If your computer has begun flashing mysterious blank pop-up windows and hesitating during simple tasks that should normally only take a moment to complete, or if you’ve spotted something named Update1.hta buried among your active processes, then you’re almost certainly facing a Trojan Horse like Update1.hta that’s made itself far too comfortable.
Discussions on security boards describe the Update1.hta script as displaying typical Trojan Horse characteristics in both the way it enters the user’s PC and the way it gains access to admin-level system settings. Update1.hta initiates execution through three separate mshta.exe processes. Apparently, it’s a threat similar to Trojans like Trojan.Cryxos and is very often the cause of blank pop-up windows such as Microservice-update-s2-bucket.cc, Microservice-update-s1-bucket.cc and Polystore9-servicebucket.cc.
As such, script Update1.hta can tweak system settings without user permission, create scheduled tasks to keep itself alive, and install helper files built to resist casual deletion. Some users report unwanted downloads; others notice subtle attempts to gather browsing data or financial details. It’s also not uncommon for this malware to use excessive amounts of RAM and GPU to mine for Bitcoins.
The longer Update1.hta lingers, the more leverage it gains and the more issues it can cause, so removing it promptly is essential. The good news is we’ve got two valid solutions to help you remove it – a detailed manual removal guide and a professional anti-malware tool (SpyHunter 5) that’s great at dealing with such malware. Both of them can be found on this page.
We tested that SpyHunter successfully removes Update1.hta* and we recommend using it. It will block Update1.hta from reinstalling itself and it will make sure your device is clean from any malware.
Step-by-step Update1.hta Removal Guide
Start with the simplest approach and attempt to remove Update1.hta through Windows built-in uninstall tools before you do any deeper work. This first pass is quick, low-risk, and often strips away components that would otherwise complicate the rest of the cleanup.
Quick removal of Update1.hta using Apps & Features
- 1.1 Start with the standard uninstall area if Update1.hta appears there: open the Start Menu, go to Settings, and open the main panel where Windows groups apps and other system options.
- 1.2 In Settings, click Apps to display the list of installed programs. Use the available sort or search controls to narrow down what was added recently or what you rarely use.
- 1.3 Change the sort option to Installation date so the newest entries rise to the top. New or unexpected items are easier to identify when they are grouped by when they were installed.
- 1.4 When you identify a program that could be linked to the infection, select it, choose Uninstall, and follow the prompts. Let the uninstaller complete fully without closing its windows early.
- 1.5 Next, open C:\Users\YourUsername\AppData\Local\Programs in File Explorer. Look for folders tied to apps you just removed or for directories with meaningless names that do not match known software.
- 1.6 If you find a leftover folder, delete it manually. Restart Windows afterward so any locked files are released and you can confirm that the uninstalled program does not return.
After restarting, confirm that the unwanted program has disappeared from the list and that no related icons appear. If anything remains, that is typical for more persistent threats, so continue with the rest of the guide to clear hidden components and relaunch mechanisms.
How to Completely Remove Update1.hta from Windows
When the malware is still running, you can observe how it behaves in real time. With Update1.hta active, its files, folders, and launch points are easier to trace, which helps you map where it lives on disk before you start removing persistence.
1. Preparing for the Update1.hta Removal
- 1.2 Stubborn files can refuse to delete, so install LockHunter. This small utility integrates into the context menu and lets you see which process keeps a file open and remove locked executables or DLLs safely.
Most of this guide relies on built-in Windows tools, so you stay in control of every change. When a file refuses to delete because Windows reports that it is in use, LockHunter simply provides a safer way to identify the lock and remove the item.
LockHunter is free, does not include ads, and does not require an account. The download is small, and installation usually takes only a minute or two.
Remove Update1.hta Processes From the Task Manager
Simply killing one process is rarely enough for a persistent threat. The instructions below help you locate the running executable tied to Update1.hta, remove the files it uses, and then close the process so it cannot immediately start again after a reboot or logon.
2. Terminate suspicious Update1.hta processes and remove their files
- 2.1 To examine Update1.hta while it is running, press Ctrl + Shift + Esc to open Task Manager and review the list of active processes, their names, and how much CPU and memory they consume.
- 2.2 If Task Manager opens in its compact view, click More details. The expanded window shows background processes, publisher information, and startup impact, which makes it easier to spot something unusual.
- 2.4 Right-click any suspicious entry and choose Open file location. Check which folder it runs from and whether the publisher or file name matches software you intentionally installed.
- 2.5 Try deleting the folder that contains the executable. If Windows refuses because the file is in use, run LockHunter, select What’s locking this file?, release the lock, and remove the file and folder through the utility.
- 2.6 After removing the backing file, return to Task Manager and click End task on the same process. Ending it after the binary is gone reduces the chance of an instant restart and prepares the system for the next checks.
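An .hta script runs inside mshta.exe, so the command line of each mshta.exe process shows which script it loaded and from where. The following PowerShell is an added example, not part of the original guide; it only reads process information and changes nothing.

```powershell
# Added example: show what each running mshta.exe was started with.
# Run from an elevated prompt; CommandLine is empty for processes you cannot query.
$rows = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'mshta.exe'") {
    # Look up the parent, but trust it only if it is older than the child:
    # Windows reuses process IDs, so a newer process with that ID is unrelated.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = '(already exited)'
    if ($parent -and $parent.CreationDate -le $p.CreationDate) {
        $parentName = $parent.Name
    }
    [pscustomobject]@{
        ProcessId   = $p.ProcessId
        Started     = $p.CreationDate
        ParentId    = $p.ParentProcessId
        ParentName  = $parentName
        CommandLine = $p.CommandLine   # contains the .hta path or URL handed to mshta.exe
    }
}
$rows | Sort-Object Started | Format-List
```

Note the script path from CommandLine before ending the process, since that is the file to delete in step 2.5.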
Delete Update1.hta-Related Files and Folders
Many intrusions lean on startup folders and scattered helper executables across user and program directories. Cleaning these locations severely limits relaunch attempts and strips away the support files that could otherwise bring Update1.hta back after reboot, even when you believe you already removed the main executable.
3. Purge startup and program folders related to Update1.hta
- 3.1 Begin with the startup folders that often relaunch Update1.hta after login: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and C:\Users\YourUsername\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. Remove shortcuts and executables you do not recognize or that were created around the time the issue began.
- 3.2 In each Startup folder, leave desktop.ini in place and delete any other files that look out of place. If Windows reports that removal is blocked, run LockHunter to find the locking process and erase the file securely.
- 3.3 Check the main program locations next – C:\Program Files and C:\Program Files (x86). Look for recently created, empty, or oddly named folders that do not belong to software you actually use and remove those directories.
- 3.4 Inspect user-specific locations as well: C:\Users\YourUsername\AppData\Local\, C:\Users\YourUsername\AppData\Local\Programs, and C:\Users\YourUsername\AppData\Roaming\Microsoft\Windows\Start Menu\Programs. These paths often store launchers, updater components, or scripts tied to unwanted programs.
Disable Update1.hta Scheduled Tasks in Windows
Scheduled tasks are a common way for Update1.hta to return even after you delete its main files. By checking each task’s trigger and target file, you can see what runs at logon or on a timer and remove both the scheduled entry and the underlying executable.
4. Disable scheduled tasks that relaunch the Update1.hta script
- 4.2 Open a task by double-clicking it to bring up its Properties window. On the Actions tab, check which program or script runs and whether any command-line parameters are included.
- 4.3 Pay special attention to tasks whose actions point to AppData, Roaming, or other user folders, particularly if the names look random. Unexpected paths for well-known vendors deserve extra scrutiny.
- 4.4 When you confirm that a task is unwanted, copy the full path shown under Actions, then delete the task from Task Scheduler so it no longer runs automatically.
- 4.5 Use File Explorer to open the copied path and delete the associated executable or script. Removing both the task and its payload stops the same command from being scheduled again on reboot.
- 4.6 Work through every folder and subfolder inside the Task Scheduler Library, including those created by installers. Persistence mechanisms often hide under generic or misleading task names.
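Clicking through every Task Scheduler folder by hand is slow, so the review in steps 4.2 to 4.6 can be done in one pass. This PowerShell is an added example, not part of the original guide; the match pattern (mshta.exe, .hta files, AppData paths) is an assumption drawn from the behaviour described on this page, and the script only lists tasks without deleting anything.

```powershell
# Added example: list scheduled tasks whose action matches the traits this guide describes.
# The pattern is an assumption to start from; widen or narrow it for your own system.
$pattern = 'mshta(\.exe)?|\.hta\b|\\AppData\\|%AppData%|%LocalAppData%'

# Get-ScheduledTask with no arguments returns tasks from every library folder.
$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "start a program" actions have Execute/Arguments; others yield an empty string.
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $pattern) {
            $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                LastRun = $info.LastRunTime
                Command = $cmd          # the full path to copy in step 4.4
            }
        }
    }
}
$hits | Sort-Object Task | Format-List
```

Legitimate software also schedules tasks that run from AppData, so treat each hit as something to inspect in the Properties window rather than as a confirmed infection.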
Remove Update1.hta Entries from the Windows Registry
Even when the visible components are gone, Registry entries related to Update1.hta can remain in autostart and policy locations. The goal here is to remove only suspicious values while leaving trusted services intact, so you cut remaining launch points without destabilizing Windows.
5. Remove Update1.hta leftovers via Registry Editor
- 5.1 Open Registry Editor so you can inspect startup data that might keep Update1.hta running: press Win + R, type regedit, and press Enter to launch the editor.
- 5.2 Use Ctrl + F to search for the exact name of the application you removed earlier. This often reveals leftover service definitions, shell extensions, or configuration keys.
- 5.3 When a match appears, select its key in the left pane and delete it. Press F3 to move to the next result and continue until there are no more matching entries in any hive.
- 5.4 Repeat the search-and-delete process for other questionable programs you saw during earlier steps. Removing their records stops helper components from quietly restoring removed files.
- 5.5 Run one more search for the specific threat name to catch any remaining strings. Deleting the final reference can prevent the system from recreating associated files during startup.
- 5.6 Manually review these frequently used Registry locations for autostart and policy-based launches:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- 5.7 In each of these keys, check the right-hand pane for values pointing to unfamiliar executables or unusual directories. Delete only the specific value entries that look suspicious so legitimate components remain untouched.
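The keys listed in step 5.6 can be read in one pass before you open Registry Editor. This PowerShell is an added example, not part of the original guide; the match pattern is an assumption based on the traits described on this page, and the script is read-only.

```powershell
# Added example: read the autostart keys from step 5.6 and flag values worth a closer look.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup'
)
# Assumed pattern: the mshta.exe host, .hta scripts, and per-user AppData paths.
$pattern = 'mshta(\.exe)?|\.hta\b|\\AppData\\'

$found = @()
foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }        # several of these keys are absent on a normal system
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match $pattern) {
            $found += [pscustomobject]@{ Key = $path; Value = $name; Data = $data }
        }
    }
}

# Services keep their launch command in the ImagePath value of each subkey.
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    $image = [string]$svc.GetValue('ImagePath')
    if ($image -match $pattern) {
        $found += [pscustomobject]@{ Key = $svc.Name; Value = 'ImagePath'; Data = $image }
    }
}
$found | Format-List
```

Each result names the exact value to examine in step 5.7; entries from software you installed yourself will also appear and should be left alone.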
Complete the process by restarting Windows. Watch for a normal login, absence of pop-ups, and stable browser behavior. If you still notice signs linked to Update1.hta or other suspicious activity, run an offline scanner to check for hidden drivers, repair changes, and confirm tasks are gone.




