Topic: Any real fix for utopia.net DNS Hijack?

Offline darcevader30

  • Newbie
  • *
  • Posts: 8
Any real fix for utopia.net DNS Hijack?
« on: November 18, 2018, 10:05:54 PM »
Good afternoon Avast volunteers,

I apologize in advance if I breach proper forum etiquette or post in the incorrect forum as I am still very new to forums in general.

I was wondering if I may have some insight into, and assistance with, the utopia.net DNS hijack and its removal, please?

My network keeps resetting to it. Apparently the modem my ISP uses (Technicolor DPC3848V) is a prolific target. I have been in contact with them and have been reassured that it has the latest firmware. Avast Premier states that the Dnsmasq fix of October 2017 identified the issue and resolved it, but I still seem to be a victim.

While Avast premier SHOULD protect against this, I am not going to berate and direct frustration at those who may be the only ones who can help me.

I'm running: Avast Premier
Program Version: 18.8.2356 (build 18.8.4084.0)
Virus Definitions Version: 181118-10
# of definitions: 5.199.944

I have not utilized a 60-day trial of SecureLine VPN yet, which is a suggested fix, but I'm hesitant to do so if giving my info to install it goes through this utopia.net.

Any information/removal strategies will be greatly appreciated.

Thank you for your time.

Regards,

Darcy

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36042
Re: Any real fix for utopia.net DNS Hijack?
« Reply #1 on: November 18, 2018, 10:46:29 PM »
Follow instructions and attach requested logs  >>  https://forum.avast.com/index.php?topic=194892.0

Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Any real fix for utopia.net DNS Hijack?
« Reply #2 on: November 18, 2018, 11:38:35 PM »
Haven't we been there before? -> https://forum.avast.com/index.php?topic=218466.0

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline darcevader30

  • Newbie
  • *
  • Posts: 8
Re: Any real fix for utopia.net DNS Hijack?
« Reply #3 on: November 20, 2018, 10:15:54 PM »
Thank you for your responses Pondus and Polonus, I appreciate your time.

I have tried some of the aforementioned suggestions, with no results, or recurring network switching. I did find both threads on my own, hence asking for a moderator's help when the suggestions were unsuccessful.

I will attach requested logs and information as soon as they can be generated.

Thank you both ladies/gentleman/both.

Regards,

Darcy

Offline darcevader30

  • Newbie
  • *
  • Posts: 8
Re: Any real fix for utopia.net DNS Hijack?
« Reply #4 on: November 20, 2018, 11:21:14 PM »
Attention Polonus and Pondus,

Here are the logs you requested. I hope they assist in some way.

Perhaps another note to mention: the infected computer is running off of a Linksys EA6400 running in bridge mode off the main router (Technicolor DPC3848V). I have a TP-LINK repeater inserted into the network as well, but it shows no ill effects. Could the EA6400 be the weakness? Avast WiFi Inspector says it's secured.

I sincerely hope it is something simple and nothing that takes up too much of your time, and am grateful for your efforts.

Regards,

Darcy

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Any real fix for utopia.net DNS Hijack?
« Reply #5 on: November 21, 2018, 11:55:02 AM »
Hi Darcy,

See whether you have run all Windows updates for that OS.

What you could do is go to the “settings” in the firewall section of Avast and look for a list of network profiles, and among them, sure enough, you'd see utopia.net! Then select “Delete” from the right-click drop-down menu, and delete utopia.net from the network profiles list. Flush your DNS. The first step to flushing your DNS is to open your “Windows Command” prompt.

WinXP: Start, Run, then type “cmd” and press Enter.
Vista, Windows 7 and Windows 8: Click “Start” and type the word “Command” in the Start search field. Finally, right-click the command prompt icon and select the option to “Run as Administrator”.
In the open prompt, type “ipconfig /flushdns” (without the quotes).
You should receive a message of your success as confirmation when the cache is cleared.

polonus

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 724
Re: Any real fix for utopia.net DNS Hijack?
« Reply #6 on: November 21, 2018, 12:28:49 PM »
According to FRST logs your PC is clean. As for routers, update their firmwares.

Offline darcevader30

  • Newbie
  • *
  • Posts: 8
Re: Any real fix for utopia.net DNS Hijack?
« Reply #7 on: November 21, 2018, 09:49:23 PM »
Good evening,

Thank you Sass Drake for jumping in to help! Sadly Sass, all firmwares are up to date. It was one of the first things I checked....even double checking with ISP as  it is the router they supplied with service.

Polonus....I have indeed tried all suggestions found in this forum, with no success. Hence, the re-opening of this topic. You even stated prior "Haven't we been there before?" I hope this is not an updated version of an old problem.

I have deleted the network profile within Avast and flushed DNS with ipconfig /flushdns in Command prompt (even elevated) with no success. I will try again, step by step and convey results. But, it seems utopia.net returns upon boot.

Any ideas of how this slipped by, or still is present, with Avast installed? Just curious....

Thank you again to all, for your time,

Darcy

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Any real fix for utopia.net DNS Hijack?
« Reply #8 on: November 21, 2018, 10:08:11 PM »
Hi darcevader30,

This is a rather pesky DNS hijacker malware.

Have you read through this? ->: https://www.reddit.com/r/antivirus/comments/7qwn93/utopianet_malware_dns_hijack/
and also here as a last resort:
Quote
The Comcast DNS Engineering and Operations team has been aware of the utopia.net malware for quite a while.

The only thing we have found searching Google where someone has stated that they have successfully removed this rather pernicious malware can be found here: https://www.bleepingcomputer.com/forums/t/647723/utopianet-dns-hijack/#entry4250145

Also, you can download the router configuration file and search for utopia.  You can then replace the domain="utopia..." with the comcast domain = "hsd1.tx.comcast.net".  Again, you can use the domain specific for your area.  Call Comcast Tech support and ask them for the info.

Hope you'd finally have a lucky strike and get rid of it for good.

polonus

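Two of the checks suggested in this thread (look for an unexpected DNS suffix on the Windows side after the profile deletion and flush, and search a downloaded router configuration dump for a `domain=` line) can be scripted so that the result is verified rather than eyeballed. The block below is an added example; it is not code from this thread, from Avast or from any router vendor. It assumes `ipconfig /all` output has been saved to a text file, that the router dump is a plain key=value file (the exact format of a real dump is an assumption), and it uses the `hsd1.tx.comcast.net` domain quoted above purely as the "expected" value; a real check would use the suffix your own ISP confirms.

```python
import re

# Constructed sample of `ipconfig /all` output; host name and addresses are made up
# (192.0.2.0/24 is the documentation range). A real run would use
#   ipconfig /all > ipconfig.txt   and read that file instead.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE
   Primary Dns Suffix  . . . . . . . :
   DNS Suffix Search List. . . . . . : utopia.net

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : utopia.net
   IPv4 Address. . . . . . . . . . . : 192.0.2.23(Preferred)
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.1
                                       192.0.2.53
"""

# Constructed key=value router configuration excerpt (format assumed, not a real vendor dump).
SAMPLE_ROUTER_CONFIG = """\
hostname=cable-modem
domain="utopia.net"
dhcp_lease=86400
"""

# "   Key . . . . : value" lines; the key is followed by space/dot padding and a colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(?P<value>.*)$")
# Section headers such as "Ethernet adapter Ethernet:" start in column 0.
ADAPTER_RE = re.compile(r"^(?P<name>\S.*adapter .*):\s*$")
# domain=value or domain="value" (quoting preserved on rewrite).
DOMAIN_LINE_RE = re.compile(r'^(?P<key>\s*domain\s*=\s*)(?P<quote>"?)(?P<value>[^"\r\n]*)(?P=quote)\s*$',
                            re.IGNORECASE)


def parse_ipconfig(text):
    """Return {"global": {...}, "adapters": {name: {...}}}; every value is a list of strings.
    Deeply indented continuation lines (a second DNS server) are appended to the previous field."""
    result = {"global": {}, "adapters": {}}
    current = result["global"]
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if last_key and line.startswith(" " * 20):
            current[last_key].append(line.strip())
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = result["adapters"].setdefault(m.group("name"), {})
            last_key = None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip().lower()
            current.setdefault(last_key, [])
            if m.group("value").strip():
                current[last_key].append(m.group("value").strip())
    return result


def dns_findings(parsed, expected_suffixes):
    """Return (scope, field, value) for every DNS suffix that is not in the ISP-provided set."""
    expected = {s.lower() for s in expected_suffixes}
    findings = []
    scopes = [("global", parsed["global"])] + list(parsed["adapters"].items())
    for scope, fields in scopes:
        for key in ("primary dns suffix", "dns suffix search list", "connection-specific dns suffix"):
            for value in fields.get(key, []):
                if value.lower() not in expected:
                    findings.append((scope, key, value))
    return findings


def audit_router_config(text):
    """Return (line_no, value) for every domain= line in a key=value router dump."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = DOMAIN_LINE_RE.match(line)
        if m:
            hits.append((line_no, m.group("value").strip()))
    return hits


def rewrite_domain(text, new_domain):
    """Return the dump with every domain= value replaced, keeping the original quoting."""
    out = []
    for line in text.splitlines():
        m = DOMAIN_LINE_RE.match(line)
        if m:
            q = m.group("quote")
            line = f"{m.group('key')}{q}{new_domain}{q}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    for scope, key, value in dns_findings(parsed, ["hsd1.tx.comcast.net"]):
        print(f"[{scope}] unexpected {key}: {value}")
    for line_no, value in audit_router_config(SAMPLE_ROUTER_CONFIG):
        print(f"router config line {line_no}: domain={value!r}")
    print(rewrite_domain(SAMPLE_ROUTER_CONFIG, "hsd1.tx.comcast.net"), end="")
```

Running it on the constructed sample reports the search list and the adapter suffix as unexpected and points at line 2 of the router dump. Re-running the first check after a reboot is the useful part: if the suffix is back while the machine's own resolver settings were cleared, it is being handed out by DHCP from the gateway, which is the direction this thread ends up pointing.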

Offline darcevader30

  • Newbie
  • *
  • Posts: 8
Re: Any real fix for utopia.net DNS Hijack?
« Reply #9 on: November 27, 2018, 12:56:51 AM »
Good evening Polonus,

My apologies for not replying sooner. I have been hammering away at this problem and now have clean modem/routers, but the problem is worse as ALL 7 machines have utopia.net infections that run through the registry. While I have no utopia.net network profiles listed under any of the connections, they are still listed in the registry using the ctrl+f function. After deleting all keys, they reappear upon reboot. Deleting any keys higher on the tree leaves networking capabilities DOA.

That being said, I will have to completely reinstall Windows on every machine. It's already been a month of wasted time and long nights....what's a few more. Not happy that this slipped by Avast Premier, and the fact it cannot be detected and removed by it either. But, that's life in the digital age. I will be replacing Avast immediately....such a shame, I was happy up until now.

I appreciate everyone's input and thank them for their time. Unless you have some kind of registry cleaner that will delete infected keys so they do not reappear, without damaging W10 networking abilities, I guess this thread will be closed as unresolved.

Special thanks to you, Polonus for sticking it out to the bitter end. If this is the final post, Merry Christmas to you and yours!

Signing off,

Darcy


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Any real fix for utopia.net DNS Hijack?
« Reply #11 on: November 27, 2018, 01:35:58 PM »
Hi Darcevader,

Did you know you could have been hacked by a BusyBox httpd 1.13 exploit? -> https://www.securityfocus.com/bid/20067/exploit

So it might be due to a Grandstream Device Fibernetics router directory traversal attack.
See recommendations here: https://dnsspy.io/scan/295.ca
Quote
We detected the following errors or warnings about your DNS configuration. These caused your DNS rating to be lowered. Resolving these will grant a higher DNS Spy rating for your domain.

All IPv4 nameservers are hosted by the same provider (AS36493 - 295CA-TOR-ASN - FIBERNETICS CORPORATION, CA). Consider spreading the nameservers across multiple DNS providers for increased redundancy.
No DNSSEC records found. Consider enabling DNSSEC, as it provides a way to validate DNS responses for data integrity.
Well, your personal cgi-bin/login page is approachable from the Interwebs.  ::)

According to RouterCheck pingable routers are NOT a good thing to have, :(

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
« Last Edit: November 27, 2018, 01:40:47 PM by polonus »

Offline darcevader30

  • Newbie
  • *
  • Posts: 8
Re: Any real fix for utopia.net DNS Hijack?
« Reply #12 on: November 27, 2018, 09:13:11 PM »
Good afternoon Polonus,

I really admire and appreciate your persistence. I thought I was back to square one!

I tried everything in the "bleeping computer" write-up prior to reaching out in the Avast forum. I am running the ESET online scanner again for good measure. Will try the Kaspersky route next.

Thank you for your revelation about the exploit for our particular devices. We are not allowed to go into the router and change settings, but I will be forwarding your findings and suggestions to their tech support department.

Will keep you posted on their response.

Thanks again, Polonus

Regards,

Darcy

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Any real fix for utopia.net DNS Hijack?
« Reply #13 on: November 27, 2018, 10:24:47 PM »
Hi darcevader30,

And I admire your responsible attitude towards the internet community to try and solve this issue.
Not only for yourself, but also for all others that wrestle with the persistence of this pesky online threat.

It is just because of the likes of you, dear Darcy, that we are able to go that extra mile to come,
and make the community of average users just that "tad" more secure.

It is the good vibrations found around folks which share such right intentions that matter here.  ;)

Again, thanks for your reporting, and I hope finally it will all lead to an "all's well that ends well".
I wait for your further reporting and how matters are developing towards a final solution.

Receive kind regards from me here in the vicinity of Rotterdam, Europe,

polonus aka Damian
« Last Edit: November 27, 2018, 10:27:16 PM by polonus »

Offline darcevader30

  • Newbie
  • *
  • Posts: 8
Re: Any real fix for utopia.net DNS Hijack?
« Reply #14 on: December 23, 2018, 07:53:42 PM »
Good afternoon Damian (Polonus)

I thought I would just check back in before the holidays for an update. I was met with your VERY kind words and thank you for them. I'm extremely new to the "forum" platform, and am relieved. My mother (God, rest her precious soul), simply raised me to respect all others, be courteous, and use my manners. Unfortunately, not everyone shares my personal views. But, if people can be nicer at Christmas time, why can't they do it for the rest of the year? I'll stop preaching now ;P

While I have retrieved my DNS lookups from Utopia, there are still registry keys and strings I simply lack the knowledge to delete. I have tried salvaging W10 installations by doing so, but it renders them useless. Using the search command in the registry (ctrl+f, I believe) I can delete the obvious inclusive keys, but they reappear on boot.

I sincerely hope I am safe, until I can definitively eliminate all traces of Utopia. I will dedicate more time to it as more information becomes available.

Once again Damian, thank you for your time and efforts. I'll do my best to pay it forward, my friend.

Sincerest holiday wishes to you and yours from Canada.

Darcy