mhtmlredir.exploit

Archived from groups: microsoft.public.windowsxp.basics

If this is the forum for this question please let me know which is the
appropriate forum.

A recent Norton Virus scan showed a "virus found" which was "automatically
deleted".

"The file C:\Program Files\Norton SystemWorks\Norton
Antivirus\Quarantine\74702E1C is infected with the MHTMLRedir.Exploit
virus."

The file name being "74702E1C" but a second scan will give a different file
name, file name changes with each scan. I have done Spybot spyware and
Ad-Aware scans.

Searching Symantec for removal instructions I get the following removal
instructions:

"Because this is an exploit only, there are no removal instructions, since
there is nothing to remove. This is a detection for the exploit, preventing
the execution of malicious content on your computer. By detecting the
exploit, it is prevented from running."

How do I get rid of this "mhtmlredir.Exploit"? Is it a registry key I have
to change? Where did it come from? My firewall was down for a bit, was
that the origin? Actually, I just want to get rid of it, stop it from
reoccurring?

Thanks, Bob
  1.

    HTML.MHTMLRedir!exploit is a generic detection of web pages or e-mail
    messages which attempt to exploit the "MHTML URL Processing" vulnerability
    in Internet Explorer.

    This does not necessarily mean that a virus has been found. It merely means
    that HTML code was found which attempts to activate additional executable
    code without the user's express permission. This exploit can be used in a
    malicious web page or inside e-mail messages to execute code of the
    attacker's choice on the user's machine. Users of Internet Explorer and
    applications such as Outlook or Outlook Express that employ Internet
    Explorer to render HTML content are vulnerable to this exploit.
    Microsoft have released a patch to address this issue. Please visit
    Microsoft for further information and to apply the relevant patches:
    http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx

    Note: this detection may be triggered by merely visiting a web page that
    contains malicious code. It does not necessarily mean your machine has been
    compromised, nor that your machine is vulnerable to this particular exploit.

    If this exploit is being detected in the Temporary Internet Files directory,
    in order to remove unwanted files from your computer, you will have to
    remove all off-line content from your PC.

    The Temporary Internet Files (or cache) folder contains Web page content
    that is stored on your hard disk for quick viewing. This cache permits
    Internet Explorer or MSN Explorer to download only the content that has
    changed since you last viewed a Web page, instead of downloading all the
    content for a page every time it is displayed. To delete the files in the
    Temporary Internet Files folder, follow these steps:

    To delete *all* Temporary Internet Files...

    1) Start | Run | Type: inetcpl.cpl | OK
    Or right click the Internet Explorer icon on your Desktop.
    Or: Start | Settings | Control Panel | Internet Options.
    Best to do this with all instances of Internet Explorer closed. Especially
    if there are a large number of files.
    2) On the General Tab, in the middle of the screen, click on Delete Files
    3) Check the box: Delete all offline content
    4) Click on OK and wait for the hourglass icon to stop after it deletes the
    temporary internet files
    5) You can now click on Delete Cookies and click OK to delete cookies that
    websites have placed on your hard drive.
    -----

    Empty out your temp folder also...
    Start | Run | Type: %tmp% | Click OK |
    Delete everything in the right hand pane.

    --
    Hope this helps. Let us know.

    Wes
    MS-MVP Windows Shell/User

  2.

    Go to Start>All Programs>Norton SystemWorks>Norton Antivirus>Quarantine and
    when the window opens you should see the file. Delete it.

    --
    Colin Barnhorst [MVP Windows - Virtual Machine]
    (Reply to the group only unless otherwise requested)
  3.

    I meant to add, if any files have been quarantined, you can remove. If not,
    then you probably need take no further action.

    --
    Colin Barnhorst [MVP Windows - Virtual Machine]
    (Reply to the group only unless otherwise requested)
  4.

    Nope, each scan of the folder indicates the infected file was deleted, yet
    another one is deleted (thus created) with each scan. The security bulletin
    doesn't seem to want to install as it states I do not have the proper form of
    Outlook installed (it is). I deleted the temp folders etc with no luck. Is
    it a registry key causing this? The only mention is the infected file being
    automatically deleted from the Quarantine folder. A search of the folder
    shows nothing, should I delete everything in that folder? I can not be the
    only person who has had this issue, and new to me.

    Help


  5.

    It does not appear in the folder as Norton indicates it was automatically
    deleted. I do not know what recreates this infected file.

  6.

    Boot to Safe Mode and run Norton again.

    --
    Frank Saunders, MS-MVP, IE/OE
    Please respond in Newsgroup only. Do not send email
    http://www.fjsmjs.com
    Protect your PC
    http://www.microsoft.com./athome/security/protect/default.aspx
    http://defendingyourmachine.blogspot.com/
  7.

    Damn I must be slow this weekend. As the scan showed the infected file was
    in the quarantined folder, and I did not think anything in there was really
    needed, I deleted most of the contents and .. problem solved. Thanks for your
    help

  8.

    You're welcome.

    --
    Colin Barnhorst [MVP Windows - Virtual Machine]
    (Reply to the group only unless otherwise requested)