Ran spinrite 6 on the drive before doing an image backup ... no issues found ... chkdsk /f/r found nothing
Used Acronis 2013 to do a image backup to a external drive
Memory issues in my experience typically cause random crashes and or program lockups/failures ... I don't see any evidence of that happening over the past 4 days of diagnostics ... but could possibly run memtest on it overnight just to be sure
After Imaging the Harddrive I did reload an as built/delivered image of the machine which has no issues with internet access ... this to me rules out the nic and downstream hardware
I also moved the drive to an esata port as a slave external drive and ran a few virus/malware programs but I don't believe these will review the registry of the slave drive properly?
This is one of the ugliest infections I have seen given that none of the 45 tools I have thrown at it have found anything other then a few PUP and PUM files which were eradicated straight off
sfc -scanow says the core files are good ... is it possible an infection could spoof this?
None of the rootkit tools appear to run prior to boot ... it is possible an infection is smart enough to hide from the major tools (some new variant 2-3 weeks old?) ... if a rootkit is involved here wouldn't it be easy to hide from known tools? My expectation is that a proper test would run prior to the OS ever starting ... POST BIOS level code could run prior to the OS starting and do anything.
If this is indeed a registry only issue it makes me wonder why everything else is totally functional ... ie Word, Excel, Ping, tracert, Temprature Widgets, etc. all work properly ... in one of my tests I totally removed all the browsers, Nic, and Network Related programes then added them back ... issue still existed even with netsh resets ... Wire Shark suggests the internet services are working ... my suspcion is that this thing is just blocking the browsers from accessing the network services.
Everything I have done so far points to it being an infection ... what was interesting was a Wire Shark trace that showed activity with an address in the 1.192.168.nnn domain which reverses to a Mainland China Server ... why would this machine be talking to China automatically?
Researching this issue suggests it is new ... there are variations but for the most part they appear to be picked up by the core tools.
If you have other suggestions I can reload the before image and glady follow your steps to see if perhaps I have missed something ... I don't consider myself and expert even though I have coded in most systems going back over 30 years ... there is a lot going on in the newer PC's so it's no longer a simple task to trouble shoot.
