
Trojan.Injector.AutoIt



We recently had a problem with our server: it got encrypted and a ransom was asked for. We have since reinstalled it and rebuilt it from back-ups. In the search for where the problem came from, we identified the possible source as an old Windows XP machine which we use for legacy compatibility with our CNC router, as the software which drives the router is incompatible with any higher version of Windows. Malwarebytes found the Trojan.Injector.AutoIt exploit and removed it (report attached). When I was looking to find out what this exploit allowed the attacker to do with other computers on the network, I did not find much info about it. The guy whom we contract to take care of our computers left me a note in Notepad (the session was dealt with remotely through TeamViewer) which read: "AutoIt is quite safe - but scriptkiddies use it to write malware...." I later found that it is a partial reply from a post on the AutoIt website where a false positive is discussed, in relation to Malwarebytes detecting the AutoIt.exe file as a potential threat, and I was somewhat disappointed with our network administrator's answer in regards to the malware detection. The machine is now barred from accessing the internet but is still connected to the intranet to get access to machining files; otherwise we would need to physically save them on a USB stick, carry the files to it, and then take the programmed machining files back again so they can be archived for future use.

Could you comment on the Trojan.Injector.AutoIt detection and what it could possibly allow the attacker to do? Could you also comment on whether a PC with Windows XP SP3 is safe on an intranet network while its network card's MAC address is prevented by the router from accessing the internet?

Attachment: MalwareBytes Report.txt


  • Root Admin

Hello @cejdasan and welcome

Sorry for the delay

This is a leftover from what looks to be a CryptoWall variant infection. Not sure if it got files from your server or whether it was the one infected and attacked shares on the server.

They are harmless text files. The infection would appear to be gone. If you run across files like "help_your_files.png" you can just delete them. The current name we use is a bit misleading, is all.

Thank you

Ron

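Ron's reply above says the detected files are leftover CryptoWall ransom notes and can simply be deleted, but he also cannot tell from the report whether the XP box encrypted the server's shares or was itself a victim. A quick way to get that answer is to sweep every share for the note files and look at where the oldest ones sit: CryptoWall drops a note into each directory it encrypts, so the directory with the earliest note is a good hint at where the run started. The script below is an added example, not code from the forum or from Malwarebytes. It assumes the note names are "help_your_files.png" (named in the thread) plus the other well-known CryptoWall 3.0/4.0 note names HELP_DECRYPT.* and help_your_files.*; the sample share layout it builds in a temporary directory is constructed for the demonstration and is not real data.

```python
import os
import re
import tempfile
import time
from typing import Dict, List, Optional

# CryptoWall ransom-note filenames. "help_your_files.png" is the one named in
# the thread; "help_decrypt" and the other extensions are well-known CryptoWall
# 3.0/4.0 note names added here as an assumption. Extend for the variant you saw.
NOTE_PATTERN = re.compile(
    r"^(help_your_files|help_decrypt)\.(txt|png|html|url)$", re.IGNORECASE
)


def find_ransom_notes(root: str) -> List[Dict]:
    """Walk `root` (a mapped share or the restored server tree) and return
    every note file found, oldest first."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if NOTE_PATTERN.match(name):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                hits.append({"path": path, "dir": dirpath,
                             "mtime": st.st_mtime, "size": st.st_size})
    hits.sort(key=lambda h: h["mtime"])
    return hits


def first_hit_directory(hits: List[Dict]) -> Optional[str]:
    """Directory holding the oldest note: where the encryption run likely began."""
    return hits[0]["dir"] if hits else None


def notes_per_directory(hits: List[Dict]) -> Dict[str, int]:
    """How many notes each directory holds; useful to see how far the run got."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["dir"]] = counts.get(h["dir"], 0) + 1
    return counts


def remove_notes(hits: List[Dict], dry_run: bool = True) -> List[str]:
    """Delete only the note files themselves, never user data. Dry run by
    default so you can review the list first. Returns the paths touched."""
    touched = []
    for h in hits:
        if not dry_run:
            os.remove(h["path"])
        touched.append(h["path"])
    return touched


def build_sample_tree() -> str:
    """Constructed sample share layout for the demonstration (not real data):
    two notes in the CNC folder, one in accounting, stamped so the CNC notes
    are the oldest."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "cnc_programs": ["part_a.nc", "help_your_files.png", "help_your_files.txt"],
        os.path.join("cnc_programs", "archive"): ["part_b.nc"],
        "accounting": ["ledger.xlsx", "HELP_DECRYPT.TXT"],
    }
    base = time.time() - 3600
    for i, (sub, names) in enumerate(layout.items()):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for name in names:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"sample")
            # stagger mtimes by a minute per directory, in layout order
            os.utime(p, (base + i * 60, base + i * 60))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = find_ransom_notes(root)
    for h in hits:
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(h["mtime"])), h["path"])
    print("earliest note directory:", first_hit_directory(hits))
    print("notes per directory:", notes_per_directory(hits))
    print("would remove:", remove_notes(hits))  # dry run
```

Point it at the restored server share and at every drive the XP machine maps, and compare the earliest note directories on each: if the oldest notes sit under the folders only the XP box writes to (the machining files in this thread), that supports the idea that it was the machine doing the encrypting rather than just another victim. Keep one copy of a note for the incident record before running with `dry_run=False`.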

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
