Remove Browser Redirect Trojan:JS/Medfos (Removal Instructions)

Trojan:JS/Medfos.B is a malicious JavaScript file that redirects search queries when using websites such as AOL, Ask, Bing, Google and Yahoo to other website from which cyber criminals get some sort of revenue.
Medfos is a member of the Win32/Medfos family and got your computer, after you have visited an infected website which exploited a vulnerability from a Java or Adobe software and Medfos installed a file called chromeupdate.crx in your %LOCALAPPDATA% folder.
As part of its self-defense mechanism,once installed Medfos disguises itself as a legitimate Google Chrome or Firefox extension with the name ChromeUpdateManager 1.0 or Translate This 2.0, as show in the below images:

Trojan:JS/Medfos.B sole purpose is to generate revenue for its authors via pay-per-click advertising links and redirect traffic to affiliate sites,so we recommend that you remove Trojan:JS/Medfos.B as soon as possible from your computer.

Trojan:JS/Medfos.B – Virus Removal Instructions

STEP 1:  Remove Trojan:JS/Medfos.B rootkit with Kaspersky TDSSKiller

Trojan:JS/Medfos.B has installed a  rootkit to protect itself from being removed.To remove the Trojan:JS/Medfos.B  rootkit, we need to run a system scan with Kaspersky TDSSKiller.

  1. Please download the latest official version of Kaspersky TDSSKiller.
    KASPERSKY TDSSKILLER DOWNLOAD LINK(This link will automatically download Kaspersky TDSSKiller on your computer.)
  2. Before you can run Kaspersky TDSSKiller, you first need to rename it so that
    you can get it to run. To do this, right-click on the TDSSKiller.exe icon and select Rename.
    Edit the name of the file from TDSSKiller.exe to iexplore.exe, and then double-click on it to launch.
    Kaspersky Tdsskiller renamed
  3. Kaspersky TDSSKiller will now start and display the welcome screen as shown below.In order to start a system scan , press the ‘Start Scan’ button.
    Start a Kaspersky scan
  4. Kaspersky TDSSKiller will now scan your computer for the Trojan:JS/Medfos.B rootkit.
    Kaspersky TDSSKiller scanning
  5. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
    Kaspersky TDSSKiller results
  6. To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.A reboot will be require to completely remove this rootkit from your system.

STEP 2 : Run a scan with Combofix to remove Trojan:JS/Medfos.B

  1. Download Combofix from any of the below links.
    COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
    COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)
  2. Before running this utiltiy,please follow the below instructions:
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      Temporarily disable your anti-virusscript blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  3. Start the Combofix scan:
    1. Double click on ComboFix.exe and then follow the prompts.
    2. Accept the disclaimer and allow to update if it asks
    3. When finished, it shall produce a log for you.
    4. Restart your computer

    Additional Notes:

    • Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
    • Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
    •  If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

STEP 3 : Remove the malicious registry keys added by the Trojan:JS/Medfos.B rootkit

Trojan:JS/Medfos.B has added some malicious registry keys to your Windows installation,to remove them we will need to perform a scan with RogueKiller.

  1. Please download the latest official version of RogueKiller.
    ROGUEKILLER DOWNLOAD LINK (This link will automatically download RogueKiller on your computer)
  2. Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.This should take only a few seconds and then you can click the Start button to perform a system scan.
    RogueKiller scanning after Trojan:JS/Medfos.B virus virus
  3. After the scan has completed, press the Delete button to remove any malicious registry keys.
    Remove Trojan:JS/Medfos.B virus  infection with RogueKiller

STEP 4: Remove Trojan:JS/Medfos.B malicious files with Malwarebytes Anti-Malware FREE

  1. Download the latest official version of Malwarebytes Anti-Malware FREE.
    MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a download page in a new window from where you can download Malwarebytes Anti-Malware Free)
  2. You can start the Malwarebytes’ Anti-Malware installation process by double clicking on mbam-setup file.
    [Image: Malwarebytes Installer]
  3. When the installation begins, keep following the prompts in order to continue with the setup process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If Malwarebytes’ prompts you to reboot, please do not do so.
    [Image: Finishing Malwarebytes installation]
  4. Malwarebytes Anti-Malware will now start and you’ll be prompted to start a trial period , please select ‘Decline‘ as we just want to use the on-demand scanner.
    [Image: Decline Malwarebytes trial]
  5. On the Scanner tab,select Perform full scan and then click on the Scanbutton to start scanning your computer.
    [Image: Starting a full system sca]
  6. Malwarebytes’ Anti-Malware will now start scanning your computer for Trojan:JS/Medfos.B malicious files as shown below.
    [Image: Malwarebytes scanning for malicious files]
  7. When the scan is finished a message box will appear, click OK to continue.[Image: Malwarebytes scan results]
  8. You will now be presented with a screen showing you the malware infections that Malwarebytes’ Anti-Malware has detected.Please note that the infections found may be different than what is shown in the image.Make sure that everything is Checked (ticked) and click on the Remove Selected button.
    [Image: Infections found by Malwarebytes]
  9. Malwarebytes’ Anti-Malware will now start removing the malicious files.After completing this task it will display a message stating that it needs to reboot,please allow this request and then let your PC boot in Normal mode.

