how to remove medfos.b

    Question

  • One week ago MS Security Essential detected a virus (medfos.b).  Thankfully MS SE quarantined the virus so my pc is not affected (YET).  I'm not a novice but not a pro at programming either.  I've scoured the internet searching for solutions from MS and have tried every virus detector/removal app MS has.  I've run dozens of security scans without success.  The MS SE virus alert keeps popping up every 5 minutes.  I've uninstalled JAVA 7 completely for the last few days as many of the websites report this may be the culprit... with no success.  I am not running Google Chrome either as that was another suspected entry for the virus.  I've also run searches for any files that might be related to these programs and have deleted them... again with no success.  MS SE allows me to remove the virus once it has been detected but not the source of the infection (what keeps generating the medfos.b detection).

    I am running Vista Home Edition on a 32-bit processor.  I use IE as my web browser and have never used Firefox or any other browser.

    Again, I've had my share of experience with viruses and usually have success removing them quickly using MS tools.  I'm very responsible about keeping Windows updated as well as my security software.  I regularly run scans often.  I haven't downloaded any third-party virus detection apps as I prefer to rely on MS products.

    I would greatly appreciate any help you could provide.

    Thank you.

    Friday, October 05, 2012 1:15 AM

Answers

All replies

  • Hi,


    I suggest you check the following KB:


    How to prevent and remove viruses and other malware

    http://support.microsoft.com/kb/129972


    In addition, here is an article about Medfos.B:


    How to Manually Remove Trojan:JS/Medfos.B/ Tips for Trojan Virus Removal

    http://www.zimbio.com/Latest+Computer+Threats/articles/s8tDtfARIYM/How+Manually+Remove+Trojan+JS+Medfos+B+Tips


    Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


    Hope this helps


    Vincent Wang

    TechNet Community Support

    Monday, October 08, 2012 9:29 AM
    Moderator
  • I had this issue yesterday. I have no idea how the trojan that creates the chromeupdate.crx was installed, but I found it.

    For me, it was: %APPDATA%\rcdset.dll

    Even when I disabled it from Startup in msconfig, it still loaded via the registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

    Removing it required killing the rundll32 and Internet Explorer processes from task manager. Once you remove it, restart your computer and verify that the issue is resolved. You might have a differently named DLL causing the issue. If you do, just look for the file in Run and in msconfig. If yours is named differently, let me know.

    I tested the file manually by intentionally loading it from a user command prompt. Within a few seconds, Internet Explorer is loaded and chromeupdate.crx is created. Let me know if any of this helps.

    • Proposed as answer by davidgvh Thursday, November 01, 2012 3:34 PM
    Thursday, November 01, 2012 3:33 PM
  • Thanks for the info, davidgvh.  I was going around in circles trying to get rid of this.  On my Windows 7 machine the bogus dll file was named otnpmp.dll, ostensibly from Uli Electronics (now a part of Nvidia).  I read a note elsewhere regarding the trojan that said their bogus dll file was named rcdset.dll.  Looking back there were two red flags on that otnpmp.dll, one that it was running out of the \appdata area and second that it came up with no matches when I searched the Internet for what otnpmp.dll was!  As you said, the key is to kill the running Iexplore.exe tasks and the running dll first, otherwise the registry entries come back faster than you can clean them out.  On my machine it seemed that the trojan removed all the system restore points, as that was going to be my first approach to try after Microsoft Security Essentials was unable to clean up the problem.
    Tuesday, November 27, 2012 1:33 AM
  • Davidgvh. I had the same problem. I was able to stop the virus by starting in safe mode and deleting the registry file HKCU\Software\Microsoft\Windows\CurrentVersion\Run and my file was named udmrsp. I also used msconfig and stopped it on start up. The odd part was when I went to the AppData\Roaming folder there was no dll file. Do you know why this might be? The string for my start up is "C:\Windows\System32\rundll32.exe" "C:\Users\MyUser\AppData\Roaming\udmrsp.dll",FromString
    Wednesday, November 28, 2012 8:26 AM
  • Hello Craig,

    Are you able to view hidden files in Explorer? Have you looked at the directory using "dir /a" in a console?

    Friday, November 30, 2012 5:48 PM
  • The zimbio.com page is just a template page--not very useful.  I've just worked through removing Medfos.B on a Windows 8 computer and I wrote up the procedure for others to use.  See

    http://alanbaker.net/medfos.b

    Alan

    • Proposed as answer by alanwbaker Tuesday, January 01, 2013 7:33 AM
    Tuesday, January 01, 2013 7:32 AM
  • I found suspicious names using msconfig, opened in Safe Mode, opened "Start up", stopped the two files, and now MS Security Essentials no longer reports it.  Could it be this easy?  If so, I just can't thank you enough!

    Thursday, May 09, 2013 11:04 PM