Help - Search - Members
Full Version: HEUR: TROJAN.Script.Iframer
Kaspersky Lab Forum > English User Forum > Virus-related issues
AmyMc
KAS just detected this virus a few minutes ago and when KAS asked if I wanted to Quarenteen, I obviously did what was "recommended". Trying to find it in KAS Virus List pages.....the list cannot be found! Any suggestions? (ASAP Please!!!)
Baz^^
Hi,

What exactly are you looking for?

It's a heuristic detection of suspicious scripts....where was it detected?
AmyMc
QUOTE(Baz^^ @ 17.01.2009 16:34) *
Hi,

What exactly are you looking for?

It's a heuristic detection of suspicious scripts....where was it detected?



I just copied this from the Reports page.....btw....I am not very computer friendly! (learning, but slowly)

1/17/2009 4:07:14 PM C:\Documents and Settings\Hello\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\SQJIA7CS\415734[1].htm Internet Explorer Detected: HEUR:Trojan.Script.Iframer
Baz^^
That is something that you accessed on the internet and stored in your temporary internet files... go ahead and delete it to be safe.
AmyMc
QUOTE(Baz^^ @ 17.01.2009 16:43) *
That is something that you accessed on the internet and stored in your temporary internet files... go ahead and delete it to be safe.



Strange...I had only just turned on the PC, turned on Hotmail and then the warnings popped up. So, it's quaranteened right now....I can just delete it and all will be good? The report in KIS says that there are "5 Virus and 4 Malware". This stuff just really confuses me. LOL
Ralph1955
QUOTE(AmyMc @ 17.01.2009 16:50) *
Strange...I had only just turned on the PC, turned on Hotmail and then the warnings popped up. So, it's quaranteened right now....I can just delete it and all will be good? The report in KIS says that there are "5 Virus and 4 Malware". This stuff just really confuses me. LOL



I just ran into the same message, but KIS 2009 blocked it.
W000
I also received a notice, its similar but not in a temp file like the other one posted. I am also computer ignorant. What should I do with

HEUR:Trojan.script.Iframer C:\ Documents and settings\ local settings\ application\ DATA \Mozilla\ Firefox\ Profiles\ i9iw12hx.default\ Cache\ 8FDD4639d01

I quarantined it, now what do I do?
Baz^^
Nothing..you dealt with the infected file.
hlhart
There is a news web site that I go to everyday. When I go to the main site I get a warning from Kaspersky and this is what shows in the reports.

1/16/2009 8:15:27 AM hxxp://content.worldnow.com/global/interface/linksplus/linksplusbridge.js Internet Explorer Detected: HEUR:Trojan.Script.Iframer

Kaspersky is denying the trojan. Is this something I need to let their webmaster know about? I know a great deal of people look at this site all day long.

edit: live link made not.
ctzifbn
I now can not get to a part of the web site I visit everyday hxxp://www.nano10.co.il

It does not allow me to view the live broadcast. I get domain/JScript/www.js and something about IFrame.

What can I do to be able to access this or is there really a virus I need to notify the web master

18-Jan-09 8:40:55 hxxp://www.nana10.co.il/JScript/www.js C:\Program Files\INTERNET EXPLORER\ IEXPLORE.EXE 5464 "C:\Program Files\Internet Explorer\iexplore.exe" Detected Virus HEUR:Trojan.Script.Iframer High Probably


Thanks

Paul

edit: live links made not.
richbuff
Welcome. A new heuristic detection mechanism for malicious scripts was released, so there may be false positives and/or increased detection. Please send such to the Lab, instructions located in third Important pinned topic at top of this forum page; instead of posting live, possibly questionable links on the forum.
Baz^^
QUOTE(ctzifbn @ 18.01.2009 06:44) *
I now can not get to a part of the web site I visit everyday hxxp://www.nano10.co.il

It does not allow me to view the live broadcast. I get domain/JScript/www.js and something about IFrame.

What can I do to be able to access this or is there really a virus I need to notify the web master

18-Jan-09 8:40:55 hxxp://www.nana10.co.il/JScript/www.js C:\Program Files\INTERNET EXPLORER\ IEXPLORE.EXE 5464 "C:\Program Files\Internet Explorer\iexplore.exe" Detected Virus HEUR:Trojan.Script.Iframer High Probably


Thanks

Paul

edit: live links made not.


Hi,




It was a false positive, now fixed.

Erasmus
QUOTE(Baz^^ @ 19.01.2009 06:43) *
Hi,
It was a false positive, now fixed.



I just received the message too. Detected: HEUR:Trojan.Script.Iframer
X_NRG
Hi. I just got a "HEUR:Trojan.Script.Iframer" warning message from KIS 9 when trying to access a website that I go to every day.
The website is www.katehizis.com.
Could you, please, check out if this is a false alarm or not? smile.gif
Lucian Bara
there's an obfuscated script on the page, so doesn't seem so.
X_NRG
Thank you! beer.gif
jondm1
I can no longer get to due to KIS2009 blocking the page due to trojan.script.iframer. Is this a false positive, as I could get to the page a few days ago?
Lucian Bara
no,
Click to view attachment
this code loads an iframe which leads to some porn site (possibly to malware)
jondm1
Thanks Lucian - just looked at it and found some dodgy javascript code. I won't put it on here but code to write a 1x1 invisible iframe pointing to a dodgy site is not good.
Eoin
Hello, I am experiencing the exact same problem also with my site www.binarynotions.com It's built on Wordpress using only plug ins hosted on their site. One of them could well be at fault but I don't know enough to investigate. Any advice would be much appreciated smile.gif
Lucian Bara
hello
yes, the page is infected.
Eoin
Hello, Thank you. The site seems to have been compromised since the last update. I appreciate your speedy response smile.gif
ibow
hi, i have this issue too on this site, would you confirm please
http://www.trancesource.com/index.php
Lucian Bara
yes,first thing in the page source s a malicious script
ibow
thanks for fast reply..
Pinkmonkey07
I am trying to access a band's website www. sixteencandlesband .com without the spaces... I am getting this error "HEUR:Trojan.Script.Iframer" and I think it may be a false positive. Please double check and let me know. Thanks smile.gif

edit: spoiler.
richbuff
Welcome. Instead of post questionable item on forum, please send such to the Lab, instructions in third important topic at top of this forum page.
Lucian Bara
QUOTE(Pinkmonkey07 @ 26.02.2009 05:06) *
I am trying to access a band's website www. sixteencandlesband .com without the spaces... I am getting this error "HEUR:Trojan.Script.Iframer" and I think it may be a false positive. Please double check and let me know. Thanks smile.gif

edit: spoiler.


nope, it's there, some iframe link in an obfuscated script, to a .ru website.
PeterABC
Hi
I got the same problem when trying to acces my own webpage: www.danskmisbrugsbehandling.dk
Can anybody (dear Lucian Bara) see if the page is infected?
Thank you
Lucian Bara
yes, it's infected.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2014 Invision Power Services, Inc.