STEP 5: Double check your system for any left over infections with HitmanPro

  1. Download the latest official version of HitmanPro from the below link.
    HITMANPRO DOWNLOAD LINK(This link will open a download page in a new window from where you can download HitmanPro)
  2. Double click on the previously downloaded fileto start the HitmanPro installation.
    [Image: HitmanPro Icon]
    IF you are experiencing problems while trying to starting HitmanPro, you can use the “Force Breach” mode.To start this program in Force Breach mode, hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode – Video)
  3. Click on Next to install HitmanPro on your system.
    [Image: Starting HitmanPro]
  4. The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan, select a option then click on Next to start a system scan.
    [Image: HitmanPro installation screen]
  5. HitmanPro will start scanning your system for malicious files as seen in the image below.
    [Image: HitmanPron scanning for Trojan:JS/Medfos.B virus]
  6. Once the scan is complete,you’ll see a screen which will display all the malicious files that the program has found.Click on Next to remove this malicious files.
    [Image: HitmanPro scan results]
  7. Click Activate free license to start the free 30 days trial and remove the malicious files.
    [Image: Activate HitmanPro license]
  8. HitmanPro will now start removing the infected objects.If this program will ask you to restart your computer,please allow this request.

STEP 4: Remove Trojan:JS/Medfos.B from Internet Explorer,Firefox and Google Chrome with AdwCleaner.

We will use AdwCleaner to remove Trojan:JS/Medfos.B from your web browser extensions list.

  1. You can download AdwCleaner from the below link.
    ADWCLEANER DOWNLAOD LINK (This link will automatically download AdwCleaner on your computer)
  2. Before starting this utility,close all open programs and internet browsers.
  3. Double click on adwcleaner.exe to run the tool.
  4. Click on Delete,then confirm each time with Ok.
    Adwcleaner utility
  5. Your computer will be rebooted automatically. A text file will open after the restart.
  6. NEXT,double click on adwcleaner.exe to run the tool.
  7. Click on Uninstall,then confirm with yes to remove this utility from your computer.

Trojan:JS/Medfos.B should now be gone from your machine.As a last step we will need to remove the tools that we’ve used from your machine.
Lets removeComboFix from your machine:

  1. Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  2. In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK
    Combofix uninstall command
  3. Follow the prompts on the screen
  4. A message should appear confirming that ComboFix was uninstalled

Delete the following files: (If they exist)

Delete the following folders: (If they exist)

Kaspersky TDSSKiller and RogueKiller can be removed by deleting the utilities.
We strongly recommend that you keep Malwarebytes Anti-Malware and HitmanPro installed on your machine and run regular scans with this tools.If you however,wish to remove them,you can go into the Add or Remove programs and uninstall this two utilites.

If you are still experiencing problems while trying to remove Trojan:JS/Medfos.B from your machine, please start a new thread in our Malware Removal Assistance forum.


If we have managed to help with your computer issues, then please let other people know that this article will help them!
You can share this article on Facebook,Twitter or Google Plus by using the below buttons.


I am the creator and owner of MalwareTips. I am passionate about computer security and technology. I have an experience of 9 years working as a security researcher.

My area of expertise includes Malware Analysis and Computer Forensics. I'm active in the various online anti-malware communities where I do researches for new malware threats as they are released.


All our malware removal guides and utilities are completely free! We do not request any kind of payment for our services, however if you like to support us (with this website maintenance costs), you can make a small donation.
Any amount is appreciated, and will support our fight against malware.

  • Jeff

    Yep, finally! Thanks. MSE first identified and quarantined it, but couldn’t remove it. I tried the Malicious Software Tool, nuttin’. Malwarebytes, surprisingly, nuttin’. And MS Emergency Response Tool, nuttin’. None of those even saw it. Safe Mode boot, still none saw it. Skipped to Rogue Killer since most folks seemed to say that was the one…it identified two malicious entries which it highlighted red, the others were brown and clearly ok from what I could tell. Deleted the two reds, and we seem to be ok now.

