VIRUS FIX

kwolbert_IT asked:

I have a machine with the latest "Your computer is infected with a virus, click here for a free scan" virus.  Before, you could run Malwarebytes to remove the infected files and then search the registry for 127.0.0.1 and remove the folders those values are contained in (proxy server stuff).  This new one doesn't use 127.0.0.1 (the loopback address), so the internet won't work.  Can anyone help?  What do I need to do to get the internet back up and running?

The attached log files are from after the virus was partially removed by MBAM.
hijackthis.log
mbam-log.txt
sweeps:

Did you go into Internet Explorer properties, under Connections, and uncheck the proxy settings?
jhyiesla:
If you have a second user account, try booting the computer into Safe mode and then log in as that second user. We had something similar happen recently that doing this allowed us to run MWB completely and get rid of the infection.

However, it did leave the original account unable to run any EXE files so I had to save off her documents, delete the profile and have her log on again to create a new profile.
Try running this Microsoft Fixit.
http://support.microsoft.com/kb/972034
kwolbert_IT (asker):
Under the LAN Settings?  There, the proxy settings are unchecked.  I don't see proxy settings just under the Connections tab.
Then I would do what jhyiesla suggested.
younghv (accepted solution):
@Experts:
Please read the actual guidance from the developers of MBAM and quit making this "Safe Mode" recommendation.

http://forums.malwarebytes.org/index.php?showtopic=17334&pid=88995&start=&st=#entry88995
Microsoft Fixit didn't work.  I can only connect to this machine remotely.  Booting into safe mode would terminate my connection.

Has anyone possibly searched the registry in the older versions and recorded the folders that stored 127.0.0.1?  If I delete those folders I think it will start to work again (this is my theory).
Try WinSock XP Fix, you can get it here. http://www.snapfiles.com/get/winsockxpfix.html
nettek0300:
I would try logging in using a different profile.  Most of these viruses only affect the user profile they were installed with.  Once you log on using a different profile, you can back up the needed files in that profile and delete the profile.  Most of these place an executable file (.exe or .cmd) somewhere in the user profile.  If you compare a different user profile with the infected one, you can probably find the executable file it is running.  Most times it ends up either in the root of the profile or in one of the app data directories in the profile folder.
nettek0300,
"Different profile/account" was already suggested here: http:#a35128254

Please acknowledge prior Expert's suggestions when you expand on a comment they have made.
"Tony_the_PC-Tuner" mentions downloading "Rkill" to a USB device.

You can also download it to the Desktop of that remote computer - but use this link:
http://download.bleepingcomputer.com/grinler/eXplorer.exe

It is a renamed version of Rkill that won't be recognized by the malware.
I would check your hosts file.

From the run box, type the following:

 notepad c:\windows\system32\drivers\etc\hosts

How does the hosts file look?
I tried the other account thing.  I tried the admin account with no success.  I tried Rkill and the hosts file looks fine.  I am rebooting after rkill.exe/ccleaner.exe/mbam.exe -> this one found 4 instead of 2.  I also went into Documents and Settings\[the user accounts]\Local Settings\Temp and deleted all the files and folders.
No DNS resolution; I also can't ping, but ICMP is turned off.
Is there a router at that remote location?

This link was provided by the Expert known as sjklein42 - if he checks in to this question (and it works) please give him the credit.

http://tidystorm.com/423/the-redirect-virus-was-in-my-router/ 
I know you're trying to restore internet connectivity, but have you found yourself in a place where you are satisfied the machine is clean?

I could be reading you wrong, but it sounds like you're trying to connect to the net while working from a sick machine.  In my opinion this is not the best route to take, mostly because if you've still got some nasty malware, it could phone home and invite its cousins, or it might reinstall some of the stuff you've already removed.

The route I would take is to make sure you're clean as a whistle, then just reinstall your LAN/NIC drivers as needed.  
What was the name of the program that pretended to be a virus scan and clean?  Antivirus 2011?
I'll go with that.  I was called and told that Outlook Express was installed on the machine.  Since Outlook Express is installed on all machines, the icon had to appear at random.  Most likely by an employee (is what I was thinking).  When I logged into the computer it had the lock computer, shutdown, login screen.  This is impossible since I used Remote Desktop to connect.  I canceled out and got the Desktop.  I then started to run scans.

The reason I say Antivirus is because it is doing all the same stuff.  From the weird file in windows\temp to the internet proxy setting that fails after the virus's removal.  I have no symptoms other than the weird login screen and the Outlook Express icon appearing on the desktop and possibly in the quick launch.
I think I got it.  Most likely the Rkill, CCleaner, MBAM combo.  The DNS settings were wiped out.  I put the settings back in and it came up to the RunOnce screen.  I'm getting errors there but I'll probably figure that out (if not I'll post again).  Thanks for everyone's help!
kwolbert_IT,
My comment here: http:#a35128348 is specifically targeted to these 'scareware' infections such as Antivirus 2011.

Another link here from the Malwarebytes forum.
http://forums.malwarebytes.org/index.php?showtopic=77433
OK - good.
I was typing at the same time you were.
> I think I got it.  Most likely the Rkill, CCleaner, MBAM combo.  The DNS settings were wiped out.  I put the settings back in and it came up to the RunOnce screen.  I'm getting errors there but I'll probably figure that out (if not I'll post again).  Thanks for everyone's help!

That is good news!

But just an FYI: make sure that after you've completed all of this, you do a full reboot into "normal" mode on the primary user's account (the one with the infection) and run another complete deep scan with Malwarebytes or whatever high-quality antimalware program you are running.

I know it takes forever, but you want to make sure that some trace of the virus didn't respawn.  If it does respawn because some trace of it was left, it is possible that you'll find yourself back in the same situation with your DNS settings wiped out or your proxy settings messed with.  Doing a second (and hopefully final) scan from the user's profile will give you a much better degree of certainty.
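The three things this thread ends up checking by hand (the per-user WinINet proxy that IE's LAN Settings dialog shows, the hosts file, and the per-adapter DNS servers that turned out to be wiped) can be audited in one pass. The script below is an added example written for this page; it is not from any of the posters and is not part of Malwarebytes, Rkill or WinSock XP Fix. It is read-only: it reports anomalies and leaves remediation to the commands listed in the trailing comments. It assumes a Windows XP-era or later box with PowerShell 2.0 or newer and should be run in the infected user's session (the proxy key lives in that user's HKCU hive, which is why a clean second profile often still has working internet).

```powershell
# Added example, not from the thread. Read-only audit of the settings scareware
# of this family tampers with: WinINet proxy (per user), hosts file, DNS servers.
# Assumes PowerShell 2.0+ so it also runs on XP / Server 2003.

$report = @()

# 1. WinINet proxy for the current user: this is what IE > Connections > LAN
#    Settings shows. ProxyEnable=1, a ProxyServer, or an AutoConfigURL (PAC
#    file) all route every browser request through something the malware chose.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer -or $inet.AutoConfigURL) {
    $report += "PROXY: ProxyEnable=$($inet.ProxyEnable) ProxyServer='$($inet.ProxyServer)' AutoConfigURL='$($inet.AutoConfigURL)'"
}

# A machine-wide policy can force proxy settings regardless of what HKCU says.
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-Path $policyKey) {
    $policy = Get-ItemProperty -Path $policyKey
    if ($policy.ProxySettingsPerUser -eq 0) {
        $report += "PROXY: machine-wide proxy policy in effect ($policyKey)"
    }
}

# 2. hosts file: the only entries a stock box needs are the localhost lines.
#    Anything else (a security vendor's site pointed at 127.0.0.1, a bank pointed
#    at a foreign IP) is worth a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in Get-Content -Path $hostsPath) {
    $trim = $line.Trim()
    if (-not $trim -or $trim.StartsWith('#')) { continue }
    $parts = $trim -split '\s+'
    if ($parts.Count -lt 2) { $report += "HOSTS: malformed line '$trim'"; continue }
    $ip    = $parts[0]
    $names = $parts[1..($parts.Count - 1)]
    if (($ip -eq '127.0.0.1' -or $ip -eq '::1') -and ($names -contains 'localhost')) { continue }
    $report += "HOSTS: $trim"
}

# 3. DNS servers per IP-enabled adapter. An empty list with DHCP disabled is the
#    "settings wiped out" state the asker ended up in; a populated list with DHCP
#    disabled on a DHCP network means someone pinned the resolvers by hand.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' | ForEach-Object {
    $dns = $_.DNSServerSearchOrder
    if (-not $dns) {
        $report += "DNS: '$($_.Description)' has NO DNS servers (DHCPEnabled=$($_.DHCPEnabled))"
    } else {
        $report += "DNS: '$($_.Description)' -> $($dns -join ', ') (DHCPEnabled=$($_.DHCPEnabled))"
    }
}

if ($report) { $report } else { 'No proxy, hosts or DNS anomalies found.' }

# Remediation, by hand, only once the scans come back clean (see the thread's
# warning about fixing connectivity on a still-infected machine):
#   netsh winsock reset                                       # rebuild the Winsock catalog (what WinSock XP Fix automates)
#   ipconfig /flushdns
#   netsh interface ip set dns "Local Area Connection" dhcp   # or: ... static <dns server ip>
#   reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /f
```

Run it from the infected account, not a fresh one, since the proxy key is per-user and the hosts and DNS checks are the same either way. Nothing here is cleanup: if it reports a proxy or a hosts entry, that is a pointer to what the malware changed, and the remediation commands belong after the final full-mode Malwarebytes scan the last post recommends, not before it.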