A friend had a huge spike in data over the past month. Windows data usage monitor said that "System" was the culprit. This shouldn't be. I ran everything and they have Norton installed. Nothing.
I knew something was there, I was about to do a total wipe and reinstall.
But I started thinking about IP since this was a bandwidth issue. I'm new to this, but it just rang a bell. When I looked at their setup, I realized the router was providing the IP and it was static, even though their ISP uses dynamic. Don't really understand this. Anyway, I had already disconnected the router and all other devices, hardwiring the Ethernet to the main PC.
I decided to hook the router up again, giving me the IP that the machine always uses. I instantly started getting alerts from MBAM, not norton, about attempted outbound connections. I ran MBAM and it caught the rootkit. Fileless rootkit.
Do you think I was able to trick it into trying to connect to its server with the IP switch? Or did I just get lucky?
IP Address: 22.214.171.124
that was the connection that drew the alert...
Rootkit.Fileless.MTGen, C:\USERS\ROX\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\06D90.LNK, No Action By User, , [-1],0.0.0
Rootkit.Fileless.MTGen, C:\Users\rox\AppData\Local\03b4e\F5832.063BD7, No Action By User, , [-1],0.0.0
Rootkit.Fileless.MTGen, C:\USERS\ROX\START MENU\PROGRAMS\STARTUP\06D90.LNK, No Action By User, , [-1],0.0.0
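Added example, not part of the post above: the two .LNK detections sit in the per-user Startup folder, which is a common persistence spot for "fileless" malware because the shortcut just launches a script host with a long argument string or points at a randomly named file under AppData\Local. The PowerShell below (my own code, not from the poster, MBAM or Norton) lists every shortcut in the per-user and all-users Startup folders, resolves what each one actually runs, and flags shortcuts whose target is a script host or whose target no longer exists on disk. The list of "script host" names is an assumption chosen for illustration; extend it as you see fit.

```powershell
# Added example: enumerate Startup-folder shortcuts and show what they really run.
# Run as the affected user (here the detections were under C:\Users\rox).

# Targets that are legitimate programs but are also the usual launchers for
# fileless payloads; this list is an assumption for the example, not exhaustive.
$scriptHosts = @('powershell','pwsh','wscript','cscript','mshta','rundll32','regsvr32','cmd')

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)

$shell = New-Object -ComObject WScript.Shell

$results = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Force | ForEach-Object {
        $lnk        = $shell.CreateShortcut($_.FullName)
        $targetName = [IO.Path]::GetFileNameWithoutExtension($lnk.TargetPath).ToLower()
        [PSCustomObject]@{
            Shortcut     = $_.FullName
            Target       = $lnk.TargetPath
            Arguments    = $lnk.Arguments
            TargetOnDisk = [bool]$lnk.TargetPath -and (Test-Path -LiteralPath $lnk.TargetPath)
            Created      = $_.CreationTime
            # Flag script hosts, missing targets, and anything launched from AppData\Local.
            Suspicious   = ($scriptHosts -contains $targetName) -or
                           -not (Test-Path -LiteralPath $lnk.TargetPath) -or
                           ($lnk.TargetPath -like "$env:LOCALAPPDATA\*")
        }
    }
}

# Newest shortcuts first; a .LNK created around the time the data spike began
# is the one to look at.
$results | Sort-Object Created -Descending | Format-List
```

Anything flagged Suspicious deserves a look at its Arguments column before deleting it: a Startup shortcut that launches powershell.exe or wscript.exe with an encoded or very long command line, or that points into a random-looking folder under AppData\Local like the F5832.063BD7 entry MBAM reported, is the persistence mechanism rather than the payload itself, so both the shortcut and the file it points at need to go. Note that the scan only covers the Startup folders; the same check is worth repeating for the Run keys in the registry and for scheduled tasks, which MBAM's log for this machine does not mention either way.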