Remove Browser Redirect Trojan:JS/Medfos (Removal Instructions)

Trojan:JS/Medfos.B is a malicious JavaScript file that redirects search queries when using websites such as AOL, Ask, Bing, Google and Yahoo to other website from which cyber criminals get some sort of revenue.
Medfos is a member of the Win32/Medfos family and got your computer, after you have visited an infected website which exploited a vulnerability from a Java or Adobe software and Medfos installed a file called chromeupdate.crx in your %LOCALAPPDATA% folder.
As part of its self-defense mechanism,once installed Medfos disguises itself as a legitimate Google Chrome or Firefox extension with the name ChromeUpdateManager 1.0 or Translate This 2.0, as show in the below images:

Trojan:JS/Medfos.B sole purpose is to generate revenue for its authors via pay-per-click advertising links and redirect traffic to affiliate sites,so we recommend that you remove Trojan:JS/Medfos.B as soon as possible from your computer.

---

Trojan:JS/Medfos.B – Virus Removal Instructions

STEP 1:  Remove Trojan:JS/Medfos.B rootkit with Kaspersky TDSSKiller

Trojan:JS/Medfos.B has installed a  rootkit to protect itself from being removed.To remove the Trojan:JS/Medfos.B  rootkit, we need to run a system scan with Kaspersky TDSSKiller.

1. Please download the latest official version of Kaspersky TDSSKiller.
   KASPERSKY TDSSKILLER DOWNLOAD LINK(This link will automatically download Kaspersky TDSSKiller on your computer.)
2. Before you can run Kaspersky TDSSKiller, you first need to rename it so that
   you can get it to run. To do this, right-click on the TDSSKiller.exe icon and select Rename.
   Edit the name of the file from TDSSKiller.exe to iexplore.exe, and then double-click on it to launch.
   
3. Kaspersky TDSSKiller will now start and display the welcome screen as shown below.In order to start a system scan , press the ‘Start Scan’ button.
   
4. Kaspersky TDSSKiller will now scan your computer for the Trojan:JS/Medfos.B rootkit.
   
5. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
   
6. To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.A reboot will be require to completely remove this rootkit from your system.

---

STEP 2 : Run a scan with Combofix to remove Trojan:JS/Medfos.B

1. Download Combofix from any of the below links.
   COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
   COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)
2. Before running this utiltiy,please follow the below instructions:
   • Close any open browsers.
   • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
     Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
3. Start the Combofix scan:
   1. Double click on ComboFix.exe and then follow the prompts.
   2. Accept the disclaimer and allow to update if it asks
   3. When finished, it shall produce a log for you.
   4. Restart your computer

   Additional Notes:

   • Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
   • Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
   •  If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

---

STEP 3 : Remove the malicious registry keys added by the Trojan:JS/Medfos.B rootkit

Trojan:JS/Medfos.B has added some malicious registry keys to your Windows installation,to remove them we will need to perform a scan with RogueKiller.

1. Please download the latest official version of RogueKiller.
   ROGUEKILLER DOWNLOAD LINK (This link will automatically download RogueKiller on your computer)
2. Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.This should take only a few seconds and then you can click the Start button to perform a system scan.
   
3. After the scan has completed, press the Delete button to remove any malicious registry keys.
   

---

STEP 4: Remove Trojan:JS/Medfos.B malicious files with Malwarebytes Anti-Malware FREE

1. Download the latest official version of Malwarebytes Anti-Malware FREE.
   MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a download page in a new window from where you can download Malwarebytes Anti-Malware Free)
2. You can start the Malwarebytes’ Anti-Malware installation process by double clicking on mbam-setup file.
   
3. When the installation begins, keep following the prompts in order to continue with the setup process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If Malwarebytes’ prompts you to reboot, please do not do so.
   
4. Malwarebytes Anti-Malware will now start and you’ll be prompted to start a trial period , please select ‘Decline‘ as we just want to use the on-demand scanner.
   
5. On the Scanner tab,select Perform full scan and then click on the Scanbutton to start scanning your computer.
   
6. Malwarebytes’ Anti-Malware will now start scanning your computer for Trojan:JS/Medfos.B malicious files as shown below.
   
7. When the scan is finished a message box will appear, click OK to continue.
8. You will now be presented with a screen showing you the malware infections that Malwarebytes’ Anti-Malware has detected.Please note that the infections found may be different than what is shown in the image.Make sure that everything is Checked (ticked) and click on the Remove Selected button.
   
9. Malwarebytes’ Anti-Malware will now start removing the malicious files.After completing this task it will display a message stating that it needs to reboot,please allow this request and then let your PC boot in Normal mode.

STEP 5: Double check your system for any left over infections with HitmanPro

1. Download the latest official version of HitmanPro from the below link.
   HITMANPRO DOWNLOAD LINK(This link will open a download page in a new window from where you can download HitmanPro)
2. Double click on the previously downloaded fileto start the HitmanPro installation.
   
   IF you are experiencing problems while trying to starting HitmanPro, you can use the “Force Breach” mode.To start this program in Force Breach mode, hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode – Video)
3. Click on Next to install HitmanPro on your system.
   
4. The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan, select a option then click on Next to start a system scan.
   
5. HitmanPro will start scanning your system for malicious files as seen in the image below.
   
6. Once the scan is complete,you’ll see a screen which will display all the malicious files that the program has found.Click on Next to remove this malicious files.
   
7. Click Activate free license to start the free 30 days trial and remove the malicious files.
   
8. HitmanPro will now start removing the infected objects.If this program will ask you to restart your computer,please allow this request.

---

STEP 4: Remove Trojan:JS/Medfos.B from Internet Explorer,Firefox and Google Chrome with AdwCleaner.

We will use AdwCleaner to remove Trojan:JS/Medfos.B from your web browser extensions list.

1. You can download AdwCleaner from the below link.
   ADWCLEANER DOWNLAOD LINK (This link will automatically download AdwCleaner on your computer)
2. Before starting this utility,close all open programs and internet browsers.
3. Double click on adwcleaner.exe to run the tool.
4. Click on Delete,then confirm each time with Ok.
   
5. Your computer will be rebooted automatically. A text file will open after the restart.
6. NEXT,double click on adwcleaner.exe to run the tool.
7. Click on Uninstall,then confirm with yes to remove this utility from your computer.

---

Trojan:JS/Medfos.B should now be gone from your machine.As a last step we will need to remove the tools that we’ve used from your machine.
Lets removeComboFix from your machine:

1. Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
2. In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK
   
3. Follow the prompts on the screen
4. A message should appear confirming that ComboFix was uninstalled

Delete the following files: (If they exist)
C:\ComboFix.txt

Delete the following folders: (If they exist)
C:\ComboFix
C:\Qoobox

Kaspersky TDSSKiller and RogueKiller can be removed by deleting the utilities.
We strongly recommend that you keep Malwarebytes Anti-Malware and HitmanPro installed on your machine and run regular scans with this tools.If you however,wish to remove them,you can go into the Add or Remove programs and uninstall this two utilites.

If you are still experiencing problems while trying to remove Trojan:JS/Medfos.B from your machine, please start a new thread in our Malware Removal Assistance forum.