PersonalP

AutoIt error on every startup

21 posts in this topic

Hi all;

Recently (as of a few days ago) I've been getting an error dialog every time I log into Windows (Windows 7 if that's of interest).

The error reads:

AutoIt Error
Line 207 (File "C:\Windows\Startup.exe"):
(blank line)
Error: Array variable has incorrect number of subscripts or subscript dimension range exceeded.

I haven't installed AutoIt myself, so I'm assuming that it's been installed as a dependency for another program.

Is there anything I can do to make this error dialog go away, or track down why I have AutoIt installed?

Thanks for any help.


#2 ·  Posted (edited)

Did you create the compiled program? If not then I suggest reporting this to the person who did as they will be able to offer advice and/or a solution.

Edited by guinness


That error may be a blessing in disguise.

You don't have to have AutoIt installed for this to happen. That is just a file that was written in and compiled with AutoIt and has nothing at all to do with AutoIt itself.

Look for that C:\Windows\Startup.exe and rename it to startup_old.exe until you know more about it.

Look in the Start Menu >> All Programs >> Startup folder and hope there is an entry there. If there is, just move the shortcut to your desktop. If not then it's being loaded from the registry, so if you don't know how to remove those entries get back to us.

Now go to the file you renamed and look at the file properties. Anything there that gives you a clue as to what it's for?

The reason I'm taking a cautious approach is the very fact that AutoIt, just like any other language, can be used to write malicious code. Have you scanned that file with a virus scanner?


George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.***

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"


I scanned the file with Microsoft Security Essentials and Avira AntiVir Personal, and neither brought up any warnings for it. I found the startup entry in the registry at HKeyLocalMachine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run and disabled it, as well as renaming the exe to Startup.exe.OLD. Thanks for the advice GEOSoft, I'll see if anything fails to start in a spectacular fashion next time I reboot. :)

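The startup check described above (Startup folders first, then the Run keys, including the Wow6432Node key where the entry was found), as an added PowerShell example that is not part of any post in this thread. It assumes PowerShell 3.0 or later; the flagging rules are illustrative assumptions and only mark entries worth a closer look.

```powershell
# Added example (not from the thread): list logon autostart entries and flag odd ones.
# The flagging rules are illustrative assumptions, not a malware verdict.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit view
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup')) | Where-Object { $_ }

function Get-ExePath([string]$Command) {
    # Extract the executable from a Run value: a quoted path, or text up to the first ".exe"
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $Command.Trim()
}

function Get-EntryFlags([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'target not resolved' }
    $flags = @()
    # Third-party programs rarely install an executable directly into C:\Windows
    if ((Split-Path -Parent $Path) -ieq $env:SystemRoot) { $flags += 'sits directly in the Windows directory' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $flags += "Authenticode status: $($sig.Status)" }
    if (-not (Get-Item -LiteralPath $Path).VersionInfo.CompanyName) { $flags += 'no company name in file properties' }
    return ($flags -join '; ')
}

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
    }
}) + @(foreach ($dir in $startupDirs) {
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } | ForEach-Object {
            # Resolve shortcuts to the program they launch
            $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $target }
        }
})

# Flagged entries are listed first
$entries | ForEach-Object {
    $_ | Add-Member -NotePropertyName Flags -NotePropertyValue (Get-EntryFlags (Get-ExePath $_.Command)) -PassThru
} | Sort-Object { -not $_.Flags } | Format-List Source, Name, Command, Flags
```

Plenty of legitimate software is unsigned, so a flag here is a reason to inspect the file properties and scan the file, not a reason to delete it.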

#5 ·  Posted (edited)

Also try to scan the file in VirusTotal and post the results here

(if the mods don't mind us trying to find out what that file is here in the forum).

Edited by monoscout999


#6 ·  Posted (edited)

I've put a copy of the file up on my public Dropbox at - it won't be there forever though. I've zipped it and changed the file extension to try and make sure no one accidentally runs it. :)

Edited by big_daddy


#7 ·  Posted (edited)

You did not change it, it's still .exe; it's a trojan downloader from testing it. Please re-edit your post and remove your link.

Install some AV like Avast and do a full system scan on booting. Use HijackThis or some similar program to remove the reg key from startup if it's still there, if you need.

Link reported.

I'm sure that if needed moderators will ask you to put the link in a PM; posting it on the forum like this, even with a changed extension, isn't wise.

Edit: you know what's funny, I had an identical virus thing 1 year ago on a laptop that did not have Avast, identical file, identical errors. It's killing me to see that someone wrote some virus (assuming that it's a virus) like this and that he made an array mistake that terminates the code ^^. :)

Edited by bogQ

TCP server and client - Learning about TCP servers and clients connection
Au3 oIrrlicht - Irrlicht project
Au3impact - Another 3D DLL game engine for autoit. (3impact 3Drad related)



There are those that believe that the perfect heist lies in the preparation.
Some say that it’s all in the timing, seizing the right opportunity. Others even say it’s the ability to leave no trace behind, be a ghost.

 


Can you use Sandboxie?

or a similar program

Then open it contained within the sandbox so it can't damage the system

http://www.sandboxie.com/

Are you sure you haven't downloaded someone's code and run it and it's left a piece on the drive or added itself to the startup?

Maybe a reboot after script install or something like that.

Chimaera


#9 ·  Posted (edited)

Are you sure you haven't downloaded someone's code and run it and it's left a piece on the drive or added itself to the startup?

I haven't installed AutoIt myself, so I'm assuming that it's been installed as a dependency for another program.

Edited by bogQ


Are you sure you haven't downloaded someone's code and run it and it's left a piece on the drive or added itself to the startup?

Maybe a reboot after script install or something like that.

Chimaera

Ok as an exe maybe?, not everyone releases source .. and then run it


Here is what I suspect has happened.

The OP has downloaded a malicious file, probably inadvertently. The part that annoys me is we may have helped the sub-moron write that code and that concept always pisses me off.

I've been in touch with the OP by PM requesting a copy of the file (I have a plan, don't worry). The link he provided here and in his PM reply just 404s so far which is probably an indication it was either scanned or reported so it's no longer available.

I won't post in a public forum what it was that made me suspicious to begin with but I definitely was suspicious as soon as I read his first post and I still feel the same way about that file.


George


The report of the file scanned by VirusTotal: Report VT

Can someone remove the link?


The link does work for me. It is written in AutoIT, but is made out to be a Winrar file. But WinRaR can't open it. It definitely does attempt to go online and log into a website. Other than that I couldn't tell you what it does.


@PersonalP

I also need you to search your system for a file named poclbminst.exe and another named poclbm.exe. The first may be in the Root dir of your drive and the second is probably in the Windows folder.

Delete both files.

It may also be advantageous to do a file search of all files including non-indexed locations for "poclbm*" and rename them by just adding an extra .old extension to the filename.


George


Thanks for spending so much time looking into this GEOSoft.

I had a look around on my system and found:

C:\poclbminst.exe

C:\Windows\poclbm.exe

I've renamed them both with a ".old" suffix.

I looked up Poclbm, and looks like it's used for generating Bitcoins:

https://en.bitcoin.it/wiki/Poclbm

I have various Python files on my computer as well (e.g. python26.dll) - and I certainly haven't installed Python. Python is used by the Bitcoin generator.

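The "poclbm*" search and ".old" rename discussed in the two posts above, as an added PowerShell example that is not part of any post in this thread. It records each file's size, timestamps and SHA-256 before touching it, so the sample can still be identified after it is renamed or submitted to a scanner. It assumes PowerShell 4.0 or later (for `Get-FileHash`), and the report path is a hypothetical location.

```powershell
# Added example (not from the thread): locate files by name pattern, record
# evidence about each one, and optionally neutralise them by appending ".old".
param(
    [string]$Root    = 'C:\',
    [string]$Pattern = 'poclbm*',                         # pattern named in the thread
    [string]$Report  = "$env:TEMP\poclbm-findings.csv",   # hypothetical report location
    [switch]$Rename                                       # report only unless this is set
)

# -Force includes hidden and system files; unreadable directories are skipped
$found = @(Get-ChildItem -Path $Root -Filter $Pattern -File -Recurse -Force -ErrorAction SilentlyContinue)

$rows = foreach ($f in $found) {
    [pscustomobject]@{
        Path        = $f.FullName
        Bytes       = $f.Length
        CreatedUtc  = $f.CreationTimeUtc.ToString('o')
        ModifiedUtc = $f.LastWriteTimeUtc.ToString('o')
        # The hash still identifies the file after it is renamed or moved
        SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}
if ($rows) { $rows | Export-Csv -Path $Report -NoTypeInformation }

if ($Rename) {
    foreach ($f in $found) {
        if ($f.Extension -eq '.old') { continue }          # already renamed
        $newName = $f.Name + '.old'
        if (Test-Path -LiteralPath (Join-Path $f.DirectoryName $newName)) {
            Write-Warning "Skipping $($f.FullName): $newName already exists"
            continue
        }
        Rename-Item -LiteralPath $f.FullName -NewName $newName
    }
}

$rows | Format-Table Path, Bytes, SHA256 -AutoSize
```

Run it without `-Rename` first to review the findings, and from an elevated prompt so that files under `C:\Windows` can be read and renamed.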

It appears that someone has created an app. that creates bitcoins using other people's computers to do the work for them. Sounds illegal to me, good thing they can't code very well.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator


Symantec have a "submit a possible virus" form as well at http://www.symantec.com/business/security_response/submitsamples.jsp - I've submitted a copy there. I'll let you know if they get anything back to me.


It does come up as a virus.

@BrewManNH

That is a large part of what the script does and I've already been in touch with the administrator of BitCoins by email as well as tipping off hmamail.com about the user and what he is doing.

I might not be able to stop him but I'm sure I can make life difficult enough.

I already have a feeling about which AutoIt member it was and that person is already banned.

With enough contact with enough people I'm hoping to eventually turn up at least a valid IP address for the individual. I have a newly formatted and reinstalled laptop here that has mysteriously become infected and, if there is any legal recourse against any individual or entity, you can bet that's the way I'll go. Unfortunately if he is in the country I think he's in, the government and authorities will just ignore it anyway.


George


Interesting, I wonder if it is related (at all) to that Bitcoin heist that happened last month where the dude got fleeced for almost half a mil (USD) as read here:

http://www.techworld.com.au/article/390609/symantec_uncovers_bitcoin-stealing_trojan/


This whole Bitcoins thing sounds so stupid. I don't see this replacing money anytime soon. Not to mention, it's probably way too easy to cheat/lie/steal your way to making "money" like the way this program does.

