
AdeptusMechanicus

Members
  • Posts

    2
  • Joined

  • Last visited

About AdeptusMechanicus

  • Rank
    Newbie

Profile Information

  • Gender
    Male
  • Location
    USA
  1. Greetings,

     Whenever I see events relating to a user who visits a site, and then for whatever reason ESET blocks the connection (connection terminated - quarantined), there are always one to several .htm files that accompany the blocked connection. Those .htm files are always "unable to clean". And if I try to search for the file manually, I can NEVER find that .htm file in Windows Explorer. What exactly does this mean? The .htm files were never transferred to the computer? Can I assume the computer is still clean? Below is an example of what I typically see.

     Date Occurred    | Name | Threat | Action
     12/22/2015 11:06 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOQNUL2E\1598[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:58 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VK5XHEFY\checkout[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:57 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QXJUASWB\cart[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:56 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1ZEGQD60\cart[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:54 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NN82WL7Y\cart[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:53 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AAFJ7RDG\checkout[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:52 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOQNUL2E\armaglock[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:52 | hxxp://www.armaglock.com/product/armaglock | JS/Kryptik.AYR trojan | connection terminated - quarantined
     12/22/2015 10:47 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HPKWB745\checkout[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:44 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM01VP24\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:44 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SC8YM8MM\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:43 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G1D9Y18L\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 10:34 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOL1RANN\armaglock_com[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 8:56  | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOL1RANN\checkout[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 8:54  | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOQNUL2E\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 8:51  | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NN82WL7Y\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 8:46  | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VK5XHEFY\armaglock_com[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 8:43  | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJLWF5SQ\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean
     12/22/2015 8:43  | hxxp://www.armaglock.com/shop | JS/Kryptik.AYR trojan | connection terminated - quarantined
     12/22/2015 8:35  | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOQNUL2E\armaglock_com[1].htm | JS/Kryptik.AYR trojan | unable to clean

     Thanks in advance!
  2. My company is getting numerous hits in ERAS for endpoints hitting random sites with the exact same threat name "JS/Kryptik.AYR trojan". All of these started triggering on 2015-12-19 and have been every day since. We have not had any hits on this signature before. Does anyone know what exactly the script is trying to do?

     URL | Threat
     hxxp://jaspersthewoodlands.com | JS/Kryptik.AYR trojan
     hxxp://lunkerquest.com/gallery/lunkers | JS/Kryptik.AYR trojan
     hxxp://wimberleyview.com/articles/sports | JS/Kryptik.AYR trojan
     hxxp://www.armaglock.com/product/armaglock | JS/Kryptik.AYR trojan
     hxxp://www.armaglock.com/shop | JS/Kryptik.AYR trojan
     hxxp://www.brotherskeepersmc.com | JS/Kryptik.AYR trojan
     hxxp://www.brotherskeepersmc.com/index.php/about-us | JS/Kryptik.AYR trojan
     hxxp://www.brotherskeepersmc.com/index.php/component/content | JS/Kryptik.AYR trojan
     hxxp://www.coldcreekranch.com | JS/Kryptik.AYR trojan
     hxxp://www.coldcreekranch.com/fallow.html | JS/Kryptik.AYR trojan
     hxxp://www.elnidoresorts.com | JS/Kryptik.AYR trojan
     hxxp://www.elnidoresorts.com/lagen-island | JS/Kryptik.AYR trojan
     hxxp://www.mamatrains.com | JS/Kryptik.AYR trojan
     hxxp://www.mamatrains.com/index.php/admissions-and-courses/deck-courses | JS/Kryptik.AYR trojan
     hxxp://www.norguard.com/fall-protection-products/rescue-systems/gotcha-kit | JS/Kryptik.AYR trojan
     hxxp://www.salononkirby.com | JS/Kryptik.AYR trojan
     hxxp://www.soeholmmarine.dk/en | JS/Kryptik.AYR trojan
     hxxp://www.webshellba.com/super-luxury-cars-future-best-wallpaper-hd-sjmgf/super-luxury-cars-future-best-wallpaper-hd-sjmgf-future-car-trends-for-desktop-car | JS/Kryptik.AYR trojan
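Added example (editor's code, not part of either post above and not an ESET tool): a small triage script for event lists in the format the two posts paste, which pairs each "connection terminated - quarantined" URL with the cached copies of the same page that ESET then reports as "unable to clean", and summarises what was hit. The Content.IE5 folders under Temporary Internet Files are Internet Explorer's page cache, which Explorer hides by default, so the script keys on that path marker rather than on whether the file is visible. The regex assumes the column order shown in the first post (date, object, threat name, action), that the threat name ends in a word such as "trojan", and a fixed set of action strings; the matching of cache file names to URLs by their last path segment (or "host_tld" for a site's root page) is a heuristic of this example, not documented IE behaviour. The sample lines are constructed from the posts.

```python
import re
import ntpath
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a handful of event lines copied from the posts above,
# two with timestamps/actions (first post) and two URL-only lines (second post).
SAMPLE_LOG = r"""
12/22/2015 10:52 C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOQNUL2E\armaglock[1].htm JS/Kryptik.AYR trojan unable to clean
12/22/2015 10:52 hxxp://www.armaglock.com/product/armaglock JS/Kryptik.AYR trojan connection terminated - quarantined
12/22/2015 8:43 C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJLWF5SQ\shop[1].htm JS/Kryptik.AYR trojan unable to clean
12/22/2015 8:43 hxxp://www.armaglock.com/shop JS/Kryptik.AYR trojan connection terminated - quarantined
hxxp://www.brotherskeepersmc.com/index.php/about-us JS/Kryptik.AYR trojan
hxxp://www.coldcreekranch.com JS/Kryptik.AYR trojan
"""

# Assumed action strings; extend if your export uses others.
ACTIONS = ("unable to clean", "connection terminated - quarantined",
           "cleaned by deleting", "deleted")

# date/time (optional), object (path or URL, may contain spaces), threat, action (optional)
LINE_RE = re.compile(
    r"^(?:(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}) )?"
    r"(?P<obj>\S.*?) "
    r"(?P<threat>\S+ (?:trojan|virus|worm|adware|application))"
    r"(?: (?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r"))?$"
)


def parse_line(line):
    """Return a record dict for one event line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    obj = m.group("obj")
    rec = {"when": m.group("when"), "object": obj,
           "threat": m.group("threat"), "action": m.group("action") or "n/a"}
    if obj.lower().startswith(("hxxp://", "hxxps://", "http://", "https://")):
        url = re.sub(r"^hxxp", "http", obj, flags=re.I)  # re-arm the defanged scheme
        rec.update(kind="url", url=url, host=urlsplit(url).hostname)
    elif "content.ie5" in obj.lower():
        rec.update(kind="cached_page", file=ntpath.basename(obj))  # IE page cache
    else:
        rec.update(kind="file", file=ntpath.basename(obj))
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize(records):
    return {
        "by_threat": dict(Counter(r["threat"] for r in records)),
        "by_action": dict(Counter(r["action"] for r in records)),
        "cached_pages": sum(r["kind"] == "cached_page" for r in records),
        "domains": sorted({r["host"] for r in records if r["kind"] == "url"}),
    }


def cache_stem(filename):
    # "armaglock[1].htm" -> "armaglock": drop IE's [n] duplicate index and the extension
    return re.sub(r"\[\d+\]", "", filename).rsplit(".", 1)[0].lower()


def url_stems(url):
    """Names a cached copy of this URL might carry (heuristic, see lead-in)."""
    parts = urlsplit(url)
    names = set()
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if last:
        names.add(last.lower())
    host = parts.hostname or ""
    names.add(re.sub(r"^www\.", "", host).replace(".", "_"))  # root page: armaglock_com
    return names


def match_cache_to_urls(records):
    """Map each cached page to the first blocked URL whose name it matches."""
    urls = [r for r in records if r["kind"] == "url"]
    matches = {}
    for r in records:
        if r["kind"] != "cached_page":
            continue
        stem = cache_stem(r["file"])
        for u in urls:
            if stem in url_stems(u["url"]):
                matches[r["file"]] = u["url"]
                break
    return matches


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for k, v in summarize(recs).items():
        print(f"{k}: {v}")
    for cached, url in match_cache_to_urls(recs).items():
        print(f"{cached} <- {url}")
```

Run it over an ERAS export saved as text; the "domains" list is what goes into a web-filter block or a hunt query, and the cache-to-URL pairing shows which "unable to clean" entries are just the browser's saved copy of a page whose connection was already terminated.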