Hey, I have the same exact problem... but finally got it mostly under control, thought I was clean but just now spotted the 18.104.22.168 IP address pop up in my What'sRunning program (the red highlight I think meant it was being blocked) which this time I wrote down. Searched on that term and found this post. Glad to meet you, and boy were we hit with a nasty one or what? My wife was doing some Google searches when the little netbook was taken over, windows popping up and out all over the place and she finally just shut it off. When I got to it I found a real mess.
First, the DNS IP address was manually set to something 91 or 96 ish (didn't write it down) which was something another system of mine suffered last year with another malware attack. I experienced nearly all the same symptoms and thwarted efforts to clean the system as I went from safe mode running Malwarebytes, SpybotS&D, Norton Antivirus, etc. finding various files resisting deletion (Malwarebytes has a powerful delete tool that overcame the permissions of one malfile). Over a few days I also fought to regain control and took steps backward and forward like you described. I did not take good notes but my scan logs might be useful - let me know if I should post them.
After getting most of my functionality back, the main thing that bugged me is that I could not turn off system restore to eliminate restore point files (where Norton had found some virus files but could not eliminate). That led me to a posting describing turning off the system restore service manually, setting it to manual starting, rebooting, then restarting. Should have cleared those restore point files, but now I still see the checkbox grayed out with the message "disabled by Group Policy".
So, I think I am still infected, though not acting like a maniac botted mess like before. Now I worry something more subtle and insidious and threatening is going on.
Will post more as I learn more.
Oh, and I cannot get to the Windows Update service anymore. Gets blocked/thwarted... and Firefox gives a sorry, connection reset by foreign host message. And now that I think more, Internet Explorer and Firefox don't always start up the first time. Yeah, I'm still infected, or just really messed up. Any thoughts?
Edited by meastwoo, 29 April 2010 - 11:12 PM.