mhtml.redir.
Reply Mon 5 Jul, 2004 08:52 pm
Hi there,

I have an mhtml.redir bug and for the life of me I can't get rid of it.
EZ Antivirus spots it, but it doesn't identify it on a scan. I also use Ad-Aware, but it keeps returning. Does anyone have any experience with this bug?
If so, can you help please, and thanks.

 
Craven de Kere
Reply Mon 5 Jul, 2004 09:25 pm
Does it happen any time you visit any site or only on specific ones?

Have you cleared your web cache?
 
Canary51
Reply Tue 6 Jul, 2004 01:48 pm
It just happens at any time, not specific to a website or not. It happens when I boot up also. EZ Antivirus pops up relentlessly telling of this bug, but when I scan with it, it doesn't find it. Also I use Ad-Aware and Spybot S&D. I have Norton also, and while they mention it in their reference files for Dec 03, it doesn't eradicate it.
It's a damn pain in the butt. I am currently working with Lavasoft on it and have sent HJT logs in, but so far nothing has come out of it. I originally had a bug that had a blank webpage and then constantly referred me to spyware listings. I haven't had this for a while, but as soon as that was resolved this immediately appeared.
Thanks for any help.
 
Craven de Kere
Reply Tue 6 Jul, 2004 02:16 pm
Well, if I remember correctly, it's just a JavaScript in an HTML file.

Usually they get flagged when a site launches them. It shouldn't be doing so on booting up.

Clear your cache and disable and re-enable System Restore.

Post a HJT log here for good measure; maybe something is launching popups that go to a page with this exploit.
 
Cyanure
Reply Tue 6 Jul, 2004 02:29 pm
mhtml.redir is an exploit that can be fixed by a Microsoft patch:

http://securityresponse.symantec.com/avcenter/venc/data/mhtmlredir.exploit.html
 
Craven de Kere
Reply Tue 6 Jul, 2004 02:35 pm
Yeah, and it may already be patched on his box. But the AV will still flag it.

BTW Canary51, this is a very low-level exploit; Norton and most big AV programs don't even flag it, they just kill it silently.
 
Canary51
Reply Tue 6 Jul, 2004 07:04 pm
Hi there, and thanks:

HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 9:00:59 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\eTrust EZ Firewall\ca.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Canary\Desktop\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Canary\My Documents\Trojanspy utilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.discoverneo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Documents and Settings\Administrator\Start Menu\Programs\eTrust EZ Firewall\ca.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [TrojanShield Protector] C:\Program Files\TrojanShield\Port.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O21 - SSODL: System - {11665005-026D-4F6B-9954-64A14282A831} - C:\WINDOWS\system32\system32.dll

Should I delete EZ Antivirus? That's the one causing the pop-up. I have Norton now.
I attach my latest defrag: I am concerned about the 70 megs at the bottom that can't be defragged. Is that acceptable? Not very computer literate, I am afraid.
Thanks again.
Volume (C:)
Volume size = 74.47 GB
Cluster size = 4 KB
Used space = 9.06 GB
Free space = 65.41 GB
Percent free space = 87 %

Volume fragmentation
Total fragmentation = 0 %
File fragmentation = 0 %
Free space fragmentation = 0 %

File fragmentation
Total files = 45,093
Average file size = 244 KB
Total fragmented files = 3
Total excess fragments = 564
Average fragments per file = 1.01

Pagefile fragmentation
Pagefile size = 766 MB
Total fragments = 1

Folder fragmentation
Total folders = 2,893
Fragmented folders = 1
Excess folder fragments = 0

Master File Table (MFT) fragmentation
Total MFT size = 65 MB
MFT record count = 48,057
Percent MFT in use = 71 %
Total MFT fragments = 3

--------------------------------------------------------------------------------
Fragments File Size Files that cannot be defragmented
545 70 MB \System Volume Information\catalog.wci\00010008.ci
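Picking the odd entries out of an HJT log by eye is easy to get wrong. The parser below is an added example (my own code, not HijackThis output and not anything posted in this thread): it splits a v1.98-style log into the running-process list and the Oxx/Rx entries, then reports the running processes that no O4 autostart entry accounts for, which is one way to narrow a log like the one above down to the items worth a closer look. The excerpt and the core-process set are constructed assumptions.

```python
import re
# Constructed HijackThis v1.98-style excerpt (lines from the log above, not all of it).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O21 - SSODL: System - {11665005-026D-4F6B-9954-64A14282A831} - C:\WINDOWS\system32\system32.dll
"""
# Assumption: core Windows processes that always run and need no Run entry.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")  # "O4 - HKLM\..\Run: [name] cmd"

def parse_hjt(text):
    """Return (running process paths, [(code, rest), ...] for the Oxx/Rx lines)."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            entries.append(m.groups())
    return processes, entries

def autostart_basenames(entries):
    """Executable names launched by O4 entries: first token of the command, quotes honoured."""
    names = set()
    for code, rest in entries:
        if code == "O4":
            cmd = rest.split("] ", 1)[-1]           # drop the "[name] " prefix
            m = re.match(r'"([^"]+)"|(\S+)', cmd)  # quoted path or bare first token
            if m:
                names.add((m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower())
    return names

def unexplained_processes(text):
    """Running processes that no O4 entry launches and that are not core processes."""
    processes, entries = parse_hjt(text)
    known = autostart_basenames(entries) | CORE_PROCESSES
    return [p for p in processes if p.rsplit("\\", 1)[-1].lower() not in known]
```

A process left in that list is not proof of anything; it only means the log shows no Run entry for it, so its launcher (a service, another program, or something HijackThis 1.98 does not list) still has to be found.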
 
Craven de Kere
Reply Thu 8 Jul, 2004 12:58 pm
C:\WINDOWS\kdx\KHost.exe

and

C:\Program Files\Common Files\Stardock\SDMCP.exe

look fishy, after a quick once-over.

I think you may well have some spyware installed.

Download, install, update and run Spybot and Ad-Aware.

As to EZ Antivirus, yes, you should uninstall all of the AV programs except Norton, if Norton is your main one now.