Author Topic: Questions about Winstart.bat  (Read 8219 times)

Offline Kazera

Questions about Winstart.bat
« on: September 04, 2010, 06:13:23 PM »
Hello everyone,


I've used Avast! for about 3 years now, I learned a great deal about internet security and switched to Avast! after losing several various online accounts to keyloggers and whatever else was lurking on my HD back then. Since switching to Avast! I have not had a single issue with viruses whatsoever.  

However, this week I did a regular manual virus scan (I scan at least once a month) and I received a very curious message in the results log which looked like this:

"C:\WINDOWS\winstart.bat is offline - it is currently not available (42006)"

I've never received that message before, and all attempts to find out what Winstart.bat is and why Avast! is saying it's "offline" and if Winstart.bat is even supposed to be present in Windows XP have only led me to become more confused, so I decided to come ask someone. ;) I am aware that Winstart.bat is associated with trojans, but is also a normal system file. But I have read more than once that this file shouldn't be present in Windows XP, but other opinions stated that it doesn't really matter, that it's not a threat, etc.... I'm so confused. :S

Also, when I try to locate Winstart.bat in C:\WINDOWS, I can't find it. Even when I have hidden folders shown.

One other thing I thought to be worth mentioning is that my computer has become increasingly sluggish lately, for example it takes between 10-15 seconds to open up a program such as Firefox. Even after running a full defrag, and cleaning the registry up regularly, my computer is slow. When starting up Windows, startup times vary. I do not have a medley of programs set to run at startup.

So far, Avast! is the only AV that has given me this message.

I use Windows XP Home/SP3
My firewall is Comodo, which is consistently at high security settings.

EDIT: I also cannot add winstart.bat to the chest.... for some reason I can't click the "Apply" button.

So my questions are:

1.) Why is Avast! showing me this message? (What is "offline" and how did it get marked as that?)
2.) What does Winstart.bat do exactly, and is it even normally part of Windows XP?
3.) If Winstart.bat is a threat to my security, how do I tell? And if it is determined to be a threat, how do I remove it?

I of course am willing to provide additional details as needed.


Thanks in advance for any information you can provide me! :)
« Last Edit: September 04, 2010, 06:26:53 PM by Kazera »

Offline Pondus

Re: Questions about Winstart.bat
« Reply #1 on: September 04, 2010, 07:44:41 PM »
Quote
So far, Avast! is the only AV that has given me this message.
Does this mean you have more than one AV installed?

Why you should never run more than one AV (see reply from quietman7)
http://www.bleepingcomputer.com/forums/index.php?s=49db784baecf17e7b189c833aafb624d&showtopic=260844&view=findpost&p=1441638

Why Shouldn’t I Install More Than One Antivirus Program At A Time?
http://www.security-faqs.com/why-shouldnt-i-install-more-than-one-antivirus-program-at-a-time.html
« Last Edit: September 04, 2010, 08:02:50 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Pondus

Re: Questions about Winstart.bat
« Reply #2 on: September 04, 2010, 08:01:22 PM »
From the Malwarebytes forum, I found that the file "winstart.bat" can be created by certain malware programs.


Try running this

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always run update before you scan so you have the latest database.
Click the "Remove Selected" button to quarantine anything found.
You may post the scan log here.
« Last Edit: September 04, 2010, 08:41:13 PM by Pondus »


Offline polonus

Re: Questions about Winstart.bat
« Reply #3 on: September 04, 2010, 08:11:19 PM »
Hi Pondus,

This is how it all started: The WINSTART.BAT file in Windows 95 and 98 loads TSR programs required for Windows-based programs but not needed in MS-DOS sessions. This file, if it exists, is usually in the C:\Windows folder, and is executed every time Windows starts — just like AUTOEXEC.BAT, except that AUTOEXEC.BAT is also launched during a DOS startup. You can examine and edit the contents of WINSTART.BAT with Notepad. You can temporarily suspend any line of WINSTART.BAT by placing REM (followed by a space) in front of the line. (Note that this is ignored in all other versions of Windows, since there is no need to differentiate MS-DOS session behavior.)
Re: http://www.securelist.com/en/descriptions/old18504
Re: http://www.threatexpert.com/report.aspx?md5=3bcbca23cdf9a9d914095e4b90fc6eaf

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Kazera

Re: Questions about Winstart.bat
« Reply #4 on: September 04, 2010, 11:05:39 PM »
Quote
So far, Avast! is the only AV that has given me this message.
Does this mean you have more than one AV installed?

Why you should never run more than one AV (see reply from quietman7)
http://www.bleepingcomputer.com/forums/index.php?s=49db784baecf17e7b189c833aafb624d&showtopic=260844&view=findpost&p=1441638

Why Shouldn’t I Install More Than One Antivirus Program At A Time?
http://www.security-faqs.com/why-shouldnt-i-install-more-than-one-antivirus-program-at-a-time.html

No, I have scanned with online scanners such as Trend Micro's HouseCall.

Avast! is my only installed AV.

I will try MalwareBytes and see what happens.

Offline Kazera

Re: Questions about Winstart.bat
« Reply #5 on: September 05, 2010, 09:18:54 PM »
Malwarebytes' turned up with nothing. :P Starting to think this winstart.bat thing is nothing serious. But I still don't understand what "file is offline" is all about, and why Avast! can't scan the file.

Offline polonus

Re: Questions about Winstart.bat
« Reply #6 on: September 05, 2010, 09:28:14 PM »
Hi Kazera.

Did you try to upload it to virustotal, and what results did you get there?
This could clear the issue up and set your mind at ease, it's your choice to keep or to remove it then. There are sources that claim that the presence of the file will speed up the boot process by a second. However the file isn't needed and it makes no difference if it's present or not.
The winstart.bat file could indeed be created by certain malware programs. If it is being protected by a rootkit it could be hidden from the Windows API, so you would not find it even if you had all hidden files revealed. Re: http://www.raymond.cc/forum/spyware-viruses/18528-avast-5-free-showing-infection-of-win-32-malware-gen.html
If the latter is the case we should ask for the qualified elimination expertise of essexboy to get rid of it as avast apparently can not... I have sent him a PM, when he is available I think he will instruct you what to do.
If there is no generic malware involved, this could be the cause of the error message:
http://support.microsoft.com/kb/69186/

polonus
« Last Edit: September 05, 2010, 09:35:52 PM by polonus »

Offline Kazera

Re: Questions about Winstart.bat
« Reply #7 on: September 05, 2010, 09:49:55 PM »
Hello Polonus,

I tried VirusTotal, the result was 0/43, with "0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware."

While waiting for the analysis, I was reading a comment posted about winstart.bat on VirusTotal that states the following:

"Scanned with Spybot S&D, Malwarebytes, SuperAntiSpyware and none of these detect this file as a problem. Avast Free 5 detects it and states it is Offline, It is found here: C:\WINDOWS\winstart.bat When right-clicking and choosing to edit it opens with Notepad as intended and shows up blank but has a file size of 2 bytes. VirusTotal shows 0/42 so no rating has been done for this file, hopefully this info helps someone a little but since I cannot determine exactly what it is I'm afraid it is pretty much useless that this even get submitted."



The more I dig into the issue the more I get the impression that there's a lot of confusion about this file, lol.  :P  In regards to your post, it is indeed my situation that I cannot locate winstart.bat in C:\WINDOWS, even though I have enabled hidden files & folders to be shown. I hope that what you say isn't what's really happening as far as a rootkit goes, but I'd like to determine for sure somehow if there really is something lurking on my hard drive so that I can combat it.  :) Thank you for your assistance! I will watch for essexboy.
« Last Edit: September 05, 2010, 09:52:28 PM by Kazera »
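
As an added illustration (not code from any poster in this thread or from avast), a read-only triage of a startup batch file along the lines discussed above: it reports the size and SHA-256 (usable for a hash lookup on VirusTotal) and separates active lines from lines suspended with REM. The function names and sample contents are constructed for this example; that a 2-byte file showing blank in Notepad is a lone CRLF is an assumption.

```python
import hashlib
import re
from pathlib import Path

# Constructed samples (not taken from any real system):
EMPTY_SAMPLE = b"\r\n"  # assumption: a 2-byte file that looks blank in Notepad
MIXED_SAMPLE = (b"@echo off\r\n"
                b"REM C:\\TOOLS\\OLDTSR.EXE\r\n"
                b"C:\\TOOLS\\EXAMPLE.EXE /quiet\r\n")


def triage_batch_bytes(data: bytes) -> dict:
    """Summarise a batch file's raw bytes without executing anything."""
    text = data.decode("latin-1")  # maps every byte, never raises
    active, suspended = [], []
    for raw in re.split(r"\r\n|\r|\n", text):
        line = raw.strip()
        if not line:
            continue
        # A leading '@' only hides echo; "REM " in front suspends the line.
        bare = line.lstrip("@").lstrip().upper()
        if bare == "REM" or bare.startswith(("REM ", "REM\t")):
            suspended.append(line)
        else:
            active.append(line)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),  # for a hash lookup
        "active": active,
        "suspended": suspended,
        "verdict": "review active lines" if active else "no commands",
    }


def triage_batch_file(path) -> dict:
    """Triage a file on disk; report when the file API cannot see it."""
    p = Path(path)
    if not p.is_file():
        return {"verdict": "not visible through the file API"}
    return triage_batch_bytes(p.read_bytes())


if __name__ == "__main__":
    for name, sample in (("empty", EMPTY_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(name, triage_batch_bytes(sample))
```

On the affected machine, the path from the scan log (C:\WINDOWS\winstart.bat) would be passed to `triage_batch_file`.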

Offline Pondus

Re: Questions about Winstart.bat
« Reply #8 on: September 05, 2010, 09:55:41 PM »
Quote
but I'd like to determine for sure somehow if there really is something lurking on my hard drive so that I can combat it.

Follow this guide from Essexboy and post the logs
http://forum.avast.com/index.php?topic=53253.0

To avoid using 20 posts with copy and paste, you have to attach the logs

Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and MBAM scan log)
« Last Edit: September 06, 2010, 05:37:06 AM by Pondus »


Offline leahv

Re: Questions about Winstart.bat
« Reply #9 on: January 22, 2013, 08:53:33 AM »
Normally I would "consider starting a new topic," but I have the exact same problem as this person on this thread! (See Kazera of course - 1st posted Sept 4/10) My computer has never had this result show ("C:\WINDOWS\winstart.bat is offline - it is currently not available (42006)") after an avast full scan before; this is the first time.  Avast is my only AV.  My computer has been lagging lately and was having some trouble crashing etc. recently.  The scan did not show any other viruses/issues, but in the past (last year) had a really big problem (not this one) (and was fixed), but I have been left a little gun-shy now and want to make sure whatever is causing this new problem is eliminated.  Please note as well, I just completely removed Avast from my machine today and redownloaded it b/c it was completely not working. It had some security warning and wouldn't work at all (freezing up and everything).  So now it's working but has this mysterious file that it can't open.  I hope you will help me get rid of the problem on my computer!  :'(  Thank you so much, Leah   ;D
« Last Edit: January 22, 2013, 08:59:57 AM by leahv »

Offline Pondus

Re: Questions about Winstart.bat
« Reply #10 on: January 22, 2013, 10:02:54 AM »
@leahv follow the guide in my post above...
start new topic, and attach the requested logs


 
