Avast WEBforum

Other => Viruses and worms => Topic started by: darcevader30 on November 18, 2018, 10:05:54 PM

Title: Any real fix for utopia.net DNS Hijack?
Post by: darcevader30 on November 18, 2018, 10:05:54 PM
Good afternoon Avast volunteers,

I apologize in advance if I breach proper forum etiquette or post in the incorrect forum as I am still very new to forums in general.

I was wondering if I may have some insight and assistance into the utopia.net DNS Hijack, and its removal please?

My network keeps resetting to it. Apparently the modem my ISP uses (Technicolor DPC3848V) is a prolific target. I have been in contact with them and have been reassured that it has the latest firmware. Avast Premier states that the DNSmasQ fix of October 2017 identified the issue and resolved it, but I still seem to be a victim.

While Avast premier SHOULD protect against this, I am not going to berate and direct frustration at those who may be the only ones who can help me.

I'm running: Avast Premier
Program Version: 18.8.2356 (build 18.8.4084.0)
Virus Definitions Version: 181118-10
# of definitions: 5.199.944

I have not utilized a 60 day trial of SecureLine VPN yet, which is a suggested fix, but I'm hesitant to do so if giving my info to install it goes through this utopia.net.

Any information/removal strategies will be greatly appreciated.

Thank you for your time.

Regards,

Darcy
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: Pondus on November 18, 2018, 10:46:29 PM
Follow instructions and attach requested logs  >>  https://forum.avast.com/index.php?topic=194892.0

Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: polonus on November 18, 2018, 11:38:35 PM
Haven't we been there before? -> https://forum.avast.com/index.php?topic=218466.0

polonus
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: darcevader30 on November 20, 2018, 10:15:54 PM
Thank you for your responses Pondus and Polonus, I appreciate your time.

I have tried some of the aforementioned suggestions, with no results, or recurring network switching. I did find both threads on my own, hence asking for a moderator's help when the suggestions were unsuccessful.

I will attach requested logs and information as soon as they can be generated.

Thank you both ladies/gentleman/both.

Regards,

Darcy
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: darcevader30 on November 20, 2018, 11:21:14 PM
Attention Polonus and Pondus,

Here are the logs you requested. I hope they assist in some way.

Perhaps another note to mention: the infected computer is running off of a Linksys EA6400 running in bridge mode off the main router (Technicolor DPC3848V). I have a TP-LINK repeater inserted into the network as well, but it shows no ill effects. Could the EA6400 be the weakness? Avast WiFi Inspector says it's secured.

I sincerely hope it is something simple and nothing that takes up too much of your time, and am grateful for your efforts.

Regards,

Darcy
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: polonus on November 21, 2018, 11:55:02 AM
Hi Darcy,

See whether you have run all Windows updates for that OS.

What you could do is go to the “settings” in the firewall section of avast, and look for a list of network profiles, and among them, sure enough, you'd see Utopia.net! Then select “Delete” from the right click drop down menu, and delete utopia.net from the network profiles list. Flush your DNS - The first step to flushing your DNS is to open your “Windows Command” prompt.

WinXP: Start, Run and then type “cmd” and press Enter.
Vista, Window 7 and Windows 8: Click “Start” and type the word “Command” in the Start search field. Finally, right-click the command prompt icon and select the option to “Run as Administrator”.
In the open prompt, type “ipconfig /flushdns” (without the quotes).
You should receive a message of your success as confirmation when the cache is cleared.

polonus
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: Sass Drake on November 21, 2018, 12:28:49 PM
According to FRST logs your PC is clean. As for routers, update their firmwares.
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: darcevader30 on November 21, 2018, 09:49:23 PM
Good evening,

Thank you Sass Drake for jumping in to help! Sadly Sass, all firmwares are up to date. It was one of the first things I checked....even double checking with the ISP as it is the router they supplied with service.

Polonus....I have indeed tried all suggestions found in this forum, with no success. Hence, the re-opening of this topic. You even stated prior "Haven't we been there before?" I hope this is not an updated version of an old problem.

I have deleted the network profile within Avast and flushed DNS with ipconfig /flushdns in Command prompt (even elevated) with no success. I will try again, step by step and convey results. But, it seems utopia.net returns upon boot.

Any ideas of how this slipped by/or still is present, with Avast installed? Just curious....

Thank you again to all, for your time,

Darcy
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: polonus on November 21, 2018, 10:08:11 PM
Hi darcevader30,

This is a rather pesky DNS hijacker malware.

Have you read through this? ->: https://www.reddit.com/r/antivirus/comments/7qwn93/utopianet_malware_dns_hijack/
and also here as a last resort:
Quote
The Comcast DNS Engineering and Operations team has been aware of the utopia.net malware for quite a while.

The only thing we have found searching Google where someone has stated that they have successfully removed this rather pernicious malware can be found here: https://www.bleepingcomputer.com/forums/t/647723/utopianet-dns-hijack/#entry4250145

Also, you can download the router configuration file and search for utopia.  You can then replace the domain="utopia..." with the comcast domain = "hsd1.tx.comcast.net".  Again, you can use the domain specific for your area.  Call Comcast Tech support and ask them for the info.

Hope you'd finally have a lucky strike and get rid of it for good.

polonus

Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: darcevader30 on November 27, 2018, 12:56:51 AM
Good evening Polonus,

My apologies for not replying sooner. I have been hammering away at this problem and now have clean modem/routers, but the problem is worse as ALL 7 machines have utopia.net infections that run through the registry. While I have no utopia.net network profiles listed under any of the connections, they are still listed in the registry using the ctrl+f function. After deleting all keys, they reappear upon reboot. Deleting any keys higher on the tree leaves networking capabilities DOA.

That being said, I will have to completely reinstall Windows on every machine. It's already been a month of wasted time and long nights....what's a few more. Not happy that this slipped by Avast Premier, and the fact it cannot be detected and removed by it either. But, that's life in the digital age. I will be replacing Avast immediately....such a shame, I was happy up until now.

I appreciate everyone's input and thank them for their time. Unless you have some kind of registry cleaner that will delete infected keys so they do not reappear, without damaging W10 networking abilities, I guess this thread will be closed as unresolved.

Special thanks to you, Polonus for sticking it out to the bitter end. If this is the final post, Merry Christmas to you and yours!

Signing off,

Darcy
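
Added example (my own, not code posted by anyone in this thread): a read-only PowerShell audit that looks for the utopia.net string in the places the posts above name, the live resolver settings, the per-interface TCP/IP registry values and the saved Windows network profiles, so that running it after each reboot shows whether the value is being pushed again by the router's DHCP lease or sits as a static setting on the PC. It assumes the indicator string 'utopia.net' from the thread and the Windows 10 DnsClient cmdlets; it changes nothing.

```powershell
# Added example, not from the thread: read-only audit of where a DNS hijack
# like the one described above leaves traces on a Windows 10 client.
# Run from an elevated PowerShell; it only reports and modifies nothing.
$Indicator = 'utopia.net'   # assumption: the domain named in the thread
$Findings  = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Location, [string]$Value) {
    if ($Value -and $Value -match [regex]::Escape($Indicator)) {
        $Findings.Add([pscustomobject]@{ Location = $Location; Value = $Value })
    }
}

# 1. What the resolver is using right now (live state, not registry).
foreach ($c in Get-DnsClient) {
    Add-Finding "Live suffix on $($c.InterfaceAlias)" $c.ConnectionSpecificSuffix
}
Add-Finding 'Live global suffix search list' ((Get-DnsClientGlobalSetting).SuffixSearchList -join ',')

# 2. Per-interface TCP/IP parameters: DHCP-pushed values (Dhcp*) and static ones.
$IfRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($k in Get-ChildItem $IfRoot) {
    foreach ($name in 'Domain', 'DhcpDomain', 'NameServer', 'DhcpNameServer', 'SearchList') {
        Add-Finding "$($k.PSChildName)\$name" ($k.GetValue($name) -join ',')
    }
}

# 3. Saved network profiles, the list a profile search in regedit turns up.
$ProfRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
foreach ($p in Get-ChildItem $ProfRoot) {
    Add-Finding "NetworkList profile $($p.PSChildName) name"        $p.GetValue('ProfileName')
    Add-Finding "NetworkList profile $($p.PSChildName) description" $p.GetValue('Description')
}

# 4. Report. A DhcpDomain/DhcpNameServer hit means the value arrived with the
#    router's DHCP lease, so the router is what re-infects the PC on every boot;
#    a Domain/NameServer hit is a static setting stored on this machine.
if ($Findings.Count -eq 0) { "No '$Indicator' traces found." }
else { $Findings | Format-Table -AutoSize }
```

A hit that only ever appears under the Dhcp* values is the signature of the router case described in this thread: flushing the cache or deleting keys on the PC cannot fix it, because the next lease writes it back.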

Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: Pondus on November 27, 2018, 10:54:22 AM
maybe this will help you (two pages)  >>  https://www.bleepingcomputer.com/forums/t/647723/utopianet-dns-hijack/

and this  >>  https://forum.kaspersky.com/index.php?/topic/372488-utopianet-malware/

Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: polonus on November 27, 2018, 01:35:58 PM
Hi Darcevader,

Did you know you could have been hacked by a BusyBox httpd 1.13 exploit? -> https://www.securityfocus.com/bid/20067/exploit

So it might be due to a Grandstream Device Fibernetics router directory traversal attack.
See recommendations here: https://dnsspy.io/scan/295.ca
Quote
We detected the following errors or warnings about your DNS configuration. These caused your DNS rating to be lowered. Resolving these will grant a higher DNS Spy rating for your domain.

All IPv4 nameservers are hosted by the same provider (AS36493 - 295CA-TOR-ASN - FIBERNETICS CORPORATION, CA). Consider spreading the nameservers across multiple DNS providers for increased redundancy.
No DNSSEC records found. Consider enabling DNSSEC, as it provides a way to validate DNS responses for data integrity.
Well your personal cgi-bin/login page is approachable from the Interwebs.  ::)

According to RouterCheck pingable routers are NOT a good thing to have, :(

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: darcevader30 on November 27, 2018, 09:13:11 PM
Good afternoon Polonus,

I really admire and appreciate your persistence. I thought I was back to square one!

I tried everything in the "bleeping computer" write up prior to reaching out in the Avast forum. I am running the ESET online scanner again for good measure. Will try the Kaspersky route next.

Thank you for your revelation about the exploit for our particular devices. We are not allowed to go into the router and change settings, but I will be forwarding your findings and suggestions to their tech support department.

Will keep you posted on their response.

Thanks again, Polonus

Regards,

Darcy
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: polonus on November 27, 2018, 10:24:47 PM
Hi darcevader30,

And I admire your responsible attitude towards the internet community to try and solve this issue.
Not only for yourself, but also for all others that wrestle with the persistence of this pesky online threat.

It is just because of the likes of you, dear Darcy, that we are able to go that extra mile to come,
and make the community of average users just that "tad" more secure.

It is the good vibrations found around folks which share such right intentions that matter here.  ;)

Again thanks for your reporting and I hope finally it will all lead to an "all's well that ends well".
I wait for your further reporting and how matters are developing towards a final solution.

Receive kind regards from me here in the vicinity of Rotterdam, Europe,

polonus aka Damian
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: darcevader30 on December 23, 2018, 07:53:42 PM
Good afternoon Damian (Polonus)

I thought I would just check back in before the holidays for an update. I was met with your VERY kind words and thank you for them. I'm extremely new to the "forum" platform, and am relieved. My mother (God, rest her precious soul), simply raised me to respect all others, be courteous, and use my manners. Unfortunately, not everyone shares my personal views. But, if people can be nicer at Christmas time, why can't they do it for the rest of the year? I'll stop preaching now ;P

While I have retrieved my DNS lookups from Utopia, there are still registry keys and strings I simply lack the knowledge to delete. I have tried salvaging W10 installations doing so, but since render them useless. Using the search command in the registry (ctrl+f, I believe) I can delete the obvious inclusive keys, but they reappear on boot.

I sincerely hope I am safe, until I can definitively eliminate all traces of Utopia. I will dedicate more time to it as more information becomes available.

Once again Damian, thank you for your time and efforts. I'll do my best to pay it forward, my friend.

Sincerest holiday wishes to you and yours from Canada.

Darcy

Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: bob3160 on December 23, 2018, 09:36:05 PM
Have you looked at the following?
https://forums.xfinity.com/t5/Your-Home-Network/DPC3941T-Modem-hacked-Utopia-net/m-p/2910108#U2910108
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: darcevader30 on January 10, 2019, 11:06:50 PM
Good evening bob3160,

Thank you for jumping in to help on this matter. I have indeed read this article prior to coming to the Avast forums. I have fixed this issue, with a degree of certainty, but there are still remnants left that pop up here and there. I wouldn't wish this nightmare on anyone.

Once again, thank you for bringing more information forward. Perhaps some good will come from all of this.

Regards,

Darcy
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: polonus on January 11, 2019, 01:23:36 AM
Hi darcevader,

For the remnants. Whenever you have a known clean restore point prior to this DNS hijacker incident,
a system restore could also cure these.

Damian
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: mchain on January 11, 2019, 04:21:25 AM
Since your browser is the window to the outside world, I suggest you start to protect it by running it in a sandbox along with an antivirus. 
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: bob3160 on January 11, 2019, 12:39:20 PM
Quote
Since your browser is the window to the outside world, I suggest you start to protect it by running it in a sandbox along with an antivirus.
Using the Avast Secure Browser in Bank Mode is a great way to stay safe.
Title: Re: Any real fix for utopia.net DNS Hijack?
Post by: polonus on January 11, 2019, 05:55:35 PM
Folks,

Utopia is not particularly a BHO in that restricted sense only, so the browser is not the first line of defense involved for Browsing hijacking.
The real threat is DNS manipulation and for instance letsencrypt laissez-faire, see and read here:
-> https://arstechnica.com/information-technology/2019/01/a-dns-hijacking-wave-is-targeting-companies-at-an-almost-unprecedented-scale/ 
Threat is coming in like the waves of a cybercriminal driven tsunami now.

polonus