Internet not working yet network is connected.

UsernameIssues said:

Download Process Monitor to a USB flash drive.
There is nothing to install.
Just unzip and copy Procmon.exe to the desktop of the problematic computer.

Start Process Monitor (run as admin).
Accept the EULA.

When it starts for the first time, it automatically starts gathering data.
You can stop that via the button/icon with the magnifying glass.
Then de-select the 3 buttons/icons shown in the right part of this image:

Attachment 318163


Clear the data that was gathered:

Attachment 318164


Add a filter for the IP address of interest:

Attachment 318165


Add a second filter for the registry action of interest:

Attachment 318167


Start the data collection process.
(Use the same magnifying glass button/icon that you see in screenshot #1.)

Manually change the DNS setting back to automatic.
Then let's see if Process Monitor can find the app that changes it back to 127....


If I use the Windows interface to set the 127... IP as the DNS value, then I see this:

Attachment 318168


Hopefully, these steps will find the offending app on your computer. Unfortunately, there is a chance that the offending app calls another app to do that actual change to the registry and/or the offending app hides itself from Process Monitor.

No luck I'm afraid, the process monitor didn't show anything.

I looked at the advanced DNS settings and removed the DNS server ip shown in the picture but it keeps popping up. Is there anything else that's wrong with the advanced DNS settings?

Please start Process Monitor again.

Process Monitor should show you the filter dialog box. If it doesn't, then stop the data collection, clear the data and manually open the filter dialog box.

Click on the button named Reset to remove all of the filters that we added (including the ones applied by the steps shown in the first image).

Let Process Monitor run and gather data while you manually change back to the "automatic" DNS setting.

Once you close all of the dialog boxes for making that manual change, open them again to see if the 127... address is back already. If it is, please stop the Process Monitor's data gathering.

Use Ctrl-F to search for 127.0.0.1 within Process Monitor.

Matthew Harbuz said:

~~~
Is there anything else that's wrong with the advanced DNS settings?

No - nothing looks out of place on that screen except what we already know about...
...that pesky 127.... address.


We might need to involve some forum members that search for infections.

UsernameIssues said:

Please start Process Monitor again.

Process Monitor should show you the filter dialog box. If it doesn't, then stop the data collection, clear the data and manually open the filter dialog box.

Click on the button named Reset to remove all of the filters that we added (including the ones applied by the steps shown in the first image).

Let Process Monitor run and gather data while you manually change back to the "automatic" DNS setting.

Once you close all of the dialog boxes for making that manual change, open them again to see if the 127... address is back already. If it is, please stop the Process Monitor's data gathering.

Use Ctrl-F to search for 127.0.0.1 within Process Monitor.

Ok so I did that and it highlighted this...

TheCyberMan said:

Open a cmd prompt and type ipconfig /flushdns.

Re-boot com[puter for the flush dns to work.

Change DNS to obtain a DNS server automatically.

Re-boot Computer.

If an infection then it should return.

Edit: check DNS client in services that it is set to automatic and is started.

Did everything you said and yep, it returned...

Thank you for gathering that Process Monitor info again, Unfortunately, the WMI app highlighted is started by Windows - then the WMI app listens for commands for other apps. We could turn on WMI tracing, but that can be a mess to read and it too could lead to a dead end :-(

Let's see what TheCyberMan wants to try next.

I am unclear about what all you tried while you were in the safe mode with networking. If you manually set DNS to automatic while in the safe mode with networking - does the offending app change it back to 127...?

UsernameIssues said:

I am unclear about what all you tried while you were in the safe mode with networking. If you manually set DNS to automatic while in the safe mode with networking - does the offending app change it back to 127...?

No, in safe mode the DNS settings stay the way they should be. When I change the settings they don't change back.