  • DN

    Wow………. Thank you soooooooooooo much! What a great person to take the time to give such detailed instructions; complete with links for the program downloads! This was the ONLY site/instructions that worked on this virus!!!!! You are a life saver!!! THANK YOU THANK YOU!

  • Erika

    At first I was skeptical that this page was an add for malware removal tools,lol. But scanning through the comments it seemed to be legit and not just marketing comments, so I gave it a try. Worked like a charm. Combofix, Roguekiller and Malwarebytes each found a few items, the other 3 scans had no results. Took about 3 hours, but these links and directions made it simple and a frustration free experience. Never removed a virus with so easy an experience. Thank you!!!! Erika

  • Don

    Thanks for the help, I ran all the programs and our Windows 7 computer is now clean. This was a hard one to handle, great web site and support.

  • CIS Consulting

    Thanks for the instructions. Worked wonders. Get explanation on each step. This site rocks!

  • Jim D

    This did the trick. All the different stages worked fine. some took as long as 25 min, but the results are worth it. Thanks for giving me my computer back!

  • edwin

    Thanks a combination of these software removed that annoying thing.

  • Sean

    This worked a charm. Took a while, but it was well worth it. Thank you very much.

  • Patti

    I could use a little more help. I ran the TDSSKiller–it didn’t find anything, so I moved on to the next step. The ComboFix seems to be “stuck” trying to create a new System Restore point. (left it overnight in case it was a slow process. . .found it in the same spot this morning. .. ). What do I do now?

    • Stelian Pilici

      Hello Patti,
      Go ahead with the next step please.

  • beatrice

    Thank you for this! I was so worried I was going to have to spend a bunch of money and be without my work laptop. I followed your steps exactly and I dont know which step got rid of the problem, but my laptop is working as good as new now. Thank you SO much!

  • Richard

    Tried lots of things until I found this processs. A little long but worked great.
    Thank you so much for the simple and complete instructions. Since Kaspersky TDSSKiller didn’t find anything I used RKill instead, it did stop some processes. This trojan was really persistant so thanks again.

  • C

    Great page. Got me sorted out. Much appreciated.

  • Guy Moody

    Well thank you very much for the simple and effective solution. I am not sure where the fix was actually done, but I am grateful all the same. Take note others about to do this – it takes hours so be patient, but the reward is that it works.

    Thank you very much Stelian for helping my with my Messi

  • Garnie

    My antivirus blocks the ADWCleaner website, saying it is infected with Mal/Generic-L.
    Is there an alternative?
    I believe JS/Medfos on my friend’s computer came from the Avios website.

    • Stelian Pilici

      Hello Garnie,
      Adwcleaner is a legit and malware free software..Your antivirus is having a false positive detection, which you can ignore.

  • BT

    My virus program found the troj_medfos.smi under appdata\roaming\rsvcrp.dll, squplo.dll, rcobc.dll but not able to remove the threat. Both malwarebytes and hitman pro scan came back zero. Rougekiller came back with a list of the registry that has those 3 dll files, I did not delete afraid I might be deleting something that I am not supposed to. All files are under system 32\rundll32.exe, also some window\regboot clean 64.exe

    • Stelian Pilici

      Hello BT,
      Can you please copy/paste the RogueKiller (should be on your desktop) and Combofix (should be in C:\Combofix.txt) logs so that I can take a look at what’s going on…

  • Philip

    Thank you very much for the helpful step-by-step instructions!

  • David Rissenberg

    Thanks Stelian. This was a lifesaver for me. After three whole days of trying to get this fixed, things were getting a bit depressing but your steps took care of it beautifully!

  • Lou

    Hello Stelian,

    I can’t thank you enough for your help. With one exception, I followed your instructions to the letter and got rid of medfos, although it appeared that ComboFix and Roguekiller did most of the work. The exception: I did not rename the TTDSKiller executable. It did not make sense to me to call it iexplore.exe, so I didn’t. It worked anyhow. Why do you instruct the user to rename it?

    I’m very pleased, and thank you again for your help. Best wishes,


    • Stelian Pilici

      Hello Lou,
      There are different versions on the Medfos trojan, and some of them will detect and block TDSSKiller from running… In your case it worked without needing to be renamed so that’s great!:D
      Stay safe!

      • Lou

        Thank you!

