Mod security iframe protection

dfoxx

Member
Feb 1, 2010
Hello,

Is there a way to protect against iframe hacks?
Because I notice that iframe hacks most of the time are included after the </html> or </body> tag, can those iframes be forbidden?
Or is it possible to forbid all iframes with a width and height of 0?

I already have the rules from Atomicorp; can you please post the correct mod-security rules?

Or what is your advice?

Best Regards
 

quizknows

Well-Known Member
Oct 20, 2009
Blocking the iframes themselves would probably require output filtering with modsec; unfortunately, most rules I deal with are for preventing inbound requests, not data output. It could probably be done, but it's not the best solution for your problem in my opinion.

You need to determine how the iframes are being added to the files. Trying to prevent them from being served is a moot point, since if they are there, your account is probably compromised. Check your FTP logs, and check the Apache domlogs for the time stamps when the files with bad iframes were last modified. I find most iframes are added with FTP logins that are compromised, so this is obvious in /var/log/messages. However, occasionally they're added with PHP shells; if it's done with PHP shells you need the Apache access logs.

If your domlogs (Apache access logs) are being deleted every day (which is default) you should disable that in WHM under tweak settings > stats and logs. Shut off "delete each sites access logs after stats run." Currently that's the only supported way to enable Apache access log archiving for all your users, but it kind of sucks because they never rotate and they're not compressed. The other option is to go into each cPanel under "raw access logs" and enable archiving. This is a much better solution, as the logs are compressed and stored in each user account, but VERY time consuming if you have a ton of users. I have written a script which will enable that option (raw access log archiving) for all your users; it is in the comments of this feature request:

Better Apache Log Rotation | cPanel Feature Requests
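An added example, not part of the thread and not written by either poster: a Python scan for the two patterns mentioned above (an iframe placed after the closing </body> or </html> tag, or one with a width or height of 0) that reports each flagged file's last-modified time for the log check described in the reply. The regexes, function names and sample pages are assumptions of this example.

```python
import os
import re
import sys
import time

# Patterns for the two cases raised in the thread (regexes are this example's own).
CLOSE_TAG = re.compile(r"</(?:body|html)\s*>", re.I)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
ZERO_DIM = re.compile(r"""\b(?:width|height)\s*=\s*["']?0(?:px)?["']?(?=[\s/>])""", re.I)

# Constructed sample pages; injected.example is a placeholder host.
SAMPLE_CLEAN = '<html><body><iframe src="/map.html" width="400" height="300"></iframe></body></html>'
SAMPLE_APPENDED = '<html><body><p>hi</p></body></html>\n<iframe src="http://injected.example/" width=0 height=0></iframe>'
SAMPLE_HIDDEN = '<html><body><iframe src="http://injected.example/" width="0" height="0"></iframe></body></html>'

def suspicious_iframes(html):
    """Return (reason, tag) pairs for iframes after </body>/</html> or sized 0."""
    close = CLOSE_TAG.search(html)
    boundary = close.end() if close else len(html)
    findings = []
    for m in IFRAME.finditer(html):
        if m.start() >= boundary:
            findings.append(("after closing tag", m.group(0)))
        elif ZERO_DIM.search(m.group(0)):
            findings.append(("zero width/height", m.group(0)))
    return findings

def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Yield (path, mtime, findings) for every flagged file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = suspicious_iframes(fh.read())
            if found:
                stamp = time.localtime(os.path.getmtime(path))
                yield path, time.strftime("%Y-%m-%d %H:%M:%S", stamp), found

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a document root, e.g. a user's public_html
        for path, mtime, found in scan_tree(sys.argv[1]):
            print(mtime, path, [reason for reason, _tag in found])
    else:  # no argument: run on the constructed samples
        for label, page in (("clean", SAMPLE_CLEAN), ("appended", SAMPLE_APPENDED),
                            ("hidden", SAMPLE_HIDDEN)):
            print(label, suspicious_iframes(page))
```

The printed modification time is the timestamp to look for in /var/log/messages (FTP logins) and in the domlogs.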