"utopia.net" DNS suffix coming from the router?

What follows is a long story, so bear with me:

  1. I started internet service through Comcast and received an Arris model X5001 gateway from them for my new internet service. Let's say I named the network 'Bob'.
  2. After about a week, I start to get the following message on my antivirus program Norton Security multiple times an hour, every day, on both computers I use to connect to my new internet Bob. Category: Intrusion Prevention
    An intrusion attempt by cgqnpvkaxtasme.utopia.net was blocked. Malicious Site: Malicious Domain Request 21,"cgqnpvkaxtasme.utopia.net (208.91.197.27, 80)",wpad.utopia.net/wpad.dat,"10.0.0.44, 62050",cgqnpvkaxtasme.utopia.net (208.91.197.27),"TCP, www-http"
    Network traffic from wpad.utopia.net/wpad.dat matches the signature of a known attack.  The attack was resulted from \DEVICE\HARDDISKVOLUME4\WINDOWS\SYSTEM32\SVCHOST.EXE.
  3. After a week of this, I get irritated and go looking through the internet to find out what's up. I eventually open command prompt and run 'ipconfig' to see my internet settings. My computer's DNS suffix now reads utopia.net no matter whether I'm connected to Bob or another network. I continue to get the antivirus block notifications (with slightly less frequency) when I use other wifi networks.
  4. I first try system scans using Norton Security and Norton PowerEraser - both give the two computers clean bills of health.
  5. I live chat the Norton support team. They've seen this before, a lot in recent weeks. Wonderfully helpful person assists me in changing my DNS suffix by deleting all instances of "utopia.net" from the registry.
  6. We attempt to reconnect to Bob, and "utopia.net" returns. We then follow instructions on how to perform a hard reset of the router and return it to factory settings, with changed passwords (new name zombieBob).
  7. We connect to zombieBob, and "utopia.net" returns.
  8. We clean up the PC's again and DON'T connect to zombieBob. Norton support person recommends a replacement gateway, so I call Comcast. They've never heard of this issue, but provide a replacement router anyway the next day.
  9. I set router firewalls to maximum, change every password, etc. I attempt to connect to the new wi-fi (let's say Jim) and test the ipconfig. "utopia.net" is labelled as the connection-specific DNS suffix. In the registry, it comes up as "Dhcp domain".
  10. I disconnect from Jim and check the ipconfig. "utopia.net" no longer appears there, or anywhere in the registry.
  11. I post here and on comcast's support forums because I am now thoroughly irritated and out of ideas.
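The symptom described above (a "Dhcp domain" registry value and a connection-specific suffix that appears only while attached to the gateway, plus blocked requests for wpad.utopia.net/wpad.dat) is what a DHCP server pushing a DNS domain (option 15) looks like from the client: Windows appends that suffix to unqualified names such as "wpad", so a lookup for wpad.<suffix> follows. The script below is an added example, not code from the thread; it parses the option area of a constructed DHCPOFFER and flags a pushed suffix that differs from an expected one. The expected suffix "example-isp.net" and the gateway address 10.0.0.1 are placeholders.

```python
# Added example: decode DHCP options a gateway hands out and flag a pushed
# DNS suffix (option 15) or WPAD URL (option 252) a client would act on.
DHCP_MAGIC = b"\x63\x82\x53\x63"
EXPECTED_SUFFIX = "example-isp.net"  # placeholder for the ISP's real suffix


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from the TLV area after the magic cookie."""
    idx = payload.find(DHCP_MAGIC)
    if idx < 0:
        raise ValueError("no DHCP magic cookie in payload")
    i, opts = idx + 4, {}
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad byte, no length field
            i += 1
            continue
        if code == 255:        # end marker
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def unqualified_lookups(suffix: str, names=("wpad",)) -> list:
    """Names a Windows client will try once the suffix is applied."""
    return [f"{n}.{suffix}" for n in names]


def assess(opts: dict, expected_suffix: str) -> list:
    """List findings a defender would want to see for this DHCP lease."""
    findings = []
    suffix = opts.get(15, b"").rstrip(b"\x00").decode("ascii", "replace")
    if suffix and suffix.lower() != expected_suffix.lower():
        findings.append(f"unexpected DNS suffix '{suffix}' (option 15); "
                        f"client will resolve {unqualified_lookups(suffix)}")
    if 252 in opts:
        findings.append("WPAD URL pushed via option 252: "
                        + opts[252].decode("ascii", "replace"))
    return findings


def build_sample_offer(suffix: str) -> bytes:
    """Constructed DHCPOFFER: 240-byte fixed header (zeroed) + cookie + options."""
    header = b"\x02\x01\x06\x00" + b"\x00" * 236   # op=BOOTREPLY, htype, hlen, hops
    opts = (bytes([53, 1, 2])                       # option 53: message type OFFER
            + bytes([15, len(suffix)]) + suffix.encode("ascii")   # option 15: domain
            + bytes([6, 4, 10, 0, 0, 1])            # option 6: DNS server 10.0.0.1
            + b"\xff")
    return header + DHCP_MAGIC + opts


if __name__ == "__main__":
    for line in assess(parse_dhcp_options(build_sample_offer("utopia.net")), EXPECTED_SUFFIX):
        print(line)
```

On a live network the same parser can be pointed at a captured DHCPOFFER/ACK payload; a suffix that changes only while attached to one gateway points at that device's DHCP configuration rather than at the client.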

Replies

Re: "utopia.net" DNS suffix coming from the router?

Hello SBernie. Reading your post and doing some research, I have seen this happen before. It's generally related to DNS poisoning and is discussed here on the Malwarebytes forums at length. Do you have ANY other freeware scanning / registry software installed? If so remove them all and reboot.

Another Comcast customer also has a discussion about the same issue here in the Bleeping Computer forums. Have you already installed Malwarebytes to see what it may or may not find? Are all your non-Microsoft programs running the current versions, i.e. Adobe, etc.? Is your OS fully patched?

Cheers

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows Server 2016 Essentials / Windows 10 Professional x 64 version 1909 / build 18363.476 / N360 Deluxe 22.19.8.65 / Norton Core v.288 on Android 2.21 / Opera GX
Re: "utopia.net" DNS suffix coming from the router?

All I have installed is Norton Security.

I've seen both of those discussions before, but thanks for being thorough. The Malwarebytes forum never came to any conclusion, and (as a non-tech expert) I didn't 100% follow the troubleshooting steps they took. Same issue for the Bleeping Computer discussions, as well as others on some Avast, Comcast, and general threat-removal forums. Hence my post here, trying to get clarity.

I ran Malwarebytes on computer #1 and it found and quarantined one threat called "BROWNPILOTFISHSETUP.EXE". The results are attached. I then reconnected to the bad network (Jim, from above) and ran Malwarebytes while connected. It found no threats. Norton continued to block attacks the whole time I was connected to Jim.

I ran Malwarebytes on computer #2 (not connected to Jim) and it found no threats. I connected to Jim and ran Malwarebytes. Still no threats. Just like on computer #1, when connected to Jim, "utopia.net" shows up in the ipconfig and registry. HOWEVER, different from computer #1, when I disconnected from Jim, "utopia.net" remained behind in both places. I ran /flushdns and deleted the registry values for "utopia.net", restarted, and we're back to a clean computer #2.

Finally, yes, everything is up-to-date, especially on computer #2, which has very, very little installed on it at all.

Update: I also ran AdwCleaner, Junkware Removal Tool, and ESET on computer #1, as recommended by someone on BleepingComputer. The first two found some issues, but I'm 90% sure they are unrelated to this problem so I didn't bother to run on PC #2. Logs below.

Re: "utopia.net" DNS suffix coming from the router?

Two things I can recommend.

1- If you can determine a date where this began to happen, restore BOTH devices to the last good restore point that is OLDER than the date just before it began. DO NOT have them connected to your network in any fashion. They will reset just fine. Next, open an elevated command prompt (run as administrator). Edit your hosts file on EACH MACHINE using this guide. PLEASE NOTE: Editing your hosts file comes at your own personal risk. Have a techie assist you if you are in any way not comfortable doing it on your own. ALSO in your device services make sure you have Remote Desktop Services and Remote Registry disabled. Reboot both devices.

2- Factory reset your Comcast device. Use this as your guide. Use page #25 to configure your TCP/IP settings for Windows 10. When done, connect ONLY 1 device via ethernet and log into your modem, and change ALL the defaults for the admin name and password used to log in directly to the Comcast device. Verify there aren't any remnants of Utopia in the connections listing and IP distribution / ARP tables. Look for the firmware update area, run a manual firmware update check and have the modem restart.

Now boot each device, one at a time; DO NOT allow them to connect to your network. Re-check one device for the original issue being present. IF clear, connect the second and see if anything changes. Let us know what your results are.

Cheers

Re: "utopia.net" DNS suffix coming from the router?

Update: There is another thread here on the forums where a user has the same issue.

Re: "utopia.net" DNS suffix coming from the router?

Not having a techie around to assist, I haven't made any progress here.

I know how to find my "hosts" file (one labelled just "hosts" and another "hosts.ics") and open it with elevated Notepad to edit it. However I don't know what to actually edit it to.

Also, I did try this reset of the router previously following that exact guide (you mean page 15, not page 25, which is blank) and it had no effect. I will try again, but during my exploration of it previously I found nothing about "utopia" actually on the router itself.

The two services you mentioned are disabled.

I will see if I can track down a restore point to before this issue, reset the router, and reconnect, in case something about PC #1 keeps reinfecting the router. However, I first noticed this issue on PC #2 and I'm not sure it has any restore points before this issue, because it's less than two months old.

Edit: PC #1 has no restore points before this issue arose. I'll try the router reset again anyway, I guess. Still got my paperclip handy.

Re: "utopia.net" DNS suffix coming from the router?

Reset again. No change. Reporting back with three observations:

  1. The "utopia.net" suffix remains when you connect and then disconnect via ETHERNET. That's why PC #2 had it linger the second time around - I only have an ethernet connection (no wifi card set up). I found this out after connecting PC #1 via ethernet. The "utopia.net" DNS suffix remained in the ipconfig even after editing the registry and running /flushdns. When disconnected from ethernet, Norton didn't block any attacks, though. Edit: Small chance I was looking in the wifi part of the registry to delete utopia and missed the ethernet entries, so that's why it stayed. Not a tech expert.
  2. This xfinity post has some interesting observations. Like all forum posts I have found, this one doesn't come to a conclusion, so I hesitate to post it. However, the people responding to me over at xfinity seem to think it holds water. https://forums.xfinity.com/t5/Your-Home-Network/DPC3941T-Modem-hacked-Utopia-net/m-p/3003583/highlight/true#M268046
  3. I did something risky and went into my ethernet adapter's settings and manually set the DNS servers and DNS suffixes to comcast-approved ones (pictures below). Now "utopia.net" doesn't show up when I connect to ethernet, as far as I can tell. I'm going to restart and reconnect and will report back if utopia rears its ugly head.

Can anybody tell me if my manual settings are going to be a problem when I try connecting to other internet networks? Like my home's Verizon network?

Update: I restarted the PC with the manual settings in place and the ethernet connected to the "bad" router. On restart, the ipconfig showed the Comcast DNS suffix. I then went to the registry and made sure to click the whole computer up at the top to search. It found lots of utopia entries (in parameters, interfaces, intranet, and unmanaged)! I deleted them all. Screenshots below.

I then restarted and checked the registry and ipconfig. ipconfig good. utopia back in the "parameters" and "interfaces" folders(?) of the registry ONLY.

Unplugged ethernet. Deleted registry key in "interfaces". One in "parameters" disappeared by itself. Restarted. ipconfig clean. Registry clean. User, relieved but confused.

Re: "utopia.net" DNS suffix coming from the router?

SBernie. Here is info about how to post images into your posts here on the forums. It is the preferred method vice opening potentially bad files such as a .pdf. Reading the article you linked, it appears the firmware on Comcast modems is the culprit for what you are seeing. I am including the latest CVE vulnerability list for known issues with Comcast/Xfinity firmware here. Check your ethernet adapter settings as well to see if you have any connections set as "bridged".

I run Windows 10 Home 1903 on the laptop I am currently on. My install DOES NOT have the file hosts.ics, which would be located in the directory "C:\Windows\System32\drivers\etc". I am on FIOS. On both your machines I would DELETE hosts.ics; ICS was disabled by default in a previous update to Windows 10 some time ago. Reboot, then check the directory again for the file hosts.ics reappearing.

Re: "utopia.net" DNS suffix coming from the router?

SBernie. I'm following up to see if you gave a go with the suggestions in my last post and if so what were your results?

Cheers

Re: "utopia.net" DNS suffix coming from the router?

Thanks for following up. The .ics file has no effect on the problem, and doesn't appear to contain any info about Utopia. Also no connections are bridged; I checked. Current plan is to wait until Black Friday, buy a router with a good reputation for security, and bridge this one to it so that all devices will connect to the new router although the Comcast one will continue to provide internet.

Re: "utopia.net" DNS suffix coming from the router?

The firmware on the Comcast device seems to be the source of your issue. I would almost without reservation say it's a DNS hack on that device. What is the model number of your Comcast device? I want to do some research for you.

If you are getting another router, get one that is compatible with Comcast and use ONLY that router. That will remove the ISP from the scenario as being the source of things. If utopia reappears using a new router and only that router, then the source is either one of your computers or something attached to them.
