Java/TrojanDownloader.OpenConnection.AQ trojan

ESET NOD 5.0.93, defs 6695

I am getting the following messages from ESET (all are the same, example shown here):
12/8/2011 12:52:50 PM HTTP filter file
~url removed~ a variant of Java/TrojanDownloader.OpenConnection.AQ trojan
connection terminated - quarantined <domain name>\<user name> Threat was detected upon access to web by the application: C:\Program Files\Java\jre6\bin\java.exe.

I scanned java.exe and it is clean. I ran ESET and Malware Bytes scans and found nothing.

This first came up when I went to a website that I thought was a computer help site (not the k71e74.com website shown in the log entry). I have received 2 groups of these messages, it is just getting annoying to have to keep seeing them. ESET quarrantined a file and I sent it off for analysis.

I also killed a java.exe process twice which has been shown to be running in task manager (and indicated in the log message). I have JRE 1.6 level 23 installed on the computer. The process seems to come back and try and access the .jar file on the website (rootkit?). The java.exe file is clean, according to ESET. For now, I renamed the file to java.exebak as I am not using the one app that requires it.

Any ideas are greatly appreciated.

 

I assume that a Java script triggered on your machine attempted to download a Trojan downloader which was subsequently blocked by ESET. Is the threat continually being detected or it happened just once?

 

i would reccomend uninstalling all current java versions and use eiether java 6 update 29 or java 7 update 1 after the threat is sorted.

 

I uninstalled Java Runtime after determining with my IT guy that it is not need on my machine anymore. No messages have appeared since.

The threat happened twice. Initial at 10:30am ET, then around 12:30pm ET.
I suspect something is still lurking around my computer, trying to fire up a non-existant java.exe every so often. All scans still showing clean (ESET, Malware Bytes, and Spybot). Anything else I should try?

Thanks.

 

I think you had a Java version with a known vulnerability, and a website was exploiting that. They payload that was sent was then detected by ESET.

 

Hitman Pro would be worth a try.

 

Clean run for Hitman Pro - just some tracking cookies. RKill also reports nothing.

I did get this logged recently while on a fire fighting webpage:
12/9/2011 12:30:56 PM HTTP filter file -http://gm21wv.com/news- JS/Kryptik.EC trojan connection terminated - quarantined TFSG\djackino Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.