> VilmaTech Blog > JS:Iframe-DHY [Trj], Remove JS Trojan Horse that Redirects with Tips

JS:Iframe-DHY [Trj], Remove JS Trojan Horse that Redirects with Tips

Technical Analysis

JS:Iframe-DHY [Trj] is identified as a Trojan horse embedded with JavaScript technique, which can be also easily inferred by its name. Usually virus makers would name a virus according to the main property and function for perfect combination with other infections so that a seamless infiltration can be made to keep virus alive without being easily removed by installed security utilities.

The JS technique adopted by JS:Iframe-DHY [Trj] refers to JavaScript, a dynamic computer programming language formalized in the ECMAScript language standard and primarily used as part of a web browser (client-side JavaScript). That’s why victims encounter browser problems when warned by installed anti-virus program about JS:iframe-dhy [Trj] affection:

  1. Being redirect to certain web page and restore can only be made by hitting Backspace button.
  2. Additional web application such as visualbee being installed without permission.
  3. Being annoyed by random advertisements.

Actually, the main purpose for JS:Iframe-DHY [Trj]’s affection is not about messing up surfing experience but about collecting information for money and helping additional unauthorized installation for illegal revenue. VilmaTech Online Support would suggest a complete reading so as to get to know the security risks brought by the Trojan horse and to get a comprehensive removal method to solve the common incidental problems found by a specialized technician from Global PC Support Center with over a decade hands-on background in this industry. Should you come across difficulty that needs to be solved immediately, please feel free to start a live chat for solution.

live chat


Threat Assessment

JS:Iframe-DHY [Trj] affection can be dangerous. Such danger does not manifest itself mechanically, it mainly imperils information security. To deliver its scripts to run on a client computer via the web, JS:Iframe-DHY [Trj] manages to monitor target’s online whereabouts, record stored log-in credentials and re-write the information of web applications. As a consequence, the below problems are brought to life:

  1. Sandbox implementation errors.
  2. Browser and plugin coding errors.
  3. Misplaced trust in the client.
  4. Cross-site vulnerabilities.

To put them in details, victims affected by js:iframe-dhy may become frequent visitor to trustless sites; attacker manages to send away vicious code in your name without authorization; browser  crash may happen due to script bug or malicious modifications on the script.

There’s a classic character for Trojan horse which is backdoor forming should drew your attention. By overwriting drivers for further modifications on information of desktop and system objects, JS:iframe-dhy [Trj] becomes capable of opening a backdoor. Through the backdoor, the Trojan horse is capable of sending away collected information to its remote attacker. The attack will then earn illegal revenue by reselling the information as virus authors are eager to create a new variant with the capability of faster spreading, deeper infiltrating and broader affecting. Be noted that with the backdoor, one is under the radar of additional infections concealed in the Internet. It is highly recommended to remove JS:iframe-dhy [Trj] as soon as possible before additional vicious items infiltrating into the same machine to complex the removal procedure. Below is the user guide to help remove JS:iframe-dhy [Trj] manually. Stick to the steps to avoid any mistake that may give rise to system failure or instability. Should you run into dead end unexpectedly, it is advisable to resort specialized technical help from VilmaTech Online Support.

live chat


User Guide to Remove JS:Iframe-DHY [Trj] that Redirects

Step one – Enter DataBase to clear up entries there.

  • Use Win+R key combination to enable a Run box.                     win+r
  • Type “regedit” and hit Enter key will bring up Database window.
  • Press Ctrl and F key together to bring up Find box.
  • Type ‘regedit’ and press Enter key will prompt to you search results.
  • Scroll files and find regedit.exe under Windows.                                                                           modify regedit under windows

a.    remove ‘Top’ under

b.    substitute ‘’ with ‘C:Program FilesInternet ExplorerIEXPLORE.EXE’ under
HKEY_CLASSES_ROOTCLSID{random numbers} shellOpenHomePageCommand.

c.    substitute ‘’ with ‘C:Program FilesInternet Exploreriexplore.exe” %1″’ under
HKEY_CLASSES_ROOT ftpshellopencommand

d.    Delete ‘Check_Associations’ under
HKEY_CURRENT_USERSoftwareVB and VBA Program Settings
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain

  • Back to C:\WINDOWS\ that we just changed.
  • Change the extension back to .exe.

