2013-02-23

Detection and Removal of Trojan JS/Medfos.B

A Windows 7 Pro computer at some point was infected by the search engine malware known as JS/Medfos.B. The symptom of this malware is that search results are not processed by the selected search engine; instead results are clumsily merged with advertising and related links. A knowledgeable user sees this almost immediately, but that was not the case with the user of this computer.

This computer uses Microsoft Security Essentials (MSE). MSE was able to detect the presence of JS/Medfos.B, probably at the time it was invoked. MSE quarantined it, but after removal, Medfos.B "returned" within 24 hours. It is unclear whether that was due to the user visiting an infected site or reloading the malware.

Microsoft Security Essentials Detection of Medfos.B
The browsers on the machine didn't show any obvious rogue add-ins or redirects, and there were no network forwards in the obvious places. The Microsoft Malicious Software Removal Tool also found nothing.

A thread at Microsoft community provided some suggestions. In the past, my usual methods have been to use Malwarebytes, then Superantivirus, and then a rootkit removal tool such as Kaspersky's TDSSKiller. Two weeks ago, on a different computer, TDSSKiller had been the magic bullet to remove a different adware trojan. But on this occasion, none of these tools detected anything. The thread recommended Hitman Pro (trial), a sort of cloud-based malware tool aggregator, and it did find malware to remove, but the version downloaded wanted me to buy the tool to remove them. It didn't identify the evidence clearly enough ("tracking cookies?") for a connection to be made with JS/Medfos.B, but it was alarming enough.

At this point, the last MSE-detected appearance of the malware was 18 Feb 2013. I'm going to wait and see.

Also suggested: The Comparitech Guide to Windows Malware removal.

Update June 2013: All is well.
