windows 2000/XP (and possibly Vista) to throw a BSOD on boot before the user sees much more than the Windows XP splash screen.

This is either the intended payload of the Trojan or is a combination of the Trojan hooking the winlogon service, causing antivirus products such as McAfee VirusScan Enterprise to accidentally remove winlogon.exe from \system32. Restoring winlogon.exe with a bootable CD, flash drive, external hard drive, etc., and removing the rogue 'XPAntivirus' folder (rhc197j0epd5) from the Program Files folder and the following Trojan files from \system32, brings the system back to life (aka: no more BSOD on boot).

Pull from \system32:
CouponPrinter.ocx
cpbrkpie.ocx
phc597j0epd5.bmp
phc597j0epd5.exe
uccspecb.sys
uccspecc.sys
blphc597j0epd5.scr
Coupons.com (shortcut)
cpnprt2.cid
tmp54593328.bat (may vary in name)

Pull from Program Files:
rhc197j0epd5 (folder)

Minor clean-up of shortcuts and what-not may also be in order. Typically, a simple antispyware app can remove these if you hate doing the registry and user clean-up work. :-)

This attack somehow appears to be tied in with the coupons.com spyware, as it is also loaded on each of the 5 systems I've repaired so far. It also places two policy restrictions in the registry to prevent the desktop theme and screensaver tabs from showing in the Display Properties. These can be fixed easily by downloading an app called Dial-A-Fix that is designed to repair/replace common Windows files that may be unregistered or corrupt.

I don't have the exact keys with me as I left them on a scratchpad at work, but if you start Dial-A-Fix, it will notify you if these policy restrictions (or other restrictions) are in place and their locations as well as an option to fix them.

# August 15, 2008 10:00 PM
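As an added defender-side example (not code from the post or its commenter): a read-only Python triage check that looks for the file and folder names listed in the comment above and reports whether winlogon.exe is still present, since its removal is the BSOD cause the commenter describes. It assumes the "Coupons.com (shortcut)" is a Coupons.com.lnk file, matches the varying tmp*.bat name by glob, and builds a constructed sample directory tree so it can run offline.

```python
"""Read-only triage check for the artifacts named in the comment above.
It only reports findings; removal and restoring winlogon.exe are left to the operator."""
import fnmatch
import os
import tempfile

# File names quoted in the comment, lower-cased because Windows file
# systems are case-insensitive and an infected box may vary the case.
SYSTEM32_FILES = {
    "couponprinter.ocx", "cpbrkpie.ocx", "phc597j0epd5.bmp", "phc597j0epd5.exe",
    "uccspecb.sys", "uccspecc.sys", "blphc597j0epd5.scr", "cpnprt2.cid",
    "coupons.com.lnk",  # assumption: "Coupons.com (shortcut)" is a .lnk file
}
SYSTEM32_GLOBS = ["tmp*.bat"]  # the comment says this name varies per machine
PROGRAM_FILES_DIRS = {"rhc197j0epd5"}  # the rogue 'XPAntivirus' folder


def scan(system32, program_files):
    """Return findings for the two directories without modifying anything."""
    names32 = os.listdir(system32) if os.path.isdir(system32) else []
    found32 = [n for n in names32
               if n.lower() in SYSTEM32_FILES
               or any(fnmatch.fnmatch(n.lower(), g) for g in SYSTEM32_GLOBS)]
    names_pf = os.listdir(program_files) if os.path.isdir(program_files) else []
    found_pf = [n for n in names_pf
                if n.lower() in PROGRAM_FILES_DIRS
                and os.path.isdir(os.path.join(program_files, n))]
    # The comment reports AV deleting winlogon.exe; its absence explains the boot BSOD.
    winlogon_missing = not any(n.lower() == "winlogon.exe" for n in names32)
    return {"system32": sorted(found32), "program_files": sorted(found_pf),
            "winlogon_missing": winlogon_missing}


def demo():
    """Constructed sample tree: some artifacts planted, winlogon.exe absent."""
    with tempfile.TemporaryDirectory() as root:
        s32 = os.path.join(root, "WINDOWS", "system32")
        pf = os.path.join(root, "Program Files")
        os.makedirs(s32)
        os.makedirs(os.path.join(pf, "rhc197j0epd5"))
        for name in ("phc597j0epd5.exe", "UCCSPECB.SYS", "tmp12345678.bat", "kernel32.dll"):
            open(os.path.join(s32, name), "w").close()
        return scan(s32, pf)


if __name__ == "__main__":
    print(demo())
```

On a real host, point scan() at the actual \system32 and Program Files paths (from offline media, as the comment does) and act on the report by hand.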