Trojan Medfos.B Removal


The antivirus software on my friend's Windows 8 computer detected and quarantined Medfos.B but it kept returning.  I tried several tools to isolate and remove it, but as of this date (December 31, 2012) none were effective.  These included: Microsoft Security Essentials (Windows Defender in Windows 8), Microsoft's Malicious Software Removal Tool, Malwarebytes, and Combofix.

What to do about it

I searched the web and found lots of sites that say they have instructions for removing Medfos.B.  These included several sites whose links are not reproduced here; I didn't find them helpful.

I found some useful discussion on a Microsoft TechNet forum which enabled me to develop the manual method below.  If you are not comfortable with things like editing the registry, get a techie friend to do this for you.

Software Tools

Various tools can be used to accomplish these steps, e.g. msconfig, regedit, Task Manager, and the command line.  I used Codestuff's Starter because it simplifies the removal.

1. Reboot in safe mode

Why?  When you boot in safe mode, Medfos.B's processes do not start.  This makes it easier to get rid of them.

There are several ways to boot in safe mode in Windows 8.  I used msconfig.  In Windows 7 and earlier use the F8 key during boot.

2. Disable Medfos.B's startups

Why?  Medfos.B starts up four processes at boot time.

When you open Starter you'll see a list that shows everything that starts at boot time.  Medfos.B used four of these processes--Giese, lathet, peracl, and quosvc.  The names of these startups will be different on your computer, but you can distinguish them from the "good" ones because they will have:

  • Random names
  • No description or company
  • Files in the Appdata\Roaming folder.  The location may be different on earlier versions of Windows.  Write down these file locations.

In Starter, right click and delete all four of these.  This removes the registry entries that caused these processes to run.  Instead of Starter you could use msconfig and regedit.

3. Delete Medfos.B's files

Why?  It's not absolutely essential, but it's wise to remove Medfos.B's files from your disk.

With Windows 8 File Explorer (Windows Explorer or My Computer on earlier versions of Windows) open the folder containing the files you wrote down.  Again these will be random file and folder names (like lathet, peracl, quosvc, and Ermaca) with similar timestamps.  Delete them.

4. Reboot in normal mode and run your antivirus scanner again

Why?  We've finished removing Medfos.B and we want to verify that everything works OK in normal mode.

The easiest way to reboot into normal mode in Windows 8 is to use msconfig.  In earlier versions of Windows, just reboot.

When the computer has finished rebooting, run your virus scanner with the latest virus definitions to confirm that all is well.  Other malware could be lurking.
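The four steps above are done by hand in Starter, regedit and File Explorer.  As an added example (not part of the original post, and not Codestuff's or Microsoft's code), the PowerShell script below automates the triage part of steps 2 and 3: it walks the standard Run keys that Starter and msconfig display, applies the three tells listed in step 2 (random-looking name, no description or company, file under AppData\Roaming), and reports every entry that matches at least two of them.  It assumes the autoruns live in the standard HKCU/HKLM Run keys (Starter also shows Startup folders and other locations, which this script does not cover) and treats "no description or company" as an empty CompanyName and FileDescription in the file's version resource.  It only reports unless you pass -Remove, and -WhatIf previews what -Remove would do.

```powershell
# Added example: audit Run-key autoruns for the three Medfos.B tells described in step 2.
# Assumption: entries of interest are in the standard Run keys (startup folders, services
# and scheduled tasks are not inspected). Report-only unless -Remove is given.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove   # delete matching registry values and their target files (honours -WhatIf)
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# %AppData% resolves to ...\AppData\Roaming on Vista and later (a different path on XP)
$roaming = [Environment]::GetFolderPath('ApplicationData')
# Properties Get-ItemProperty adds that are not real registry values
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath {
    # Reduce a Run value such as "C:\x\y.exe" /arg  or  C:\x\y.exe /arg  to the executable path
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')      { return $Matches[1] }
    return $Command
}

function Test-RunEntry {
    # Score one Run value against the three tells; returns the list of reasons that matched
    param([string]$Name, [string]$Target)
    $reasons = @()
    # Tell 1: short all-letter name like "lathet" or "quosvc" (heuristic; -match is case-insensitive)
    if ($Name -match '^[a-z]{4,8}$') { $reasons += 'random-looking name' }
    # Tell 2: no description or company in the file's version info
    if (Test-Path -LiteralPath $Target) {
        $info = (Get-Item -LiteralPath $Target).VersionInfo
        if (-not $info.CompanyName -and -not $info.FileDescription) {
            $reasons += 'no description or company'
        }
    } else {
        $reasons += 'target file missing'
    }
    # Tell 3: file lives under AppData\Roaming
    if ($Target -like "$roaming\*") { $reasons += 'runs from AppData\Roaming' }
    return $reasons
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }
        $target  = Get-CommandPath $p.Value
        $reasons = Test-RunEntry -Name $p.Name -Target $target
        # One tell alone is noisy (a legitimate 8-letter product name, say); require two
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Target  = $target
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No Run entries matched two or more tells.'
    return
}
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Step 2: remove the registry value that starts the process
        if ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Name)", 'Remove Run entry')) {
            Remove-ItemProperty -Path $f.Key -Name $f.Name
        }
        # Step 3: delete the target file it pointed at
        if ((Test-Path -LiteralPath $f.Target) -and
            $PSCmdlet.ShouldProcess($f.Target, 'Delete file')) {
            Remove-Item -LiteralPath $f.Target -Force
        }
    }
}
```

Run it from an elevated PowerShell prompt while still in safe mode (step 1) so the processes are not running: `.\Audit-RunKeys.ps1` lists the suspects, `.\Audit-RunKeys.ps1 -Remove -WhatIf` shows what would be removed, and `.\Audit-RunKeys.ps1 -Remove` does it.  Write down the reported target paths first, as step 2 says: the script only deletes the executable each Run value points at, so the sibling folders with similar timestamps mentioned in step 3 (like Ermaca) still need to be removed by hand, and step 4's full scan still applies.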

Screenshots (images not included in this copy):

  • Medfos.B in Windows Defender
  • Boot mode in msconfig (Windows 8)
  • Startup processes shown in Starter
  • Files in the Appdata\Roaming folder