How to remove Trojan:JS/Medfos.B malware (Virus Removal Guide)

Trojan:JS/Medfos.B is a malicious JavaScript file that redirects search queries made on sites such as AOL, Ask, Bing, Google and Yahoo to other websites from which cyber criminals earn revenue.
Medfos is a member of the Win32/Medfos family. It typically gets onto your computer after you visit a compromised website that exploits a vulnerability in Java or Adobe software; Medfos then installs a file called chromeupdate.crx in your %LOCALAPPDATA% folder.

As part of its self-defense mechanism, once installed Medfos disguises itself as a legitimate Google Chrome or Firefox extension with the name ChromeUpdateManager 1.0 or Translate This 2.0, as shown in the images below.

Trojan:JS/Medfos.B's sole purpose is to generate revenue for its authors via pay-per-click advertising links and to redirect traffic to affiliate sites, so we recommend that you remove this Trojan from your computer as soon as possible.
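The two indicators described above (a chromeupdate.crx file under %LOCALAPPDATA% and an installed extension named ChromeUpdateManager or Translate This) can be checked for directly before or after running the scanners below. The following Python script is an added example, not code from the original guide or from any of the tools it names. It walks a directory tree, reports those two indicators, and deletes nothing. It assumes Chrome's unpacked extension layout (Extensions\<id>\<version>\manifest.json); Firefox add-ons are packaged as .xpi archives and are not parsed here. The sample tree it builds for demonstration is constructed test data, not a real infection.

```python
"""
Added example: report Medfos indicators named in the guide (defensive triage only).
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extension names named in the guide. The version numbers shown there ("1.0", "2.0")
# are deliberately not matched, so a renumbered build is still reported.
SUSPECT_EXTENSION_NAMES = {"chromeupdatemanager", "translate this"}
# File name the guide says Medfos drops in %LOCALAPPDATA%.
SUSPECT_FILE_NAMES = {"chromeupdate.crx"}


def default_scan_root() -> Path:
    """%LOCALAPPDATA% on Windows; falls back to the home directory elsewhere."""
    local = os.environ.get("LOCALAPPDATA")
    return Path(local) if local else Path.home()


def extension_name(manifest_path: Path) -> Optional[str]:
    """Return the 'name' field of an extension manifest.json, or None if unreadable."""
    try:
        with manifest_path.open(encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None
    name = data.get("name") if isinstance(data, dict) else None
    return name if isinstance(name, str) else None


def find_medfos_indicators(root: Path) -> List[Dict[str, str]]:
    """Walk `root` and return one record per suspect .crx file or extension manifest."""
    hits: List[Dict[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            path = Path(dirpath) / fname
            if fname.lower() in SUSPECT_FILE_NAMES:
                hits.append({"kind": "crx_file", "name": fname, "path": str(path)})
            elif fname == "manifest.json":
                name = extension_name(path)
                if name and name.strip().lower() in SUSPECT_EXTENSION_NAMES:
                    hits.append({"kind": "extension", "name": name, "path": str(path)})
    return hits


def build_sample_tree(base: Path) -> Path:
    """Construct a fake profile tree (test data only) mimicking Chrome's Extensions folder:
    one benign extension, one suspect extension, and a stand-in chromeupdate.crx."""
    ext_root = base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    benign = ext_root / "aaaa" / "1.0_0"
    suspect = ext_root / "bbbb" / "1.0_0"
    for d in (benign, suspect):
        d.mkdir(parents=True, exist_ok=True)
    (benign / "manifest.json").write_text(
        json.dumps({"name": "Some Benign Ext", "version": "3.1"}), encoding="utf-8")
    (suspect / "manifest.json").write_text(
        json.dumps({"name": "ChromeUpdateManager", "version": "1.0"}), encoding="utf-8")
    # Constructed placeholder bytes, not a real extension package.
    (base / "chromeupdate.crx").write_bytes(b"Cr24" + b"\x00" * 16)
    return base


def run_on_sample_tree() -> List[Dict[str, str]]:
    """Build the constructed tree in a temp directory and scan it."""
    tmp = Path(tempfile.mkdtemp(prefix="medfos_demo_"))
    return find_medfos_indicators(build_sample_tree(tmp))


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_scan_root()
    for hit in find_medfos_indicators(root):
        print(f"[{hit['kind']}] {hit['name']}: {hit['path']}")
```

Run it with no arguments on the affected machine to scan %LOCALAPPDATA%, or pass a directory to scan a profile copied from another system. A hit is a lead for the scanners in the steps below, not proof on its own: a legitimately named extension or an unrelated .crx will also be listed, which is why the script only reports.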

Files reported as Trojan:JS/Medfos.B may not necessarily be malicious. Should you be uncertain as to whether a file has been reported correctly, you can submit the affected file to https://www.virustotal.com/en/ to be scanned with multiple antivirus engines.
You should always pay attention when installing software, because software installers often include optional bundled installs. Be very careful what you agree to install.
Always opt for the custom installation and deselect anything that is not familiar, especially optional software that you never wanted to download and install in the first place. It goes without saying that you should not install software that you don’t trust.

How to remove Trojan:JS/Medfos.B virus (Virus Removal Guide)

This malware removal guide may appear overwhelming due to the amount of the steps and numerous programs that are being used. We have only written it this way to provide clear, detailed, and easy to understand instructions that anyone can use to remove malware for free.
Please perform all the steps in the correct order. If you have any questions or doubts at any point, STOP and ask for our assistance.

STEP 1: Use Zemana AntiMalware Portable to remove malware

Zemana AntiMalware Portable is a free utility that will scan your computer for the Trojan:JS/Medfos.B browser hijacker and other malicious programs.

  1. You can download Zemana AntiMalware Portable from the below link:
    ZEMANA ANTIMALWARE PORTABLE DOWNLOAD LINK (This link will open a new web page from where you can download “Zemana AntiMalware Portable”)
  2. Double-click on the file named “Zemana.AntiMalware.Portable” to perform a system scan with Zemana AntiMalware Free.
    Zemana AntiMalware portable
    You may be presented with a User Account Control dialog asking you if you want to run this program. If this happens, you should click “Yes” to allow Zemana AntiMalware to run.
    Zemana AntiMalware User Account Control
  3. When Zemana AntiMalware starts, click on the “Scan” button to perform a system scan.
    Zemana AntiMalware Free Scan
  4. Zemana AntiMalware will now scan your computer for malicious programs. This process can take up to 10 minutes.
    Zemana AntiMalware scanning for virus
  5. When Zemana has finished scanning, it will show a screen that displays any malware that has been detected. To remove all the malicious files, click on the “Next” button.
    Zemana AntiMalware Removing Trojan:JS/Medfos.B Virus
    Zemana AntiMalware will now start to remove all the malicious programs from your computer. When the process is complete, you can close Zemana AntiMalware and continue with the rest of the instructions.

STEP 2: Scan and clean your computer with Malwarebytes Anti-Malware

Malwarebytes Anti-Malware is a powerful on-demand scanner which should remove the Trojan:JS/Medfos.B virus from your machine. It is important to note that Malwarebytes Anti-Malware will run alongside antivirus software without conflicts.

  1. You can download Malwarebytes Anti-Malware from the below link.
    MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a new page from where you can download “Malwarebytes Anti-Malware”)
  2. When Malwarebytes has finished downloading, double-click on the “mb3-setup-consumer” file to install Malwarebytes Anti-Malware on your computer.
    Malwarebytes installer
    You may be presented with a User Account Control pop-up asking if you want to allow Malwarebytes to make changes to your device. If this happens, you should click “Yes” to continue with the installation.
    Malwarebytes User Account Control Prompt
  3. When the Malwarebytes installation begins, you will see the Malwarebytes Setup Wizard which will guide you through the installation process.
    Setup Malwarebytes installer
    To install Malwarebytes Anti-Malware on your machine, keep following the prompts by clicking the “Next” button.
    Completing the Malwarebytes Setup Wizard
  4. Once installed, Malwarebytes will automatically start and update the antivirus database. To start a system scan you can click on the “Scan Now” button.
    Perform a system scan with Malwarebytes
  5. Malwarebytes Anti-Malware will now start scanning your computer for malicious programs.
    This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
    Malwarebytes scanning for malware
  6. When the scan has completed, you will be presented with a screen showing the malware infections that Malwarebytes Anti-Malware has detected.
    To remove the malicious programs that Malwarebytes has found, click on the “Quarantine Selected” button.
    Malwarebytes Quarantine Selected
  7. Malwarebytes Anti-Malware will now quarantine all the malicious files and registry keys that it has found.
    To complete the malware removal process, Malwarebytes may ask you to restart your computer.
    Malwarebytes removing malware from computer
    When the malware removal process is complete, you can close Malwarebytes Anti-Malware and continue with the rest of the instructions.

STEP 3: Double-check for malicious programs with HitmanPro

HitmanPro can find and remove malware, adware, bots, and other threats that even the best antivirus suite can oftentimes miss. HitmanPro is designed to run alongside your antivirus suite, firewall, and other security tools.

  1. You can download HitmanPro from the below link:
    HITMANPRO DOWNLOAD LINK (This link will open a new web page from where you can download “HitmanPro”)
  2. When HitmanPro has finished downloading, double-click on the “hitmanpro” file to install this program on your computer.
    HitmanPro icon
    You may be presented with a User Account Control pop-up asking if you want to allow HitmanPro to make changes to your device. If this happens, you should click “Yes” to continue with the installation.
    HitmanPro User Account Control Pop-up
  3. When the program starts you will be presented with the start screen as shown below. Now click on the Next button to continue with the scan process.
    HitmanPro setup process
  4. HitmanPro will now begin to scan your computer for malware.
    HitmanPro scanning for Trojan:JS/Medfos.B virus
  5. When it has finished, it will display a list of all the malware that the program found, as shown in the image below. Click on the “Next” button to remove the malware.
    HitmanPro detected malware
  6. Click on the “Activate free license” button to begin the free 30-day trial and remove all the malicious files from your computer.
    Activate HitmanPro to remove malware
    When the process is complete, you can close HitmanPro and continue with the rest of the instructions.

Your computer should now be free of the Trojan:JS/Medfos.B virus. If you are still experiencing problems while trying to remove Trojan:JS/Medfos.B virus from your machine, you can ask for help in our Malware Removal Assistance forum.

10 Rules to Avoid Online Scams

Here are 10 practical safety rules to help you avoid malware, online shopping scams, crypto scams, and other online fraud. Each tip includes a quick “if you already got hit” action.

  1. Stop and verify before you click, log in, download, or pay.

    Most scams win by creating urgency. Verify using a trusted method: type the website address yourself, use the official app, or call a known number (not the one in the message).

    If you already clicked: close the page, do not enter passwords, and run a malware scan.

  2. Keep your operating system, browser, and apps updated.

    Updates patch security holes used by malware and malicious ads. Turn on automatic updates where possible.

    If you saw a scary “update now” pop-up: close it and update only through your device settings or the official app store.

  3. Use layered protection: antivirus plus an ad blocker.

    Antivirus helps block malware. An ad blocker reduces scam redirects, phishing pages, and malvertising.

    If your browser is acting weird: remove unknown extensions, reset the browser, then run a full scan.

  4. Install apps, software, and extensions only from official sources.

    Avoid cracked software, “keygens,” and random downloads. During installs, choose Custom/Advanced and decline bundled offers you do not recognize.

    If you already installed something suspicious: uninstall it, restart, and scan again.

  5. Treat links and attachments as untrusted by default.

    Phishing often impersonates delivery services, banks, and popular brands. If it is unexpected, do not open attachments or log in through the message.

    If you entered credentials: change the password immediately and enable 2FA.

  6. Shop safely: research the store, then pay with protection.

    Be cautious with brand-new stores, “closing sale” stories, and prices that make no sense. Prefer credit cards or PayPal for dispute options. Avoid wire transfers, gift cards, and crypto payments.

    If you already paid: contact your card issuer or PayPal quickly to dispute the transaction.

  7. Crypto rule: never pay a “fee” to withdraw or recover money.

    Common patterns include fake profits, then “tax,” “gas,” or “verification” fees. Another is a “recovery agent” who demands upfront crypto.

    If you already sent crypto: stop paying, save evidence (wallet addresses, TXIDs, chats), and report the scam to the platform used.

  8. Secure your accounts with unique passwords and 2FA (start with email).

    Use a password manager and unique passwords for every account. Enable 2FA using an authenticator app when possible.

    If you suspect an account takeover: change passwords, sign out of all devices, and review recent logins and recovery settings.

  9. Back up important files and keep one backup offline.

    Backups protect you from ransomware and device failure. Keep at least one backup on an external drive that is not always connected.

    If you suspect infection: do not connect backup drives until the system is clean.

  10. If you think you are a victim: stop losses, document evidence, and escalate fast.

    Move quickly. Speed matters for disputes, account recovery, and limiting damage.

    • Stop payments and contact: do not send more money or respond to the scammer.
    • Call your bank or card issuer: block transactions, replace the card if needed, and start a dispute or chargeback.
    • Secure your email first: change the email password, enable 2FA, and remove unfamiliar recovery options.
    • Secure other accounts: change passwords, enable 2FA, and log out of all sessions.
    • Scan your device: remove suspicious apps or extensions, then run a full malware scan.
    • Save evidence: screenshots, emails, order pages, tracking pages, wallet addresses, TXIDs, and chat logs.
    • Report it: to the payment provider, marketplace, social platform, exchange, or wallet service involved.

These rules are intentionally simple. Most online losses happen when decisions are rushed. Slow down, verify independently, and use payment methods and account controls that give you recourse.

38 thoughts on “How to remove Trojan:JS/Medfos.B malware (Virus Removal Guide)”

  1. Well thank you very much for the simple and effective solution. I am not sure where the fix was actually done, but I am grateful all the same. Take note others about to do this – it takes hours so be patient, but the reward is that it works.

    Thank you very much Stelian for helping me with my Messi

  2. My antivirus blocks the ADWCleaner website, saying it is infected with Mal/Generic-L.
    Is there an alternative?
    I believe JS/Medfos on my friend’s computer came from the Avios website.

    • Hello Garnie,
      Adwcleaner is a legit and malware-free software. Your antivirus is having a false positive detection, which you can ignore.

  3. My virus program found the troj_medfos.smi under appdata\roaming\rsvcrp.dll, squplo.dll, rcobc.dll but was not able to remove the threat. Both Malwarebytes and HitmanPro scans came back zero. RogueKiller came back with a list of the registry entries that have those 3 dll files; I did not delete them, afraid I might be deleting something that I am not supposed to. All files are under system 32\rundll32.exe, also some window\regboot clean 64.exe

    • Hello BT,
      Can you please copy/paste the RogueKiller (should be on your desktop) and Combofix (should be in C:\Combofix.txt) logs so that I can take a look at what’s going on…

  4. Thanks Stelian. This was a lifesaver for me. After three whole days of trying to get this fixed, things were getting a bit depressing but your steps took care of it beautifully!

  5. Hello Stelian,

    I can’t thank you enough for your help. With one exception, I followed your instructions to the letter and got rid of medfos, although it appeared that ComboFix and Roguekiller did most of the work. The exception: I did not rename the TDSSKiller executable. It did not make sense to me to call it iexplore.exe, so I didn’t. It worked anyhow. Why do you instruct the user to rename it?

    I’m very pleased, and thank you again for your help. Best wishes,

    Lou

    • Hello Lou,
      There are different versions of the Medfos trojan, and some of them will detect and block TDSSKiller from running… In your case it worked without needing to be renamed, so that’s great! :D
      Stay safe!

  6. Thank you so much for taking the time to help people solve this problem. Like another poster on here, I am also a single parent and can’t afford to take my laptop to the shop to get rid of this cursed virus. I also often work from home for my job and would have struggled without the computer. It took me about three hours, but I think I got rid of the virus by at first using info from other sites (w/o success), and then finding yours and going through the step by step directions. Also like others, MSE detected and quarantined the virus, but would not remove it. Malwarebytes and Superantispyware did not even detect it and neither did TDSSKiller, even with renaming it to iexplorer, etc. I think somewhere in or after the Combofix part of the process, I was finally able to get rid of the virus. I don’t know how I got it but suspect either an Adobe update or just being on an innocent-looking website. Thank you so much for your help!

  7. Thank you! Thank you! Thank you! My heart dropped when I got this trojan from a java link. I am a single Mom who uses my computer for extra income. I did not have $100+ dollars to put it in the shop. As others mentioned, Rogue Killer seems to have worked. MSE kept finding this virus but didn’t get rid of it. This was very frustrating. Can’t thank you enough!

  8. Thank you for your easy step by step instructions. Like most here, I think the remover was roguekiller but the other programs were helpful in determining the exact locations and assaulted areas of concern. Brilliant minds!!

  9. Having been bitten by this pestiferous bug I approached the cleaning-up with some trepidation, being afraid to make more damage than good. However your step-by-step instructions, clear screen shots and detailed comments were a real boon for an old codger, and I’m glad to report that everything now looks fine. I am very grateful indeed. Combofix was a bit touchy, as was HitmanPro (didn’t complete the “one-off scan” but was OK when I changed the option). Again many thanks and a belated Happy New Year!
    8{)

  10. BLESS YOU- my computer is completely fixed now! I’ve heard a lot of warnings against using Combofix, but it worked like a dream for me! Roguekiller was good too. Thanks a ton! ^___^

  11. Thank you for the step-by-step instructions. They worked! I think the tool combination of ComboFix and RogueKiller worked on my computer, removing the malware, Trojan:JS/Medfos.B. The other tools were useful as well, cleaning up some other nits. Microsoft’s Security Essentials, while putting the malware into quarantine, could not remove it; the MSE website was not helpful. Thankfully, I found this website and its useful instructions. Time invested was about 6.5 hours running the tools, Malwarebytes having the longest run time, but it was time well spent. Thank you again for a most useful website, spot-on guidance, and effective instructions.

  12. In Step 2, above, when I started Combofix it told me that Norton Virus Security was running. As I don’t have Nortons installed on the machine and no other programs or processes were running apart from Combofix, I decided to continue. The scan has now been running for over half an hour – should I just let it continue? I am running in Safe Mode – is that likely to stop it working properly?

    • Hello Helen,
      Combofix may detect some left over files from Norton and give you that notification. Just to be on the safe side, skip the Combofix scan for now and go ahead with the rest of the guide.

  13. Think we got it.
    Microsoft Security Essentials tech support minimum charge for this is USD $99.00

    Users should take note of “update” to get latest data on each of steps, as well as the “be sure to” advisories about how to install & run. Don’t panic, wait for the dialogue box to advise, and remember that some changes don’t happen (or happen completely) until after a restart.

    BE YOUR OWN TECH SUPPORT!
    Cheers Stelian.
    rgds, J.

  14. I too had this slippery little bugger on my computer, which had been picked up by both Avira and Malwarebytes, but after scanning and removing it they simply couldn’t pick it up anymore and it was only MSE that did, otherwise I’d have been oblivious to it now.

    There wasn’t a problem locating it; as mentioned in the article, it was getting rid of it. Eventually found this and put my trust in it even though I thought it was way over my head. Anyway, to cut a long story and some threats towards the git that created it (at the screen I may add), I took a short cut and went straight for the Hitman Pro, then followed the destructions from there; and yes it got it without too much pain to be honest, I’m just over the moon I had found this article and it WORKED!!!!

    ”JUST SO PEOPLE ARE AWARE; IT ALL STARTED WITH AN ADOBE UPDATE (IT LOOKED EVERYTHING LIKE THE ONE YOU GET WHEN TURNING THE COMPUTER ON) BUT TOOK ME 40MINS TO GET PAST IT AS I WAS REFUSING TO UPDATE AND ONCE I SAID YES, THATS WHEN IT ATTACKED”

    THANK YOU SOO MUCH

  15. A solution at last. Like previous comments, many applications such as MSE found and quarantined this infection only for it to be reinstalled a few minutes later. Like the others, step 3, “RogueKiller”, worked a treat for me.
    Thanks for the info.

  16. Thanks for this information. My laptop was recently infected with Medfos. MSE kept quarantining it, but couldn’t remove it. I tried MalwareBytes Anti-Malware. Same thing-found it, but couldn’t get rid of it. Tried HitmanPro. Same result. So far, RogueKiller has worked. I deleted everything related to Java, but I’m going to have to reinstall it so my kid can play Minecraft, but I’m going to disable all my browser plug ins. This Trojan is insidious and I really appreciate the information you’ve provided.
