Windows 10 mshta.exe

[Manakahofski]

A while ago i download a application called bluestacks (at least i think thats what it was called) , an android emulator i didn't like from the start. It tried to install chromium and make all my default search engines yahoo. I promptly deleted it and moved on. 2 months later now a chromium popup say that it needs an update, however i have already gone into the program files and deleted everything in the chromium folder. the popup is run by a program in my sysWOW64 folder called mshta.exe. it doesn't seem extremely harmful because when i close it, it goes away for two or three weeks. I just wanted to go to somewhere i trust and make sure i'm not in danger, and to know if anyone else has ever had this problem.  

 

 (and if I'm in the wrong section again i have this whole thing copied to clipboard so i can move it if necessary) 

 

 

Thanks!

[HPWebcamAble]

Scan your computer with Avast and malewarebytes

[barkloaf]

Check VirusTotal for any seemingly malicious processes. Also scanning with a rescue CD might be a good idea.

[Manakahofski]

4 minutes ago, HPWebcamAble said:

Scan your computer with Avast and malewarebytes

Done, malewarebytes is scanning, ill get avast later after malwarebytes is done. Ty

[ybriK]

Scan in safe mode no networking.

[Manakahofski]

10 minutes ago, ybriK said:

Scan in safe mode no networking.

Sure.. but why?

 

[barkloaf]

2 minutes ago, Manakahofski said:

Sure.. but why?

 

Doesn't load things that may make the virus/adware undetectable, and there's no networking.

[GoodBytes]

You need to uninstall the software, deleting the files doesn't remove the service Chromium installed, and task scheduler entry it puts which, in your case, checks for updates.

 

Do things properly. Go to Program & Features panel, and uninstall Chromium. If you can't (because you deleted the files), then the easiest easiest is to install back Chromium, and uninstall it.

[Manakahofski]

Here Is the Log from the scan, it seemed to get rid of problem judging by all the file names, also it wasn't blustacks, it was a rom i tried to download a while ago.

 

Thanks Everyone Who helped!

                                                                          

      -Manakahofski

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/22/2016
Scan Time: 9:05 AM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.22.04
Rootkit Database: v2016.05.20.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Manakahofski's PC

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 343731
Time Elapsed: 17 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 7
PUP.Optional.InstallCore, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\csastats, Quarantined, [b7350ace5c3d8da9d4f5c41607fcfd03], 
PUP.Optional.InstallCore, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\ICSW1.21, Quarantined, [5d8f32a60e8b9a9c668a1d695ca7f10f], 
PUP.Optional.SearchManager, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [6785fcdc4a4f43f3df5bd9d260a207f9], 
PUP.Optional.WinYahoo, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [c8246b6db0e9979ffa394c589c672cd4], 
PUP.Optional.Spigot, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{7600FBCA-FFC9-4A79-9653-CC1139B72373}, Quarantined, [c62610c8752439fd06080492996a8977], 
PUP.Optional.WinYahoo, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BFREPORT, Quarantined, [30bc09cf257476c0265fc11b7a8955ab], 
PUP.Optional.ProductSetup, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\PRODUCTSETUP, Quarantined, [e5073a9e5d3ca88ef8ae711fc73c0df3], 

Registry Values: 4
PUP.Optional.WinYahoo, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TopResultURLFallback, https://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18¶m1=1¶m2=f[c8246b6db0e9979ffa394c589c672cd4]D4%26b[c8246b6db0e9979ffa394c589c672cd4]DIE%26cc[c8246b6db0e9979ffa394c589c672cd4]Dus%26pa[c8246b6db0e9979ffa394c589c672cd4]DWincy%26cd[c8246b6db0e9979ffa394c589c672cd4]D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26cr[c8246b6db0e9979ffa394c589c672cd4]D1649044263%26a[c8246b6db0e9979ffa394c589c672cd4]Dwncy_lvrms_16_18%26os_ver[c8246b6db0e9979ffa394c589c672cd4]D10.0%26os[c8246b6db0e9979ffa394c589c672cd4]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
PUP.Optional.Spigot, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{7600FBCA-FFC9-4A79-9653-CC1139B72373}|URL, https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=502468&p={searchTerms}, Quarantined, [c62610c8752439fd06080492996a8977]
PUP.Optional.WinYahoo, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BFREPORT|filename, C:\Users\Manakahofski's PC\AppData\Local\{5A706C2C-7ED8-0094-1340-257C3728D9E4}\uninstall.exe, Quarantined, [30bc09cf257476c0265fc11b7a8955ab]
PUP.Optional.ProductSetup, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\PRODUCTSETUP|tb, 0X1F1T1V1G1G, Quarantined, [e5073a9e5d3ca88ef8ae711fc73c0df3]

