Dirtjumper and suspicious network traffic
#1
Background.
Hi! I decided to ask for some help here in case someone knows more and better about this security issue than I do. This issue has been going on to this day, starting in January when our ISP started to inform us via text messages about a security issue called "Dirtjumper", related to some kind of suspicious activity coming from our connection out to the internet. First I couldn't find anything on this PC by doing research and scans with Avast and Malwarebytes, and after they closed the connection we contacted their own technical support, who remotely checked this PC and did mostly all the same things as I did, including a couple more scans with different tools; they found nothing. Only once during these three months (I guess it was at the end of January or in February) Avast found, blocked and quarantined a process called "wuauclt.exe" and a file called "inetcpl.cpl".
So this whole thing kind of started to loop over and over again after they reopened our connection. They inform us about Dirtjumper, I try to do everything I can, nothing is found, our connection gets closed and then we contact them again asking for help. At some point I decided to install Wireshark to see if there was actually something going on, and yes, there were random connections to random IP addresses linked to different domains and countries, e.g. Russia, China, Japan, Korea, Iran and probably more.
I have done a clean reinstall of Windows at least three times but this issue still occurs. We even asked them to send someone to physically take a look at this PC and our router to see if there actually was something. After I told him I hadn't found anything other than those random connections, he did a couple of scans on this PC and contacted the technical support right away. The only thing he did was remove our router and tell us it was the router sending out all the suspicious activity, because the MAC address of the router corresponded with the one inside the unwanted packets, which the technical support had probably taken a look at. 91€ well spent.
So after this we of course received another message from our ISP telling us about Dirtjumper; we didn't even bother to contact them anymore, because it would be a useless waste of time and money. I decided to stop using this PC for a week to get some extra time for us, reinstalled Windows again and set up antivirus. I noticed Brian's video about his own security solutions and decided to try out ZoneAlarm. ZoneAlarm started to block the random connections and we haven't received messages from our ISP for about two weeks now. Not sure if it is because of ZA fighting against them or if this is again some kind of break from our ISP not telling us about Dirtjumper (yes, they had something like a two-and-a-half-week-long break in February, when we heard nothing from them although the problem was still there). The problem now is that it still most likely exists. ZoneAlarm blocks around 1 connection per minute, and the total number of blocked connections from 15.3, the day I installed ZA, to this day is 10,8k (while writing this, the count increased by about 200 blocked attempts; it was originally 10,6k). Unfortunately ZA is somehow broken so it doesn't show the logs anymore, but they can still be viewed from the files themselves.

What have I done so far.
Various scans with many tools including Avast, Mbam, Mbar, Adwcleaner, NPE, Roguekiller, HitmanPro. I've done all these scans in safe mode too, except for HitmanPro and NPE because they want an internet connection, which doesn't work in safe mode even if I select safe mode with networking. I also tried TDSSKiller but it simply didn't even run, for some unknown reason.
I tried to reset the BIOS CMOS settings with the jumpers on my motherboard in case that had anything to do with it, or in case there was something in the BIOS. Not 100% sure how those things work.
I also checked my hard drives' partitions with GParted for hidden partitions, but I don't think there was anything there either.
I've executed some commands related to fixing the MBR with cmd inside the recovery environment. I tried a second time to do something about the MBR but got stuck at the /fixboot command, which the system wouldn't allow to execute.
I've tried to investigate what Dirtjumper is. I know it is a botnet used in DDoS attacks, but there is almost nothing related to Dirtjumper on the internet: not much information, no working removal guides, videos etc., just nothing, or else it's me and I don't know how to search. And because dirt jumping is an actual thing, it makes things even more difficult.

I have no idea how or where this problem could have come from, but after I built this PC at the end of September 2017 I used it without any 3rd party AV for a couple of months. Not sure what I was thinking back then, but that's probably related to this issue. There are no other devices connected to our network because I use it with an Ethernet cable; we have one old laptop but that is barely being used.

We are losing our minds because of this continuing hell, so if there is anything still to do, I will more than gladly read your ideas and tips.

PC specs if needed:
CPU: Ryzen 5 1600
GPU: GTX 1060 6GB
RAM: Corsair Vengeance LPX black 16GB running at 3000 MHz
Mboard: Asus Prime B350 Plus, BIOS version 3803
Storage: Western Digital 1TB WD Blue 7200 rpm and Samsung 250GB 850 EVO SSD as a system drive
PSU: Seasonic 520W M12II-520 Evolution
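The post describes connections being blocked at a steady rate of about one per minute to many unrelated destinations. Regular timing to a large set of destinations is one of the things an incident handler looks for when triaging a suspected bot, so the following added example (not from the original post or from ZoneAlarm) shows how to summarise a connection log and measure that regularity. The log format (`timestamp,src_ip,dst_ip,dst_port,proto`) is a constructed generic CSV, not ZoneAlarm's real log layout; the sample lines, the LAN prefix `192.168.1.0/24` and the destination addresses (taken from the IANA documentation ranges) are all constructed.

```python
"""Summarise outbound connection records and flag beacon-like timing.

Added example, not code from the original post. The CSV layout, the LAN
prefix and the sample log lines are constructed for illustration.
"""
import ipaddress
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Assumed home LAN prefix; anything outside it counts as "external".
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample: one external connection roughly every minute to
# several distinct destinations, plus one ordinary DNS query to the router.
SAMPLE_LOG = """\
2018-03-15 10:00:02,192.168.1.10,203.0.113.7,6667,tcp
2018-03-15 10:01:01,192.168.1.10,198.51.100.23,80,tcp
2018-03-15 10:02:03,192.168.1.10,203.0.113.44,8080,tcp
2018-03-15 10:03:00,192.168.1.10,198.51.100.9,443,tcp
2018-03-15 10:04:02,192.168.1.10,203.0.113.7,6667,tcp
2018-03-15 10:05:01,192.168.1.10,198.51.100.77,80,tcp
2018-03-15 10:20:00,192.168.1.10,192.168.1.1,53,udp
"""


def parse_log(text):
    """Parse the constructed CSV format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto,
        })
    return records


def summarize(records, lan=LAN):
    """Count external destinations and measure how regular the timing is.

    interval_cv is the coefficient of variation (stdev / mean) of the gaps
    between consecutive external connections: close to 0 means a fixed
    cadence, which is what a periodic check-in looks like.
    """
    external = sorted((r for r in records if r["dst"] not in lan),
                      key=lambda r: r["ts"])
    intervals = [(b["ts"] - a["ts"]).total_seconds()
                 for a, b in zip(external, external[1:])]
    summary = {
        "external_events": len(external),
        "distinct_destinations": len({str(r["dst"]) for r in external}),
        "ports": Counter(r["port"] for r in external),
        "mean_interval_s": mean(intervals) if intervals else None,
        "interval_cv": None,
    }
    if len(intervals) >= 2 and summary["mean_interval_s"] > 0:
        summary["interval_cv"] = pstdev(intervals) / summary["mean_interval_s"]
    return summary


def is_beacon_like(summary, min_events=5, max_cv=0.25):
    """Triage rule: enough external events with a near-constant cadence."""
    return (summary["external_events"] >= min_events
            and summary["interval_cv"] is not None
            and summary["interval_cv"] <= max_cv)


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"external events: {s['external_events']}, "
          f"distinct destinations: {s['distinct_destinations']}")
    print(f"ports: {dict(s['ports'])}")
    print(f"mean interval: {s['mean_interval_s']:.1f}s, "
          f"cv: {s['interval_cv']:.3f}")
    print("beacon-like timing:", is_beacon_like(s))
```

On the sample above the six external connections are about 60 seconds apart with a coefficient of variation near 0.03, so the rule fires. A steady cadence on its own is only a triage signal: legitimate update checks and telemetry are periodic too, so the value of this summary is the short list of destinations and ports it produces, which can be handed to the ISP or compared against what the machine should be talking to after a clean reinstall.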



Messages In This Thread
Dirtjumper and suspicious network traffic - Deswe - 03-26-2018, 07:57 PM
