KingRoot - Security Discussion

By far the dodgiest app I have on my phone.
Running Wireshark, you will see it generating a lot of traffic; I found out this is analytical data they are collecting from you.
In order to enjoy keeping your phone rooted without being tracked by QQ China, try these steps:
1) Go to Settings (other system settings), Accessibility, Services - turn KingRoot off (click on it once to read the description of what it does if you want a laugh).
2) Edit your hosts file and add these:
monitor.uu.qq.com
uu.qq.com
qq.com
pmir.3g.qq.com

flamery said:
By far the dodgiest app I have on my phone.
Running Wireshark, you will see it generating a lot of traffic; I found out this is analytical data they are collecting from you.
In order to enjoy keeping your phone rooted without being tracked by QQ China, try these steps:
1) Go to Settings (other system settings), Accessibility, Services - turn KingRoot off (click on it once to read the description of what it does if you want a laugh).
2) Edit your hosts file and add these:
monitor.uu.qq.com
uu.qq.com
qq.com
pmir.3g.qq.com
Thanks OP

I'm planning to make a modded version of KingRoot that does not have useless permissions and does not spy on people's phones, but I let it connect to the internet and collect device info, since that is required to find an exploit for the right device.

evildog1 said:
I'm planning to make a modded version of KingRoot that does not have useless permissions and does not spy on people's phones, but I let it connect to the internet and collect device info, since that is required to find an exploit for the right device.
That's interesting, as I was contemplating the same thing: basically open the APK up, remove the exploit and bundle it with SuperSU to make a clean root method.
Anyway, unfortunately my post above is not entirely valid; the service will restart itself after a few minutes and continue to send your private information to China. What I did instead was remove KingRoot (KingUser) and replace it with SuperSU, so my phone is still rooted (with the KingRoot method), I just don't have the KingRoot malware on the phone anymore. Not sure if it's allowed to post links here, but here is the article; it's very easy and I would strongly recommend anyone with KingRoot installed to do this, as KingRoot is dangerous software.
https://www.droidmen.com/remove-kingroot-kinguser-with-supersu/

There is an app called SuperSUme. It is a paid app, but as long as you follow all the steps provided in the playstore description, you should be fine.
Link: https://play.google.com/store/apps/...ume&pcampaignid=APPU_1_VJegV96IAsiqjwPvyZHwAg

flamery said:
That's interesting, as I was contemplating the same thing: basically open the APK up, remove the exploit and bundle it with SuperSU to make a clean root method.
Anyway, unfortunately my post above is not entirely valid; the service will restart itself after a few minutes and continue to send your private information to China. What I did instead was remove KingRoot (KingUser) and replace it with SuperSU, so my phone is still rooted (with the KingRoot method), I just don't have the KingRoot malware on the phone anymore. Not sure if it's allowed to post links here, but here is the article; it's very easy and I would strongly recommend anyone with KingRoot installed to do this, as KingRoot is dangerous software.
https://www.droidmen.com/remove-kingroot-kinguser-with-supersu/
I found out that all permissions were required to execute root exploits, so I didn't remove permissions, but I forced KingRoot to stay in landscape mode because forcing my device to portrait mode caused my device to freeze. I asked them to add landscape support and they promised me, but they didn't fix it. KingRoot has an annoying bug that pauses the video or game every 20 minutes and I had already turned all 'bloat' features off. I contacted them again, but they don't respond to me, so I switched from KingRoot to KingoRoot, since all methods of switching to SuperSU did not work on all the devices I have.
Arathergreendroid said:
There is an app called SuperSUme. It is a paid app, but as long as you follow all the steps provided in the playstore description, you should be fine.
Link: https://play.google.com/store/apps/...ume&pcampaignid=APPU_1_VJegV96IAsiqjwPvyZHwAg
It doesn't work for me

evildog1 said:
I found out that all permissions were required to execute root exploits, so I didn't remove permissions, but I forced KingRoot to stay in landscape mode because forcing my device to portrait mode caused my device to freeze. I asked them to add landscape support and they promised me, but they didn't fix it. KingRoot has an annoying bug that pauses the video or game every 20 minutes and I had already turned all 'bloat' features off. I contacted them again, but they don't respond to me, so I switched from KingRoot to KingoRoot, since all methods of switching to SuperSU did not work on all the devices I have.
It doesn't work for me
KingRoot is extremely risky. It's a shame SuperSUme didn't work for you.
Is your Knox still 0x0?

No, I was trying to switch to SuperSU on my crappy tablet running Android 4.4.4.
The ROM was made in China with a date written in Chinese. There is no security in it.

flamery said:
By far the dodgiest app I have on my phone.
Running Wireshark, you will see it generating a lot of traffic; I found out this is analytical data they are collecting from you.
In order to enjoy keeping your phone rooted without being tracked by QQ China, try these steps:
1) Go to Settings (other system settings), Accessibility, Services - turn KingRoot off (click on it once to read the description of what it does if you want a laugh).
2) Edit your hosts file and add these:
monitor.uu.qq.com
uu.qq.com
qq.com
pmir.3g.qq.com
Hi Flamery, I agree with you. But may I ask how you collected those addresses? I understand they are related to QQ China, but what about the KingRoot app itself? Because, as far as I can tell, KingRoot connects to IP addresses, not to hostnames.
My firewall reports that KingRoot tries to connect all the time to 14.17.34.230:80, 14.17.37.157:80, 14.17.43.118:80, 101.226.38.59:80, 103.7.30.61:80, 103.7.31.38:80, 113.108.90.53:8080, 119.147.16.150:80, 183.61.38.246:80 and 183.61.51.168:80. I was never able to find a hostname through reverse IP lookup; that's why editing the hosts file is not an option to prevent these connections.
So why add monitor.uu.qq.com, uu.qq.com, qq.com, pmir.3g.qq.com to the hosts file? And why not, for example, trace.qq.com, report.qq.com, e.qq.com, 3g.qq.com, info.3g.qq.com and so many other similar addresses?
Cheers.

I used my PC as a proxy and used a traffic sniffer, and they are all the URLs the phone was connecting to. It would be unlikely they would set IP addresses in any apps because IPs can change regularly!
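An added example (not flamery's or avariado's code, and nothing in it was captured from KingRoot): the sniffer step described above boils down to reading the QNAME out of each DNS query the phone sends, so the script below does that from raw DNS packets it constructs itself, then checks every name the way the resolver checks a hosts file. The point it shows for the question above about trace.qq.com and friends: a hosts entry matches a name exactly, so `qq.com` in the hosts file covers `qq.com` and nothing under it, and `pmir.3g.qq.com` is stopped only because it is listed on its own. A hosts file also never affects connections an app makes straight to an IP address, which is the case avariado's firewall log shows.

```python
"""Added example (not from any post in this thread): pull the queried
hostnames out of raw DNS query packets, the way a sniffer on a PC proxy
would see them, and check them against a hosts-file style blocklist.
The packets below are constructed in this script, not captured from
KingRoot; the hostnames are the ones listed in the thread."""
import struct

# The four names flamery put in his hosts file.
FLAMERY_HOSTS_ENTRIES = ["monitor.uu.qq.com", "uu.qq.com", "qq.com", "pmir.3g.qq.com"]


def build_dns_query(name, txid=0x1234):
    """Encode a minimal A-record query in DNS wire format (RFC 1035).
    Only used here to construct sample packets."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_query_names(packet):
    """Return the QNAMEs in a DNS packet's question section, lower-cased."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    pos, names = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(packet):
                raise ValueError("truncated question section")
            length = packet[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:  # compression pointers do not occur in a query QNAME
                raise ValueError("unexpected compression pointer")
            labels.append(packet[pos:pos + length].decode("ascii"))
            pos += length
        pos += 4  # skip QTYPE and QCLASS
        names.append(".".join(labels).lower())
    return names


def hosts_file_blocks(name, entries):
    """The resolver matches a hosts entry only against the exact name:
    an entry for qq.com does nothing for pmir.3g.qq.com."""
    return name.lower() in {e.lower() for e in entries}


def suffix_blocks(name, suffixes):
    """What people usually mean: block the name and everything under it
    (what an app-level blocker or a DNS sinkhole can do, a hosts file cannot)."""
    n = name.lower()
    return any(n == s.lower() or n.endswith("." + s.lower()) for s in suffixes)


def audit_queries(packets, entries):
    """Map every queried name to whether the hosts file would stop it."""
    result = {}
    for pkt in packets:
        for name in parse_dns_query_names(pkt):
            result[name] = hosts_file_blocks(name, entries)
    return result


if __name__ == "__main__":
    sample = [build_dns_query(n) for n in
              ["monitor.uu.qq.com", "pmir.3g.qq.com", "trace.qq.com", "3g.qq.com"]]
    for name, blocked in audit_queries(sample, FLAMERY_HOSTS_ENTRIES).items():
        print(f"{name:20s} hosts file blocks it: {blocked!s:5s} "
              f"suffix rule on qq.com would: {suffix_blocks(name, ['qq.com'])}")
```

Running it shows two of the four constructed queries slipping past the hosts list; feeding it real packets means pulling the UDP payload of port-53 traffic out of the capture first.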

flamery said:
I used my PC as a proxy and used a traffic sniffer, and they are all the URLs the phone was connecting to. It would be unlikely they would set IP addresses in any apps because IPs can change regularly!
Thanks for your reply, Flamery. I was really curious about the method you used to identify those addresses.
My firewall only detects IP addresses and never resolves their hostnames, though.
Through this website - http://www.sitelinks.info/ - I've learned that one of those IPs (103.7.31.38) is somehow associated with a lot of websites, like kingroot.net, kingrootteam.com, pmir.3g.qq.com (this one identified by you too), wesecure.qq.com, sv.map.qq.com, slab.qq.com, and so on.
So I'm not absolutely convinced that adding the four addresses you mentioned before to the hosts file would be enough; the firewall method seems more reliable to me.
Meanwhile I asked the developers of KingRoot directly about these suspicious connections on their own XDA thread; still waiting for an answer...

avariado said:
Thanks for your reply, Flamery. I was really curious about the method you used to identify those addresses.
My firewall only detects IP addresses and never resolves their hostnames, though.
Through this website - http://www.sitelinks.info/ - I've learned that one of those IPs (103.7.31.38) is somehow associated with a lot of websites, like kingroot.net, kingrootteam.com, pmir.3g.qq.com (this one identified by you too), wesecure.qq.com, sv.map.qq.com, slab.qq.com, and so on.
So I'm not absolutely convinced that adding the four addresses you mentioned before to the hosts file would be enough; the firewall method seems more reliable to me.
Meanwhile I asked the developers of KingRoot directly about these suspicious connections on their own XDA thread; still waiting for an answer...
In my view, it is better to have no root at all than to use malware named KingRoot. Just don't buy devices with unlockable bootloaders...

How to solve "SUBSCRIBE" problem

flamery said:
By far the dodgiest app I have on my phone.
Running Wireshark, you will see it generating a lot of traffic; I found out this is analytical data they are collecting from you.
OMG, I had made this post some time back!
But I didn't think about the hosts file block.
KingRoot is not to be used for rooting.
To replace KingRoot, the best way is to:
1) download a recovery for your device
2) download Rashr for your device (as KingRoot blocks ALL other apps that may be used to replace it)
3) flash the recovery img file to the recovery partition
IMPORTANT
make sure your recovery is working
4) reboot back, go to settings in KingUser and choose FULL UNROOT
5) go to recovery and flash the SuperSU zip file http://www.supersu.com/download
Ta-da!
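An added example for the flashing step above; it is not from this post, nor from KingRoot, Rashr or SuperSU. It is a small POSIX shell script that refuses to write a recovery image to the partition unless the image's SHA-256 matches the value taken from its download page, since a wrong or truncated recovery image on a device with no working fastboot is hard to come back from. The partition path, the hash and the `DRY_RUN` switch are assumptions made for this example; the real path differs per device and is found under /dev/block/platform/*/by-name/ on the phone.

```shell
#!/bin/sh
# Added example (not from the post above): flash a recovery image only after
# its SHA-256 matches the value published with the image, and only from a
# shell that already has root on the phone. The partition path and the hash
# in the usage comment are assumptions; look yours up on the device.
set -u

sha256_of() {
    # Print the SHA-256 of "$1"; prefers coreutils, falls back to shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_image() {
    # verify_image FILE EXPECTED_SHA256 -> exit 0 on match, 1 otherwise
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

flash_recovery() {
    # flash_recovery IMAGE EXPECTED_SHA256 PARTITION
    # Refuses to touch the partition unless the hash matches. With DRY_RUN=1
    # it only prints the dd command it would run, which is how to rehearse.
    img=$1; want=$2; part=$3
    if ! verify_image "$img" "$want"; then
        echo "refusing to flash: $img does not match the expected SHA-256" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "dd if=$img of=$part bs=4096"
        return 0
    fi
    [ -b "$part" ] || { echo "$part is not a block device" >&2; return 3; }
    dd if="$img" of="$part" bs=4096 && sync
}

# Usage on the phone, after `su`, with values for your own device (assumed):
#   RECOVERY_PART=/dev/block/by-name/recovery        # find yours under by-name/
#   DRY_RUN=1 flash_recovery twrp.img <sha256 from the download page> "$RECOVERY_PART"
#   DRY_RUN=0 flash_recovery twrp.img <sha256 from the download page> "$RECOVERY_PART"
```

Reboot into the new recovery and confirm it comes up before doing the FULL UNROOT step, exactly as the post says; the checksum guards the image, not the choice of partition.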

Related

[Q] Gfirewall and Gsearch bloatware/virus problem.. HELP!

Hello guys, I have a problem as reported above with 2 bloatware apps on my Android phone: Gfirewall and Gsearch.
My phone model is UBTEL U8 (MTK model, China phone) and I'm running Android 4.2.2 ROOTED. I have no custom ROM/firmware installed.
These 2 apps appeared magically about 2/3 months ago, and I thought they were safe because of the Google logo and name. Nothing happened in these months except for some phone crashes and restarts, but 2 days ago a banner ad appeared on my home screen at phone restart and/or phone unlock. I use AdAway (similar to AdBlock) to disable ALL TYPES of banners, ads and related on my phone, browser and apps. When I went to AdAway I noticed that it was disabled: I enabled it again and restarted the phone... but banner ads still showing... so I went again into AdAway and it was disabled... again!
I have a similar problem with the 3G/H connection with Vodafone. Every time I disable the internet connection, it gets activated again in 1 minute max... so I can't disable the internet... never!
I removed these 2 bloatware apps today and fortunately they didn't show up again or get reinstalled... ads and AdAway blocks have disappeared. I started a lot of antivirus scans with Avira and nothing showed up... so I thought I was fine, BUT the internet problem persists... I can't disable the internet whenever I want. Could someone help me to solve this problem? I hope there is an alternative method to solve this without formatting/resetting the phone!
I have the same problem with Gfirewall and Gsearch on my STAR N9800.
Same full screen banner ad on my home screen.
On my phone there is Trend Micro Worry-Free Business Security Services as antivirus, but nothing was found after a full scan.
If I find something new, I'll write here.
user064 said:
I have the same problem with Gfirewall and Gsearch on my STAR N9800.
Same full screen banner ad on my home screen.
On my phone there is Trend Micro Worry-Free Business Security Services as antivirus, but nothing was found after a full scan.
If I find something new, I'll write here.
Hello! I solved it with a hard reset. If you want to try, I suggest you use Titanium Backup for your safe apps, so you won't lose anything.
MatthewTaylor92 said:
Hello! I solved it with a hard reset. If you want to try, I suggest you use Titanium Backup for your safe apps, so you won't lose anything.
I am facing the same issues. I do not think a hard reset will solve the problem; these two apps are embedded in the firmware, they lie dormant for a while then kick in, after a while, about 3 months after purchase.
I have tried uninstalling and they just re-install. If your phone is rooted, you can hibernate them with "App Quarantine".
I am struggling to deal with them, as my phone is not currently rooted.
FYI: CM Security now shows Gsearch as a virus.
Any solutions please??
Cheers, Martin
martinzx13 said:
I am facing the same issues. I do not think a hard reset will solve the problem; these two apps are embedded in the firmware, they lie dormant for a while then kick in, after a while, about 3 months after purchase.
I have tried uninstalling and they just re-install. If your phone is rooted, you can hibernate them with "App Quarantine".
I am struggling to deal with them, as my phone is not currently rooted.
FYI: CM Security now shows Gsearch as a virus.
Any solutions please??
Cheers, Martin
Remove them after rooting your phone!!! Seems so unimaginable that they are embedded in your ROM :/
pushkardua said:
Remove them after rooting your phone!!! Seems so unimaginable that they are embedded in your ROM :/
Yes, you are very likely to be correct. I was kinda hoping for a solution without rooting? Any ideas? Anyone?
Cheers, Martin
Same problem; rooted phone and uninstalled Gsearch and Gfirewall, but in one or two days they auto-reinstall.
Play Store
There is an app in the ROM called Play Store (not Google Play Store!) and Opera Service.
Remove those apps from the ROM to prevent advertisements at screen unlocking.
To remove Play Store and Opera Service your phone needs to be rooted (use Titanium Backup, for instance). You can check this by using a firewall like DroidWall.
If you can't root your device:
Use a firewall like Mobiwol if your device is not rooted (it creates an internal VPN where it can filter your traffic).
Suspicious files found running in the background
I have the same problem with the two files reinstalling by themselves after I delete them. I have a Chinese-made smartphone, Tronsmart PS7, running Android 4.2.2 rooted. After digging deeper into the files running in the background, I noticed there are files that have complete access to all the privilege rights in my phone other than Android System; they are android.cube, AdupsFotaReboot, RebootAndWriteSys and Common Data Service. I have tried to force these files to stop and it seems the problem is solved. Anyone have any ideas what these 4 files are for?
I don't think I'll do a hard reset; if these are hard-coded in the ROM, this is not a stable solution.
IMHO there are only two ways out:
1) do a virus submission request
I did this request 1 minute ago.
2) flash the device with another ROM (4.2.2 is getting old, anyway...)
You can see the manifests of Gsearch and Gfirewall; they are identical:
Not so good news...
Hi all,
in my case, I found a solution. Once MTKDroidTools was used to get root on the phone (root only, nothing else), I pressed the button "Delete China" and the application removed the files from the "files_for_delete.txt" list. After this, the problems are over!!!
Another way to do this with the phone already rooted is to do it manually, and you can follow the steps of:
http://forum.xda-developers.com/showpost.php?p=44455669
or
http://electricheatingcosts.com/removing-chinese-smartphone-spyware/
Best regards.
No more Gsearch and Gfirewall
I had the same problem with my new Chinese Teca N9900 and I found the same apps on my phone that you mentioned. I force stopped android.cube, AdupsFotaReboot, Common Data Service, and RebootAndWriteSys in the app manager in the settings and now Gfirewall and Gsearch have stopped automatically installing. I can't seem to enable them to restart even after I reboot the phone, except for "android.cube"; that app will restart after I reboot the phone, which may be the app causing them to reinstall. I'm not sure what exactly these apps do but my phone seems to work perfectly without them running. Thank you.
Pete636 said:
I had the same problem with my new Chinese Teca N9900 and I found the same apps on my phone that you mentioned. I force stopped android.cube, AdupsFotaReboot, Common Data Service, and RebootAndWriteSys in the app manager in the settings and now Gfirewall and Gsearch have stopped automatically installing. I can't seem to enable them to restart even after I reboot the phone, except for "android.cube"; that app will restart after I reboot the phone, which may be the app causing them to reinstall. I'm not sure what exactly these apps do but my phone seems to work perfectly without them running. Thank you.
It seems like now I don't have Gfirewall anymore, but Gsearch got reinstalled and I've got an ad displayed again, so this solution doesn't really work.
Uninstall Gsearch and Gfirewall.
I had the same troubles with my phone (Elephone P8). First I stopped the software, then I uninstalled it. So far so good. Didn't get popups until now.
Success.
Arthur
Netherlands
MatthewTaylor92 said:
Hello guys, I have a problem as reported above with 2 bloatware apps on my Android phone: Gfirewall and Gsearch.
My phone model is UBTEL U8 (MTK model, China phone) and I'm running Android 4.2.2 ROOTED. I have no custom ROM/firmware installed.
These 2 apps appeared magically about 2/3 months ago, and I thought they were safe because of the Google logo and name. Nothing happened in these months except for some phone crashes and restarts, but 2 days ago a banner ad appeared on my home screen at phone restart and/or phone unlock. I use AdAway (similar to AdBlock) to disable ALL TYPES of banners, ads and related on my phone, browser and apps. When I went to AdAway I noticed that it was disabled: I enabled it again and restarted the phone... but banner ads still showing... so I went again into AdAway and it was disabled... again!
I have a similar problem with the 3G/H connection with Vodafone. Every time I disable the internet connection, it gets activated again in 1 minute max... so I can't disable the internet... never!
I removed these 2 bloatware apps today and fortunately they didn't show up again or get reinstalled... ads and AdAway blocks have disappeared. I started a lot of antivirus scans with Avira and nothing showed up... so I thought I was fine, BUT the internet problem persists... I can't disable the internet whenever I want. Could someone help me to solve this problem? I hope there is an alternative method to solve this without formatting/resetting the phone!
UPDATE:
I'm trying "Disconnect Mobile" to limit the amount of data probably stolen by these two applications, and after the last uninstall of Gsearch and Gfirewall, they do not auto-reinstall!
Disconnect Mobile is a privacy app inspired by our award-winning browser software. The app actively blocks the biggest mobile trackers when you use an app or browse the web using 3G, 4G, LTE, or Wi-Fi. Optional packs include ad filtering and malware protection. Does NOT require root.
Features:
- Blocks the biggest mobile trackers from tracking and collecting your info
- Blocks ads from more than 2500 ad tracking services
- Blocks thousands of websites suspected of malware, spyware, phishing scams and more
Like all ad-blocker apps, you can't find this on the Play Store; you can find it on 1mobile, for example.
(I cannot post links)
Please let me know if this hint works on your phones
Hi all, my rooted phone is a Ulefone U9592 and I found this information:
http://androidforums.com/android-applications/864435-gfirewall.html
TEXT: "My phone is rooted, I set every APK to need confirmed install, and waited for the APK download and confirm install; I used Root Explorer to try to search which directory it is in. On my phone, I found "/data/user/0/com.cube.android" has the Gfirewall APK; I deleted that directory, and also checked whose APK creates this directory. The APK is Cube_CJIA01.apk in /system/app; I deleted this APK. It is fixed. (I think the name you find may not be the same as Cube_CJIA01.apk)"
Well, I revised this information and the folders are: "/data/user/0/com.cube.activity" or "/data/data/com.cube.activity", and in the folder "files" I found:
"_com.gsz.own.pack.apk" and "_com.zgs.gg.pack.apk" (GSearch and GFirewall). I deleted these APKs and I think the problem is solved..... NOT REALLY!!
If you check the folder "shared_prefs" you find various XML files with the information shared with ALISOFT (Chinese company) and specifically "ApkLoader.xml" with the URLs from which GSearch and GFirewall are downloaded. You only need to delete in the XML the parts you are not interested in.... well, if you reboot the phone, the infected XML files are restored. The best option is to delete the file Cube_CJIA01.apk (make a backup) and reboot the phone. The mentioned folder disappears and the phone works well. Enjoy!!!
Best regards.
Hi jorfen,
I want to follow your instructions, but I need to root my phone first.
Please can you give me some hint (or link) to find the right software?
I don't want to install another Chinese spyware (like probably VROOT) to remove GFirewall and GSearch
---------- Post added at 09:28 AM ---------- Previous post was at 08:54 AM ----------
Maybe I have already found the right answer to my question: Framaroot
Compatibility list:
http://www.tfq.me/rooting-almost-any-android-smartphone-without-computer/
App:
http://forum.xda-developers.com/apps/framaroot/root-framaroot-one-click-apk-to-root-t2130276
jorfen said:
If you check the folder "shared_prefs" you find various XML files with the information shared with ALISOFT (Chinese company) and specifically "ApkLoader.xml" with the URLs from which GSearch and GFirewall are downloaded. You only need to delete in the XML the parts you are not interested in.
I found two files, "ApkLoader.xml" and "ApkLoad.xml", with similar info inside, and in both of them I modified the string starting with
<string name="json">blah blah blah...</string> to <string name="json"></string>
jorfen said:
Well, if you reboot the phone, the infected XML files are restored. The best option is to delete the file Cube_CJIA01.apk (make a backup) and reboot the phone. The mentioned folder disappears and the phone works well. Enjoy!!!
On my phone I found some files with different names:
_com.gsz.own.pack.apk
_com.zgs.gg.pack.apk
core.apk
gad.apk
uac.apk
uac.dex
jorfen, was Cube_CJIA01.apk in "/data/user/0/com.cube.activity/files" (or similar) on your phone?
Thanks in advance,
Federico
Hi Federico,
I think you have already rooted the phone. Well, I used MTKDroidTools for this, found in this forum (and modified to only install "su" and "SuperUser.apk"). No problem, root is only needed for system access.
The app Cube_CJIA01.apk is in the folder "/system/app/" (the normal folder for system apps). The folder "/data/user/0/" is a soft link (use ln in Linux) to the folder "/data/data/". You find the same information in these folders; this is the default folder for working or written files used by the APKs. Every reboot of the phone regenerates the information in this folder.
Best regards.
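An added example, not jorfen's or Federico's own steps: a script that reads an Android SharedPreferences file such as ApkLoader.xml, pulls out the download URLs and package names hidden in its JSON string, and writes back a copy with that string emptied (the manual edit Federico describes). The XML below is constructed for this example; the package names come from the file names listed in this thread, while the URLs and the JSON key names are assumptions, which is why the extractor walks the JSON generically instead of relying on a schema. As jorfen says, the dropper APK in /system/app regenerates the file on reboot, so listing what it points at is mainly useful as evidence of what was being fetched; removing the APK is the fix.

```python
"""Added example (not from jorfen's or Federico's posts): read an Android
SharedPreferences XML such as ApkLoader.xml, list the download URLs and
package names the dropper was told to fetch, and emit a copy with the
instruction string emptied. The XML below is constructed for this script;
the real ApkLoader.xml is not shown on the page, so the JSON key names are
assumptions and the extractor does not depend on them."""
import json
import re
import xml.etree.ElementTree as ET

ANDROID_XML_HEADER = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"

# Constructed sample in Android's SharedPreferences format (not a real capture).
# The package names match the "_com.gsz.own.pack.apk" / "_com.zgs.gg.pack.apk"
# file names from the thread; the host dropper.example is made up.
SAMPLE_PREFS = ANDROID_XML_HEADER + """<map>
    <string name="json">{&quot;apks&quot;:[{&quot;pkg&quot;:&quot;com.gsz.own.pack&quot;,&quot;url&quot;:&quot;http://dropper.example/gsearch.apk&quot;},{&quot;pkg&quot;:&quot;com.zgs.gg.pack&quot;,&quot;url&quot;:&quot;http://dropper.example/gfirewall.apk&quot;}],&quot;interval&quot;:86400}</string>
    <long name="last_check" value="1431000000000" />
    <boolean name="enabled" value="true" />
</map>
"""

PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$")


def load_prefs(xml_text):
    """Parse SharedPreferences XML into a {name: value} dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    prefs = {}
    for child in root:
        name = child.get("name")
        if child.tag == "string":
            prefs[name] = child.text or ""
        elif child.tag in ("int", "long"):
            prefs[name] = int(child.get("value"))
        elif child.tag == "boolean":
            prefs[name] = child.get("value") == "true"
        elif child.tag == "float":
            prefs[name] = float(child.get("value"))
    return prefs


def _walk_strings(obj):
    """Yield every string leaf in a decoded JSON structure, in document order."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _walk_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk_strings(v)


def extract_dropper_indicators(prefs, key="json"):
    """Return (urls, packages) found anywhere in the JSON stored under `key`.
    Schema-agnostic on purpose: the real key layout is not known."""
    raw = prefs.get(key, "")
    if not raw.strip():
        return [], []
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return [], []
    urls, pkgs = [], []
    for s in _walk_strings(data):
        if s.startswith(("http://", "https://")):
            urls.append(s)
        elif PACKAGE_RE.match(s):
            pkgs.append(s)
    return urls, pkgs


def neutralize_prefs(xml_text, keys=("json",)):
    """Return a copy of the XML with the listed string values emptied, the
    equivalent of Federico's manual edit. The thread's own finding applies:
    the dropper APK rewrites this file on reboot, so do this only once
    that APK is gone from /system/app."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for child in root:
        if child.tag == "string" and child.get("name") in keys:
            child.text = ""
    return ANDROID_XML_HEADER + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    urls, pkgs = extract_dropper_indicators(load_prefs(SAMPLE_PREFS))
    print("download URLs:", urls)
    print("packages     :", pkgs)
    print(neutralize_prefs(SAMPLE_PREFS))
```

On a rooted phone the file to feed it is /data/data/com.cube.activity/shared_prefs/ApkLoader.xml (the path jorfen gives); copy it off with adb before editing so the URL list survives as evidence for a malware submission like the Trend Micro one above.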
Good news from my virus submission request at Trend Micro:
The two samples are confirmed as malware.
They will be detected as AndroidOS_FakeGSearch.A
From now on, all products coming from Trend Micro will handle this malware the right way.

Adware/Virus on Android

Hello,
I'm facing an adware issue on my HTC Desire 610.
Out of nowhere my phone's screen dims and an ad appears (while I'm on my home screen and all the apps are closed).
You can see the ads in the attachment.
Please tell me how to locate and remove it.
You could try running Malwarebytes, I've normally had quite good results with it.
It's one of the apps you're using. Go through the permissions your apps have.
genius911 said:
Hello,
I'm facing an adware issue on my HTC Desire 610.
Out of nowhere my phone's screen dims and an ad appears (while I'm on my home screen and all the apps are closed).
You can see the ads in the attachment.
Please tell me how to locate and remove it.
I also have this problem... I guess "Clean Master" is doing it on my Z3 Compact.
I have solved this issue on a Canvas A116 and Core Duos (GT-I8262).
Firstly, to check the severity of the virus do this: go to Settings > Security > Device administrators.
Try to remove all apps under Device administrators. If you are unable to remove them, it implies the virus is now embedded in your phone's firmware.
Solution: 1. Back up your contacts and media only (do not back up apps and app data).
2. Now you need to do a factory reset either from the recovery menu or using adb (a factory reset from 'Settings' won't work).
3. If you again see any app under Device administrators, then the only solution is to reflash your firmware.
About the virus: This virus came packed in several apps on the Play Store in April 2015; those apps were immediately removed from the Play Store. However, before its removal from the Play Store the virus had infected around 5000 smartphones. Some websites refer to it as the ghosthost virus. Still some non-Play Store apps carry this virus with them. Once you install such apps, the virus will first root your phone, and then grant itself superuser permissions without you even knowing it. Then it will install itself into the system folder so that it appears to be a system app. Whenever you are connected to the internet it will download adware and install it in the system folder. It's a very powerful virus; it also hides itself by running a script. Once it is in the system folder you won't be able to delete it because it imitates the file names of the system files.
There's a huge list of infected apps hosted by the Google Play Store. So I think it's not easy to keep our devices secure from virus infection.
AVG can correct the problem.
Hi guys! I have a serious adware problem on my Elephone P7000 and I hope you can help me out.
So it's been a few days and I haven't been able to uninstall this mofo.
Here's what the adware is doing:
- It used to open ads on the home screen. It did that disguised as a dancing matryoshka doll (which you could move around). Since I installed CM Security it stopped showing these kinds of ads.
- It opens pop-up windows with DU Battery Saver or other related apps (from the app store and from non-official stores), mostly when I browse the internet.
- It places vertical ad banners (like the normal ones on almost every app on the store) on some apps. It seems to be random, because it doesn't always happen on the same app, but it's always placed on the lower side of the phone.
- It installs push notifications with ads.
- I believe it shows app ads on the Google Play Store (I haven't installed any app in quite a while, so it could be Google implementing this).
I have tried a lot of apps:
- AVG
- Avira
- Avast
- Malwarebytes
- CM Manager (found a Stagefright vulnerability and fixed it)
- Stagefright Detector (with a vulnerable result)
- Addons Detector
- AirPush Detector
- TrustGo Ad Detector
- Adware
- Ad Clean & Antivirus Security
and not one has been able to remove this damn malware; they don't even spot it!
I've also tried looking at all the apps on the phone, searching for apps with all the permissions, and here's the list (I don't know if these are the problem or not):
- Aging test
- agoldFactory test
- Bluetooth
- Bluetooth Share
- Bluetooth LE
- Common data service
- e_Compass
- Elephone launcher (apparently it's the same as X Launcher, mysterious)
- LocationEM2
- MTK THERMAL MANAGER
- at least 3 different Phone apps, 2 with 4.4 icons and 1 with an Android 5.0 icon. All have access to everything (is it normal to have 3 apps with the same name but different icons?)
- Settings Storage
- Trusted Face
- YGPS
I have also cleared the cache of the phone, because I've read in several places that it helps (Settings -> Storage -> Clear cache data), but with no positive result.
I have also tried looking for admin permissions but the only things in there are CM Security and Android Manager (which I suppose is NOT an app but part of the OS).
I have tried looking for hidden files while checking my phone on my PC but there weren't any, nor did I find any weird app NOT installed by me.
I don't know if you have any other advice on what to do, or if you can help me reduce this list of apps so I can find the culprit app.
I'm afraid this is the ghost virus everyone's talking about; it appeared out of nowhere.
I haven't browsed that much, and when I do I always go to trusted sources. Apart from the Netflix app, which I downloaded a few days ago, I haven't downloaded anything in like 1 or 2 months and didn't have this problem until a few days ago, right after my girlfriend's phone (same model as mine) got the same problem.
We both had the "install from untrusted sources" option on because I was testing an app I am making, but I doubt that's the problem since we only activated it whenever I tried to install the app on the phone (like twice in a week).
She has sent me pictures or files through mail, WhatsApp or Telegram only, and it's the only link between our phones, besides being under the same Wi-Fi connection, of course.
Thanks in advance for the help!
This is a known issue with these types of devices. They have these ads built into the system APKs.
Hi!
Thanks for those solutions!
I have a question: where could I find Malwarebytes for Android?
Best regards.
Adware-infected HTC Desire 526G Plus
Guys, I am in a pickle!
I want to wipe my HTC Desire 526 Plus clean of malware that is causing it to download unwanted apps without consent. The malware seems capable of modifying the inherent permissions and bypassing all security features.
I am unable to gain root access with KingoRoot alone. The adware is not letting me update the Superuser app and is being nasty on purpose.
It can gain permission to automatically start Wi-Fi, gain permission to install 'Unknown Apps' and sends location and data with impunity. The ads are everywhere.
I have tried a stock backup but it still reinstalls all the malware and the same cycle begins again. What I want is a fresh stock ROM/NAND backup for this menace. Surprisingly I still can't find one link on the World Wide Web. Please help me find it.
alokmey3 said:
Guys, I am in a pickle!
I want to wipe my HTC Desire 526 Plus clean of malware that is causing it to download unwanted apps without consent. The malware seems capable of modifying the inherent permissions and bypassing all security features.
I am unable to gain root access with KingoRoot alone. The adware is not letting me update the Superuser app and is being nasty on purpose.
It can gain permission to automatically start Wi-Fi, gain permission to install 'Unknown Apps' and sends location and data with impunity. The ads are everywhere.
I have tried a stock backup but it still reinstalls all the malware and the same cycle begins again. What I want is a fresh stock ROM/NAND backup for this menace. Surprisingly I still can't find one link on the World Wide Web. Please help me find it.
KingoRoot is the reason you are in this jam as it is. I don't think HTC ever released anything for this device, so your best bet is to contact HTC.
ENERGYSER400 MTK6572 virus help, Android 4.4.2
Bonjour, hi.
For me it's exactly the same on my phone... I have the snowfoxer folder with a lot of malicious APKs in it and I don't know how to delete or erase the virus... without Wi-Fi and Google Play... how can I flash the firmware, please!
philjps said:
Hello, hi
For me it's exactly the same on my phone... I have the snowfoxer folder with a lot of malicious APKs in it and I don't know how to delete or erase the virus... without Wi-Fi and Google Play... how can I flash the firmware please!
Find the forum that supports your device model/carrier and post there. You'll likely find your answers there. If not, someone will help you.
HTC desire 526G+ bricked
zelendel said:
Kingo root is the reason you are in this jam as it is. I don't think HTC ever released anything for this device so your best bet is to contact HTC.
I have deleted my priv-app folder and now I am stuck in a boot loop, or just on the HTC logo.
Can't boot into recovery or bootloader (I tried). Tell me if you know something.

[Q] iRoot(Vroot) detected as an Android.Spy Virus?

Hello everyone! I am not new here; I have an old account "JBmorris", however I don't use it anymore.
Anyway, does anyone know iRoot (formerly Vroot)? If so, I'm going to need your help.
I am a person who almost always scans files before running them. So yesterday I downloaded iRoot and scanned it, and it was detected as a virus called "Android:Agent-GYN [PUP]" (Avast) and "Android/Spy.Agent.Y.Gen" (Avira).
It was scanned on VirusTotal.
I am afraid of hackers spying on me.. can you clarify this for me? Thanks.
JBmorris289 said:
Hello everyone! I am not new here; I have an old account "JBmorris", however I don't use it anymore.
Anyway, does anyone know iRoot (formerly Vroot)? If so, I'm going to need your help.
I am a person who almost always scans files before running them. So yesterday I downloaded iRoot and scanned it, and it was detected as a virus called "Android:Agent-GYN [PUP]" (Avast) and "Android/Spy.Agent.Y.Gen" (Avira).
It was scanned on VirusTotal.
I am afraid of hackers spying on me.. can you clarify this for me? Thanks.
As far as I know it's safe to use iRoot (formerly VRoot). I used it before and my computer is free of viruses. Many root "exploits" are detected as viruses or PUPs. Just disconnect your internet, disable AV for rooting, delete iRoot once done OR add iRoot to your AV's exceptions. BUT you should swap the superuser app it contains for SuperSU once rooted.
But what about the Android Spy Agent detections?
JBmorris289 said:
But what about the Android Spy Agent detections?
As I said, once the phone is rooted install SuperSU. SuperSU will prompt you to uninstall the crappy Chinese superuser app and you're done.
LS.xD said:
As I said, once the phone is rooted install SuperSU. SuperSU will prompt you to uninstall the crappy Chinese superuser app and you're done.
Ah...okay. Thanks!
I used iRoot/VRoot but my phone got infected with something. After using the root application (which does work) it installed several more apps and I'm getting popups in my browsers and WhatsApp. So far I haven't been able to remove it.
Any luck removing this? I tried using iRoot on my Galaxy S5 G900W8 and root failed, but I got a bunch of apps installed. The damn thing is in Chinese and I can't read anything..... grr! This thing is sketchy... I'd say IF you're going to try it, do it NOT connected to the internet (disable data/Wi-Fi). MAYBE then you won't get all these ****ty apps.....
But for me it has not worked thus far...
Happened to me yesterday. It was so painful! This junk installed 2 stubborn trojans in system/priv-app. Impossible to remove even with a factory reset. It gains admin privileges, starts downloading crap from the net, fills the display with porn pics etc. Kingroot saved the day in the end! Managed to root my phone and clean the mess. It was a whole-day battle.
BTW, credit to Stubborn Trojan Killer as well! It showed me the location, but wasn't able to clean because the phone wasn't really rooted.
Also, Total Commander was the only file manager capable of opening that dir without root.
P.S. The first trojan was named "shell" and had version 1.0. The original shell app has a higher version. That's how you know which is the good one and which is the bad one. The other trojan was named something like xy_1_some digits. You should stop that "shell" crap immediately and disable it. It will be hard, but possible to do. Otherwise you wouldn't be able to do anything.

Need Help: BEEN Infected by MALWARE Lenovo tab model a5500-hv android version 4.4.2

model number : lenovo a5500-hv
android version: 4.4.2
baseband version: a5500-hv.v34, 2014/05/08 22:28
kernel version: 3.4.67
build number: a5500hv_a442_000_011_140508_row
As shared in the subject, my Android tab is infected by malware and multiple issues have started lately:
a) Constant popup message stating "Unfortunately, com.system.update has stopped"
b) Constant popup message stating "Unfortunately, org.snow.down.update has stopped"
c) Constant popup asking to INSTALL the application "com.android.keyguard"
d) Automatic check (on) in Settings > Security > Allow installation of apps from unknown sources, despite my regularly unchecking it (it gets reactivated again). Device Administrators shown are Android Device Manager (ticked) and Daemon Service (listed twice, unchecked).
e) Installed Malwarebytes Anti-Malware; upon scanning it detected these 11 malwares, which it is unable to delete (Norton is unable to even detect them). Any open app which I try to use is abruptly closed after some seconds.
Malware name - Path
Android/Backdoor.Triada.c - /system/priv-app/higher.apk (file linked to be uninstalled: AppManage)
Android/Backdoor.Triada.js - /system/priv-app/BCTService.apk (file linked to be uninstalled: bcct_service)
Android/Trojan.Rootnik.I - /system/priv-app/Bseting.apk (file linked to be uninstalled: com.android.sync)
Android/Trojan.SMSSend.ge - /system/app/com.android.token.apk (file linked to be uninstalled: com.android.taken)
Android/Trojan.OveeAd.F - /system/priv-app/com.mws.tqy.vsdp.apk (file linked to be uninstalled: com.system.update)
Android/Backdoor.Triada.J - /system/priv-app/com_android_goglemap_services.apk (file linked to be uninstalled: GoogleMapService)
Android/Trojan.Dropper.Shedun.dc - /system/priv-app/parlmast.apk (file linked to be uninstalled: GuardService)
Android/Trojan.Dropper.Agent.MJ - /system/priv-apk/Sooner.apk (file linked to be uninstalled: PhoneService)
Android/Trojan.OveeAd.J - /system/priv-apk/com.tsr.eny.hyu.apk (file linked to be uninstalled: system.bin)
Android/Trojan.Guerrilla.Q - /system/priv-apk/NAT.apk (file linked to be uninstalled: SysTool)
Android/Trojan.Triada.m - /system/priv-apk/com.glb.filemanager.apk (file linked to be uninstalled: UPDATE)
PS: If I try to connect to the Internet, app icons are downloaded and auto-open displaying porn images.
Please assist to REMOVE the MALWARE INFECTION. Tried FACTORY DATA RESET from Settings, but no help. Tab not rooted.
Solution
Last night I got some pesky malware. For now I think I removed it. Get Avast and see what it can find. After that, try to remove the files from a file explorer and, the most important thing, go to Settings > Security > Device Administrators. From there remove everything, and now from Avast you should be able to remove the infected apps. Hope I helped.
Tried CM's Stubborn Trojan remover from the Play Store and it did the trick, as in it disabled the infected processes, but at the end it took my mail ID with a follow-up request, if raised, to get the device cleaned of malware. Cross-checked with Malwarebytes and Kaspersky, and it looks seemingly clean with no active culprits. Though not checked with Wi-Fi or a data connection through the SIM.
Sent from my A0001 using XDA-Developers mobile app
Ashish1+1 said:
Tried CM's Stubborn Trojan remover from the Play Store and it did the trick, as in it disabled the infected processes, but at the end it took my mail ID with a follow-up request, if raised, to get the device cleaned of malware. Cross-checked with Malwarebytes and Kaspersky, and it looks seemingly clean with no active culprits. Though not checked with Wi-Fi or a data connection through the SIM.
Sent from my A0001 using XDA-Developers mobile app
Did it root your phone first? Else I can't see how it would be able to get to those apps installed as system. If so, if it were me, I'd unroot my phone at the very least & uninstall the CM apps since they do not have a good reputation so far as data snooping and excessive app permissions etc. go.
e.g. (from The Capitol Forum)
The apps require extensive access to the devices on which they run, and they are able to harvest a great deal of data about users’ interests, demographics and location. Cheetah Mobile’s business model is not significantly different from the way in which some major American tech companies such as Facebook monetise their free products. However, Cheetah Mobile is different from American tech companies in that its headquarters are located in China and its data servers are primarily located there as well, and its main business partners are major Chinese tech firms. The Chinese government, according to sources, accesses its companies’ data for internal security, economic competitiveness or other purposes. Cheetah Mobile, and similar companies, represents a major point of entry for China to access American app marketplaces and their users to gather information. However, U.S. government officials in national security and intelligence agencies are highly aware of surveillance and hacking both inside and outside China, presumably coming from actors affiliated with the Chinese state.
See the Alteco report (about investment risks, but they ran tests on other apps that didn't do anything; what, battery savers don't help!!! :silly: )
https://drive.google.com/file/d/0B_zW4GWDn5wpVDBiLUpDcE9IS0E/view
Now I haven't used the app you quote, but if it didn't root your phone then it can't have removed the malware and they are likely up to their old tricks, i.e. the app doesn't really work, they have just been blocked or something. (Ask yourself why there aren't other apps from well-known companies that can remove trojans in system on the Play Store?) And with their dodgy reputation for ads & selling user data, if it did root your phone you may only be slightly better off!!?? But at least it should only be your user data they are gathering and not your bank account number to try and get your money like the malware guys!
Anyhow, happy for you if you really are free of malware, and don't forget to change all your passwords for all accounts, your routers etc., else you could be reinfected by the time you read this!
I would reflash the stock ROM to be sure (back up ALL your pics, texts, addresses, WhatsApp etc. etc.)
I would also be interested to know how the app worked, if you can explain it. Did it say it would ROOT your phone? (There is nothing in their write-up to say it will; Google would not allow an app that can root on the Play Store, as far as I know.) Do you have an app that can read what system apps are installed, like Link2sd? Does that show any of the malicious APKs?
Thanks. No, I did not root my phone, but judging by the way removal came (easy) I too was a bit surprised with the outcome. No sooner had I decided to remove the CM app than the trojans and malware again became evident, meaning they were just being suppressed in a way, not removed, and now came back again (when it was removed).
Sent from my A0001 using XDA-Developers mobile app
Ashish1+1 said:
Thanks. No, I did not root my phone, but judging by the way removal came (easy) I too was a bit surprised with the outcome. No sooner had I decided to remove the CM app than the trojans and malware again became evident, meaning they were just being suppressed in a way, not removed, and now came back again (when it was removed).
Sent from my A0001 using XDA-Developers mobile app
Sorry to hear this. However, I think it is possible that the CM app did its job, as those malicious apps have probably already rooted your phone, so CM may have just used that root access without informing you, though whether or not other apps like the CM app can still use that root I'm not sure; it depends if it's been left "on". I did watch a video on YouTube for the CM Stubborn Trojan app and the guy had to root his phone first. (You could try some/several of the root checker apps, if you want to know.) So let's assume the CM app worked properly and removed the trojan, as it could get root without giving you a root request notification.
It's entirely possible that your reinfection is from your external SD card or via some other means, e.g. your router has had some ports opened, or some other means. (Sorry, I should have said reset router when I said change router password [do this for all routers you use & update firmware & ensure remote access is off (ref. Dirty COW) while you are about it too!])
So I would reinstall CM Stubborn Trojan (let's assume it removes malware as it has root; even if it just blocks them it helps us) so you can then reflash the official stock ROM for your country (& update to the newest version if available). You must flash the FULL stock ROM so all partitions are reflashed; a partial stock or custom ROM will not do this & potentially leaves you open to reinfection! Reflashing the FULL STOCK ROM is the only way to "easily" be sure you have cleaned the malware from your phone. NOTE: just doing a factory reset will NOT remove the malicious apps if they are in operating system folders; this only works for malicious apps in user data areas! Then you must make sure all possible ways you can be reinfected, e.g. via sync, external SD cards or storage, your PC, router etc., are cleaned/blocked/reset/updated.
If you are not getting updates for your ROM you might want to consider installing a custom ROM (AFTER you have flashed the stock ROM!) from a reliable & trustworthy source, if available for your model, so that you get security patch updates. But you need to research and consider the risks of things like bricks, security etc. for yourself first.
Hope this helps you clean your phone.
Sometimes it's the firmware itself that is infected.
IronRoo said:
Did it root your phone first? Else I can't see how it would be able to get to those apps installed as system. If so, if it were me, I'd unroot my phone at the very least & uninstall the CM apps since they do not have a good reputation so far as data snooping and excessive app permissions etc. go.
e.g. (from The Capitol Forum)
See the Alteco report (about investment risks, but they ran tests on other apps that didn't do anything; what, battery savers don't help!!! :silly: )
https://drive.google.com/file/d/0B_zW4GWDn5wpVDBiLUpDcE9IS0E/view
Now I haven't used the app you quote, but if it didn't root your phone then it can't have removed the malware and they are likely up to their old tricks, i.e. the app doesn't really work, they have just been blocked or something. (Ask yourself why there aren't other apps from well-known companies that can remove trojans in system on the Play Store?) And with their dodgy reputation for ads & selling user data, if it did root your phone you may only be slightly better off!!?? But at least it should only be your user data they are gathering and not your bank account number to try and get your money like the malware guys!
Anyhow, happy for you if you really are free of malware, and don't forget to change all your passwords for all accounts, your routers etc., else you could be reinfected by the time you read this!
I would reflash the stock ROM to be sure (back up ALL your pics, texts, addresses, WhatsApp etc. etc.)
I would also be interested to know how the app worked, if you can explain it. Did it say it would ROOT your phone? (There is nothing in their write-up to say it will; Google would not allow an app that can root on the Play Store, as far as I know.) Do you have an app that can read what system apps are installed, like Link2sd? Does that show any of the malicious APKs?
In my case, I have a similar issue - however, it's an infected SYSTEM file - which Malwarebytes spotted (but is unable to remove), and is NOT related to the KingRoot dodgy file. It's actually two different Trojans - both in /system/priv-app (settings.apk and smsservices.apk) - the first is the more problematical. (It's problematical because it's a critical system file/app/service - killing it without a replacement is NOT an option.) How the heck do you replace such a critical system file when it got itself hijacked?
In this case, I would agree with just a complete factory reset or ROM reflash. Like it is simply too much of an issue to try removing and recovering everything. Especially, once it's deep within your system....
Josh Ross said:
In this case, I would agree with just a complete factory reset or ROM reflash. Like it is simply too much of an issue to try removing and recovering everything. Especially, once it's deep within your system....
This was what I did finally: I went to the service centre and spent bucks. They reloaded the firmware I suppose (not flashing it) and instantaneously it was as good as new. I think the malware was itself part of the original installation, like UC Browser: it was there. It just activated after some time, or maybe I clicked on some advertisement while running an app and then the hell happened.
Anyway, it's working fine; added an adblocker, restricted usage to a few apps and keeping my fingers crossed for the future.
Sent from my A0001 using XDA-Developers Legacy app
Yeah, the bloatware that you get with some phones nowadays is unbearable. If there is an option, go with a rooted phone, a custom ROM and a couple of custom solutions for protection and you will be good to go. And they work better than the defaults most of the time. Good luck! Hopefully we will only be hearing good news from you.
PGHammer said:
In my case, I have a similar issue - however, it's an infected SYSTEM file - which Malwarebytes spotted (but is unable to remove), and is NOT related to the KingRoot dodgy file. It's actually two different Trojans - both in /system/priv-app (settings.apk and smsservices.apk) - the first is the more problematical. (It's problematical because it's a critical system file/app/service - killing it without a replacement is NOT an option.) How the heck do you replace such a critical system file when it got itself hijacked?
I'd reflash stock.

How to remove recurring virus in android 4.4.2 lava iris atom 2

I have a virus on my phone, the device mentioned in the title. I have read about it on some websites, and one on XDA too, but it didn't help. I hard reset it a lot from the power and volume buttons. It still comes back. My device was rooted using KingRoot. The virus installs many apps. I do not know the exact file names; it was like asd.htj.zcx, zgf.iok.lkj etc. I get it every time I connect to the internet. It creates shortcuts to porn sites (sex club, hot videos). I do not own the device, it's my mom's, and she will be mad if she sees it. I couldn't suspect any apps that could do it; I would have removed them if I could suspect them. It gives another type of ad about Juggernaut Champions and UC Browser (which I already had). It displays full-screen ads, excluding the status bar, stating "launcher loading". It just draws its content over other apps, as I noticed while I held down the home button and saw the recent apps view. And I discovered that if I turn off Wi-Fi it's gone, until the time I turn Wi-Fi back on.
I couldn't install a custom ROM as my phone is not detected in the Spreadtrum driver update tool.
The official update from lavamobiles.com fails halfway through verification.
I have good experience with Samsung devices, but I don't know about others.
Plz help!! Fast!!!
sashinm said:
I have a virus on my phone, the device mentioned in the title. I have read about it on some websites, and one on XDA too, but it didn't help. I hard reset it a lot from the power and volume buttons. It still comes back. My device was rooted using KingRoot. The virus installs many apps. I do not know the exact file names; it was like asd.htj.zcx, zgf.iok.lkj etc. I get it every time I connect to the internet. It creates shortcuts to porn sites (sex club, hot videos). I do not own the device, it's my mom's, and she will be mad if she sees it. I couldn't suspect any apps that could do it; I would have removed them if I could suspect them. It gives another type of ad about Juggernaut Champions and UC Browser (which I already had). It displays full-screen ads, excluding the status bar, stating "launcher loading". It just draws its content over other apps, as I noticed while I held down the home button and saw the recent apps view. And I discovered that if I turn off Wi-Fi it's gone, until the time I turn Wi-Fi back on.
I couldn't install a custom ROM as my phone is not detected in the Spreadtrum driver update tool.
The official update from lavamobiles.com fails halfway through verification.
I have good experience with Samsung devices, but I don't know about others.
Plz help!! Fast!!!
If your mom hasn't killed you yet, follow these steps.
1. Download ES File Explorer from Google Play.
2. Run the app and navigate to the "Apps" page.
3. Sort installed apps by date, making the most recently installed apps appear first.
4. Using ES File Explorer, uninstall the suspicious-looking apps. Or navigate to data/app or system/app and delete the apps manually. You can sort the files (APKs) in the system/app folder by date. That should make it easier to locate the newly installed malware.
5. After you've removed all the suspicious apps, reboot and connect to Wi-Fi/mobile data to make sure all the malicious apps are gone (you shouldn't get the popups or the shortcuts anymore).
6. If everything works as intended, uninstall ES File Explorer.
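The sort-by-date idea in the steps above can be done from a PC over adb instead of from a file manager on the infected phone, which also catches the /system/priv-app case that the later reply in this thread runs into. The script below is an added example, not code from the thread or from any of the tools named in it. It assumes you have captured `adb shell dumpsys package packages` to a file (the `Package [...]`, `codePath=` and `firstInstallTime=` lines are what it reads); the sample dump embedded in it is constructed, with package names borrowed from posts in this thread. The detection heuristic is that genuine system apps share one firstInstallTime (the firmware build, or the first boot after a reset), so a package under /system/app or /system/priv-app whose time sits well after that cluster was written there afterwards.

```python
"""Added example: triage a `dumpsys package` dump for APKs dropped into
/system after the firmware was built, then emit no-root `pm disable-user`
commands for them.  SAMPLE_DUMP is constructed, not a real device capture."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: two genuine system packages sharing the build time,
# two late drop-ins under /system/priv-app, and one ordinary user app.
SAMPLE_DUMP = """\
Package [com.android.settings] (1a2b3c):
    codePath=/system/priv-app/Settings
    versionName=4.4.2-eng
    firstInstallTime=2014-05-08 22:28:00
Package [com.android.phone] (2b3c4d):
    codePath=/system/priv-app/TeleService
    versionName=4.4.2-eng
    firstInstallTime=2014-05-08 22:28:00
Package [com.system.update] (3c4d5e):
    codePath=/system/priv-app/com.mws.tqy.vsdp
    versionName=1.0
    firstInstallTime=2016-03-11 09:17:43
Package [org.rain.ball.update] (4d5e6f):
    codePath=/system/priv-app/org.rain.ball.update
    versionName=1.0
    firstInstallTime=2016-03-12 18:02:10
Package [com.whatsapp] (5e6f7a):
    codePath=/data/app/com.whatsapp-1
    versionName=2.16.1
    firstInstallTime=2016-02-01 12:00:00
"""

PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
FIELD_RE = re.compile(r"^\s+(codePath|versionName|firstInstallTime)=(.*)$")
SYSTEM_DIRS = ("/system/app/", "/system/priv-app/")


def parse_dumpsys(text):
    """Return one dict per package: name, codePath, versionName, firstInstallTime."""
    pkgs, cur = [], None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            cur = {"name": m.group(1)}
            pkgs.append(cur)
            continue
        f = FIELD_RE.match(line)
        if f and cur is not None:
            cur[f.group(1)] = f.group(2).strip()
    for p in pkgs:
        p["firstInstallTime"] = datetime.strptime(
            p["firstInstallTime"], "%Y-%m-%d %H:%M:%S")
    return pkgs


def is_system(p):
    """True when the APK lives on the system partition (survives a factory reset)."""
    return p["codePath"].startswith(SYSTEM_DIRS)


def newest_first(pkgs):
    """The sort-by-date step from the post above: all package names, newest install first."""
    return [p["name"] for p in
            sorted(pkgs, key=lambda p: p["firstInstallTime"], reverse=True)]


def flag_late_system_apps(pkgs, slack=timedelta(days=1)):
    """System-partition packages installed more than `slack` after the baseline,
    where the baseline is the most common firstInstallTime among system packages.
    A dropped-in APK carries the time it was written and stands apart from that cluster."""
    sys_pkgs = [p for p in pkgs if is_system(p)]
    if not sys_pkgs:
        return []
    baseline, _ = Counter(p["firstInstallTime"] for p in sys_pkgs).most_common(1)[0]
    late = [p for p in sys_pkgs if p["firstInstallTime"] - baseline > slack]
    return sorted(late, key=lambda p: p["firstInstallTime"])


def disable_commands(flagged):
    """Freeze the flagged packages for the primary user through adb (no root needed;
    the same effect as disabling them in Settings).  Freezing stops the droppers
    running; only a full stock reflash actually removes files from /system."""
    return [f"adb shell pm disable-user --user 0 {p['name']}" for p in flagged]


if __name__ == "__main__":
    pkgs = parse_dumpsys(SAMPLE_DUMP)
    flagged = flag_late_system_apps(pkgs)
    for p in flagged:
        print(f"{p['firstInstallTime']}  {p['codePath']}  {p['name']}  v{p['versionName']}")
    print("\n".join(disable_commands(flagged)))
```

Run it against a real capture with `parse_dumpsys(open("dumpsys.txt").read())`. The baseline is recomputed from the dump rather than taken from the build number, because an OTA or a factory reset can shift every system package's firstInstallTime at once while still leaving later drop-ins as outliers; widen `slack` if a vendor update landed shortly after the build.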
Thanks
Freewander10 said:
If your mom hasn't killed you yet, follow these steps.
1. Download ES File Explorer from Google Play.
2. Run the app and navigate to the "Apps" page.
3. Sort installed apps by date, making the most recently installed apps appear first.
4. Using ES File Explorer, uninstall the suspicious-looking apps. Or navigate to data/app or system/app and delete the apps manually. You can sort the files (APKs) in the system/app folder by date. That should make it easier to locate the newly installed malware.
5. After you've removed all the suspicious apps, reboot and connect to Wi-Fi/mobile data to make sure all the malicious apps are gone (you shouldn't get the popups or the shortcuts anymore).
6. If everything works as intended, uninstall ES File Explorer.
Thank you!
But I already did that. :good::good::good:
I was inactive to reply, so if I am late: I checked my email and got the reply.
The method was pretty much the same.
The differences from the method are:
I used Link2SD to do so,
and I found that they weren't in /system/app/ but in /system/priv-app/.
I tried uninstalling them and it said reboot device. Still they were not uninstalled.
I have just frozen them. And now it works fine.
Good news for non-rooted people: you can disable the apps if you have the same virus.
If you still have the virus after disabling the apps then you can use Link2SD without root to view the system apps and sort them according to date.
The names of the apps are:
Android Media Service
catstudio
netalpha
org.rain.ball.update
PhoneService
Good news: the device is mine now :laugh::laugh::laugh:
I classified the virus and its impacts and removed the explicit one.
And let my mom use Facebook for a while; I know it sounds cruel but I had to do it.
She had an experience from hell. Then I disabled the SIM and said "Now even the SIM doesn't work" :cyclops::cyclops::cyclops:
sashinm said:
Thank you!
But I already did that. :good::good::good:
I was inactive to reply, so if I am late: I checked my email and got the reply.
The method was pretty much the same.
The differences from the method are:
I used Link2SD to do so,
and I found that they weren't in /system/app/ but in /system/priv-app/.
I tried uninstalling them and it said reboot device. Still they were not uninstalled.
I have just frozen them. And now it works fine.
Good news for non-rooted people: you can disable the apps if you have the same virus.
If you still have the virus after disabling the apps then you can use Link2SD without root to view the system apps and sort them according to date.
The names of the apps are:
Android Media Service
catstudio
netalpha
org.rain.ball.update
PhoneService
Good news: the device is mine now :laugh::laugh::laugh:
I classified the virus and its impacts and removed the explicit one.
And let my mom use Facebook for a while; I know it sounds cruel but I had to do it.
She had an experience from hell. Then I disabled the SIM and said "Now even the SIM doesn't work" :cyclops::cyclops::cyclops:
I'm glad you got them removed.
You're cold, bro.
But you got a new phone so :good:
Flash the device
using ResearchDownload (Spreadtrum):
1. Install the Spreadtrum driver on the PC.
2. Firmware: firmwarefile*com/lava-iris-atom-2
Freewander10 said:
I'm glad you got them removed.
You're cold bro
But you got a new phone so :good:
Thanks
And actually I got an old phone :silly::silly::silly:
But something is better than nothing:good::good:
danmrz said:
using ResearchDownload (Spreadtrum):
1. Install the Spreadtrum driver on the PC.
2. Firmware: firmwarefile*com/lava-iris-atom-2
My device isn't detected in the flash tool, while it is detected in the auto driver installer.
