Solved Internet not working yet network is connected.

[Matthew Harbuz]

Download Process Monitor to a USB flash drive.
There is nothing to install.
Just unzip and copy Procmon.exe to the desktop of the problematic computer.

Start Process Monitor (run as admin).
Accept the EULA.

When it starts for the first time, it automatically starts gathering data.
You can stop that via the button/icon with the magnifying glass.
Then de-select the 3 buttons/icons shown in the right part of this image:

View attachment 318163


Clear the data that was gathered:

View attachment 318164


Add a filter for the IP address of interest:

View attachment 318165


Add a second filter for the registry action of interest:

View attachment 318167


Start the data collection process.
(Use the same magnifying glass button/icon that you see in screenshot #1.)

Manually change the DNS setting back to automatic.
Then let's see if Process Monitor can find the app that changes it back to 127....


If I use the Windows interface to set the 127... IP as the DNS value, then I see this:

View attachment 318168


Hopefully, these steps will find the offending app on your computer. Unfortunately, there is a chance that the offending app calls another app to do that actual change to the registry and/or the offending app hides itself from Process Monitor.

No luck I'm afraid, the process monitor didn't show anything.

I looked at the advanced DNS settings and removed the DNS server ip shown in the picture but it keeps popping up. Is there anything else that's wrong with the advanced DNS settings?

 

[UsernameIssues]

Please start Process Monitor again.

Process Monitor should show you the filter dialog box. If it doesn't, then stop the data collection, clear the data and manually open the filter dialog box.

Click on the button named Reset to remove all of the filters that we added (including the ones applied by the steps shown in the first image).

Let Process Monitor run and gather data while you manually change back to the "automatic" DNS setting.

Once you close all of the dialog boxes for making that manual change, open them again to see if the 127... address is back already. If it is, please stop the Process Monitor's data gathering.

Use Ctrl-F to search for 127.0.0.1 within Process Monitor.

 

[UsernameIssues]

~~~
Is there anything else that's wrong with the advanced DNS settings?

No - nothing looks out of place on that screen except what we already know about...
...that pesky 127.... address.


We might need to involve some forum members that search for infections.

 

[TheCyberMan]

Open a cmd prompt and type ipconfig /flushdns.

Re-boot com[puter for the flush dns to work.

Change DNS to obtain a DNS server automatically.

Re-boot Computer.

If an infection then it should return.

Edit: check DNS client in services that it is set to automatic and is started.

 

[Layback Bear]

On my third cup of coffee and got a thought.

Iobit Advanced System Care and their other programs.
If Iobit has been on this computer all kinds of goofy things could be happening.
Including Iobits trying to call home to China.

I will go back to watching.

 

[Matthew Harbuz]

Please start Process Monitor again.

Process Monitor should show you the filter dialog box. If it doesn't, then stop the data collection, clear the data and manually open the filter dialog box.

Click on the button named Reset to remove all of the filters that we added (including the ones applied by the steps shown in the first image).

Let Process Monitor run and gather data while you manually change back to the "automatic" DNS setting.

Once you close all of the dialog boxes for making that manual change, open them again to see if the 127... address is back already. If it is, please stop the Process Monitor's data gathering.

Use Ctrl-F to search for 127.0.0.1 within Process Monitor.

Ok so I did that and it highlighted this...

 

[Matthew Harbuz]

Open a cmd prompt and type ipconfig /flushdns.

Re-boot com[puter for the flush dns to work.

Change DNS to obtain a DNS server automatically.

Re-boot Computer.

If an infection then it should return.

Edit: check DNS client in services that it is set to automatic and is started.

Did everything you said and yep, it returned...

 

[UsernameIssues]

Thank you for gathering that Process Monitor info again, Unfortunately, the WMI app highlighted is started by Windows - then the WMI app listens for commands for other apps. We could turn on WMI tracing, but that can be a mess to read and it too could lead to a dead end :-(

Let's see what TheCyberMan wants to try next.

 

[UsernameIssues]

I am unclear about what all you tried while you were in the safe mode with networking. If you manually set DNS to automatic while in the safe mode with networking - does the offending app change it back to 127...?

 

[Matthew Harbuz]

I am unclear about what all you tried while you were in the safe mode with networking. If you manually set DNS to automatic while in the safe mode with networking - does the offending app change it back to 127...?

No, in safe mode the DNS settings stay the way they should be. When I change the settings they don't change back.

 

[Matthew Harbuz]

I tried to look at the HOSTS file and got this... Is this any help?
Forgive me but I have no idea what I'm doing...

 

[UsernameIssues]

Thank you for clarifying the safe mode with networking stuff.
So - your settings stay normal, but no internet in that mode.

Fewer things are running in the safe mode. Whatever is changing this DNS setting to 127.... is not running in that mode or it is aware that the computer is in the safe mode and opts not to change the DNS IP. I would have thought that the clean boot process would have come close to doing what the safe mode does.


The HOSTS file looks fine. It looks like the default one and it is doing nothing. All lines are commented out.


A few posts back, Layback Bear mentioned "Iobit Advanced System Care and their other programs." Do you recall ever having installed anything from that company?

 

[Matthew Harbuz]

Thank you for clarifying the safe mode with networking stuff.
So - your settings stay normal, but no internet in that mode.

Fewer things are running in the safe mode. Whatever is changing this DNS setting to 127.... is not running in that mode or it is aware that the computer is in the safe mode and opts not to change the DNS IP. I would have thought that the clean boot process would have come close to doing what the safe mode does.


The HOSTS file looks fine. It looks like the default one and it is doing nothing. All lines are commented out.


A few posts back, Layback Bear mentioned "Iobit Advanced System Care and their other programs." Do you recall ever having installed anything from that company?

I don't think I have no, oh and the internet does work in safe mode with networking.
TBH I think I will call the PC doctor tomorrow to see if they can figure out the problem and how to fix it.

Thanks for all the help though, I really apriciate it

 

[TheCyberMan]

Boot into safe mode with networking download Malwarebytes and update it by run as administrator and run it.

No virus should be running in safe mode with networking.

Let us know if there are any nasties by posting the log.

Malwarebytes download The free version.
Malwarebytes Anti-Malware - Protect, Detect & Remove Malware From Your PC

EDIT: Backup fisrt your data and current system and data.

Ensure you have backup disks

 

[Matthew Harbuz]

I've fixed it!!!! I looked in my installed programs and saw that there was a program that I was unfamilier with that I had apparently installed around the time the problem occurred. I just uninstalled it and now the DNS settings aren't changing WOOP!

 

[Layback Bear]

Come on Matt tell us what the programs you remove was.

 

[TheCyberMan]

You are glad i can see, that I am glad the Malwarebytes would have turned up nothing.

I am with Layback bear here and can you mark solved after please.

Have a great day.

 

[Matthew Harbuz]

Come on Matt tell us what the programs you remove was.

The program was called "PenWes", no idea what it was and i can't remember installing it.

 

[chev65]

Everything you need to know about PenWes

Yes it protects you by jamming the host file IP into the static DNS settings?

It say's it can't install without consent. Pretty useless program I'd say.

 

[TheCyberMan]

A program like PenWes can do something else not what you want can be used by malware processes I imagine best thing you did uninstalling it.