Trojan:HTML/Redirector!MTB is a Microsoft Defender detection for HTML or script content that can redirect a browser toward an unwanted or malicious page. If the affected item is in a browser cache, Service Worker cache, INetCache, a mail viewer cache, or a temporary app folder, it often means Defender blocked a cached web resource rather than a full installed Trojan. Keep it quarantined, copy the affected path, clear the matching cache, update Defender, and run a full scan before deciding it was only a false positive.
The path matters more than the label alone. The same family name can appear after a malicious redirect, a compromised website, an email/webmail preview, a qBittorrent tracker favicon/cache file, or an Office document that loads external web resources. Repeated detections after clearing the cache, detections in normal downloads, or browser redirects that continue after reopening the browser deserve deeper cleanup.

Trojan:HTML/Redirector!MTB can point to a quarantined temporary file, browser cache entry, or downloaded HTML resource.

What Trojan:HTML/Redirector!MTB Means
Microsoft lists Trojan:HTML/Redirector!MTB as a Defender Antivirus detection and says technical behavior details are not currently available for the exact label. Microsoft Q&A describes the close Trojan:HTML/Redirector.MKK!MTB variant as an HTML-based redirector detection for web pages or HTML files that redirect users without consent.
That is why this alert is different from a normal executable Trojan. Defender may be reacting to a fragment of HTML, JavaScript, a redirect tag, or an externally loaded resource. It can still be dangerous, especially if the redirect points to phishing, fake updates, exploit pages, scam pop-ups, or malware downloads. But the cleanup path should start with the location Defender reports.
Check the Affected Path First
Open the Defender alert details and copy the full affected-item path. Then compare it with these common cases.
| Where Defender found it | What it usually means and what to do |
|---|---|
| Chrome\User Data\...\Service Worker\CacheStorage, browser cache, or Firefox/Opera/Edge cache | Likely a cached web resource from a page you opened. Keep quarantine, clear cache for that browser, close all tabs from the triggering site, then rescan. |
| INetCache or Temporary Internet Files | Often a Windows/Edge/Office/web preview cache item. Clear browser data, close the app that opened the web content, and rescan. |
| Content.MSO, word\_rels, or an Office document relationship | An Office document may contain external image or web links. Treat the document as suspicious until you confirm the source and remove untrusted external links. |
| Temp\.qBittorrent or a torrent client temp/favicon path | It may be a tracker or web favicon/cache resource. Clear the client cache, avoid the tracker that triggered it, and scan downloads separately. |
| Downloads, a saved .html file, archive extraction folder, startup folder, or repeated normal file path | Higher risk. Do not restore the file. Scan the folder, browser extensions, startup entries, and recently downloaded installers. |
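The path comparison in the table above, as an added PowerShell example (not from the original page or from Microsoft). The function name `Get-RedirectorTriage`, the `Cache` and `cache2` folder names, the `file:_` resource prefix, and the sample paths are assumptions made for illustration.

```powershell
# Added example. Rules mirror the table rows; the first match wins.
# Content.MSO is tested before INetCache because Office keeps it inside INetCache.
$Rules = @(
    [pscustomobject]@{ Case = 'Office document';     Pattern = '\\Content\.MSO\\|word[\\/]_rels' }
    [pscustomobject]@{ Case = 'Torrent client temp'; Pattern = '\\Temp\\\.qBittorrent\\' }
    [pscustomobject]@{ Case = 'Browser cache';       Pattern = '\\Service Worker\\CacheStorage\\|\\Cache\\|\\cache2\\' }
    [pscustomobject]@{ Case = 'INetCache';           Pattern = '\\INetCache\\|\\Temporary Internet Files\\' }
)

function Get-RedirectorTriage {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Resource)
    process {
        # Assumption: Defender resource strings start with a scheme such as "file:_".
        $path = $Resource -replace '^[a-z]+:_', ''
        $hit  = $Rules | Where-Object { $path -match $_.Pattern } | Select-Object -First 1
        [pscustomobject]@{
            # Anything outside the known cache locations lands in the last table row.
            Case = if ($hit) { $hit.Case } else { 'Higher risk: normal file path' }
            Path = $path
        }
    }
}

# Constructed sample resources, not real detections.
$samples = @(
    'file:_C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\0a1b\2c3d\index'
    'file:_C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1A2B3C4D.htm'
    'file:_C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\ABCD1234\page[1].htm'
    'file:_C:\Users\alice\AppData\Local\Temp\.qBittorrent\favicon_tracker.ico'
    'file:_C:\Users\alice\Downloads\invoice.html'
)
$samples | Get-RedirectorTriage | Format-Table -AutoSize -Wrap

# On a live machine, feed real detections instead of $samples:
# $ids = (Get-MpThreat | Where-Object ThreatName -like 'Trojan:HTML/Redirector*').ThreatID
# Get-MpThreatDetection | Where-Object ThreatID -in $ids |
#     ForEach-Object Resources | Get-RedirectorTriage
```

A detection that falls through to the last case, or a cache case that reappears after the cache was cleared, is the signal to move to the deeper cleanup steps.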
What To Do Now
- Leave the detection quarantined. Do not restore or exclude it just because the file is in cache.
- Copy the path and detection variant. Note whether it says Trojan:HTML/Redirector!MTB, Trojan:HTML/Redirector.GPXQ!MTB, Trojan:HTML/Redirector.MKK!MTB, Trojan:HTML/Redirector.RQG!MTB, Trojan:HTML/Redirector.RQV!MTB, or another suffix.
- Close the triggering browser or app. Close suspicious tabs, webmail previews, Office files, and torrent-client web previews before clearing cache.
- Clear the affected cache. In Chrome, Edge, Brave, Opera, or Firefox, clear cached images/files and cookies for the time window around the alert. In Edge, Microsoft documents this under browsing history and clear browsing data. Google documents Chrome cache and cookies through its account help flow.
- Disable suspicious extensions. Remove recently installed extensions, especially download helpers, coupon/search extensions, fake VPNs, or anything that returns after removal. Our browser extension keeps reinstalling itself guide covers the persistence side.
- Update Defender and run a full scan. The exact Microsoft page recommends updated antimalware definitions and a full scan to catch remnants.
- Run a second-opinion malware scan if symptoms persist. Use Gridinsoft Anti-Malware when redirects continue, the alert returns after cache cleanup, or other suspicious files appear outside cache.
- Avoid the triggering site or file. If a specific site, email, torrent tracker, document, or installer repeatedly causes the alert, do not keep testing it on your main Windows profile.
If the alert started after a fake browser update, use our fake Chrome update cleanup guide. If the alert looked like a fake Windows warning in the browser, compare it with the Windows Defender Security Center scam guide before calling any phone number or downloading a “support” tool.
When It Is Probably Cache-Only
A cache-only case is more likely when all of these are true:
- the affected item is only under browser cache, Service Worker cache, INetCache, webmail cache, or a temporary web resource folder;
- you did not download or run an executable from the redirected page;
- the browser stops redirecting after you close the site and clear cache;
- a full Defender scan and a second-opinion scan find nothing else;
- no suspicious extensions, startup entries, scheduled tasks, or account compromise symptoms appear.
In that situation, do not restore the quarantined item, but you usually do not need to format the PC. Keep the event as evidence, avoid the page that triggered it, and watch whether the same label returns during normal browsing.
When To Investigate Deeper
Treat the system as potentially compromised if the alert returns after cache cleanup or if Defender reports normal file locations rather than cache. The same is true when you see pop-ups, search redirects, new extensions, unknown scheduled tasks, browser policies you did not set, new startup entries, or sign-in alerts from your accounts.
For JavaScript-related malware cleanup context, see our TrojanDownloader:JS/Nemucod guide. If Defender or Microsoft Safety Scanner says infected files were found but gives little detail, our Safety Scanner result guide explains what to check before assuming the machine is clean.
Scan And Cleanup Flow
Use this flow after clearing the obvious cache source. It keeps the response proportional: cache detections get cache cleanup and scans; persistent redirects get extension, startup, and malware cleanup.
- Run Defender’s full scan after updating security intelligence.
- Scan the affected browser profile folder and recent downloads with Gridinsoft Anti-Malware.
- Remove suspicious browser extensions and reset notification permissions for sites you do not recognize.
- Check Startup apps and Task Scheduler for unknown browser launchers, scripts, or installers.
- Delete the triggering download, email attachment, HTML file, or torrent item if it was not from a trusted source.
- Reboot, browse normally without returning to the same site, and confirm the alert does not reappear.
Do not add Defender exclusions for Trojan:HTML/Redirector!MTB. Exclusions hide future detections and do not prove the HTML resource was safe. Only consider a false positive after the source is known, the file is not active malware, and clean follow-up scans support that conclusion.
FAQ
Is Trojan:HTML/Redirector!MTB a real virus?
It is a real Defender detection, but it often points to HTML or script content rather than an installed Windows program. A browser-cache path usually means a web resource was blocked or quarantined. A normal download, startup path, or repeated alert is more serious.
Can a cached redirect infect my PC by itself?
A cached HTML redirect does not normally run by itself while it sits in cache. The risk comes from visiting the triggering page, following redirects, downloading files, entering credentials, or having a vulnerable/outdated browser. Clear the cache and scan before revisiting anything related to the alert.
Should I restore the quarantined item?
No. Restoring a cached redirect or suspicious HTML file gives you no useful benefit and can reintroduce the same detection. Clear the cache or remove the source document instead.
Why does Defender show variants like GPXQ, MKK, RQG, RQV, or JIZ?
Those suffixes identify related Defender detection variants. The practical triage is the same: inspect the path, clear the affected cache or source file, scan the system, and investigate deeper if the alert returns outside cache.
Is it a false positive if the path is Content.MSO or an Office document?
Not automatically. Office documents can load external images or links, and Defender may flag a redirecting external resource. Confirm the document source, remove untrusted external links, and scan again before calling it harmless.
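One way to confirm which external links an Office document carries before trusting it, as an added PowerShell example (not from the original page). The function name `Get-ExternalRelationship`, the temp file name, and the `tracker.example` target are constructed for illustration; the check reads the `.rels` parts inside the document package and lists every relationship marked `TargetMode="External"`.

```powershell
# Added example: list external relationships in an Office Open XML file
# (.docx/.xlsx/.pptx are ZIP packages; links live in *.rels parts such as word/_rels).
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

function Get-ExternalRelationship {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries | Where-Object FullName -like '*.rels') {
            $reader = [System.IO.StreamReader]::new($entry.Open())
            try { [xml]$doc = $reader.ReadToEnd() } finally { $reader.Dispose() }
            # Internal parts have no TargetMode; only external targets leave the package.
            $doc.Relationships.Relationship |
                Where-Object TargetMode -eq 'External' |
                Select-Object @{ n = 'Part'; e = { $entry.FullName } }, Id, Type, Target
        }
    } finally { $zip.Dispose() }
}

# Constructed sample package so the example runs offline (not a real document).
$docx = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-sample.docx'
Remove-Item $docx -ErrorAction SilentlyContinue
$z = [System.IO.Compression.ZipFile]::Open($docx, 'Create')
$w = [System.IO.StreamWriter]::new($z.CreateEntry('word/_rels/document.xml.rels').Open())
$w.Write(@'
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Target="styles.xml"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>
  <Relationship Id="rId2" Target="https://tracker.example/pixel.png" TargetMode="External"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"/>
</Relationships>
'@)
$w.Dispose(); $z.Dispose()

# Only rId2 is reported: it is the single relationship that points outside the file.
Get-ExternalRelationship -Path $docx | Format-List
Remove-Item $docx
```

Run it against a copy of the flagged document rather than opening the document in Office; ordinary hyperlinks also appear as external relationships, so review the targets rather than counting them.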
References
- Microsoft. “Trojan:HTML/Redirector!MTB threat description.” Microsoft Security Intelligence malware encyclopedia, published August 16, 2023, accessed June 2, 2026. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AHTML%2FRedirector%21MTB&threatId=-2147114208
- Microsoft Q&A. “Trojan:HTML/Redirector.MKK!MTB details.” Microsoft Learn, October 2025, accessed June 2, 2026. https://learn.microsoft.com/en-us/answers/questions/5573463/trojan-html-redirector-mkk-mtb-details
- Google. “Clear cache & cookies – Computer.” Google Account Help, accessed June 2, 2026. https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DDesktop&hl=en
- Microsoft. “View and delete browser history in Microsoft Edge.” Microsoft Support, accessed June 2, 2026. https://support.microsoft.com/en-us/edge/view-and-delete-browser-history-in-microsoft-edge
- ictschule. “Trojan:HTML/Redirector.RQV!MTB.” ictschule.com, February 20, 2026, accessed June 2, 2026. https://ictschule.com/2026/02/20/trojanhtml-redirector-rqvmtb/
A related JavaScript scam-alert case is Trojan:JS/Cryxos.ASI!MTB, where Defender may flag cached browser content tied to tech-support-scam pages rather than a standalone executable.

