[Connectivity] SOLVED: The dreaded "utopia.net" DNS hijack.

AFTERMATH Update: SOLVED

I opened my AVAST antivirus and internet security, and did a “Scan network for threats”; it found a vulnerability for WannaCry/DoublePulsar ransomware/malware virus, and so I followed their instructions on how to remove it using an update patch. (NOTE: I am not certain what, if any, connection this has with my former problem.) Google this to find out the patch for your version of Windows: “March 2017 Security Only Quality Update for Windows”

So I went to the “settings” in the firewall section of Avast, and saw a list of "network profiles", scrolled down, and among them, sure enough, was Utopia.net! I selected “Delete” from the right-click drop-down menu, not really knowing what would happen, and deleted utopia.net from the network profiles list. Strangely, when I went back to "firewall", despite the fact that Avast said I was not connected to a network, I was able to go to several pages easily.

Finally I restarted my computer, and when I logged back on, POW, utopia.net was no longer listed as the network I was connected to. My network now says “Currently connected to hsd1.ca.comcast.net”.

I don’t know how I would do that in other security programs, but I’d guess that deleting the network profile “utopia.net” is the key, since it was for me. Thanks for all your help!

RR
___________________________________________________
Here is the path using Avast I used to get rid of utopia.net. NOTE: Changing the DNS server setting in "Adapter settings" did not work in getting rid of utopia.net, for me at least.

Anon0844a (Anon)
2017-May-29 12:37 pm
[Connectivity] Re: The dreaded "utopia.net" DNS hijack.

jbob (Reach Out and Touch Someone), Premium Member, join:2004-04-26, Little Rock, AR
to RandomRobert
Try this link on Comcast's own forum » forums.xfinity.com/t5/Yo ··· /2888703
I see it looks like you have a post on Bleeping Computer too. They're good.

There's amazingly little information available on what this even is. Thanks, RR

JJ Johnson, Premium Member, join:2001-08-25, Fort Collins, CO
to RandomRobert
said by RandomRobert:
> I looked up one day and my status went from "currently connected to Xfinity comcast" to "Currently connected to Utopia.net"
Where exactly do you see this? If your house is connected to the internet via Comcast, then you're connected to Comcast. That can't be hijacked or changed.

Connected via Comcast and through which DNS servers are two different things, I think. Here: in Network Center, and in my system tray.

JJ Johnson, Premium Member, join:2001-08-25, Fort Collins, CO
Is that a wireless connection?

NetFixer (From My Cold Dead Hands), Premium Member, join:2004-06-24, The Boro
2017-May-29 6:30 pm
This is about a router vulnerability that allows the router's DHCP/DNS services to be hijacked. It has nothing to do with WiFi vs Ethernet connections. FYI, it is not limited to just Comcast gateways, but since Comcast is probably the largest user of cable gateways, their gateways are probably more likely to be infected just due to the numbers. The typical infection method is the usual visiting of an infected or malicious web site, or clicking on a malicious link in an email. The real cure will have to come from cooperation between the router vendors and ISPs, and a commitment to actually do something about it (which so far is not evident).

Devious, Premium Member, join:2002-08-22, Seattle, WA
to RandomRobert

JJ Johnson, Premium Member, join:2001-08-25, Fort Collins, CO
to NetFixer
said by NetFixer:
> This is about a router vulnerability that allows the router's DHCP/DNS services to be hijacked. It has nothing to do with WiFi vs Ethernet connections.
So it just changes the DNS servers assigned to clients through DHCP? If so, that's trivial to fix.

jbob (Reach Out and Touch Someone), Premium Member, join:2004-04-26, Little Rock, AR
2017-May-29 6:53 pm
The question is whether it's the router affected by itself or a machine inside the router is infected, thus reinfecting the router again and again. You would think a router reset would fix things, but other posts (elsewhere) suggest it doesn't work.
I'm kinda surprised at the lack of topics with answers that show up on a Google search.

Jim721, Member, join:2014-07-31, Belleville, MI
2017-May-29 6:54 pm
Is it possible to Telnet or SSH in to the router and clear all NVRAM and memory? As far as the computer, I would do a full wipe with a clean install, no games here.

tshirt, Premium Member, join:2004-07-11, Snohomish, WA
to jbob
said by jbob:
> or a machine inside the router is infected thus reinfecting the router again and again.
And/or infecting one or more machines to reinfect router/first attached device upon/shortly after reboot.

jbob (Reach Out and Touch Someone), Premium Member, join:2004-04-26, Little Rock, AR
to RandomRobert
Have you tried a hardware reset of the Gateway (TG1862G)? Do you have another modem you can connect and try?

Re: The dreaded "utopia.net" DNS hijack.
Update: SOLVED

I opened my AVAST antivirus and internet security, and did a “Scan network for threats”; it found a vulnerability for WannaCry/DoublePulsar ransomware/malware virus, and so I followed their instructions on how to remove it using an update patch. NOTE: I am not certain what, if any, connection this has with my former problem. Google this to find out the patch for your version of Windows: “March 2017 Security Only Quality Update for Windows”

Then, I opened Avast again, went to “firewall” and noticed there too it said that my network was “Utopia.net”. So I went to the “settings” in the firewall section of Avast, and saw a list of network profiles, and among them, sure enough, was Utopia.net! I selected “Delete” from the right-click drop-down menu, not really knowing what would happen, and deleted utopia.net from the network profiles list. Strangely, despite the fact that Avast said I was not connected to a network, I was able to go to several pages easily.

Finally I restarted my computer, and when I logged back on, POW, utopia.net was no longer listed as the network I was connected to. My network now says “Currently connected to hsd1.ca.comcast.net”.

I don’t know how I would do that in other security programs, but I’d guess that deleting the network profile “utopia.net” is the key, since it was for me. Thanks for all your help! THIS WAS DRIVING ME CRAZY!

NOTE: Advanced DNS settings address changes did nothing for me. I run Windows 7 Ultimate 64-bit.
RR

[Connectivity] Re: The dreaded "utopia.net" DNS hijack.
Well, I don't have that option in my Avast. I use Avast Free version without Firewall. Network scan shows NO problems on any devices; all machines have been scanned, phones, tablets with Avast Mobile. I'm at a loss; every time I restart this gateway (Cisco DPC3941T) it shows DNS suffix utopia.net. 2 machines are Windows 10 Pro, fully patched, 1 Windows PC, fully patched.
Willing to do a full Gateway reset as soon as I have time to.

Devious, Premium Member, join:2002-08-22, Seattle, WA
2017-May-29 8:31 pm
Check the network adapter TCP/IPv4 DNS setting on each computer. You may have utopia listed in there as DNS on one of your computers. DNS should be blank, and this pic shows the default setting in Win 10.

That is all clear on all systems, on both Windows 10 systems; the Windows system I can reload and check that one too.

NetFixer (From My Cold Dead Hands), Premium Member, join:2004-06-24, The Boro
to jbob
said by jbob:
> The question is whether it's the router affected by itself or a machine inside the router is infected thus reinfecting the router again and again. You would think a router reset would fix things but other posts (elsewhere) suggest it doesn't work.
The infection agent is in a PC (or PCs) connected to the router. That agent then proceeds to make changes to the vulnerable router's DHCP and DNS services (it is the DHCP service that changes the network name of its client computers) with the object being to send users' DNS requests to utopia.net-controlled DNS servers. Until the PCs are cleared of the infection (or at least blocked, as some have done with firewalls and/or hosts file entries), and until the router vendors and ISPs get off their butts and fix the router vulnerability, this utopia.net boondoggle will continue.

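NetFixer's explanation above (and Devious's advice to check each adapter's DNS settings) can be turned into a quick per-machine check. The following is an added example, not code from anyone in the thread: it parses `ipconfig /all` output and flags any adapter whose DHCP-assigned DNS suffix or resolvers are not the expected ones. The sample output, the expected suffix and the resolver addresses are assumptions; the hijacked resolvers use a documentation address range as a placeholder.

```python
import re
# Constructed sample of `ipconfig /all` output (not from the thread). The first adapter
# shows the hijack pattern: the DHCP lease carries the utopia.net suffix and resolvers
# that are not the ISP's (198.51.100.0/24 is a documentation range, used as a placeholder).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : utopia.net
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       198.51.100.54

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : hsd1.ca.comcast.net
   DNS Servers . . . . . . . . . . . : 75.75.75.75
                                       75.75.76.76
"""
# Assumed known-good values: the suffix the poster saw after cleanup, and the ISP's resolvers.
EXPECTED_SUFFIXES = {"hsd1.ca.comcast.net"}
EXPECTED_RESOLVERS = {"75.75.75.75", "75.75.76.76"}
KEY_LINE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]* : ?(.*)$")

def parse_ipconfig(text):
    """Return {adapter: {"suffix": str, "dns": [ip, ...]}} from ipconfig /all text."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]                 # adapter heading
            adapters[current] = {"suffix": "", "dns": []}
            last_key = None
        elif current is None or not line.strip():
            continue
        elif (m := KEY_LINE.match(line)):                # "Key . . . : value"
            last_key, value = m.group(1).strip(), m.group(2).strip()
            if last_key == "Connection-specific DNS Suffix":
                adapters[current]["suffix"] = value
            elif last_key == "DNS Servers" and value:
                adapters[current]["dns"].append(value)
        elif last_key == "DNS Servers":                  # indented extra resolver
            adapters[current]["dns"].append(line.strip())
    return adapters

def audit_dns(adapters, good_suffixes=EXPECTED_SUFFIXES, good_dns=EXPECTED_RESOLVERS):
    """Flag adapters whose DHCP-assigned suffix or resolvers are outside the expected set."""
    findings = []
    for name, info in adapters.items():
        if info["suffix"] and info["suffix"].lower() not in good_suffixes:
            findings.append((name, "suffix", info["suffix"]))
        findings += [(name, "dns", s) for s in info["dns"] if s not in good_dns]
    return findings
```

On a live machine, feed it the text of `ipconfig /all` and adjust the expected sets to your own ISP's values; a hit on the suffix or resolvers on a DHCP client points at the gateway's DHCP service, as NetFixer describes, rather than at a static setting on that PC.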
So far done in order on my systems here:
Avast boot scan
Clean system install and drive wipe on Desktop 8-core system
Full virus scan with Windows Defender/Offline scan as well
ESET online scan
ADW Cleaner scan
Junkware Removal Tool
Malwarebytes full scan on all of them, including every drive connected, external and everything
Complete Gateway reset, reprovision done from Comcast even
If there is anything I missed, willing to do more.

Computerman! Can you go to Firewall? Once there, can you see "Settings"? (far right, small print) If so, click on it and choose "Network profiles".

I don't have Firewall in Avast Free, and I use Windows Firewall in Windows 10 here.
Avast Free: I have the following shields installed: File Shield, Web Shield, Mail Shield, Behavior Shield, and Wi-Fi Inspector.

jbob (Reach Out and Touch Someone), Premium Member, join:2004-04-26, Little Rock, AR
to RandomRobert
Re: [Connectivity] SOLVED: The dreaded "utopia.net" DNS hijack.
Can't you do a Registry search for utopia.net for location?

NetFixer (From My Cold Dead Hands), Premium Member, join:2004-06-24, The Boro
to computerman2
Re: [Connectivity] Re: The dreaded "utopia.net" DNS hijack.
said by computerman2:
> I don't have Firewall in Avast Free, and I use Windows Firewall in Windows 10 here
If you don't have a software firewall that can delete/protect network profiles, you might try the hosts file approach that was suggested in another forum post (sorry, I don't remember exactly where I saw the post that claimed a hosts file entry "fixed" the problem). Make a 127.0.0.1 utopia.net entry in your existing hosts file (or create one if you don't currently have one). Substituting 0.0.0.0 for 127.0.0.1 may also work for you without the delay that 127.0.0.1 sometimes introduces (on the occasions that I have used a hosts file to block access to certain host names, I almost always use 0.0.0.0 even though most "experts" will say to always use 127.0.0.1). You should write protect the hosts file after making this entry.

The hosts file "fix" is only a cover-up (and if you have multiple PCs and other devices, you may need to do the same thing for all devices) and you may still need to do a factory reset on your gateway again to clear the bogus changes made to it by the utopia.net infection.

I wish I could tell you what you need to do to remove it from infected PCs, but I have not personally encountered this particular malware (although I have seen similar things in the past), so I can't offer any first hand advice on that subject. One thing you might try doing is to search the Windows registry for "utopia.net", and that might give you a clue to where the infection is hiding. It is possible that just deleting any utopia.net references in the registry might "fix" the problem -- but don't delete anything if you are not sure what you are deleting. Searching the file system for files containing utopia.net might also be helpful in finding the source of the infection (make sure that you include system and hidden files in that search).

Yeah, I'll work on it more tomorrow; think for tonight I'm about done looking through things. Already did hosts file and write protect on it, so hopefully that helps on all systems.

NetFixer (From My Cold Dead Hands), Premium Member, join:2004-06-24, The Boro
to jbob
Re: [Connectivity] SOLVED: The dreaded "utopia.net" DNS hijack.
said by jbob:
> Can't you do a Registry search for utopia.net for location?
Your faster nimbler fingers beat my slow stiff arthritic fingers to the punch.

DarkLogix (Texan and Proud), Premium Member, join:2008-10-23, Baytown, TX
to NetFixer
Re: [Connectivity] Re: The dreaded "utopia.net" DNS hijack.
said by NetFixer:
> Make a 127.0.0.1 utopia.net entry in your existing hosts file
Why not a ::1 entry instead? Or just ::?

tshirt, Premium Member, join:2004-07-11, Snohomish, WA
2017-May-30 9:58 am
said by DarkLogix:
> Why not a ::1 entry instead? or just ::
Good idea, but add a comment line so you don't delete it later.
said by NetFixer:
> One thing you might try doing is to search the Windows registry for "utopia.net",
You may not find utopia.net shown; even so, simple low-memory devices seem to be reseeding this, so maybe the infector file just redirects a WAN site which injects "utopia.net" and the redirect file on each vulnerable machine on the LAN side. A bit more complex than the typical DNS hijack, very persistent, and maybe multiple reinfection modes.

DarkLogix (Texan and Proud), Premium Member, join:2008-10-23, Baytown, TX
2017-May-30 10:19 am
said by tshirt:
> said by DarkLogix:
> > Why not a ::1 entry instead? or just ::
> Good Idea but add a comment line so, you don't delete it later
Ya, go IPv6 with your loopbacks.

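Pulling together NetFixer's hosts-file suggestion, DarkLogix's point that the IPv6 side needs an entry too (::1 or ::), and tshirt's advice to add a comment line: the following is an added example, not code posted by anyone in the thread. It adds both sink entries for a hostname idempotently, validates the sink addresses, and precedes them with a comment; the sample hosts content, the default sinks and the comment text are assumptions.

```python
import ipaddress

# Constructed minimal hosts file (not from the thread). Windows keeps the real one
# at %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
::1             localhost
"""


def hosts_entries(hosts_text, hostname):
    """Return the set of addresses that already map hostname (comments ignored)."""
    hostname = hostname.lower()
    found = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()        # strip comment, then tokenize
        if len(fields) >= 2 and hostname in (f.lower() for f in fields[1:]):
            found.add(fields[0])
    return found


def add_block_entries(hosts_text, hostname, v4_sink="0.0.0.0", v6_sink="::",
                      reason="utopia.net DNS hijack cover-up; do not remove"):
    """Append IPv4 and IPv6 sink entries for hostname unless already present.

    Each sink must be a valid IP literal (0.0.0.0/:: or 127.0.0.1/::1 as the
    thread discusses); a comment line precedes the entries so they are
    recognisable later. Returns the updated file text.
    """
    hostname = hostname.lower()
    existing = hosts_entries(hosts_text, hostname)
    new_lines = []
    for sink in (v4_sink, v6_sink):
        if not sink:
            continue
        ipaddress.ip_address(sink)                   # raises ValueError on junk
        if sink not in existing:
            new_lines.append(f"{sink}\t{hostname}")
    if not new_lines:
        return hosts_text                            # idempotent: nothing to add
    out = hosts_text if hosts_text.endswith("\n") or not hosts_text else hosts_text + "\n"
    return out + f"# {reason}\n" + "\n".join(new_lines) + "\n"
```

Writing the result back to the Windows hosts file needs an elevated prompt, and setting the read-only attribute afterwards is the write-protect step NetFixer recommends.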
Modem restarted this morning for firmware update, Comcast DPC3941T. I ran Avast boot scan last night, all hard disks; results clean, lol.
It did show utopia.net during the modem's reload after the firmware update.
DPC3941_2.6p1s1_prod_sey
Checked registry last night before I went upstairs and let virus scan check all the drives; only one cached entry found for utopia.net, deleted that, restarted, ran the virus scan overnight.
Very strange issue. I think I can safely say all the machines locally are clean; I ran scan on all of them 4 times.