Step two – show hidden files and folders to remove associated vicious objects.

Windows 8

  • Open Windows Explorer and hit View tab to tick ‘File name extensions’ and ‘Hidden items’ explorer

Windows 7/XP/Vista

  • Access ‘Control Panel’ from Start menu and bring up “user accounts and family safety” window.user accounts and family safety
  • Search for ‘Folder Options’ and click to open it so as to hit View tab.
  • Tick ‘Show hidden files and folders and non-tick ‘Hide protected operating system files (Recommended)’

When done, one should mainly navigate to C:\windows\winstart.bat, C:\windows\wininit.ini and C:\windows\Autoexec.bat, C:\WINDOWS\System32 to find and delete every files and folders named after JS:Iframe-DHY [Trj] and the ones with a string of numbers and letters.

Step three – the common incidental issue is about browser. Therefore we offer the steps to fix the browser problems caused by JS:iframe-dhy [Trj].

1.    show hidden items to remove the below listed files

C:\Program Files (x86)\the browser you use (Mozilla Firefox, Internet Explorer, Google Chrome, Opera)
C:\users\UserAccount\AppData\Roaming\ the browser you use (e.g. Mozilla\Firefox)

2. copy the entries below to notepad; save it as fixME.reg to your desktop. (Tip:be sure the “Save as” type is set to “all files”. Once you have saved it, double click it and allow it to merge with the registry.)


[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6AB978D7-9465-41FE-9FAD-A75380E4B992}]

3. access extension section contained in browsers to remove any suspicious add-ins.

Internet Explorer

  • Spread Tools menu to access ‘Manage add-ons’.
  • Navigate respectively to ‘Toolbars and Extensions’ as well as ‘Search Providers’ to remove any suspicious items.                                                                                                                 manage addon IE_

Mozilla Firefox

  • Spread Tools menu and click Options.
  • Navigate to ‘Add-ons’ as well as select ‘plugins’ to remove any suspicious items.firefox management

Google Chrome

  • Click spanner icon to get options and select “Tools”.
  • Access ‘Extensions’ to remove any suspicious items.                trash Google chrome extension


  • Spread Opera menu to access Extensions.
  • Navigate to ‘Manage Extensions’ to remove any suspicious items.extension

4. access Control Panel to remove any unwanted programs that installed without knowledge.

Windows 8

  • Hover your mouse to the bottom-right corner of Start Screen.
  • Hit on “Unpin” button to choose ‘Control Panel’ in the option list.
  • Access “Programs and Features” to uninstall any suspicious items.

Windows 7/Vista/XP

  • Hit Start menu to select Control Panel.
  • Access “Add/Remove Programs” to uninstall any suspicious items.

Step four – run full scan again to remove any detected items.


JavaScript affection has become a concerning issue in these days. Due to its multiple functions, it can be used by technical programmers and also by malicious authors. Such ambiguity does post security utilities with difficulty in whether to flag JavaScript or not. But to avoid causing chaos, utilities are programmed not to flag such affection. As a result, infections employing JS technique such as JS:iframe-dhy [Trj] will not be completely removed automatically and re-image can be anticipated therefore. To decrease the chance that JS being utilized unlawfully, VilmaTech Online Support would like to offer some tips: 1) restrict scripts to run in a sandbox so that general-purpose programming tasks like creating files can be stopped; 2) comply with the same origin policy so that scripts from web sites do not have the access to information such as usernames, passwords, or cookies sent to another site; 3) use Content Security Policy to ensure that only trusted code can be executed on a web page. Apparently that enriching computer knowledge would benefit PC users with peace and secure. It is impossible to impart particle computer knowledge in one single article. Therefore it is recommended to update virus database where practical knowledge is explained in details. You can learn what’s new in the virus world to avoid downloading verisimilar virus unwittingly and willingly on one hand, and you get to know more ways to keep your precious computer safe on the other. Should you have any question about JS:iframe-dhy [Trj] and its removal method, you are welcome to start a live chat for on-demand response.

live chat

Comments are closed.

Latest Posts