IE8 will not connect to any site after cleanup
|
|
This is a continuation from this thread: thread779-1587231: Can't boot, plus boot menu lockup. Here is what I have done so far:

Machine would not boot in normal mode (hung before login screen) and would not boot in Safe Mode (rebooted after MUP.SYS). Goombawaho assisted me, and I got the machine booting again. Ran multiple scans (MalwareBytes and Super Antispyware) until I got clean scans, checked Hijackthis logs and all was clean. Except I had a search engine redirector going on (all links from Google or Bing redirected).

Since the machine had IE6, I decided to upgrade to IE8 (probably a mistake to upgrade at this point, but it's done). Now, when I load IE8, it never connects to a page (says "Connecting...", but never connects, never gives up either). Internet connection is fine, I can ping by IP and by domain name, just cannot browse anywhere in IE. Tried resetting settings, still nothing.

I ran GMER, and it pointed to suspicious activity in "atapi.sys" (just like this post: thread760-1587515: Still seeing Antivirus Live after ComboFix!!!). So I ran ComboFix, and it found and cleaned a rootkit, and replaced atapi.sys. This fixed the "Safe Mode" reboot problem, so now I can boot in safe mode. But I STILL cannot get IE8 to connect to any web site.

I tried "netsh winsock reset". I tried SFC /SCANNOW. Still no help. Any ideas on how to proceed? |
|
|
kjv1611 (TechnicalUser) |
25 Jan 10 13:41 |
Are you able to ping external sites from your PC? If so, that will at least narrow down whether it's the connection, or specifically a browser issue.

I wonder if you could still find the Install Executable for IE8 in Windows Temp files, and reinstall it... especially since you apparently did still have some sort of infection on the machine before the install... it apparently murked up the install.

Another option - after all, you've spent this much time already, just wipe the drive with Active KillDisk or DBAN, reinstall Windows, and start over from scratch - to be sure all malware is gone for certain, AND any/all such bugs/issues. I'm thinking of this last option, b/c if the malware was so bad, then who knows what else it could have messed up. You might try to do something for the first time, say a month down the road, and find a new issue.
--
"If to err is human, then I must be some kind of human!" -Me |
|
kjv1611, Well, yeah, at some point I will cut my losses and reformat/reinstall... but I seem so close. Yes, I can ping by IP address, and I can ping by domain name. |
|
|
kjv1611 (TechnicalUser) |
25 Jan 10 14:09 |
|
I would download (from another PC if necessary) and run Winsock XP Fix. It resets your IP stack and then you reboot, then things usually work.
http://www.snapfiles.com/get/winsockxpfix.html

Check your hosts file for anything weird.

Tell us whether you can ping the following from a CMD prompt:
127.0.0.1
your router ip address
www.google.com |
|
goombawaho, Thanks for that... To answer your questions, the machine could always ping the router IP, any other IP, and any domain name like google.com. Hosts was clean. I hadn't tried the utility you pointed to, but I did try "netsh winsock reset" to no avail.

This machine is just whacked. This morning, I uninstalled Superantispyware, and at the end it opens a web page on its website... and it opened in IE! If I browsed to sites that had an html in the name (like http://www.superantispyware.com/index.html), the site would open in IE. But sites like http://www.superantispyware.com or http://www.google.com would NOT open.

Then, I logged into the user's profile (I had been doing all this work in a separate profile I created), and noticed that Task Manager was disabled, their desktop icons didn't show up... so, basically was still hosed. Then I ran ComboFix again in safe mode in this user account, and now everything seems okay (including IE working fine for all sites).

The user wants their machine back, but I am going to advise that if anything seems wacky that they really need a clean install. This virus/rootkit is just particularly nasty, and it looks like you have been fighting something similar. One step forward, two steps back :( |
|
|
kjv1611 (TechnicalUser) |
26 Jan 10 15:25 |
Thanks for the detailed followup, guitarzan. --
"If to err is human, then I must be some kind of human!" -Me |
|
kjv1611, I could write a book on just this one machine alone |
|
Did you check the hosts file? I just found one today that had almost all the search engine sites listed in it as 127.0.0.1.
If you were using HJT, click on "other tools" and see if you can open and check the hosts file. If you find a long list of cr*p, reset it.
If you already did this, apologies -- I try not to make assumptions....
Brian |
|
ronin77: The computer is back with the owner, so far so good... I'm pretty sure I had checked the hosts file, and the only entry was "127.0.0.1 localhost". |
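
Added example (not part of any post in this thread): a small Python audit of hosts-file text that automates the check discussed above, reporting every mapping other than the default localhost entry and calling out search-engine names that have been overridden. The `SEARCH_DOMAINS` watch list, the reason labels and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Names that normally point at loopback in an untouched hosts file.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Assumption: a short watch list; extend it for your environment.
SEARCH_DOMAINS = ("google.com", "bing.com", "yahoo.com")

# Constructed sample, not taken from the machine in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com google.com   # added by something
127.0.0.1       www.bing.com
203.0.113.10    search.yahoo.com
192.168.1.20    fileserver
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments are ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address, skip the line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def is_search_domain(name):
    return any(name == d or name.endswith("." + d) for d in SEARCH_DOMAINS)

def audit_hosts(text):
    """Return (line_no, hostname, ip, reason) for every non-default mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in DEFAULT_LOOPBACK_NAMES and ip.is_loopback:
            continue  # the one entry a clean file is expected to have
        if is_search_domain(name):
            reason = "search-engine override"  # blocked or redirected
        elif ip.is_loopback or ip.is_unspecified:
            reason = "blocked name"
        else:
            reason = "custom mapping"
        findings.append((line_no, name, str(ip), reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a file holding only "127.0.0.1 localhost" produces no findings.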