
DPC3941T Modem hacked? Utopia.net

New Poster

Re: DNS reverts to Utopia.net after gateway/router reboot- Malware & Virus software finds nothin

Alright, I have some more findings and data that people on here might find relevant and useful.

So when we lost internet and TV 2 days ago, and it was knocked out in that big wind storm, we got a hold of a technician to come and take a look. He confirmed that the reason we didn't have either was because of a blown fuse in a box up the street, he's currently fixing it and we should have internet within the next hour or so.

The whole situation and not knowing why we didn't have TV and internet was what caused me to go on this wild goose chase and try to figure out what was going on. The circumstances were strange, and I wanted to get to the bottom of it.
This is what caused me to stumble upon the whole utopia.net thing in my current DNS settings.

But I have some potentially good news. As I was scrambling to look at all of my devices' current DNS settings, only to find utopia.net on every single one, I remembered that I had a laptop sitting around that hadn't been used or connected to the internet for roughly a week.
I cracked it open, and lo and behold, its DNS settings were correct, and pointing to the proper Comcast DNS.

While this is not 100% confirmable as of yet, it does seem to indicate that this isn't malicious or a DNS hijacking, at least in my case. What this means is that there is indeed some sort of a weird default DNS baked into the modem's firmware.

I'm not saying that this is the case for everyone experiencing this issue, but it would seem to indicate that this is probably the case for many of these reported scenarios. I know how much I've been freaking out about it, so I wanted to post this here in the hopes of bringing some peace of mind to people who are still experiencing the issue and looking for answers.

I'll post more once I know more, and as things progress.
New Poster

Re: DNS reverts to Utopia.net after gateway/router reboot- Malware & Virus software finds nothin

Hello everyone. I have been having the utopia.net hijack problem for months. I do believe that it is coming from the Comcast modem, as I switched it out three times and it always comes back.

My temporary fix on Windows 10 is to eliminate the three mentions in regedit.exe, then run the following commands at an administrator command prompt.

ipconfig /flushdns
ipconfig /release
ipconfig /renew

This keeps it to the Comcast DNS for a while, maybe days or a week or so, but utopia.net comes back.

For those that say that it does not matter, I say yes it does, because my upload speed goes down to 100 KBS from 12.7 MBS when uploading to YouTube.

I do not know how to get rid of it permanently. I am angry and I wish Comcast would admit that it is their problem and not anything on our systems.

heartdaughter

New Poster

Re: DPC3941T Modem hacked? Utopia.net

With the abundance of information posted regarding utopia.net in forums (including this one), I am astounded that nobody at Xfinity customer service has any training on how to deal with it. I spent almost an hour on the phone, and Comcast's "technicians" in India don't seem to understand what I'm talking about, much less have the capability to solve it. This is a serious issue that can adversely affect customers without their knowledge — because malware and virus scans can't detect it. I have changed my wireless router settings to reflect what you have suggested here, hopefully isolating the issue to the modem when it arises. But this gives me little assurance. In any case, the Internet Security team at Comcast is woefully lacking in their knowledge and ability to solve problems that are beyond textbook level.

Contributor

Re: DPC3941T Modem hacked? Utopia.net

For those looking for "resolution" here is my best attempt at providing you as much detail as I can from various sources.

What we know:

  • This is a known (by customers at least) issue with the Comcast XB3 series and potentially some other Cisco and Technicolor models.
  • This appears to be an issue within the firmware of the modem itself, where the "default" DNS is "utopia.net" while the modem is loading and connecting to Comcast.
    • I suspect this is the case because whoever created the firmware needed to enter "something" as a default and was likely thinking "haha, utopia.net, that'll never exist"
      • Someone smart figured this out, and actually created the domain utopia.net, which may I add looks as suspicious as ever
  • This issue seems to be 100% duplicatable by rebooting the modem and PC at the same time (confirmed on multiple PCs)
  • This will create at least 1 registry entry for "utopia" on every machine that is powered on when this issue occurs.
    • Search the registry for the word utopia and if it matches utopia.net, DELETE IT.
    • If you do not delete it, the machine WILL revert to it randomly, upon reboots, or whenever it desires.
      • This gives an illusion that this issue is happening more frequently than it really is.
  • This appears to NOT be related to any particular virus or malware infection on the PC
    • Some AntiVirus/Malware software WILL detect the aforementioned registry key as a virus. While this registry key itself is NOT a virus, it does relate to other malware.
  • This DNS will be handed out to ANY device connected on your network. PCs and Macs are prone to retaining this entry.
    • My OSX repair days have come to a minimum, I cannot remember how to clear a previous DNS entry from OSX, but I suspect it is somewhere in the network manager.

Is my information compromised?

  • Keep in mind, these points aren't going to be things that an "average" person just "does". It would require someone with an amount of IT knowledge to successfully pull most of these things off.
    • While it is unlikely that this particular issue actually steals any information from you or your computer, it is possible for the owner of this domain to detect incoming connections coming from your machine which may give away your IP address and potentially allow a remote hacker to later compromise your system if you have open ports on your network.
    • It could redirect you to other malicious sites or search results that may contain questionable content. These sites are typically the sites you will get the infection from, not the DNS server.
    • Packets could get snooped and the contents revealed, although this form of hacking is getting substantially harder with advanced encryption algorithms.
  • Use general internet common sense.
    • Do not enter a username, password, or any other personal information anywhere online while your DNS shows up as utopia.net
    • Don't use the same passwords everywhere, especially for banking & health, for the aforementioned bullet could allow one person to take control of your entire digital life.

How can you resolve this?

  • Buy your own external router
  • Disable the WiFi on the comcast gateway, including opting out of the Public WiFi Hotspot via your comcast account page
  • Set the firewall for IPv4 and IPv6 to "none/disabled"
  • Place the comcast gateway in bridged mode. The gateway should automatically reboot.
  • Disconnect ALL ethernet cables from the gateway while it reboots (independent issue, just trust me)
  • Wait for the gateway to fully boot up, including the telephony portion.
    • Confirm that your telephone works (if subscribed)
  • Connect the ethernet cable from your router to an ethernet port on the back of the gateway. 
    • Reports indicate that port 4 will not work as it is reserved for "Xfinity Home Security"
    • Other reports indicate that port 1 will not work either (random?)
    • Try port 2 for best luck
  • Power up the external router and wait a few minutes for it to establish a connection
  • Plug in your wired devices to the new router and/or pair with a wifi device
  • Configure new wireless router
    • Look for a subsection labeled DNS
    • DISABLE automatic DNS assignment
      • This disables getting the DNS server from the comcast gateway, which as we know passes out Utopia.net
    • Manually enter comcast's DNS servers, which are in the beginning of this thread
      • Primary: 75.75.75.75
      • Secondary: 75.75.76.76
    • *Optionally use Google DNS instead - Known to provide faster response times*
      • Primary: 8.8.8.8
      • Secondary: 8.8.4.4
    • If available, enable the option that allows the router to hand out these DNS entries to each PC instead of passing them through from the gateway
      • This will further prevent the PC from otherwise reverting in very rare cases
      • If this option isn't available, you will likely be fine. This is just a second layer.

I hope the information contained in this post is helpful and if so, please click the Kudos button. I'm just a normal everyday IT guy trying to help everyone who has likely spent countless days searching the internet for a resolution to this. I am in no way related to Comcast and the information contained above is to be used at your sole discretion. I know some will complain that they shouldn't need to buy an external device to prevent an issue with the firmware, with which I 100% wholeheartedly agree. I am offering a right-now solution versus waiting an undetermined amount of time for a firmware fix to be applied, tested, and deployed for this issue, which could take weeks, months, or even more than a year to roll out widespread.

Frequent Visitor

Re: DPC3941T Modem hacked? Utopia.net

Yes my connection still needs your help.  We were supposed to have a tech call us this weekend and come over for neighbor splitting off my service causing issues with x1 companion box downstairs...shows failed but is connected, internet speeds inconsistent.  No call from Tech 3 days later.  

 

portion of chat Saturday November 18 2017:

 

12:50 PM Comcast : I have raised a request for you.
12:50 PM Me : shows here as failed
12:50 PM Me : ok
12:50 PM Comcast : The request number is 0 4 4 5 5 5 4 2 0.
12:50 PM Comcast : You will receive a call with in 2 hours from our tech.
12:50 PM Me: ok
12:51 PM Comcast : The box is showing failed on your end because of the splitter issue, No worries, out tech will fix it for you.
12:51 PM Comcast : You will not have to repeat your self again.
New Poster

Re: DPC3941T Modem hacked? Utopia.net

SOLVED: I had such an issue with this that I could barely use the internet. When I sent a reset to the modem and/or renewed my IP address (ipconfig /release > ipconfig /renew [in cmd prompt]) the DNS would change back to Comcast, but then get hijacked again by utopia.net a few minutes later. The below is how I fixed the problem (IMPORTANT: You should still run a good antivirus program or two so that any remaining infection can be removed.)

I found the registry keys for the network and deleted the profile, then changed the signature DNS suffix back to Comcast's:

(Go to Start and run REGEDIT [be careful as messing with these files can seriously harm your computer])

  • Delete any utopia.net profile from here

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\

  • Change the signature (DNS suffix) back to Comcast's “hsd1.tx.comcast.net” for any that are "utopia.net"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged


utopianet fix.png
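For readers who want to check a machine before touching regedit, here is a read-only audit script. It is an added example and not code posted by anyone in this thread: it lists entries under the two NetworkList keys named above that mention utopia.net, shows the connection-specific suffix each interface currently has, and compares the live IPv4 DNS servers against the Comcast resolvers listed earlier in the thread. It assumes Windows 10 with the built-in DnsClient module and changes nothing; the suffix and resolver addresses are taken from the thread, and the "CHECK" label is this script's own wording.

```powershell
# Added example, not code from anyone in this thread: read-only audit of the
# NetworkList registry keys and the live DNS client settings. It deletes and
# modifies nothing. Assumes Windows 10 with the built-in DnsClient module.

$SuspectSuffix = 'utopia.net'                    # suffix the thread describes
$ExpectedDns   = @('75.75.75.75', '75.75.76.76') # Comcast resolvers from the thread

$ProfilesKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$SignaturesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'

function Get-SuspectNetworkEntry {
    param([string]$Key, [string]$Suffix)
    # Profile subkeys carry ProfileName/Description; Signature subkeys carry
    # DnsSuffix/FirstNetwork. Match the suffix against whichever are present.
    Get-ChildItem -Path $Key -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $fields = @($p.ProfileName, $p.Description, $p.DnsSuffix, $p.FirstNetwork) -join ' '
        if ($fields -match [regex]::Escape($Suffix)) {
            [pscustomobject]@{
                Subkey       = $_.PSChildName
                ProfileName  = $p.ProfileName
                DnsSuffix    = $p.DnsSuffix
                FirstNetwork = $p.FirstNetwork
            }
        }
    }
}

Write-Host "== Registry entries mentioning $SuspectSuffix (stale entries alone do not mean the DNS is wrong now) =="
Get-SuspectNetworkEntry -Key $ProfilesKey   -Suffix $SuspectSuffix | Format-Table -AutoSize
Get-SuspectNetworkEntry -Key $SignaturesKey -Suffix $SuspectSuffix | Format-Table -AutoSize

Write-Host "== Connection-specific DNS suffix per interface (what ipconfig /all reports) =="
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix | Format-Table -AutoSize

Write-Host "== IPv4 DNS servers per interface =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        # A LAN gateway address here (such as the 10.0.0.1 seen later in this
        # thread) is normal when the router forwards DNS; any other address
        # outside the expected list is flagged for a closer look.
        $unexpected = @($_.ServerAddresses | Where-Object { $ExpectedDns -notcontains $_ })
        $status = if ($unexpected.Count -gt 0) { 'CHECK: ' + ($unexpected -join ', ') } else { 'ok' }
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Servers   = ($_.ServerAddresses -join ', ')
            Status    = $status
        }
    } | Format-Table -AutoSize
```

The script separates the two things this thread keeps conflating: leftover registry entries, which later replies show can sit on a machine whose ipconfig already reports the correct Comcast suffix, and the suffix and resolvers the DNS client is actually using right now. Only the second section tells you whether a device is currently resolving through an unexpected server; the registry section just tells you which profiles to review if you do decide to clean up.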
Service Expert

Re: DPC3941T Modem hacked? Utopia.net


Quirkyhndl wrote:

SOLVED: I had such an issue with this that I could barely use the internet. When I sent a reset to the modem and/or renewed my IP address (ipconfig /release > ipconfig /renew [in cmd prompt]) the DNS would change back to Comcast, but then get hijacked again by utopia.net a few minutes later. The below is how I fixed the problem (IMPORTANT: You should still run a good antivirus program or two so that any remaining infection can be removed.)

I found the registry keys for the network and deleted the profile, then changed the signature DNS suffix back to Comcast's:

(Go to Start and run REGEDIT [be careful as messing with these files can seriously harm your computer])

  • Delete any utopia.net profile from here

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\

  • Change the signature (DNS suffix) back to Comcast's “hsd1.tx.comcast.net” for any that are "utopia.net"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged


I have utopia.net in my registry but my DNS is Comcast's.  I don't see any need to make these changes.




I am not a Comcast employee, I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark it as an accepted solution!

Problem Solver

Re: DPC3941T Modem hacked? Utopia.net

@RobertWy

Did you have one that said utopia.net and another that showed the correct DNS Suffix?
Service Expert

Re: DPC3941T Modem hacked? Utopia.net


jweaver0312 wrote:
@RobertWy

Did you have one that said utopia.net and another that showed the correct DNS Suffix?

Yes. And ipconfig is correct.

Microsoft Windows [Version 10.0.16299.64]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Users\rwyco>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-CBAI5AM
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.tx.comcast.net

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : hsd1.tx.comcast.net
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 00-25-AB-A4-78-06
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:2c6:4f00:9ef::611d(Preferred)
Lease Obtained. . . . . . . . . . : Saturday, December 2, 2017 2:17:44 AM
Lease Expires . . . . . . . . . . : Saturday, December 9, 2017 2:17:44 AM
IPv6 Address. . . . . . . . . . . : 2601:2c6:4f00:9ef:61a3:cb32:23ef:64ad(Preferred)
Temporary IPv6 Address. . . . . . : 2601:2c6:4f00:9ef:15e9:f682:cfec:d700(Preferred)
Link-local IPv6 Address . . . . . : fe80::61a3:cb32:23ef:64ad%2(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.0.174(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, December 1, 2017 4:08:47 PM
Lease Expires . . . . . . . . . . : Tuesday, December 12, 2017 5:36:08 AM
Default Gateway . . . . . . . . . : fe80::5ee3:eff:fecf:1c63%2
10.0.0.1
DHCP Server . . . . . . . . . . . : 10.0.0.1
DHCPv6 IAID . . . . . . . . . . . : 50341291
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-EF-BC-F0-00-25-AB-A4-78-06
DNS Servers . . . . . . . . . . . : 2001:558:feed::2
2001:558:feed::1
75.75.76.76
75.75.75.75
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.tx.comcast.net
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 3168
Physical Address. . . . . . . . . : 30-E3-7A-AF-A3-43
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 30-E3-7A-AF-A3-44
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 30-E3-7A-AF-A3-47
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:c42:38b2:f5ff:ff51(Preferred)
Link-local IPv6 Address . . . . . : fe80::c42:38b2:f5ff:ff51%11(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 352321536
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-EF-BC-F0-00-25-AB-A4-78-06
NetBIOS over Tcpip. . . . . . . . : Disabled





Problem Solver

Re: DPC3941T Modem hacked? Utopia.net

Ok. @Quirkyhndl

Did your registry already have anything in it showing the proper DNS Suffix or did it all say utopia.net instead?
Service Expert

Re: DPC3941T Modem hacked? Utopia.net


jweaver0312 wrote:
Ok. @Quirkyhndl

Did your registry already have anything in it showing the proper DNS Suffix or did it all say utopia.net instead?

My registry has both.

 

I do not have the DPC6941T any more. It was replaced by an Arris TG1682G. (Full disclosure.)





Problem Solver

Re: DPC3941T Modem hacked? Utopia.net

Understood. I swapped mine out for a 1682 a while back as well. I was mainly trying to ask that question to @Quirkyhndl. My registry had both, while mine shows hsd1.nj.comcast.net. I was starting to form a theory that the reason some people get utopia.net is probably because the correct suffix is not getting into their registry and updating it. I was trying to ask Quirkyhndl to see if theirs only had utopia.net, while ours had both yet showed the correct DNS suffix.