How can I remove Troj/Iframe-HJ?

I installed Sophos Anti-Virus 8.0.6C for Mac today.  It almost immediately found Troj/Iframe-HJ.  However, when I go to the Quarantine Manager, put in my admin password, and press Clean Up Threat, it says "Cleaning up threats..." but the task never finishes.  Is there another way, or another version, I should be using?  And can anyone tell me anything else about this threat? The Sophos website, http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iframe-HJ/detailed-analysis.aspx is kind of obscure.

Thanks.

JK

:1008452

  • Hello JK,

    Iframe labels malicious "web content" (HTML, scripts, ...) - not necessarily from a web page, it can also arrive e.g. in an email. If you close and reopen the Quarantine Manager - is the item still there with the status Cleaning up? Where has it been found? Andrew/Agile for sure knows much more about threats and cleanup so I suggest you wait for him to comment on it. Meanwhile don't worry - if the initial scan found it, it's likely from the past and will no longer be accessed by an application which could "activate" it. And even if you deliberately attempt to open it, it will be blocked as long as on-access scanning is active.

    HTH

    Christian

    :1008454
  • Christian,

    Thanks very much.  Once I started the clean-up process, it never completed, and required a Force Quit to close.  I did that several times, even with a reboot, but Quarantine Manager came up the same each time:  Action Available is "Clean up" and Filename is blank.  On supplying the Administrator password, Threat Details, Path and Filename are also blank (and Action Available is "The threat can be cleaned up.")

    I have tried running a full system scan, but, so far, attempting to scan 3.6 million files, when left to itself, I have wound up with a "can't complete" kind of error message, with no details; maybe the power saving completely powered off, maybe not.  I am running the scan again, though it is very slow.

    Any chance 8.0.6C is unhappy with Lion, rather than Mountain Lion?

    All information is appreciated.  Thanks.

    JK

    :1008456
  • Hello JK,

    I'm just an occasional user (and not even on Lion), not a Mac expert - and as I never had any problems I'm not good at troubleshooting. Searching for "quarantine blank" turns up a very few threads and only some applicable, but it suggests that your problem is not related to 8.0.6C or Lion. They might give you some idea about the issue though. You could check the scan log to see if a path is recorded there (but it might as well be missing from the log). Has the item been detected by the initial scan or on-access (if it was the scan you'll see it in the scan's log)?

    As for the full scan taking very long - by default Scan inside archives and compressed files is checked. While it is a good idea to "deep scan" (initially and from time to time) naturally it can take quite long depending on your Mac's contents (and even use up your free space). So you could give it a try without the option checked.

    Christian

    :1008458
    I tried running the scan without the deep scanning.  Once again it ran for about an hour and then terminated with a message that gave no useful information.  The scan logs gave no information except the time the drive began.  The Sophos Anti-Virus ==> Scans ==> Scan Local Drives logs gave no useful (to me) information but start time; the System Diagnostic Reports showed three SophosAntiVirus localhost.crash files, two at the time I booted and one at what was probably the time the crash ended, about an hour after start, but they are way too technical to be useful to me and don't even have time stamps beyond their titles.  The /Library/Logs ==> Sophos Anti-Virus.log, in a scan that tried to run yesterday, flags encrypted files, and every two minutes or so puts out a message that says

    2012-07-26 21:37:05 -0400 Threat: 'Troj/Iframe-HJ' detected in
    Access to the file denied

    But, in this scenario, I'm just a dumb user.  Why should I be wading through these logs that I don't really understand?  I see a threat that has been flagged by this program, and I just want to get rid of it.  I am not really comfortable seeing that this threat has been "quarantined" by a program which seems to have some problems, at least on my machine.  At work, I have had good reason to respect Sophos, but I am encountering problems here.

    JK

    :1008494
  • Troj/Iframe-HJ will likely always show up in web cache files only; it is likely that the file was purged from the cache between when the item was detected and when the scan was complete.  If you re-scan your ~/Library/ folder (and possibly your TimeMachine volume), is the threat still listed?

    iFrame threats are more useful for on-access scans than for on-demand scans, unless you're saving html to your computer for specific reading later.

    If the detection is still there, try clearing your web cache and see if the detection goes away.

    :1008504
  • Is there any further information on how this malware operates on the Mac?  I have only seen reference to it in Windows.  I deleted the occurrences found by Sophos, but I have had Sophos generate messages twice since in Quarantine, that looked like this

    com.sophos.intercheck: 2012-07-31 21:18:09 -0400 Threat: 'Troj/Iframe-HJ' detected in /private/var/folders/gx/ms01z1yj6w17wk_82zv847k40000gn/T/clamav-121a721d7f031e9988b6591e2f3d7822/javascript

    When I entered the admin password for more details, the message disappeared, though it remained in the log.  Both of these occurrences happened when I was also running ClamXav.

    I have also disabled Java, hoping this may prevent some further action, if the malware is still operating.

    Can anyone give me further help in tracking this down, and/or eliminating it?  I am hoping that this can be eliminated without jeopardizing my data (and programs) but I have not been able to be comfortable that it is gone.  These two occurrences in /private/var/folders have been the only two in recent days, and have disappeared, as have the folders they were pointing to, which I assume are temporary.

    :1008692
  • Hello lk10003,

    First of all, Java and JavaScript are different things although they have a common denominator. JavaScript is interpreted by the browser (or a viewer, e.g. PDF). While applications usually allow turning off JavaScript, you can't turn it off globally and definitely not by disabling Java.

    Malicious JavaScript is mainly detected in web pages, usually in the browser's cache. As cache space is limited, it's likely to get deleted at some point in the future when new content is downloaded. Thus these items might disappear - of course the message about the detection will not be removed from the log (keeping such messages is what the log is for). Usually these items also need the browsing context in order to do their "work" and are often harmless by themselves.

    Using two AV products with a real-time (on-access) component together is generally not a good idea. One might block the other's attempted action (e.g. disinfect or move) on a file, and as the two can't access (and assess) a file at the same time, results are unpredictable. Looks like ClamXav "did" something with the script and at this time it has been scanned and detected by Sophos. Deletions are not intercepted, so if a temporary is deleted everything in it also disappears.

    Christian

    :1008702
  • I have been quite worried about the indications I have received from Sophos, so I tried scanning with other programs. I have now removed all competing AV programs.  What can I do next to remove this threat?

    :1008718
  • Hello jk10003,

    So you still have new detections and they occur when no scan is running? Then likely it's your browser downloading the item (directly or indirectly) from the page you visit. Thus you can't really remove the threat other than by no longer visiting the offending site. Make a note of what you are doing at the time and which applications are open when the alert pops up.

    If a scan does find the item (ideally you should run it with no other applications open) this scan's log should have the path details (also the summary will tell you how many threats have been detected).

    Christian

    :1008720
  • Ah... here we see why you are cautioned not to use multiple AV products at the same time....

    SAV appears to be detecting the cached ClamXav template they use to detect the same malware -- so there's nothing actually there.

    As for how this malware operates -- the detection detects malicious iFrame code in HTML pages, containing redirects to known-malicious landing pages.  The ClamAV template looks like it detects the javascript (not Java) code that injects the malicious iFrame into the web pages in the first place.

    :1008732
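The last reply explains what an Iframe-* detection is actually looking for: a hidden iframe injected into an HTML page that frames a landing page on another host. The following is an added example (not Sophos or ClamAV code) of that heuristic, written so a user with a blank quarantine path can walk a cache or saved-pages directory and find which file carries the injected frame. The directory layout, the hidden-iframe patterns and the sample page are constructed assumptions.

```python
"""Locate hidden cross-host iframes in saved HTML / browser-cache files.

Added example, not Sophos or ClamAV code. Heuristic (constructed): an <iframe>
whose src points at a different host than the page and which is rendered
invisible (1x1 size, display:none, visibility:hidden, or pushed off-screen).
"""
import os
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(width|height)\s*=\s*["']?[01]\b"""      # 0 or 1 pixel frame
    r"""|display\s*:\s*none|visibility\s*:\s*hidden"""
    r"""|(left|top)\s*:\s*-\d{3,}""",             # positioned far off-screen
    re.IGNORECASE,
)

def suspicious_iframes(html: str, page_host: str):
    """Return src URLs of hidden iframes that point away from page_host."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        m = SRC_RE.search(tag)
        if not m:
            continue
        src = m.group(1)
        host = urlparse(src).netloc.lower()
        if host and host != page_host.lower() and HIDDEN_RE.search(tag):
            hits.append(src)
    return hits

def scan_dir(root: str, page_host: str = ""):
    """Walk a cache directory; map file path -> hidden cross-host iframe srcs."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(2_000_000).decode("utf-8", "replace")
            except OSError:
                continue  # unreadable file: skip, like a scanner's "access denied"
            srcs = suspicious_iframes(text, page_host)
            if srcs:
                findings[path] = srcs
    return findings

# Constructed sample: one legitimate same-host frame, one injected hidden frame.
SAMPLE = ('<html><body><iframe src="https://example.com/widget" width="300"></iframe>'
          '<iframe src="http://bad.example.net/land.php" width="1" height="1" '
          'style="visibility:hidden"></iframe></body></html>')

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE, "example.com"))
```

Run `scan_dir` against a copy of the cache folder with the site's own host as `page_host`; the returned paths are the ones worth clearing, which is the cleanup the thread ends up recommending.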