
mhtmlredir.exploit

Anonymous
March 4, 2005 10:06:41 PM

Archived from groups: microsoft.public.windowsxp.basics

If this is the forum for this question please let me know which is the
appropriate forum.

A recent Norton Virus scan showed a "virus found" which was "automatically
deleted".

"The file C:\Program Files\Norton SystemWorks\Norton
Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
virus."

The file name being "74702E1C" but a second scan will give a different file
name, file name changes with each scan. I have done Spybot spyware and
Ad-Aware scans.

Searching Symantec for removal instructions I get the following removal
instructions:

"Because this is an exploit only, there are no removal instructions, since
there is nothing to remove. This is a detection for the exploit, preventing
the execution of malicious content on your computer. By detecting the
exploit, it is prevented from running."

How do I get rid of this "mhtmlredir.Exploit". Is it a registry key I have
to change? Where did it come from? My firewall was down for a bit, was
that the origin? Actually, I just want to get rid of it, stop it from
reoccurring?

Thanks, Bob


Anonymous
March 4, 2005 11:36:56 PM

Archived from groups: microsoft.public.windowsxp.basics

HTML.MHTMLRedir!exploit is a generic detection of web pages or e-mail
messages which attempt to exploit the "MHTML URL Processing" vulnerability
in Internet Explorer.

This does not necessarily mean that a virus has been found. It merely means
that HTML code was found which attempts to activate additional executable
code without the user's express permission. This exploit can be used in a
malicious web page or inside e-mail messages to execute code of the
attacker's choice on the user's machine. Users of Internet Explorer and
applications such as Outlook or Outlook Express that employ Internet
Explorer to render HTML content are vulnerable to this exploit.
Microsoft have released a patch to address this issue. Please visit
Microsoft for further information and to apply the relevant patches:
http://www.microsoft.com/technet/security/bulletin/ms04...

Note: this detection may be triggered by merely visiting a web page that
contains malicious code. It does not necessarily mean your machine has been
compromised, nor that your machine is vulnerable to this particular exploit.

If this exploit is being detected in the Temporary Internet Files directory,
in order to remove unwanted files from your computer, you will have to
remove all off-line content from your PC

The Temporary Internet Files (or cache) folder contains Web page content
that is stored on your hard disk for quick viewing. This cache permits
Internet Explorer or MSN Explorer to download only the content that has
changed since you last viewed a Web page, instead of downloading all the
content for a page every time it is displayed. To delete the files in the
Temporary Internet Files folder, follow these steps:

To delete *all* Temporary Internet Files...

1) Start | Run | Type: inetcpl.cpl | OK
Or right click the Internet Explorer icon on your Desktop.
Or: Start | Settings | Control Panel | Internet Options.
Best to do this with all instances of Internet Explorer closed. Especially
if there are a large number of files.
2) On the General Tab, in the middle of the screen, click on Delete Files
3) Check the box "Delete all offline content"
4) Click on OK and wait for the hourglass icon to stop after it deletes the
temporary internet files
5) You can now click on Delete Cookies and click OK to delete cookies that
websites have placed on your hard drive.
-----

Empty out your temp folder also...
Start | Run | Type: %tmp% | Click OK |
Delete everything in the right hand pane.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:eFquZBTIFHA.3588@TK2MSFTNGP14.phx.gbl,
Bob H <bobandshauna@shaw.ca> hunted and pecked:
> If this is the forum for this question please let me know which is the
> appropriate forum.
>
> A recent Norton Virus scan showed a "virus found" which was
> "automatically deleted".
>
> "The file C:\Program Files\Norton SystemWorks\Norton
> Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
> virus."
>
> The file name being "74702E1C" but a second scan will give a
> different file name, file name changes with each scan. I have done
> Spybot spyware and Ad-Aware scans.
>
> Searching Symantec for removal instructions I get the following
> removal instructions:
>
> "Because this is an exploit only, there are no removal instructions,
> since there is nothing to remove. This is a detection for the
> exploit, preventing the execution of malicious content on your
> computer. By detecting the exploit, it is prevented from running."
>
> How do I get rid of this "mhtmlredir.Exploit". Is it a registry key I
> have to change? Where did it come from? My firewall was down for a
> bit, was that the origin? Actually, I just want to get rid of it,
> stop it from reoccurring?
>
> Thanks, Bob
Anonymous
March 4, 2005 11:39:51 PM

Archived from groups: microsoft.public.windowsxp.basics

Go to Start>All Programs>Norton SystemWorks>Norton Antivirus>Quarantine and
when the window opens you should see the file. Delete it.

--
Colin Barnhorst [MVP Windows - Virtual Machine]
(Reply to the group only unless otherwise requested)
"Bob H" <bobandshauna@shaw.ca> wrote in message
news:eFquZBTIFHA.3588@TK2MSFTNGP14.phx.gbl...
> If this is the forum for this question please let me know which is the
> appropriate forum.
>
> A recent Norton Virus scan showed a "virus found" which was "automatically
> deleted".
>
> "The file C:\Program Files\Norton SystemWorks\Norton
> Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
> virus."
>
> The file name being "74702E1C" but a second scan will give a different
> file name, file name changes with each scan. I have done Spybot spyware
> and Ad-Aware scans.
>
> Searching Symantec for removal instructions I get the following removal
> instructions:
>
> "Because this is an exploit only, there are no removal instructions, since
> there is nothing to remove. This is a detection for the exploit,
> preventing the execution of malicious content on your computer. By
> detecting the exploit, it is prevented from running."
>
> How do I get rid of this "mhtmlredir.Exploit". Is it a registry key I have
> to change? Where did it come from? My firewall was down for a bit, was
> that the origin? Actually, I just want to get rid of it, stop it from
> reoccurring?
>
> Thanks, Bob
>
>
Anonymous
March 5, 2005 12:17:09 AM

Archived from groups: microsoft.public.windowsxp.basics

I meant to add, if any files have been quarantined, you can remove. If not,
then you probably need take no further action.

--
Colin Barnhorst [MVP Windows - Virtual Machine]
(Reply to the group only unless otherwise requested)
"Colin Barnhorst" <colinbarharst(nojunk)@msn.com> wrote in message
news:uLca%23TTIFHA.720@TK2MSFTNGP10.phx.gbl...
> Go to Start>All Programs>Norton SystemWorks>Norton Antivirus>Quarantine
> and when the window opens you should see the file. Delete it.
>
> --
> Colin Barnhorst [MVP Windows - Virtual Machine]
> (Reply to the group only unless otherwise requested)
> "Bob H" <bobandshauna@shaw.ca> wrote in message
> news:eFquZBTIFHA.3588@TK2MSFTNGP14.phx.gbl...
>> If this is the forum for this question please let me know which is the
>> appropriate forum.
>>
>> A recent Norton Virus scan showed a "virus found" which was
>> "automatically deleted".
>>
>> "The file C:\Program Files\Norton SystemWorks\Norton
>> Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
>> virus."
>>
>> The file name being "74702E1C" but a second scan will give a different
>> file name, file name changes with each scan. I have done Spybot spyware
>> and Ad-Aware scans.
>>
>> Searching Symantec for removal instructions I get the following removal
>> instructions:
>>
>> "Because this is an exploit only, there are no removal instructions,
>> since there is nothing to remove. This is a detection for the exploit,
>> preventing the execution of malicious content on your computer. By
>> detecting the exploit, it is prevented from running."
>>
>> How do I get rid of this "mhtmlredir.Exploit". Is it a registry key I
>> have to change? Where did it come from? My firewall was down for a bit,
>> was that the origin? Actually, I just want to get rid of it, stop it
>> from reoccurring?
>>
>> Thanks, Bob
>>
>>
>
>
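
The triage the replies above arrive at (a cached copy, a temp copy, or the scanner re-detecting an item already in its own Quarantine), as an added Python example that is not part of the thread or of Norton's tooling. The message format is the one Bob quoted; the rule table, the `classify` and `triage` names, and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Message format as quoted in the thread's first post.
DETECTION = re.compile(
    r"The file (?P<path>.+?) is infected with the (?P<name>\S+) virus\.")

# Hypothetical rule table: (label, lowercase path fragment, follow-up).
# The follow-ups are the ones suggested by the replies in this thread.
RULES = [
    ("quarantine", "\\quarantine\\",
     "already contained; delete the item from the Norton Quarantine window"),
    ("ie-cache", "\\temporary internet files\\",
     "cached web content; delete Temporary Internet Files and offline content"),
    ("temp", "\\temp\\", "empty the %tmp% folder"),
]
DEFAULT = ("other", "outside cache and quarantine; rescan in Safe Mode")

# First entry is the message from the thread (wrapped as posted);
# the remaining entries are constructed sample lines.
SAMPLE_REPORT = r"""
The file C:\Program Files\Norton SystemWorks\Norton
Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
virus.
The file C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0A1B2C3D is infected with the MHTMLRedir.Exploit virus.
The file C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\page[1].htm is infected with the MHTMLRedir.Exploit virus.
The file C:\Documents and Settings\Bob\Local Settings\Temp\attach.htm is infected with the MHTMLRedir.Exploit virus.
The file C:\WINDOWS\system32\example.dll is infected with the MHTMLRedir.Exploit virus.
"""


def classify(path):
    """Map a detected path to (location label, suggested follow-up)."""
    lowered = path.lower()
    for label, fragment, action in RULES:
        if fragment in lowered:
            return label, action
    return DEFAULT


def triage(report):
    """Return (rows, counts): one row per detection, plus a tally per
    (detection name, location) so repeats in one place stand out."""
    # Scan reports wrap long paths across lines, so collapse whitespace first.
    flat = " ".join(report.split())
    rows = []
    for match in DETECTION.finditer(flat):
        label, action = classify(match["path"])
        rows.append({"path": match["path"], "name": match["name"],
                     "location": label, "action": action})
    counts = Counter((row["name"], row["location"]) for row in rows)
    return rows, counts


if __name__ == "__main__":
    rows, counts = triage(SAMPLE_REPORT)
    for row in rows:
        print(f'{row["location"]:<10} {row["path"]}\n{"":<10} -> {row["action"]}')
    for (name, location), n in counts.items():
        print(f"{name} in {location}: {n} detection(s)")
```

Repeated detections that all fall under `quarantine`, each with a different file name, match what Bob reports: the scanner is flagging items it has already contained rather than a new infection.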
Anonymous
March 5, 2005 2:22:38 AM

Archived from groups: microsoft.public.windowsxp.basics

Nope, each scan of the folder indicates the infected file was deleted, yet
another one is deleted (thus created) with each scan. The security bulletin
doesn't seem to want to install as it states I do not have the proper form of
Outlook installed (it is). I deleted the temp folders etc. with no luck. Is
it a registry key causing this? The only mention is the infected file being
automatically deleted from the Quarantine folder. A search of the folder
shows nothing, should I delete everything in that folder? I cannot be the
only person who has had this issue, and new to me.

Help


"Wesley Vogel" <123WVogel955@comcast.net> wrote in message
news:em1XVSTIFHA.3332@TK2MSFTNGP15.phx.gbl...
> HTML.MHTMLRedir!exploit is a generic detection of web pages or e-mail
> messages which attempt to exploit the "MHTML URL Processing" vulnerability
> in Internet Explorer.
>
> This does not necessarily mean that a virus has been found. It merely
> means
> that HTML code was found which attempts to activate additional executable
> code without the user's express permission. This exploit can be used in a
> malicious web page or inside e-mail messages to execute code of the
> attacker's choice on the user's machine. Users of Internet Explorer and
> applications such as Outlook or Outlook Express that employ Internet
> Explorer to render HTML content are vulnerable to this exploit.
> Microsoft have released a patch to address this issue. Please visit
> Microsoft for further information and to apply the relevant patches:
> http://www.microsoft.com/technet/security/bulletin/ms04...
>
> Note: this detection may be triggered by merely visiting a web page that
> contains malicious code. It does not necessarily mean your machine has
> been
> compromised, nor that your machine is vulnerable to this particular
> exploit.
>
> If this exploit is being detected in the Temporary Internet Files
> directory,
> in order to remove unwanted files from your computer, you will have to
> remove all off-line content from your PC
>
> The Temporary Internet Files (or cache) folder contains Web page content
> that is stored on your hard disk for quick viewing. This cache permits
> Internet Explorer or MSN Explorer to download only the content that has
> changed since you last viewed a Web page, instead of downloading all the
> content for a page every time it is displayed. To delete the files in the
> Temporary Internet Files folder, follow these steps:
>
> To delete *all* Temporary Internet Files...
>
> 1) Start | Run | Type: inetcpl.cpl | OK
> Or right click the Internet Explorer icon on your Desktop.
> Or: Start | Settings | Control Panel | Internet Options.
> Best to do this with all instances of Internet Explorer closed.
> Especially
> if there are a large number of files.
> 2) On the General Tab, in the middle of the screen, click on Delete Files
> 3) Check the box "Delete all offline content"
> 4) Click on OK and wait for the hourglass icon to stop after it deletes
> the
> temporary internet files
> 5) You can now click on Delete Cookies and click OK to delete cookies that
> websites have placed on your hard drive.
> -----
>
> Empty out your temp folder also...
> Start | Run | Type: %tmp% | Click OK |
> Delete everything in the right hand pane.
>
> --
> Hope this helps. Let us know.
>
> Wes
> MS-MVP Windows Shell/User
>
> In news:eFquZBTIFHA.3588@TK2MSFTNGP14.phx.gbl,
> Bob H <bobandshauna@shaw.ca> hunted and pecked:
>> If this is the forum for this question please let me know which is the
>> appropriate forum.
>>
>> A recent Norton Virus scan showed a "virus found" which was
>> "automatically deleted".
>>
>> "The file C:\Program Files\Norton SystemWorks\Norton
>> Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
>> virus."
>>
>> The file name being "74702E1C" but a second scan will give a
>> different file name, file name changes with each scan. I have done
>> Spybot spyware and Ad-Aware scans.
>>
>> Searching Symantec for removal instructions I get the following
>> removal instructions:
>>
>> "Because this is an exploit only, there are no removal instructions,
>> since there is nothing to remove. This is a detection for the
>> exploit, preventing the execution of malicious content on your
>> computer. By detecting the exploit, it is prevented from running."
>>
>> How do I get rid of this "mhtmlredir.Exploit". Is it a registry key I
>> have to change? Where did it come from? My firewall was down for a
>> bit, was that the origin? Actually, I just want to get rid of it,
>> stop it from reoccurring?
>>
>> Thanks, Bob
>
Anonymous
March 5, 2005 2:24:05 AM

Archived from groups: microsoft.public.windowsxp.basics

It does not appear in the folder as Norton indicates it was automatically
deleted. I do not know what recreates this infected file.

"Colin Barnhorst" <colinbarharst(nojunk)@msn.com> wrote in message
news:uLca%23TTIFHA.720@TK2MSFTNGP10.phx.gbl...
> Go to Start>All Programs>Norton SystemWorks>Norton Antivirus>Quarantine
> and when the window opens you should see the file. Delete it.
>
> --
> Colin Barnhorst [MVP Windows - Virtual Machine]
> (Reply to the group only unless otherwise requested)
> "Bob H" <bobandshauna@shaw.ca> wrote in message
> news:eFquZBTIFHA.3588@TK2MSFTNGP14.phx.gbl...
>> If this is the forum for this question please let me know which is the
>> appropriate forum.
>>
>> A recent Norton Virus scan showed a "virus found" which was
>> "automatically deleted".
>>
>> "The file C:\Program Files\Norton SystemWorks\Norton
>> Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
>> virus."
>>
>> The file name being "74702E1C" but a second scan will give a different
>> file name, file name changes with each scan. I have done Spybot spyware
>> and Ad-Aware scans.
>>
>> Searching Symantec for removal instructions I get the following removal
>> instructions:
>>
>> "Because this is an exploit only, there are no removal instructions,
>> since there is nothing to remove. This is a detection for the exploit,
>> preventing the execution of malicious content on your computer. By
>> detecting the exploit, it is prevented from running."
>>
>> How do I get rid of this "mhtmlredir.Exploit". Is it a registry key I
>> have to change? Where did it come from? My firewall was down for a bit,
>> was that the origin? Actually, I just want to get rid of it, stop it
>> from reoccurring?
>>
>> Thanks, Bob
>>
>>
>
>
Anonymous
March 5, 2005 11:02:36 AM

Archived from groups: microsoft.public.windowsxp.basics

"Bob H" <bobandshauna@shaw.ca> wrote in message
news:%23xSLPRVIFHA.3484@TK2MSFTNGP12.phx.gbl
> It does not appear in the folder as Norton indicates it was
> automatically
> deleted. I do not know what recreates this infected file.
>
> "Colin Barnhorst" <colinbarharst(nojunk)@msn.com> wrote in message
> news:uLca%23TTIFHA.720@TK2MSFTNGP10.phx.gbl...
>> Go to Start>All Programs>Norton SystemWorks>Norton Antivirus>Quarantine
>> and when the window opens you should see the file. Delete it.
>>
>> --
>> Colin Barnhorst [MVP Windows - Virtual Machine]
>> (Reply to the group only unless otherwise requested)
>> "Bob H" <bobandshauna@shaw.ca> wrote in message
>> news:eFquZBTIFHA.3588@TK2MSFTNGP14.phx.gbl...
>>> If this is the forum for this question please let me know which is the
>>> appropriate forum.
>>>
>>> A recent Norton Virus scan showed a "virus found" which was
>>> "automatically deleted".
>>>
>>> "The file C:\Program Files\Norton SystemWorks\Norton
>>> Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
>>> virus."
>>>
>>> The file name being "74702E1C" but a second scan will give a different
>>> file name, file name changes with each scan. I have done Spybot spyware
>>> and Ad-Aware scans.
>>>
>>> Searching Symantec for removal instructions I get the following removal
>>> instructions:
>>>
>>> "Because this is an exploit only, there are no removal instructions,
>>> since there is nothing to remove. This is a detection for the exploit,
>>> preventing the execution of malicious content on your computer. By
>>> detecting the exploit, it is prevented from running."
>>>
>>> How do I get rid of this "mhtmlredir.Exploit". Is it a registry key I
>>> have to change? Where did it come from? My firewall was down for a
>>> bit,
>>> was that the origin? Actually, I just want to get rid of it, stop it
>>> from reoccurring?
>>>
>>> Thanks, Bob

Boot to Safe Mode and run Norton again.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/defau...
http://defendingyourmachine.blogspot.com/
Anonymous
March 6, 2005 9:53:10 PM

Archived from groups: microsoft.public.windowsxp.basics

Damn I must be slow this weekend. As the scan showed the infected file was
in the quarantined folder, and I did not think anything in there was really
needed, I deleted most of the contents and .. problem solved. Thanks for your
help.

"Colin Barnhorst" <colinbarharst(nojunk)@msn.com> wrote in message
news:%236jp0oTIFHA.2564@tk2msftngp13.phx.gbl...
>I meant to add, if any files have been quarantined, you can remove. If
>not, then you probably need take no further action.
>
> --
> Colin Barnhorst [MVP Windows - Virtual Machine]
> (Reply to the group only unless otherwise requested)
> "Colin Barnhorst" <colinbarharst(nojunk)@msn.com> wrote in message
> news:uLca%23TTIFHA.720@TK2MSFTNGP10.phx.gbl...
>> Go to Start>All Programs>Norton SystemWorks>Norton Antivirus>Quarantine
>> and when the window opens you should see the file. Delete it.
>>
>> --
>> Colin Barnhorst [MVP Windows - Virtual Machine]
>> (Reply to the group only unless otherwise requested)
>> "Bob H" <bobandshauna@shaw.ca> wrote in message
>> news:eFquZBTIFHA.3588@TK2MSFTNGP14.phx.gbl...
>>> If this is the forum for this question please let me know which is the
>>> appropriate forum.
>>>
>>> A recent Norton Virus scan showed a "virus found" which was
>>> "automatically deleted".
>>>
>>> "The file C:\Program Files\Norton SystemWorks\Norton
>>> Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
>>> virus."
>>>
>>> The file name being "74702E1C" but a second scan will give a different
>>> file name, file name changes with each scan. I have done Spybot spyware
>>> and Ad-Aware scans.
>>>
>>> Searching Symantec for removal instructions I get the following removal
>>> instructions:
>>>
>>> "Because this is an exploit only, there are no removal instructions,
>>> since there is nothing to remove. This is a detection for the exploit,
>>> preventing the execution of malicious content on your computer. By
>>> detecting the exploit, it is prevented from running."
>>>
>>> How do I get rid of this "mhtmlredir.Exploit". Is it a registry key I
>>> have to change? Where did it come from? My firewall was down for a
>>> bit, was that the origin? Actually, I just want to get rid of it, stop
>>> it from reoccurring?
>>>
>>> Thanks, Bob
>>>
>>>
>>
>>
>
>
Anonymous
March 7, 2005 12:23:06 AM

Archived from groups: microsoft.public.windowsxp.basics

You're welcome.

--
Colin Barnhorst [MVP Windows - Virtual Machine]
(Reply to the group only unless otherwise requested)
"Bob H" <bobandshauna@shaw.ca> wrote in message
news:uAyGDDsIFHA.2640@TK2MSFTNGP09.phx.gbl...
> Damn I must be slow this weekend. As the scan showed the infected file
> was in the quarantined folder, and I did not think anything in there was
> really needed, I deleted most of the contents and .. problem solved.
> Thanks for your help.
>
> "Colin Barnhorst" <colinbarharst(nojunk)@msn.com> wrote in message
> news:%236jp0oTIFHA.2564@tk2msftngp13.phx.gbl...
>>I meant to add, if any files have been quarantined, you can remove. If
>>not, then you probably need take no further action.
>>
>> --
>> Colin Barnhorst [MVP Windows - Virtual Machine]
>> (Reply to the group only unless otherwise requested)
>> "Colin Barnhorst" <colinbarharst(nojunk)@msn.com> wrote in message
>> news:uLca%23TTIFHA.720@TK2MSFTNGP10.phx.gbl...
>>> Go to Start>All Programs>Norton SystemWorks>Norton Antivirus>Quarantine
>>> and when the window opens you should see the file. Delete it.
>>>
>>> --
>>> Colin Barnhorst [MVP Windows - Virtual Machine]
>>> (Reply to the group only unless otherwise requested)
>>> "Bob H" <bobandshauna@shaw.ca> wrote in message
>>> news:eFquZBTIFHA.3588@TK2MSFTNGP14.phx.gbl...
>>>> If this is the forum for this question please let me know which is the
>>>> appropriate forum.
>>>>
>>>> A recent Norton Virus scan showed a "virus found" which was
>>>> "automatically deleted".
>>>>
>>>> "The file C:\Program Files\Norton SystemWorks\Norton
>>>> Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
>>>> virus."
>>>>
>>>> The file name being "74702E1C" but a second scan will give a different
>>>> file name, file name changes with each scan. I have done Spybot
>>>> spyware and Ad-Aware scans.
>>>>
>>>> Searching Symantec for removal instructions I get the following removal
>>>> instructions:
>>>>
>>>> "Because this is an exploit only, there are no removal instructions,
>>>> since there is nothing to remove. This is a detection for the exploit,
>>>> preventing the execution of malicious content on your computer. By
>>>> detecting the exploit, it is prevented from running."
>>>>
>>>> How do I get rid of this "mhtmlredir.Exploit". Is it a registry key I
>>>> have to change? Where did it come from? My firewall was down for a
>>>> bit, was that the origin? Actually, I just want to get rid of it, stop
>>>> it from reoccurring?
>>>>
>>>> Thanks, Bob
>>>>
>>>>
>>>
>>>
>>
>>
>
>