Adware-carrying MSTHA.EXE file: recognize and prevent

MSTHA.EXE adware disguised as a fake system file

You may have seen a system-like pop-up that asks you to update Chromium or set Bing as the default search engine, yet noticed nothing else out of the ordinary, at least at first glance. Then, suspiciously, MSTHA.EXE, a system file, starts running on your computer. These symptoms suggest that you may have encountered the MSTHA virus.

There has been a significant increase in the number of reports about MSTHA[1] infecting computers. Seemingly, system-like pop-ups [2] are asking users to update various services. Although the pop-ups do not seem intrusive and show up only once a day, this is still a malicious application that you must get rid of.

Interestingly enough, the malware behaves like a basic system update: it shows up at regular intervals, but unlike most system updates, which stay in the background, it displays pop-ups.

Random downloads and ads can be dangerous

The two main vectors of MSTHA distribution are ads and bundleware. A computer gets infected when the user either clicks on an ad displayed on a suspicious website or downloads the adware alongside legitimate applications. Once it is on your computer, it can manifest itself in 3 different ways:

The first approach is a disguised system file. It is the most widely encountered distribution approach, and it is where the name MSTHA virus comes from. The adware attaches itself to a legitimate system application called MSTHA.EXE. It does so by editing registry entries and creating a small file that hijacks the legitimate application to carry out its malicious intentions.

Afterward, it adds a system schedule entry that launches this application every 24h. It takes the system pop-up design from this EXE, but the contents of the pop-up are overridden with malicious content.

The second variant of the virus, slightly less common, is called Chromium Virus. It usually comes with various forms of bundleware and less often through ads. Chromium virus can either do the same type of injection as the initial variant, hijacking the MSTHA process, or it can manifest itself through CHROMIUM.EXE.

The latter is much more noticeable and a little easier to deal with. It also adds the same system schedule entry, alongside additional pop-ups from CHROMIUM.EXE.

The third variant, which has been detected recently, is the Amazon Assistant virus. It comes as a browser extension or bundleware. Claiming to be a legitimate Amazon managing service, it causes a significant number of pop-ups both in the browser and on the desktop. Its detection is the easiest and quickest of the 3, although its removal can be a little troublesome.

Is MSTHA.EXE on your PC legitimate?

One of the easier ways to check whether your MSTHA.EXE was hijacked is with the help of the Task Manager. When you open the Task Manager, the hijacked process will have a slightly higher load than usual and will look slightly different from other system files. If you are familiar with Windows, you will notice the difference.

Additionally, you could look for Chromium or Amazon Assistant (AA) processes. If they are there, there is a high chance that your MSTHA.EXE is also hijacked.

A more advanced approach for MSTHA detection is to browse through the folders manually. The most common paths for MSTHA are these:

C:\Users\username\AppData\Local\{Random Hex key} (the file is usually named setup.log)

C:\Users\username\AppData\Roaming\UpdateTask (the entire folder)

Deleting the infected files or killing the processes and using anti-malware software should remove its traces. Just remember to remove the scheduled task from Windows Task Scheduler; otherwise it will keep displaying the uninfected pop-up.
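The manual checks described above can be collected into one read-only PowerShell triage pass; this is an added example, not a tool from the article or from any vendor. It assumes that "{Random Hex key}" means a folder name made of hex digits (optionally with braces and dashes) and, because the article does not name the scheduled task, it matches tasks by what they launch.

```powershell
# Read-only triage for the locations named in the article. Nothing is deleted.
# Assumption: "{Random Hex key}" is a folder whose name is hex digits, optionally
# wrapped in braces and split by dashes. Adjust $hexName if your case differs.
$hexName  = '^\{?[0-9A-Fa-f][0-9A-Fa-f-]{7,}\}?$'
# Process names exactly as spelled in the article.
$names    = 'mstha', 'chromium'
$findings = @()

# 1. %LOCALAPPDATA%\<hex folder>\setup.log
Get-ChildItem -LiteralPath $env:LOCALAPPDATA -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $hexName } |
    ForEach-Object {
        $log = Join-Path $_.FullName 'setup.log'
        if (Test-Path -LiteralPath $log) {
            $findings += [pscustomobject]@{ Type = 'File'; Item = $log; Detail = "Folder created $($_.CreationTime)" }
        }
    }

# 2. %APPDATA%\UpdateTask (the article flags the entire folder)
$updateTask = Join-Path $env:APPDATA 'UpdateTask'
if (Test-Path -LiteralPath $updateTask) {
    $count = @(Get-ChildItem -LiteralPath $updateTask -Recurse -Force -ErrorAction SilentlyContinue).Count
    $findings += [pscustomobject]@{ Type = 'Folder'; Item = $updateTask; Detail = "$count item(s) inside" }
}

# 3. Scheduled tasks whose action references the executables or folder above.
$needle = 'mstha\.exe|chromium\.exe|\\UpdateTask\\'
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $needle) {
            $findings += [pscustomobject]@{ Type = 'Task'; Item = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd.Trim() }
        }
    }
}

# 4. Running processes with the names above, with the path of the image on disk.
Get-Process -Name $names -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($_.Name) (PID $($_.Id))"; Detail = $_.Path }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'Nothing matched the locations listed above.' }
```

A match is a lead to review, not a verdict: a legitimate system task can also launch a system binary, so compare the task's action and the process image path against what you expect before removing anything.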

Ugnius Kiguolis