Registry Data: 1
PUP.Optional.WinYahoo, HKU\S-1-5-21-3523550846-3331861257-1263492253-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18¶m1=1¶m2=fBad: (https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26cr%3D1649044263%26a%3Dwncy_lvrms_16_18%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[9b51ffd9f0a9ab8b0be8f25d0202718f]D1%26bBad: (https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26cr%3D1649044263%26a%3Dwncy_lvrms_16_18%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[9b51ffd9f0a9ab8b0be8f25d0202718f]DIE%26ccBad: (https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26cr%3D1649044263%26a%3Dwncy_lvrms_16_18%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[9b51ffd9f0a9ab8b0be8f25d0202718f]Dus%26paBad: (https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26cr%3D1649044263%26a%3Dwncy_lvrms_16_18%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[9b51ffd9f0a9ab8b0be8f25d0202718f]DWincy%26cdBad: (https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26cr%3D1649044263%26a%3Dwncy_lvrms_16_18%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[9b51ffd9f0a9ab8b0be8f25d0202718f]D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26crBad: (https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26cr%3D1649044263%26a%3Dwncy_lvrms_16_18%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[9b51ffd9f0a9ab8b0be8f25d0202718f]D1649044263%26aBad: (https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26cr%3D1649044263%26a%3Dwncy_lvrms_16_18%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[9b51ffd9f0a9ab8b0be8f25d0202718f]Dwncy_lvrms_16_18%26os_verBad: (https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26cr%3D1649044263%26a%3Dwncy_lvrms_16_18%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[9b51ffd9f0a9ab8b0be8f25d0202718f]D10.0%26osBad: (https://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_lvrms_16_18&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Dzz0C0Bzz0A0CzyyCyCyBzy0E0E0AyEtN0D0Tzu0StCyDzzyEtN1L2XzutAtFtBtCtFtCtFtCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StC0C0E0F0AyBtAtCtGyE0BtA0BtGzz0B0AtBtGyBtCzy0EtGyDyB0ByByD0BtCtBzyyCzyyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtBzy0AyEtA0A0CtG0Ezz0EzytGyEzytDzztGzz0E0FtAtG0CyC0B0D0CtCyC0Azz0B0D0F2QtN0A0LzuyE%26cr%3D1649044263%26a%3Dwncy_lvrms_16_18%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[9b51ffd9f0a9ab8b0be8f25d0202718f]DWindowsGood: (www.google.com)B10Good: (www.google.com)BHome, %4, %5

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.InstallCore, C:\Users\Manakahofski's PC\Downloads\LoveROMs_1015 - Pokemon Diamond (U).exe, Quarantined, [20cceeeaf1a839fdc226caa145bf5fa1], 
PUP.Optional.WinYahoo, C:\Users\Manakahofski's PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HowToRemove.html.lnk, Quarantined, [8765c3159207e551911ffbc56d962dd3], 

Physical Sectors: 0
(No malicious items detected)

(end)

[GoodBytes]

ROM file that ends with .exe.... that's always good.

:facepalm:

 

Be careful on what you download and run on your PC. And it remember: If it asks admin privileges and there is no reason for it to, you know something is wrong, click on "No". For example, if you open a picture file and it request admin... why would a picture needs system level? It doesn't. You know it is virus, or malware. Keep in mind that randsomeware don't need admin privileges to run.

[Manakahofski]

8 minutes ago, GoodBytes said:

You need to uninstall the software, deleting the files doesn't remove the service Chromium installed, and task scheduler entry it puts which, in your case, checks for updates.

 

Do things properly. Go to Program & Features panel, and uninstall Chromium. If you can't (because you deleted the files), then the easiest easiest is to install back Chromium, and uninstall it.

I know one of my friends was like "heres that rom you asked for" looking back on it i feel stupid. trust me.Thanks for the help though! (Quoted wrong post)

[Manakahofski]

7 minutes ago, GoodBytes said:

ROM file that ends with .exe.... that's always good.

:facepalm:

 

Be careful on what you download and run on your PC. And it remember: If it asks admin privileges and there is no reason for it to, you know something is wrong, click on "No". For example, if you open a picture file and it request admin... why would a picture needs system level? It doesn't. You know it is virus, or malware. Keep in mind that randsomeware don't need admin privileges to run.

Thanks for the advice, ill be more careful next time. 

                              

Is there a way to move this response to the top, it can help more people like me i'm sure.

[GoodBytes]

20 minutes ago, Manakahofski said:

Thanks for the advice, ill be more careful next time. 

                              

Is there a way to move this response to the top, it can help more people like me i'm sure.

Yea, don't worry about it. I did my share of computer mistakes when I was younger.

 

Sure to move a post all the way to the top, click on the check mark bellow the post. It will also turn the post green.