
Utopia.net DNS hijack?


17 replies to this topic

#1 RandomRobert (Members, 13 posts)

Posted 26 May 2017 - 12:03 PM

Hello, all.

I was doing some repair on my wifi network (couldn't load usatoday.com or theatlantic.com via any wifi device in my home, but direct ethernet connections and also a cellular 4G signal were able to load both sites easily; there are a bunch more, these are just two examples).

I noticed that in my system tray, my network status said "Currently connected to utopia.net", which is strange since I am a Comcast Xfinity customer and presumably using their servers (75.75.75.75).
I looked up "utopia.net" and saw several discussions about DNS hijacking, so as an experiment I set my DNS to Google's public DNS servers (8.8.8.8) and restarted my computer (wasn't sure if that was even needed), and still my network connection comes up as "utopia.net".
I have used a VPN service to safeguard business information between myself and several clients' financials, but have since uninstalled and deleted them from my computer, seeking an answer to this strange "utopia.net" question.

I saw there was a discussion here a couple of years ago on the same subject and thought I'd see if anyone had any definitive information on what exactly the "utopia.net" network is, and what to do about it. I'd prefer that if I am using Comcast Xfinity, my network connection status say "Comcast Xfinity".


Comcast techs, by phone (no explanation needed), said that the original problem of not being able to load certain sites on my wifi network may have been due to the DNS getting hijacked, or something to that effect.

Any ideas or information on what this is and how to fix it?

 

Thanks!
RR

Stats:
Windows 7 Ultimate 64 -bit system

Dreaded Arris TG862 standard Comcast wireless router
Processor AMD A8 7600 Radeon R10 10 compute cores 4C+6G
 

Edited by RandomRobert, 26 May 2017 - 12:52 PM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 buddy215 (BC Advisor, 12,900 posts, West Tennessee)

Posted 26 May 2017 - 02:41 PM

Have you tried resetting your router and resecuring it? How to Login to the Arris TG862

Once you have held the reset button in, log into the router using the IP number and password provided in link above.

 

The above may or may not fix the problem. Suggest you use the programs below to clean, remove adware and remove malware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

  • download Malwarebytes to your desktop.
  • Double-click mb3-setup-1878.1878-3.0.6.1469.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History -> Application logs. Please post its contents in your next reply.

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

 

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 RandomRobert (Topic Starter)

Posted 26 May 2017 - 07:02 PM

Thanks for the quick reply.
I am currently running Avast Premium, Spybot Search and Destroy, and Malwarebytes.

I reset and resecured my gateway (a brand new one, just replaced yesterday by Comcast, same model).
I ran CCleaner.
I ran Malwarebytes (it found Bing entries that my premium Avast apparently missed).
I am going to run AdwCleaner and Junkware Removal Tool.


I was also told that by adding the domain "utopia.net" to the hosts file found on the C: drive it would block their DNS servers, or something like that, but I can't seem to open the hosts file, or save anything without creating a copy which is a .txt file. The original "hosts" file's properties just say "file", and when I try to open it, it asks me to associate it with a program.

Is this true?
Thanks!
Under siege,
RR



#4 RandomRobert (Topic Starter)

Posted 26 May 2017 - 07:51 PM

AdwCleaner logfile:
 

# AdwCleaner v6.047 - Logfile created 26/05/2017 at 17:23:26
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-26.6 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : I - U
# Running from : C:\Users\I\Downloads\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [988 Bytes] - [26/05/2017 17:23:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1060 Bytes] ##########
________________________________________________________________________________________________________________________________
 
JRT logfile:
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 7 Ultimate x64 
Ran by I (Administrator) on Fri 05/26/2017 at 17:03:27.69
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 16 
 
Successfully deleted: C:\Users\I\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0N9WKZ26 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\I\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\I\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\I\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AILPM2I3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\I\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\I\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\I\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OE2UYDBN (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\I\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y9L5YLJB (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0N9WKZ26 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AILPM2I3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OE2UYDBN (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y9L5YLJB (Temporary Internet Files Folder) 
 
 
 
Registry: 1 
 
Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_CBA6F2999873A3BB14AE5943DDD53554 (Registry Value) 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 05/26/2017 at 17:06:30.26
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


#5 buddy215 (BC Advisor)

Posted 27 May 2017 - 05:02 AM

I suggest uninstalling Spybot S&D. It has lost favor among security pros for several years now and it interferes with other security programs.

It may be why you can't access the hosts file.

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer, and at the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste that list into your next post. Please do that.




#6 RandomRobert (Topic Starter)

Posted 27 May 2017 - 10:43 PM

I just uninstalled Spybot S&D and here are the three lists.

Also: Question. I deleted Spybot, but my hosts file still does not open in any specific program unless I pick one, and then it saves it as a separate file from the actual hosts file.
Is it true that if I add utopia.net to the hosts file it will block or bypass those DNS servers?
Thanks for all your help!

NOTE: "Everything.exe" is my search and index program from voidtools, in case you were wondering.


_______________________ _______________________________________________________________________
1: CC startup list

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run GoogleChromeAutoLaunch_CBA6F2999873A3BB14AE5943DDD53554 Google Inc. "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5
No HKCU:Run GoogleChromeAutoLaunch_CBA6F2999873A3BB14AE5943DDD53554 Google Inc. "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5
Yes HKCU:Run ISUSPM Flexera Software LLC. C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
Yes HKLM:Run AvastUI.exe AVAST Software "C:\Program Files\AVAST Software\Avast\AvLaunch.exe" /gui
No HKLM:Run BCSSync Microsoft Corporation "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
Yes HKLM:Run DNS7reminder Nuance Communications, Inc. "C:\Program Files (x86)\Nuance\NaturallySpeaking13\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking13\Ereg.ini"
Yes HKLM:Run Dropbox Dropbox, Inc. "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
Yes HKLM:Run Everything "C:\Program Files\Everything\Everything.exe" -startup
Yes HKLM:Run ISUSPM Flexera Software LLC. C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
Yes HKLM:Run iTunesHelper Apple Inc. "C:\Program Files\iTunes\iTunesHelper.exe"
Yes HKLM:Run Malwarebytes TrayApp Malwarebytes C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe
Yes HKLM:Run QuickTime Task Apple Inc. "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
Yes HKLM:Run RTHDVCPL Realtek Semiconductor "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
No HKLM:Run StartCCC Advanced Micro Devices, Inc. "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
Yes Startup User Monitor Cartridge Alerts - HP ENVY 5660 series.lnk Microsoft Corporation C:\Windows\system32\RunDll32.exe
________________________________________________________________________________________________________
2: CC Scheduled tasks list:
Yes Task Adobe Flash Player PPAPI Notifier Adobe Systems Incorporated C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_25_0_0_171_pepper.exe -check pepperplugin
Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task DropboxUpdateTaskMachineCore Dropbox, Inc. C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /c
Yes Task DropboxUpdateTaskMachineUA Dropbox, Inc. C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task IPVanish C:\Program Files\IPVanish\ElevateProcess.exe "C:\Program Files\IPVanish\IPVanish.exe"
Yes Task Opera scheduled Autoupdate 1485342662 Opera Software C:\Program Files\Opera\launcher.exe --scheduledautoupdate $(Arg0)
Yes Task SafeZone scheduled Autoupdate 1485336746 Avast Software C:\Program Files\AVAST Software\SZBrowser\launcher.exe --scheduledautoupdate $(Arg0)
Yes Task {1413E7D8-F803-4393-8F75-188794D8F8A8} Apple Inc. C:\Program Files\iTunes\iTunes.exe
Yes Task {C10160B2-5CA1-41D3-9139-27872A3D18AB} Apple Inc. C:\Users\I\Downloads\iTunes6464Setup.exe
______________________________________________________________________________________________________________
3: CC uninstall list:

7-Zip 16.04 (x64) Igor Pavlov 1/25/2017 4.75 MB 16.04
Adobe Flash Player 25 PPAPI Adobe Systems Incorporated 5/9/2017 4.61 MB 25.0.0.171
AMD Catalyst Install Manager Advanced Micro Devices, Inc. 1/25/2017 26.7 MB 8.0.916.0
Apple Application Support (32-bit) Apple Inc. 2/2/2017 125 MB 5.3.1
Apple Application Support (64-bit) Apple Inc. 2/2/2017 140 MB 5.3.1
Apple Mobile Device Support Apple Inc. 2/2/2017 27.3 MB 10.0.1.3
Apple Software Update Apple Inc. 2/2/2017 2.69 MB 2.2.0.150
Avast Premier AVAST Software 5/9/2017 17.4.2294
Bonjour Apple Inc. 2/2/2017 2.01 MB 3.1.0.1
CCleaner Piriform 1/25/2017 5.26
Cisco EAP-FAST Module Cisco Systems, Inc. 1/25/2017 1.53 MB 2.2.14
Cisco LEAP Module Cisco Systems, Inc. 1/25/2017 632 KB 1.0.19
Cisco PEAP Module Cisco Systems, Inc. 1/25/2017 1.22 MB 1.1.6
Dragon NaturallySpeaking 13.0 Nuance Communications Inc. 1/28/2017 3.75 GB 13.00.000
Dropbox Dropbox, Inc. 5/17/2017 26.4.24
Duplicate Cleaner Free 3.2.7 DigitalVolcano Software Ltd 5/11/2017 8.71 MB 3.2.7
Everything 1.3.4.686 (x64) 1/25/2017
Google Chrome Google Inc. 2/13/2017 58.0.3029.110
Google Earth Google 1/25/2017 90.7 MB 7.1.8.3036
HP Dropbox Plugin HP 1/25/2017 3.38 MB 36.0.41.58587
HP ENVY 5660 series Basic Device Software HP Inc. 2/27/2017 205 MB 40.11.1107.1739
HP ENVY 5660 series Help Hewlett Packard 1/25/2017 13.5 MB 34.0.0
HP Google Drive Plugin HP 1/25/2017 3.38 MB 36.0.41.58587
Icecream Media Converter version 1.56 Icecream Apps 1/25/2017 95.4 MB 1.56
Inkscape 0.92.1 Inkscape Project 4/20/2017 226 MB 0.92.1
iTunes Apple Inc. 2/2/2017 241 MB 12.5.5.5
Leawo Tunes Cleaner version  2.3.0.0 Leawo Software 4/28/2017 2.3.0.0
Malwarebytes version 3.1.2.1733 Malwarebytes 5/26/2017 159 MB 3.1.2.1733
Microsoft .NET Framework 1.1 Microsoft 1/25/2017 34.8 MB 1.1.4322
Microsoft .NET Framework 4.6.1 Microsoft Corporation 4/13/2017 38.8 MB 4.6.01055
Microsoft Office Professional Plus 2010 Microsoft Corporation 1/29/2017 14.0.4763.1000
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 5/16/2017 428 KB 8.0.56336
Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Corporation 5/16/2017 708 KB 8.0.56336
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Corporation 5/16/2017 788 KB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Corporation 1/27/2017 1.42 MB 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 Microsoft Corporation 1/25/2017 608 KB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 5/16/2017 586 KB 9.0.30729
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 Microsoft Corporation 5/16/2017 13.8 MB 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 Microsoft Corporation 5/16/2017 11.1 MB 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 Microsoft Corporation 5/16/2017 20.5 MB 11.0.61030.0
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 Microsoft Corporation 5/16/2017 17.3 MB 11.0.61030.0
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 Microsoft Corporation 5/16/2017 20.5 MB 12.0.30501.0
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 Microsoft Corporation 4/13/2017 17.1 MB 12.0.30501.0
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23918 Microsoft Corporation 5/16/2017 24.4 MB 14.0.23918.0
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918 Microsoft Corporation 5/16/2017 20.7 MB 14.0.23918.0
MSXML 4.0 SP2 Parser and SDK Microsoft Corporation 1/28/2017 1.22 MB 4.20.9818.0
netis Wireless LAN Driver and Utility netis Systems Co.,Ltd. 1/25/2017 1.01.0243
OEM Application Profile Advanced Micro Devices, Inc. 1/25/2017 1.04 MB 1.00.0000
Opera Stable 45.0.2552.812 Opera Software 5/18/2017 45.0.2552.812
QuickTime Apple Inc. 2/6/2017 73.2 MB 7.71.80.42
Realtek Ethernet Controller Driver Realtek 1/25/2017 7.92.115.2015
Realtek High Definition Audio Driver Realtek Semiconductor Corp. 1/25/2017 527 MB 6.0.1.8036
ScreenShot V1.0.0.0 MichaelFontana 1/25/2017 28.0 KB 1.0.0
TeraCopy 2.3 Code Sector 1/25/2017 7.22 MB
VLC media player VideoLAN 1/25/2017 2.2.4
Windows Deployment Tools Microsoft 2/13/2017 23.4 MB 8.59.25584
Windows PE x86 x64 Microsoft 2/13/2017 1.24 GB 8.59.25584
Windows PE x86 x64 wims Microsoft 2/13/2017 284 MB 8.59.25584
WizTree v2.01 Antibody Software 1/28/2017 2.37 MB
 
 


#7 buddy215 (BC Advisor)

Posted 28 May 2017 - 06:25 AM

Delete these Startups: Use CCleaner by clicking on each item and choosing Delete on the right.

Yes HKCU:Run GoogleChromeAutoLaunch_CBA6F2999873A3BB14AE5943DDD53554 Google Inc. "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5

Yes HKLM:Run QuickTime Task Apple Inc. "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

 

Disable these Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes HKCU:Run ISUSPM Flexera Software LLC. C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler

Yes HKLM:Run DNS7reminder Nuance Communications, Inc. "C:\Program Files (x86)\Nuance\NaturallySpeaking13\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking13\Ereg.ini"
Yes HKLM:Run Dropbox Dropbox, Inc. "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
Yes HKLM:Run Everything "C:\Program Files\Everything\Everything.exe" -startup
Yes HKLM:Run ISUSPM Flexera Software LLC. C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
Yes HKLM:Run iTunesHelper Apple Inc. "C:\Program Files\iTunes\iTunesHelper.exe"
Yes Startup User Monitor Cartridge Alerts - HP ENVY 5660 series.lnk Microsoft Corporation C:\Windows\system32\RunDll32.exe
 
Disable these Tasks:
Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task DropboxUpdateTaskMachineCore Dropbox, Inc. C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /c
Yes Task DropboxUpdateTaskMachineUA Dropbox, Inc. C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler

Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler

Yes Task Opera scheduled Autoupdate 1485342662 Opera Software C:\Program Files\Opera\launcher.exe --scheduledautoupdate $(Arg0)
Yes Task SafeZone scheduled Autoupdate 1485336746 Avast Software C:\Program Files\AVAST Software\SZBrowser\launcher.exe --scheduledautoupdate $(Arg0)
Yes Task {1413E7D8-F803-4393-8F75-188794D8F8A8} Apple Inc. C:\Program Files\iTunes\iTunes.exe
Yes Task {C10160B2-5CA1-41D3-9139-27872A3D18AB} Apple Inc. C:\Users\I\Downloads\iTunes6464Setup.exe
 
Uninstall these programs:
QuickTime Apple Inc. 2/6/2017 73.2 MB 7.71.80.42 (NO longer supported)
 
Update VLC Media Player...very important...see Malicious Movie Subtitles Can Give Hackers Full Control Over Your PC
 
I note that there are three Cisco entries in Installed Programs.
 
You can edit the Host file using the info at Windows 7 - Edit the Hosts File
I don't know what effect that will have on accessing the Web. But you can always re-edit the Host file if adding that item creates a problem.
 
I would be very leery of anything specific to itunes that wasn't downloaded from the Apple Store. Such as Leawo Tunes Cleaner



#8 RandomRobert (Topic Starter)

Posted 29 May 2017 - 02:28 AM

Followed all the above suggestions, deleted Leawo Tunes Cleaner (no reports it had anything to do with utopia; deleted it anyway, all the same, to try it), ran a boot-time scan in Avast and a full scan in Malwarebytes, released and renewed the config, flushed the DNS, and restarted the computer; it still says "Currently connected to: Utopia.net".

The strange thing about this is that it seems to have been going on for over 2 years at least, and nearly nobody knows anything about it. Weird.

http://www.dslreports.com/forum/r30150713-DNS-hijacking?search=utopia.net (2015)
Question
Can I remove the following without affecting my wireless network and internet access? In our house we have an Xfinity Blast 250 account, an Arris TG1682G, a D-Link 890LR, and a Netgear AC3200, the latter two being in AP mode.
 

Cisco EAP-FAST Module Cisco Systems, Inc. 1/25/2017 1.53 MB 2.2.14
Cisco LEAP Module Cisco Systems, Inc. 1/25/2017 632 KB 1.0.19
Cisco PEAP Module Cisco Systems, Inc. 1/25/2017 1.22 MB 1.1.6

Thanks!
RR

Edited by RandomRobert, 29 May 2017 - 02:36 AM.


#9 buddy215 (BC Advisor)

Posted 29 May 2017 - 04:53 AM

This should help you decide whether to keep those Cisco items or uninstall them. Can I remove Cisco EAP-FAST Module, Cisco LEAP Module, and Cisco PEAP - Microsoft Community

Install date for those 3 items is the date for several items installed as you can see in the list of installed programs.

 

Your link to DSL Reports is different from the one I posted. It had a solution of adding another router. Did you read that?

QUOTE: Only solution (I found) is to use another router behind this, and set this one up in bridged mode. Or leave in default mode (as perim. firewall), and avoid using the builtin DHCP, by manually configuring second router.

The next comment about the above QUOTE: Agree that its annoying that the Cisco device hands out this default domain suffix. If you can login to that box there should be a way under your DHCP settings to disable or change the default domain suffix option being passed out to the DHCP clients in your house.

Using nslookup is spotty at best. I have a feeling that if you ran the exact same nslookup command with a trailing . at the end of your command, you would get the correct result i.e. C:> nslookup google.ca.

Also - in theory, the default domain suffix should not affect anything that you are doing via your web browser as most are smart enough to deal with this. However it could lead to some slowness because of additional DNS work being potentially required.

When it comes right down to it, what you are doing to solve the problem will work. Put the Cisco into bridged mode and use another device for wifi in your house. Honestly, you will end up having many fewer problems running this way - unless the 2nd device is also garbage. Let the modem be a modem, and let a wifi device handle wifi. Good luck!

END QUOTE

 

 


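To make the mechanism in the quoted DSL Reports comment concrete, here is an added example (not code from this thread, from Comcast, or from any tool mentioned above) that parses the options in a DHCP ACK and pulls out the three fields that matter here: the router (option 3), the DNS servers (option 6) and the domain name the gateway hands out (option 15), which is the connection-specific suffix Windows attaches to the connection. The ACK bytes are constructed inside the script, not captured from a real Arris gateway; the 192.0.2.x addresses are assumed documentation addresses, while 75.75.75.75 and 8.8.8.8 are the two resolvers named in the thread. The resolver_candidates helper is a simplified model of suffix search, just enough to show why a trailing dot (nslookup google.ca.) stops the suffix being appended.

```python
import struct
import ipaddress

# DHCP option codes used below (RFC 2132)
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS_SERVERS = 0, 1, 3, 6
OPT_DOMAIN_NAME, OPT_MSG_TYPE, OPT_END = 15, 53, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_reply(xid, yiaddr, options):
    """Build a minimal BOOTREPLY (op=2) carrying the given (code, data) options.
    Only used to construct a sample packet; a real gateway fills in more fields."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                            # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0,                             # transaction id, secs, flags
        b"\0" * 4,                             # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,  # yiaddr: address offered to the client
        b"\0" * 4, b"\0" * 4,                  # siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    body = b"".join(struct.pack("!BB", code, len(data)) + data for code, data in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp_options(packet):
    """Return {option_code: data} from the options field of a DHCP packet.
    Pads are skipped, END stops parsing, truncated options raise, and a code
    that appears more than once is concatenated (RFC 3396 long options)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d truncated" % code)
        options[code] = options.get(code, b"") + data
        i += 2 + length
    return options


def _ip_list(data):
    # Option value is a run of 4-byte IPv4 addresses; a trailing partial address is ignored.
    return [str(ipaddress.IPv4Address(data[k:k + 4]))
            for k in range(0, len(data) - len(data) % 4, 4)]


def summarize_lease(packet):
    """The parts of a lease that decide who answers DNS and which suffix the client shows."""
    opts = parse_dhcp_options(packet)
    msg_type = opts.get(OPT_MSG_TYPE, b"\0")[0]
    return {
        "type": MSG_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type),
        "router": _ip_list(opts.get(OPT_ROUTER, b"")),
        "dns_servers": _ip_list(opts.get(OPT_DNS_SERVERS, b"")),
        # option 15 is plain text; some servers NUL-terminate it, so strip that
        "domain_name": opts.get(OPT_DOMAIN_NAME, b"").rstrip(b"\0").decode("ascii", "replace"),
    }


def resolver_candidates(name, suffix):
    """Simplified model of suffix search (assumption, not a copy of the Windows DNS
    client): a name ending in '.' is absolute and is queried as-is; any other name
    is tried as-is and then with the connection-specific suffix appended."""
    if name.endswith("."):
        return [name]
    return [name, "%s.%s" % (name, suffix)]


# Constructed sample: what a gateway handing out "utopia.net" as option 15 might send.
# 192.0.2.x are assumed documentation addresses; 75.75.75.75 and 8.8.8.8 are from the thread.
SAMPLE_ACK = build_dhcp_reply(
    xid=0x1A2B3C4D,
    yiaddr="192.0.2.50",
    options=[
        (OPT_MSG_TYPE, bytes([5])),
        (OPT_SUBNET_MASK, ipaddress.IPv4Address("255.255.255.0").packed),
        (OPT_ROUTER, ipaddress.IPv4Address("192.0.2.1").packed),
        (OPT_DNS_SERVERS, ipaddress.IPv4Address("75.75.75.75").packed
                          + ipaddress.IPv4Address("8.8.8.8").packed),
        (OPT_DOMAIN_NAME, b"utopia.net"),
    ],
)

if __name__ == "__main__":
    print(summarize_lease(SAMPLE_ACK))
    print(resolver_candidates("google.ca", "utopia.net"))
    print(resolver_candidates("google.ca.", "utopia.net"))
```

On a live Windows 7 machine the same three values are what ipconfig /all prints as Default Gateway, DNS Servers and Connection-specific DNS Suffix; if the suffix line reads utopia.net while the DNS Servers line still shows the addresses you configured, the gateway's DHCP option 15 is the source of the name and the resolvers themselves have not been changed.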


#10 RandomRobert (Topic Starter)

Posted 29 May 2017 - 06:31 AM

EAP-FAST, LEAP, PEAP: I got rid of all three since I never use wireless with this computer. Flushed the DNS cache, restarted, same problem. I still get utopia.net.
You were saying that I can use another router as a filter for this DNS hijack? When you say put the router BEHIND my Comcast router, do you mean make a direct cable connection to the new router and then attach my Comcast router to that one, or the reverse?

I truly appreciate this help. Thank you!



#11 buddy215 (BC Advisor)

Posted 29 May 2017 - 09:40 AM

I think it is harmless....utopia.net. I only provided info to help you decide. It has been a learning experience for me. At first I thought it might be some adware or worse. Not anymore after doing research on the web.




#12 RandomRobert (Topic Starter)

Posted 29 May 2017 - 04:46 PM

Really? Then What is it exactly?

Thanks.
RR



#13 buddy215 (BC Advisor)

Posted 29 May 2017 - 06:14 PM

Start a new topic in the Malware Removal forum. Someone there will be able to remove all of Utopia.net. They use tools not allowed in this forum and know how to use them.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.




#14 RandomRobert (Topic Starter)

Posted 29 May 2017 - 06:30 PM

Update: SOLVED
 

I opened my Avast antivirus and internet security and did a "Scan network for threats"; it found a vulnerability for the WannaCry / DoublePulsar ransomware/malware, and so I followed their instructions on how to remove it using an update patch. NOTE: I am not certain what connection, if any, this has with my former problem.
Google this to find the patch for your version of Windows:
"March 2017 Security Only Quality Update for Windows"

Then I went to the  “settings” in the firewall section of avast, and saw a list of  network profiles, and among them, sure enough, was Utopia.net! I selected “Delete” from the right click drop down menu, not really knowing what would happen. And deleted utopia.net from the network profiles list.
Strangely, despite the fact that Avast said I was not connected to a network,  I was able to go to several pages easily.

Finally I restarted my computer and then when I logged back on,  POW, utopia.net was no longer listed as the network I was connected to. My network now says 
“Currently connected to hsd1.ca.comcast.net”

I don’t know how I would do that in other security programs, but I’d guess that deleting the network profile “utopia.net” is the key, since it was for me. Thanks for all your help!

In avast at least, the path is firewall-settings-network profiles, look for utopia.net and use the right hand menu to delete it and restart computer. 

RR
 


Edited by RandomRobert, 29 May 2017 - 07:56 PM.


#15 buddy215 (BC Advisor)

Posted 29 May 2017 - 07:19 PM

Good...hopefully it is gone for good. I could never determine if your ISP was responsible for Utopia or not....mixed results.

 

As far as the patch goes...if you updated each month or accept updates automatically, then you already have the March update that it is referring to.






