I did a routine check with avast (updated and running properly) yesterday and it told me that the file C:\Windows\winstart.bat could not be scanned because it is offline and not available at the moment (translated freely because I run avast in German). When I wanted to investigate further, I found that the file does not show up in Windows Explorer, although I have “show hidden files” activated. A little internet research revealed that the file can be created by trojans, I was however not able to find any solutions to the problem.
I downloaded Malwarebytes Anti-Malware and ran a scan, it discovered 4 PUPs which I removed. Another scan found nothing wrong, but avast still showed the problem with winstart.bat (Malwarebytes logs attached).
Is the winstart.bat harmful and if yes, how can I remove it?
Thank you in advance for your help and sorry for the multiple posts at first, that was not on purpose.
Posted logs do not show active malware. Let’s check additionally …
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
• Type winstart.bat into the Search: field in FRST then click the Search File(s) button.
• FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
• Please attach it to your reply.
This shall perform additional PUP/AdWare cleaning …
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
• Click on the Scan button.
• After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
• After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
• Post logfile will also be saved in the C:\AdwCleaner folder.
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-10-2014 01
Ran by Lucas at 2014-10-11 00:08:30 Run:2
Running from C:\Users\Lucas\Desktop
Loaded Profiles: Lucas & UpdatusUser (Available profiles: Lucas & UpdatusUser)
Boot Mode: Normal
==============================================
There is no active malware on board. Logs came as clean. You can report that to avast! lab as FP.
Winstart.bat is a batch file (text file) which contains commands that can be used to run other processes or tasks when you execute it and is usually located in the C:\Windows folder. Winstart.bat was used on older Windows Operating Systems like Windows 95, 98 and ME and was executed every time Windows starts just like AUTOEXEC.BAT as described here. Winstart.bat was also used to load memory-resident utilities in Windows applications in order to run DOS applications under Microsoft Windows version 3.00 as described in Microsoft Article ID: 69186 but it could be misused for malicious purposes.
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. Tool will create a report for you (C:\DelFix.txt)
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and creates a fresh system restore point after cleaning.
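
An added example, not part of the thread or of any tool mentioned in it: a PowerShell check of whether C:\Windows\winstart.bat really exists on disk and, if so, what it contains. It assumes PowerShell 4.0 or later (for Get-FileHash), and the keyword list is constructed for illustration only.

```powershell
# Added example: inspect a startup batch file that Explorer does not display.
# Assumes PowerShell 4.0 or later and the path named in the thread.
$path = Join-Path $env:windir 'winstart.bat'

# -Force returns items carrying the Hidden or System attribute. Files flagged
# both Hidden and System stay invisible in Explorer until "Hide protected
# operating system files" is also turned off.
$item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

if ($null -eq $item) {
    Write-Output "Not found: $path"
}
elseif ($item.PSIsContainer) {
    Write-Output "$path is a directory, not a batch file"
}
else {
    # Attributes, size and timestamps show how and when the file appeared.
    $item | Format-List FullName, Attributes, Length, CreationTime, LastWriteTime | Out-Host

    # A hash allows comparison against a known sample.
    Get-FileHash -LiteralPath $path -Algorithm SHA256 | Format-List Algorithm, Hash | Out-Host

    # A batch file is plain text: list the first commands it would run.
    $lines = Get-Content -LiteralPath $path -Force
    $lines | Select-Object -First 50 | ForEach-Object { '    ' + $_ }

    # Point out lines that start another program or reference a URL
    # (constructed keyword list, not a complete detection rule).
    $keywords = 'start ', 'call ', 'powershell', 'cscript', 'wscript', 'regsvr32', 'http'
    $lines | Select-String -Pattern $keywords -SimpleMatch |
        Format-Table LineNumber, Line -AutoSize | Out-Host
}
```

A "Not found" result is consistent with the false-positive conclusion reached in the thread: there is no file on disk for the scanner to open.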