AutoIt error on every startup

[PersonalP]

Hi all;

Recently (as of a few days ago) I've been getting an error dialog every time I log into Windows (Windows 7 if that's of interest).

The error reads:

AutoIt Error
Line 207 (File "C:\Windows\Startup.exe"):
(blank line)
Error: Array variable has incorrect number of subscripts or subscript dimension range exceeded.

I haven't installed AutoIt myself, so I'm assuming that it's been installed as a dependency for another program.

Is there anything I can do to make this error dialog go away, or track down why I have AutoIt installed?

Thanks for any help.

[guinness]

Did you create the compiled program? If not then I suggest reporting this to the person who did as they will be able to offer advice and/or a solution.

Edited July 5, 2011 by guinness

[GEOSoft]

That error may be a blessing in disguise.

You don't have to have AutoIt installed for this to happen. That is just a file that was written in and compiled with AutoIt and has nothing at all to do with AutoIt itself.

Look for that C:\Windows\Startup.exe and rename it to startup_old.exe until you know more about it.

Look in the Start Menu>> All Programs >> Strartup folder and hope there is an entry there. It there is just move the shortcut to your desktop. If not then it's being loaded from the registry so if you don't know how to remove those entries get back to us.

Now go to the file you renamed and and look at the file properties. Anything there that gives you a clue as to what it's for?

The reason I'm taking a cautious approach is the very fact that AutoIt, just like any other language, can be used to write malicious code. Have you scanned that file with a virus scanner?

[PersonalP]

I scanned the file with Microsoft Security Essentials and Avira AntiVir Personal, and neither brought up any warnings for it. I found the startup entry in the registry at HKeyLocalMachine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run and disabled it, as well as renaming the exe to Startup.exe.OLD. Thanks for the advice GEOSoft, I'll see if anything fails to start in a spectacular fashion next time I reboot.

[monoscout999]

Also try to scan the file in VirusTotal and post the results here

(if the mods don´t mind to try of find out what is that file here in the forum).

Edited July 5, 2011 by monoscout999

[PersonalP]

I've put a copy of the file up on my public Dropbox at - it wont be there forever though. I've zipped it and changed the file extension to try and make sure no one accidentally runs it.

Edited July 5, 2011 by big_daddy

[bogQ]

you did not change it its still .exe, its trojan downloader from testing it, pls reedit your post and remove your link.

Instal some AV like Avast and do full system schan on butting. Use HijackThis or some similar program to remove reg key from startup if its still there if you need.

Link reported,

Im shure that if needed modernators will ask you to put the link in PM, posting it on forum like this even with changed extension isn't wise.

Edit: you know what's funny, i had identical virus thing 1 year ago on laptop that did not had avast, identical file identical errors, its killing me to see that someone writed some virus (assuming that it's a virus) like this and that he made array mistake that terminates the code ^^.

Edited July 5, 2011 by bogQ

[Chimaera]

can you use Sandboxie?

or a similar program

Then open it contained within the sandbox so it cant damage the system

http://www.sandboxie.com/

Are you sure you havent downloaded someones code and run it and its left a piece on the drive or added itself to the startup?

Maybe a reboot after script install or something like that.

Chimaera

[bogQ]

Are you sure you havent downloaded someones code and run it and its left a piece on the drive or added itself to the startup?

I haven't installed AutoIt myself, so I'm assuming that it's been installed as a dependency for another program.

Edited July 5, 2011 by bogQ

[Chimaera]

Are you sure you havent downloaded someones code and run it and its left a piece on the drive or added itself to the startup?

Maybe a reboot after script install or something like that.

Chimaera

Ok as an exe maybe?, not everyone releases source .. and then run it

[GEOSoft]

Here is what I suspect has happened.

The OP has downloaded a malicious file probably inadvertantly. The part that annoys me is we may have helped the sub-moron write that code and that concept always pisses me off.

I've been in touch with the OP by PM requesting a copy of the file (I have a plan, don't worry). The link he provided here and in his PM reply just 404s so far which is probably an indication it was either scanned or reported so it's no longer available.

I won't post in a public forum what it was that made me suspicious to begin with but I definitly was suspicious as soon as I read his first post and I still feel the same way about that file.

[monoscout999]

The report of the file scaned by VirusTotal Report VT

Can someone remove the link?

[Tripredacus]

The link does work for me. It is written in AutoIT, but is made out to be a Winrar file. But WinRaR can't open it. It definately does attempt to go online and log into a website. Other than that I couldn't tell you what it does.

[GEOSoft]

@PersonalP

I also need you to search your system for a file named poclbminst.exe and another named poclbm.exe. The first may be in the Root dir of your drive and the second is probably in the Windows folder.

Delete both files.

It may also be advantagious to do a file search of all files including non-indexed locations for "poclbm*" and rename them by just adding an extra .old extension to the filename.

[PersonalP]

Thanks for spending so much time looking into this GEOSoft.

I had a look around on my system and found:

C:\poclbminst.exe

C:\Windows\poclbm.exe

I've renamed them both with a ".old" suffix.

I looked up Poclbm, and looks like it's used for generating Bitcoins:

https://en.bitcoin.it/wiki/Poclbm

I have various Python files on my computer as well (e.g. python26.dll) - and I certainly haven't installed Python. Python is used by the Bitcoin generator.

[BrewManNH]

It appears that someone has created an app. that creates bitcoins using other peoples computers to do the work for them. Sounds illegal to me, good thing they can't code very well.

[PersonalP]

Symantec have a "submit a possible virus" form as well at http://www.symantec.com/business/security_response/submitsamples.jsp - I've submitted a copy there. I'll let you know if they get anything back to me.

[GEOSoft]

It does come up as a virus.

@BrewManNH

That is a large part of what the script does and I've already been in touch with the administrator of BitCoins by email as well as tipping of hmamail.com about the user and what he is doing.

I might not be able to stop him but I'm sure I can make life difficult enough.

I already have a feeling about which AutoIt member it was and that person is already banned.

With enough contact with enough people I'm hoping to eventually turn up at least a valid IP address for the individual. I have a newly formatted and reinstalled laptop here that has mysteriously become infected and, if there is any legal recourse against any individual or entity, you can bet that's the way I'll go. Unfortunatly if he is in the country I think he's in the goverment and authorities will just ignore it anyway.

[Tripredacus]

Interesting, I wonder if it is related (at all) to that Bitcoin heighst that happened last month where the dude got fleeced for almost half a mil (USD) as read here:

http://www.techworld.com.au/article/390609/symantec_uncovers_bitcoin-stealing_trojan/

[BrewManNH]

This whole Bitcoins thing sounds so stupid. I don't see this replacing money anytime soon. Not to mention, it's probably way too easy to cheat/lie/steal your way to making "money" like the way this program does.