aninkling

Everything posted by aninkling

  1. Ugh. Can't believe it. The title should read Android/trojan.Boogr.gsh. Can an administrator fix this mess so it can be accurately searched?
  2. My phone mysteriously got this new "app"... I hadn't installed anything recently and, to my knowledge, I hadn't navigated to any potentially unsafe web pages. It was called "edge" or Function- the app on the phone was called Function, but the messages were about edge. The app wanted permission to be the launcher. I ran the mobile version of Malwarebytes and got the message in the title. What is this and how did it get there? There doesn't appear to be anything of use on a web search, but could be user error.
  3. Started by removing all spyware and antivirus. No network. Then ran Hijackthis, which substantiated diagnosis. Ran a couple month old copy of Malwarebytes and confirmed:

     Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org

     Database version: 3930

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 7.0.5730.11

     6/7/2010 10:06:40 PM
     mbam-log-2010-06-07 (22-06-40).txt

     Scan type: Full scan (C:\|)
     Objects scanned: 161950
     Time elapsed: 1 hour(s), 7 minute(s), 50 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 5
     Registry Values Infected: 0
     Registry Data Items Infected: 2
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.74,85.255.112.102 -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a2536e10-ac57-48db-a1ef-e9f3852d4d39}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.74,85.255.112.102 -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

     I am currently running GMER. Will report tomorrow morning.
  4. I've followed this particular sequence with great interest because I have seen the same behavior and had to resort to a reinstall. Backing up, is this process, outlined in the above appends, appropriate for general use and if so, under what conditions? Is there a specific set of indicators that suggest that this laborious process must be followed? I'd appreciate some 10,000 ft summary. Thank you. This is in regards to this post: http://www.malwarebytes.org/forums/index.p...st&p=131601
  5. We have been battling an unknown, probably new scareware that can:
     - disables and hijacks the popular virus and malware programs, including Malwarebytes... seems to impersonate McAfee.
     - stops hijackthis from running even if the name is changed
     - stops the recovery process- so we can't recover to an earlier time
     - otherwise, locks the system until we respond affirmatively to its requests
     - looks like "Protection System" but none of the above behaviors have been reported.
     Articles describing the objects associated with this could not be found. We finally had to break its back by using linux and then reloading the operating system from scratch. I couldn't attach a symptoms file, but I have a word document with pictures and videos of what happens. Thank you.