Trojan:JS/IframeRef is NOT being removed
-
Monday, December 10, 2012 10:01 PM
We keep getting the Trojan:JS/IframeRef reported through FEP as a Severe Alert. We have our actions for Severe set to Remove. The emails come back and say that No Action was taken and the Action was successful. How do we get FEP to remove this, or at the very least not send an email saying action successful when the action assigned to the category did not happen?
Malware name: Trojan:JS/IframeRef
Process name: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Path found: file:_C:\Users\xxxxx_x\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RB8MIZN9\jscript[1].htm
Action taken: No action
Action successful: Yes
All Replies
-
Tuesday, December 11, 2012 12:12 AM
Interesting. I've seen over 100 detections of this malware in my organization over the past few weeks and all of the alerts/reports say Action taken: Remove. The removal events take place a little over a minute after the detection events.
I'm curious what the event logs say on your clients. Look for events 1116 and 1117 in the System log. 1116 is the detection and 1117 is the corresponding action. Do those say "no action" as well? What about the "Action Status" line, does it say "No additional actions required"?
Also, do the files being detected still exist on the clients? I can imagine a scenario where the files were somehow removed/deleted before FEP had a chance to take action so when it tried, the files were gone. If that is somehow the case, then no action would be taken because none would be required at that point.
- Edited by KevinMJohnston Tuesday, December 11, 2012 12:13 AM
-
Tuesday, December 11, 2012 8:59 PM
I looked at both of those events on a computer that had this infection.
In 1116 it lists Severity: Severe and
1117 lists Action: Not Applicable Action Status: No additional actions required.
I manage this on the server end and the clients don't have the option to change what happens when a particular action occurs. I also checked to make sure, and on that client it was listed as Severe = Remove.
On this computer I ran a Full Scan and it never picked up anything again under the full scan, didn't even report seeing the same problem. It did install multiple programs, i.e. browser redirection, but they were removable in Add/Remove Programs.
Event 1116
Name: Trojan:JS/IframeRef
ID: 2147638646
Severity: Severe
Category: Trojan
Path: file:_C:\Users\x\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9LR0UFXS\ww8_tfacebook_com[1].htm
Detection Origin: Internet
Detection Type: Concrete
Detection Source: Real-Time Protection
User: x
Process Name: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Signature Version: AV: 1.141.973.0, AS: 1.141.973.0, NIS: 17.36.0.0
Engine Version: AM: 1.1.9002.0, NIS: 2.1.8904.0
Event 1117
Name: Trojan:JS/IframeRef
ID: 2147638646
Severity: Severe
Category: Trojan
Path: file:_C:\Users\x\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9LR0UFXS\ww8_tfacebook_com
Detection Origin: Internet
Detection Type: Concrete
Detection Source: Real-Time Protection
User:
Process Name: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Action: Not Applicable
Action Status: No additional actions required
Signature Version: AV: 1.141.973.0, AS: 1.141.973.0, NIS: 0.0.0.0
Engine Version: AM: 1.1.9002.0, NIS: 0.0.0.0
Many thanks,
Niko
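The check Kevin describes (pairing each 1116 detection with its 1117 action and seeing whether the file is still on disk) can be scripted on a client. This is an added example, not part of the thread or of FEP itself; it assumes the FEP client writes to the System log under the provider name 'Microsoft Antimalware' and uses the "Key: value" message layout shown in Niko's events above.

```powershell
# Added example (not from the thread): pair FEP 1116 (detection) with 1117 (action) events
# from the local System log and flag Severe detections that did not end in Remove/Quarantine.
# Assumption: provider name 'Microsoft Antimalware' and the message layout shown above.
# Written for PowerShell 2.0 (no [pscustomobject], no simplified Where-Object syntax).
param(
    [int]$Days = 7,
    [int]$MatchWindowMinutes = 10   # 1117 normally follows its 1116 by about a minute
)

# Pull one "Key: value" line out of the event message text (anchored, so "Name:" does
# not match "Process Name:" and "Action:" does not match "Action Status:").
function Get-Field([string]$Message, [string]$Key) {
    if ($Message -match "(?m)^\s*$([regex]::Escape($Key)):[ \t]*(.*?)\s*$") { return $Matches[1] }
}

$filter = @{ LogName = 'System'; ProviderName = 'Microsoft Antimalware'
             Id = 1116, 1117; StartTime = (Get-Date).AddDays(-$Days) }
$events  = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | Sort-Object TimeCreated
$actions = @($events | Where-Object { $_.Id -eq 1117 })

$report = foreach ($d in @($events | Where-Object { $_.Id -eq 1116 })) {
    $name = Get-Field $d.Message 'Name'
    # First 1117 for the same threat name after this detection, inside the window.
    # Matched on Name rather than Path because the 1117 path in the post above is truncated.
    $a = $actions | Where-Object {
        $_.TimeCreated -gt $d.TimeCreated -and
        $_.TimeCreated -le $d.TimeCreated.AddMinutes($MatchWindowMinutes) -and
        (Get-Field $_.Message 'Name') -eq $name
    } | Select-Object -First 1

    # "file:_C:\..." is the on-disk path; -LiteralPath keeps "[1].htm" from being a wildcard.
    $local = (Get-Field $d.Message 'Path') -replace '^file:_', ''
    New-Object PSObject -Property @{
        Detected       = $d.TimeCreated
        Name           = $name
        Severity       = Get-Field $d.Message 'Severity'
        Action         = if ($a) { Get-Field $a.Message 'Action' } else { '<no 1117 found>' }
        ActionStatus   = if ($a) { Get-Field $a.Message 'Action Status' } else { $null }
        FileStillThere = if ($local) { Test-Path -LiteralPath $local } else { $null }
        Path           = $local
    }
}

# Severe detections where Remove was configured but the logged action says otherwise.
$report | Where-Object { $_.Severity -eq 'Severe' -and $_.Action -notmatch '^(Remove|Quarantine)' } |
    Format-Table Detected, Name, Action, ActionStatus, FileStillThere, Path -AutoSize
```

A row with FileStillThere = False and Action = Not Applicable supports Kevin's theory that the file was already gone when FEP acted; True with the same action is the case worth raising with support.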
-
Wednesday, December 12, 2012 2:34 PM - Moderator
Hi,
Thank you for the post.
As far as I understand, Trojan:JS/IframeRef is the detection for JavaScript that attempts to redirect the browser to another website. You will find more information here: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aJS%2fIframeRef. I would recommend running a full scan on all the machines having this issue after disconnecting them from the network. Once the scan is finished, bring them back onto the network and see if you still get these errors.
Regards,
Nick Gu - MSFT
-
Thursday, December 13, 2012 6:09 PM
As of yesterday 12/12/2012 the Trojan:JS/IframeRef is now being removed through FEP. I'm not sure if one of the updated definitions helped, but all of the detections yesterday and today have been removed. I will keep an eye on this and see if the behavior changes.
-
Thursday, December 13, 2012 6:51 PM
Maybe I was being prematurely optimistic; just had one come in with the action taken: no action.
It does seem like all of these are coming from misspelled websites. Found one that seemed like a misspelled Monster_com; one was usa_co_in, and those were both removed. Is it possible that it would matter what site tried to install this? I would assume that FEP would just see JS/IframeRef and remove it no matter where it came from.
Collection found: All Systems
Malware name: Trojan:JS/IframeRef
Process name: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Path found: file:_C:\Users\nourse_e\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OIA9WDIJ\searchfusion_com[1].htm
Action taken: No action
Action successful: Yes
-
Monday, February 11, 2013 4:25 PM
Any resolution on this? We have been experiencing the same problem from visiting a particular web site. Forefront continues to say it removes it, but it will reappear the next day.