
Something is "infecting" our computers with the DNS suffix of a company we acquired (xpost Windows 7 networking)

This is one of the strangest issues I have ever had... Unfortunately it is adding unnecessary workload to our helpdesk and we need it resolved.

We (abc.com) recently acquired a company (xyz.com). We have brought over quite a few VMs and a number of pieces of equipment from xyz.com as well as around 80 employees and their laptops. We ended up upgrading many of these laptops to Windows 7 via clean install and put them on our domain.

Recently, and without warning, a number of users (15 in the first batch) were suddenly unable to resolve some of our internal addresses such as our intranet site and ERP thin deployment.

Addresses were now resolving as "intranet.xyz.com" instead of "intranet.abc.com"

The DNS search list setting had been set to default in the adapter TCP/IPv4 settings under the DNS tab, which is "Append primary and connection specific DNS suffixes" with "Append parent suffixes of the primary DNS suffix" checked. After the "infection" it now had "Append these DNS suffixes (in order):" with xyz.com above abc.com in the list.

Even setting it back to default did not fully resolve the issue. Now when I typed "intranet" into IE, it attempted to go to www.Intranet and failed. I would have to manually type intranet.abc.com to get to the right page, which caused issues with our ERP.

To "fix" the issue, we had to blow away the user's profile as this appeared to be profile specific.

That would be fine and dandy if it stopped there, but a scattering of users have had this "infection" pop up, and a few users have even been "reinfected".

This is not a malware issue. Scans have been negative in all cases. The fact that it is coming up with xyz.com which is a known address leads me to believe it is not malware.

I have been running a Wireshark trace on a laptop nonstop, but of course that machine isn't getting "infected"...

Any ideas?
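
An added example, not part of the original post: a PowerShell 2.0-compatible check (so it runs on Windows 7) that lists each registry location Windows reads DNS suffixes from and flags any entry containing the acquired company's suffix. The registry paths are the standard Windows ones; `xyz.com` is the post's placeholder and the helper function names are made up for this example.

```powershell
# Added example: show where this machine's DNS suffixes come from and flag
# the unwanted one. Read-only; changes nothing.
$Unwanted = 'xyz.com'   # placeholder suffix from the post

$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Test-Unwanted($Value) {
    # A search list is stored as one comma-separated string.
    foreach ($s in ("$Value" -split '[,\s]+')) {
        if ($s -ieq $Unwanted -or $s -like "*.$Unwanted") { return $true }
    }
    return $false
}

function New-Finding($Source, $Value) {
    New-Object PSObject -Property @{
        Source = $Source; Value = $Value; Flagged = (Test-Unwanted $Value)
    }
}

$findings = @()
# Machine-wide sources: Group Policy list, locally set list, primary suffix.
$findings += New-Finding 'Group Policy SearchList' (Get-RegValue $policy 'SearchList')
$findings += New-Finding 'Local SearchList'        (Get-RegValue $tcpip  'SearchList')
$findings += New-Finding 'Primary suffix (Domain)' (Get-RegValue $tcpip  'Domain')
$findings += New-Finding 'DHCP-supplied domain'    (Get-RegValue $tcpip  'DhcpDomain')

# Per-adapter sources: static and DHCP connection-specific suffixes.
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    foreach ($name in 'Domain', 'DhcpDomain') {
        $value = Get-RegValue $_.PSPath $name
        if ($value) { $findings += New-Finding "$($_.PSChildName) $name" $value }
    }
}

# Print only the sources that actually hold a value.
$findings | Where-Object { $_.Value } |
    Select-Object Source, Value, Flagged | Format-Table -AutoSize
```

Running it on an affected and an unaffected machine and comparing the rows shows which source carries the extra suffix: a populated Group Policy row points at a GPO, while a DHCP row points at the scope options handed out on that network.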

