Jump to content

How can I remove JS/DwnLdr-MON trojan from Android

Recommended Posts

After a year of dependable service, my HTCOne Android 5.0.1 (HTC HTC6526LVW_4.17.605.9-4.17.605.5_R4) has been downloading what appears to be the same or similar zip file, all in the following name format:


FedEx_00000118613-20151014-165026368.zip I -r


The first section of letters, underscore and numbers is always the same. The second section is the date. The third section is the time (on a 24 hour basis). And the last five digits are different each time, though they are not consecutive from file to file nor are they always in increasing numbers.


The zipfile contains one file named FedEx_00000118613.doc.js.

The usually come two at a time, though at times there have been 6 at once; it appears to always be an even number of files. They are almost all 274 kb though a few of the duplicates are 271 kb. The first file at a time to download may be of either size, though it usually seems to be the 2.71. There is almost always a 2.71 tn the files that download at the same time, but there is never more than one 2.71. The files download every time I turn on WiFi or mobile data if sufficient time has passed since the last download. They download whether set to only WiFi or only mobile data.

They do not download when only bluetooth is on nor are they associated with email because I access my email accounts from several devices and my PC does not get the downloads.


I reset the phone after saving my data--but not my files--to Verizon cloud, but I found the files were still downloading. I then downloaded Kaspersky and Webroot (the latter of which had been on my phone by subscription at the time I developed the problem). One of the apps, presumably, now strips the virus from the downloaded file, leaving the following as a text file but leaving the downloaded files:


This attachment contained a virus and was stripped.
Filename: =?utf-8?B?RmVkRXhfMDAwMDAxMTg2MTMtMjAxNTEwMTUtMTAwNjA1NjI0LnppcA==?=
Content-Type: application/zip
Virus(es): JS/DwnLdr-MON
I also downloaded Malwarebytes Anti-Malware Mobile today but it showed no virus after a scan. But there has to be something on my phone that is calling these downloads. After installing Malwarebytes, I no longer see the downloaded files, just the text file with the above message.

I also began noticing problems with my phone last week in NC and this week in WA. At times the call immediately says "Call has been lost' Sometimes that happens in global mode, sometimes in LTE only mode. Verizon says I should use the latter. In addition, with the mobile data "On", it said it was "Disconnected" but I could access the internet. A Verizon rep thought it might be the SIM card but he did not have a micro card available when I spoke with him.

Attached is a screenshot of several days ago. There were 32 downloads from 0722 to 1736.


How can I get this off my phone?

Thanks for any help.


Link to post
Share on other sites

Hello and :welcome: :


This section of the forum is reserved for malware removal help on the Windows platform. ;)


If you need help with malware removal for your Android device, then you might want to start with the advice in this pinned topic in the MBAM-Mobile Forum here:

MBAM Mobile Support


It contains helpful advice and a link to MBAM-Mobile Help Desk for assistance with cleaning your Android phone. :)


Thank you,

Link to post
Share on other sites

  • 6 months later...
  • Root Admin

We're sorry. It looks like your topic was somehow overlooked. Due to the length of time we'll go ahead and close this topic now but if you still actually need help please send a private message to one of the Moderators and we'll assist you.Thank you and sorry we missed your topic.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.