  • Single Mom Ninja

    Thank you so much for taking the time to help people solve this problem. Like another poster on here, I am also a single parent and can’t afford to take my laptop to the shop to get rid of this cursed virus. I also often work from home for my job and would have struggled without the computer. It took me about three hours, but I think I got rid of the virus by at first using info from other sites (w/o success), and then finding yours and going through the step by step directions. Also like others, MSE detected and quarantined the virus, but would not remove it. Malwarebytes and Superantispyware did not even detect it and neither did TDSSKiller, even with renaming it to iexplorer, etc. I think somewhere in or after the Combofix part of the process, I was finally able to get rid of the virus. I don’t know how I got it but suspect either an Adobe update or just being on an innocent-looking website. Thank you so much for your help!

  • Lorraine

    Thank you! Thank you! Thank you! My heart dropped when I got this trojan from a java link. I am a single Mom who uses my computer for extra income. I did not have $100+ dollars to put it in the shop. As others mentioned. Rogue Killer seems to have worked. MSE kept finding this virus but didn’t get rid if it. This was very frustrating. Can’t thank you enough!

  • Dr. Lola

    Thank you for your easy step by step instructions. Like most here, I think the remover was roguekiller but the other programs were helpful in determining the exact locations and assaulted areas of concern. Brilliant minds!!

  • Duccio

    Having been bitten by this pestiferous bug I approached the cleaning-up with some trepidation, being afraid to make more damage than good. However your step-by-step instructions, clear screen shots and detailed comments were a real boon for an old codger, and I’m glad to report that everything now looks fine. I am very grateful indeed. Combofix was a bit touchy, as was HitmanPro (didn’t complete the “one-off scan” but was OK when I changed the option). Again many thanks and a belated Happy New Year!

  • Gabor

    Thank you for the step-by-step instructions. Great to have people like you on the net.

  • R

    BLESS YOU- my computer is completely fixed now! I’ve heard a lot of warnings against using Combofix, but it worked like a dream for me! Roguekiller was good too. Thanks a ton! ^___^

  • James

    Thank You !!!

  • CRN

    Thank you for the step-by-step instructions. They worked! I think the tool combination of ComboFix and RogueKiller worked on my computer, removing the malware, Trojan:JS/Medfos.B. The other tools were useful as well, cleaning up some other nits. Microsoft’s Security Essentials, while putting the malware into quarantine, could not remove it; the MSE website was not helpful. Thankfully, I found this website and its useful instructions. Time invested was about 6.5 hours running the tools, Malwarebytes having the longest run time, but it was time well spent. Thank you again for a most useful website, spot-on guidance, and effective instructions.

  • Helen Vorrath

    In Step 2, above, when I started Combofix it told me that Norton Virus Security was running. As I don’t have Nortons installed on the machine and no other programs or processes were running apart from Combofix, I decided to continue. The scan has now been running for over half an hour – should I just let it continue? I am running in Safe Mode – is that likely to stop it working properly?

    • Stelian Pilici

      Hello Helen,
      Combofix may detect some left over files from Norton and give you that notification.Just to be on the safe side, skip the Combofix scan for now and go ahead with the rest of the guide.

  • J.

    Think we got it.
    Microsoft Security Essentials tech support minimum charge for this is Usd $99.oo

    Users should take note of “update” to get latest data on each of steps, as well as the “be sure to” advisories about how to install & run. Don’t panic, wait for the dialogue box to advise, and remember that some changes don’t happen (or happen completely) until after a restart.

    Cheers Steleian.
    rgds, J.

  • Liam Wilson

    I too had this slippery little bugger on my computer, which had been picked up by both Avira and Malwarebytes but after scanning and removing it they simply couldn’t pick it up anymore and it was only MSE that did, otherwise i’d have been oblivious to it now.

    There wasn’t a problem locating it, as mentioned in the article it was getting rid of it, eventually found this and put my trust in it even though i thought it was way over my head. Anyway, to cut a long story and some threasts towards the git that created it (at the sceen i may add), i took a short cut and went straight for the Hitman Pro, then followed the destructions from there; and yes it got it without too much pain to be honest, i’m just over the moon i had found this article and it WORKED!!!!



  • G

    A solution at last. Like previous comments many applications such as MSE found and quarantined this infection only for it to be reinstalled a few minutes later. Lke the others, step 3, “RogueKiller” worked a treat for me.
    Thanks for the info.

  • Me

    Thanks for this information. My laptop was recently infected with Medfos. MSE kept quarantining it, but couldn’t remove it. I tried MalwareBytes Anti-Malware. Same thing-found it, but couldn’t get rid of it. Tried HitmanPro. Same result. So far, RogueKiller has worked. I deleted everything related to Java, but I’m going to have to reinstall it so my kid can play Minecraft, but I’m going to disable all my browser plug ins. This Trojan is insidious and I really appreciate the information you’ve provided.

    • Adam

      The last post is correct
      Only RogueKiller worked for me too.