AdeptusMechanicus
Posted December 28, 2015 (edited)

Greetings,

Whenever I see events relating to a user who visits a site, then for whatever reason ESET blocks the connection (connection terminated - quarantined), there are always one to several .htm files that accompany the blocked connection. Those .HTM files are always "unable to clean". And if I try to search for the file manually, I can NEVER find that .htm file in Windows Explorer.

What exactly does this mean? The .htm files were never transferred to the computer? Can I assume the computer is still clean?

Below is an example of what I typically see.

| Date Occurred | Name | Threat | Action |
|---|---|---|---|
| 12/22/2015 11:06 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOQNUL2E\1598[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:58 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VK5XHEFY\checkout[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:57 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QXJUASWB\cart[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:56 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1ZEGQD60\cart[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:54 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NN82WL7Y\cart[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:53 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AAFJ7RDG\checkout[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:52 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOQNUL2E\armaglock[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:52 | hxxp://www.armaglock.com/product/armaglock | JS/Kryptik.AYR trojan | connection terminated - quarantined |
| 12/22/2015 10:47 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HPKWB745\checkout[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:44 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM01VP24\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:44 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SC8YM8MM\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:43 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G1D9Y18L\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 10:34 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOL1RANN\armaglock_com[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 8:56 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOL1RANN\checkout[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 8:54 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOQNUL2E\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 8:51 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NN82WL7Y\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 8:46 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VK5XHEFY\armaglock_com[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 8:43 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJLWF5SQ\shop[1].htm | JS/Kryptik.AYR trojan | unable to clean |
| 12/22/2015 8:43 | hxxp://www.armaglock.com/shop | JS/Kryptik.AYR trojan | connection terminated - quarantined |
| 12/22/2015 8:35 | C:\Users\(USERNAME)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOQNUL2E\armaglock_com[1].htm | JS/Kryptik.AYR trojan | unable to clean |

Thanks in advance!
Edited December 29, 2015 by TomasP: removed links