Please start Process Monitor again.
Process Monitor should show you the filter dialog box. If it doesn't, then stop the data collection, clear the data and manually open the filter dialog box.
Click on the button named Reset to remove all of the filters that we added (including the ones applied by the steps shown in the first image).
Let Process Monitor run and gather data while you manually change back to the "automatic" DNS setting.
Once you close all of the dialog boxes for making that manual change, open them again to see if the 127... address is back already. If it is, please stop the Process Monitor's data gathering.
Use Ctrl-F to search for 127.0.0.1 within Process Monitor.
Open a cmd prompt and type ipconfig /flushdns.
Re-boot computer for the flush dns to work.
Change DNS to obtain a DNS server automatically.
Re-boot Computer.
If an infection then it should return.
Edit: check DNS client in services that it is set to automatic and is started.
On my third cup of coffee and got a thought.
Iobit Advanced System Care and their other programs.
If Iobit has been on this computer all kinds of goofy things could be happening.
Including Iobits trying to call home to China.
I will go back to watching.
Thank you for gathering that Process Monitor info again. Unfortunately, the WMI app highlighted is started by Windows - then the WMI app listens for commands for other apps. We could turn on WMI tracing, but that can be a mess to read and it too could lead to a dead end :-(
Let's see what TheCyberMan wants to try next.
I am unclear about what all you tried while you were in the safe mode with networking. If you manually set DNS to automatic while in the safe mode with networking - does the offending app change it back to 127...?
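As an added example (not part of any post in this thread): the Ctrl-F search for 127.0.0.1 described above also matches reads and unrelated network events, so this Python sketch filters a Process Monitor CSV export down to the registry writes that put a loopback address into a DNS server value and counts them per process. It assumes the default export columns and the standard Tcpip NameServer registry values; the sample rows, process names, PIDs and interface GUID are constructed.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the default column layout of a Process Monitor CSV
# export. Process names, PIDs, times and the interface GUID are made up.
IFACE = r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}"
SAMPLE_CSV = (
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
    f'"10:01:02.1","svchost.exe","1012","RegSetValue","{IFACE}\\NameServer","SUCCESS","Type: REG_SZ, Length: 2, Data: "\n'
    f'"10:01:09.4","example-helper.exe","4321","RegSetValue","{IFACE}\\NameServer","SUCCESS","Type: REG_SZ, Length: 20, Data: 127.0.0.1"\n'
    f'"10:01:09.5","example-helper.exe","4321","RegQueryValue","{IFACE}\\NameServer","SUCCESS","Type: REG_SZ, Length: 20, Data: 127.0.0.1"\n'
    '"10:01:10.0","browser.exe","5000","TCP Connect","host:50000 -> 127.0.0.1:9222","SUCCESS","Length: 0"\n'
    f'"10:02:30.7","example-helper.exe","4321","RegSetValue","{IFACE}\\NameServer","SUCCESS","Type: REG_SZ, Length: 36, Data: 127.0.0.1,8.8.8.8"\n'
)

# Static (NameServer) and DHCP-supplied (DhcpNameServer) DNS values, global
# or per interface, for IPv4 (Tcpip) and IPv6 (Tcpip6).
DNS_VALUE = re.compile(
    r"\\Tcpip6?\\Parameters\\(Interfaces\\[^\\]+\\)?(Dhcp)?NameServer$", re.I)
# Data written to the value, if it contains an address in 127.0.0.0/8.
LOOPBACK = re.compile(r"Data:\s*(.*\b127\.\d+\.\d+\.\d+\b.*)$")


def loopback_dns_writes(csv_text):
    """Return (time, process, pid, data) for each write of a loopback DNS server."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegSetValue":  # skip reads and non-registry events
            continue
        if not DNS_VALUE.search(row["Path"]):
            continue
        match = LOOPBACK.search(row["Detail"])
        if match:
            hits.append((row["Time of Day"], row["Process Name"],
                         int(row["PID"]), match.group(1)))
    return hits


def writers(hits):
    """Count loopback DNS writes per (process name, PID)."""
    return Counter((name, pid) for _, name, pid, _ in hits)


if __name__ == "__main__":
    for hit in loopback_dns_writes(SAMPLE_CSV):
        print(hit)
```

For a real export, read the file with `encoding="utf-8-sig"` and pass its text to `loopback_dns_writes`.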