suspicious mshta.exe a virus?

triniP

Commendable
Dec 9, 2016
1
0
1,510
0
Hello all,

I believe windows/SysWOW64/mshta.exe is a virus. I got a popup saying to update chromium, after not using chrome for weeks, and knowing that chrome updates automatically and chromium is a separate browser that I have never used. Links to the popup: http://imgur.com/a/l9Xud

Any ideas if it is a virus? I believe it is but I can't be sure. Any recommendations on how to remove it?
Thanks in advance for the replies!
 

u2desire420

Commendable
May 17, 2016
13
0
1,570
1
Given the date modified matches other files in that screenshot I would say it is not likely a virus. The size of 13 KB also matches the size of mine.
 

nekoxandu

Commendable
Jan 16, 2017
2
0
1,520
1
Alright, so like u2desire420 said, 'mshta.exe' is not a virus, and it is a legitimate Microsoft Executable, but I myself have had this same pop-up occur, and decided to do some deeper investigation into it.

I see from your screenshot that you opened the Task Manager to look into the task that was running, and I did the same thing, you just needed to go one step further. Expand that particular running task and you will see a file with a file-path that leads here: C:\Users\USERNAME\AppData\Local\{INSERT_RANDOM_HEXKEY_HERE}. The file in question that is causing the pop-up is in that directory, and is named 'setup.log'. That is what is using 'mshta.exe' to cause these pop-ups. I tried deleting the entire folder, and thought that this would solve the problem. But a couple of weeks later, it reappeared. I tried running MBAM, and that did not pick up on the new offending file, so I dug a little deeper.

Pay attention to about the time that the pop-up occurred. I just so happened to be up on my computer around 1am, and that's right around when the pop-up showed up. I checked in the Task Scheduler and looked for any task scheduled to run around that same time. I found this task: http://imgur.com/Hi2yuXa. It's scheduled to run at 1:03am. Double-click the task to see the details. Hop over to the 'Actions' tab and you will see this: http://imgur.com/a/3Yd5u. It's referencing a file located at: C:\Users\USERNAME\AppData\Roaming\UpdateTask\SyncTask.exe.

I believe that if you delete the file located at C:\Users\USERNAME\AppData\Local\{INSERT_RANDOM_HEXKEY_HERE}, and the folder located at C:\Users\USERNAME\AppData\Roaming\UpdateTask, as well as removing the task from the Task Scheduler, you will be rid of your problem. I must admit that I cannot guarantee it because I have only just deleted mine, although I have not had the pop-up return yet.

Let me know what you find out.
 

GalaxianGaming

Prominent
Apr 28, 2017
5
0
510
0
I have the same exact popup but did it appear for you again after doing that?? cause I'm too scared to delete anything without being sure 0_0 and my SyncTask is located at local instead of Roaming :T there is no file that is supicous on roaming but the random hexkey named folder in the local folder is present... should I delete that folder and then delete the task??
 

nekoxandu

Commendable
Jan 16, 2017
2
0
1,520
1


I can confidently say that since the day I did the instructions in my post, I have not had the pop-up come back at all. I don't think the order in which you delete them matters, just delete both.
 

GalaxianGaming

Prominent
Apr 28, 2017
5
0
510
0
ok so ive deleted the folder that is named with random hexkeys in the local folder and deleted the task in task scheduler, however there aren't any suspicious folders on the roaming folder 0_0 ill update you if it appears again or not but I'm confident it wont :D
 

CoffeeHamster

Prominent
Jun 23, 2017
1
0
510
0


So for some reason I've followed the filepath of the setup.exe and the user file that it is supposedly in doesn't exist. Do you happen to know why this is?
 

andrew_aj

Prominent
Jul 7, 2017
1
0
510
0
So when I attempted to delete the folder in the local folder it said i needed administrator permission to continue to I clicked continue. Then I still said that and the only option was try again but I am the administrator on my computer. Any way to fix it?
 
Thread starter Similar threads Forum Replies Date
C Antivirus / Security / Privacy 2
A Antivirus / Security / Privacy 3
P Antivirus / Security / Privacy 1
D Antivirus / Security / Privacy 9
B Antivirus / Security / Privacy 16
B Antivirus / Security / Privacy 1
B Antivirus / Security / Privacy 2
T Antivirus / Security / Privacy 1
Z Antivirus / Security / Privacy 3
S Antivirus / Security / Privacy 2
G Antivirus / Security / Privacy 1
itsVance Antivirus / Security / Privacy 1
Wobbleman1 Antivirus / Security / Privacy 3
CAaronD Antivirus / Security / Privacy 2
S Antivirus / Security / Privacy 4
J Antivirus / Security / Privacy 1
anoori9000 Antivirus / Security / Privacy 8
daniel_blacke Antivirus / Security / Privacy 3
kimatahi Antivirus / Security / Privacy 6
Max Guymer Antivirus / Security / Privacy 2

Similar threads


ASK THE COMMUNITY