FIX for Monkey Test & Time Service Virus (Without Flashing)


umbrellaCO

New member
Jun 9, 2016
3
1
Hello

I cannot install busybox completely because the system folder is locked r/o.

I tried to change it with Root Explorer... but I did not succeed... and I have root.

At the moment I have all the malware frozen and under control; the phone works properly except for the detail of the system folder being locked to r/o.

Apparently the virus is blocking the system folder to avoid being eliminated. Will there be some solution to return the system folder to r/w? :(
 

Nuh99

Senior Member
Sep 4, 2015
79
77
Samara
Hello

I cannot install busybox completely because the system folder is locked r/o.

I tried to change it with Root Explorer... but I did not succeed... and I have root.

At the moment I have all the malware frozen and under control; the phone works properly except for the detail of the system folder being locked to r/o.

Apparently the virus is blocking the system folder to avoid being eliminated. Will there be some solution to return the system folder to r/w? :(

Hello,
Please do this in order!
1) Root your phone again with KINGROOT not Kingoroot.
2) Install SuperSume and run it. It'll replace Superuser with SuperSU.
3) Install busybox.
4) Report back!
 

umbrellaCO

New member
Jun 9, 2016
3
1
Hello,
Please do this in order!
1) Root your phone again with KINGROOT not Kingoroot.
2) Install SuperSume and run it. It'll replace Superuser with SuperSU.
3) Install busybox.
4) Report back!

Hello Nuh99, thanks for the help :good:


I had already rooted with Kingroot, then replaced Kingroot with SuperSU.

Currently I have root access fully functional and verified.

But I can't complete the installation of busybox and again cannot change the system folder to r/w.


Thanks again.
 

Nuh99

Senior Member
Sep 4, 2015
79
77
Samara
Hello Nuh99, thanks for the help :good:


I had already rooted with Kingroot, then replaced Kingroot with SuperSU.

Currently I have root access fully functional and verified.

But I can't complete the installation of busybox and again cannot change the system folder to r/w.


Thanks again.

Try busybox on rails.
 

PAPalinskie

Senior Member
Jun 23, 2013
204
22
Cavite
Xiaomi Poco X3 NFC
Newly discovered EXPLOIT:

New exploit replaces system apps. These exploits are from the pornclub exploit vulnerability issue due to automatically installing in user and system. You can only remove the exploit by re-flashing your full ROM and, if you are lucky, without wiping userdata if the exploit level is in system. To prevent this, I recommend that you install an app that can manage to fix system core and some holes that some exploits are using.
 

vlad8495

New member
Jul 10, 2016
1
0
I also have a Sky Vega that blinks and there is always a go shopping app appearing on it. It always restarts even when the battery is fully charged. It keeps turning the WiFi on even if you turn it off.
 

PAPalinskie

Senior Member
Jun 23, 2013
204
22
Cavite
Xiaomi Poco X3 NFC
Will you please elaborate what's new about this?
Log or whatever...

These kinds of exploits are just like worms that replace APKs from system/app or system/priv-app, placing very aggressive adware APKs in these locations that force the device to download anything from the web when you open your network and display ads aggressively even when you don't have network. As the diagnosis for some of the devices that I've fixed recently, system apps that have been replaced by adware APK files cannot be recovered and the Android system was totally infected by adware exploits, unless you have a nandroid backup or a full ROM package from your manufacturer/developer that can fix your Android system with/without wiping the user partition.
 

nass08

New member
Nov 20, 2011
1
0
I'm having trouble removing these 4 viruses.

After following the instructions, it was successful, but after a restart it keeps coming back.

Please help me.

 

makarelo

Member
Nov 11, 2016
14
0
Can't remove .gap file from system/bin.
I tried all of these methods, used the monkey removal software (monyet gila), tried to delete manually but after reboot it comes back.
What I managed to do is to contain the virus, it isn't aggressive as it used to be, it's only constantly trying to open google store.
App Names:
- Phone Service - com.android.base.jinti:daemon
- Local Alarm - com.iduo.tual with three services running:
UClass
SClass
TuaService

I also tried all antiviruses and Stubborn trojan killer but had no success.
 

Nuh99

Senior Member
Sep 4, 2015
79
77
Samara
Can't remove .gap file from system/bin.
I tried all of these methods, used the monkey removal software (monyet gila), tried to delete manually but after reboot it comes back.
What I managed to do is to contain the virus, it isn't aggressive as it used to be, it's only constantly trying to open google store.
App Names:
- Phone Service - com.android.base.jinti:daemon
- Local Alarm - com.iduo.tual with three services running:
UClass
SClass
TuaService

I also tried all antiviruses and Stubborn trojan killer but had no success.

Freeze the apps and services with titanium backup pro and then try to remove them.
 

makarelo

Member
Nov 11, 2016
14
0
Freeze the apps and services with titanium backup pro and then try to remove them.

Froze it in Titanium Backup and uninstalled it; a few seconds later it's back.
No other suspicious apps running at all. Then I froze the app and as soon as it was uninstalled I rebooted the phone and did a factory reset.
After the reset, it came back up. Local Alarm got downloaded by some other app and now it's spamming other app installs.
What I noticed on startup: an app called org.snow.down.update was running, and it's the app which probably downloaded Local Alarm.

Couple of screenshots:
http://imgur.com/a/vPsAO

Output of 'pm list packages -f':
http://pastebin.com/NhDccihX
 

Nuh99

Senior Member
Sep 4, 2015
79
77
Samara
Froze it in Titanium Backup and uninstalled it; a few seconds later it's back.
No other suspicious apps running at all. Then I froze the app and as soon as it was uninstalled I rebooted the phone and did a factory reset.
After the reset, it came back up. Local Alarm got downloaded by some other app and now it's spamming other app installs.
What I noticed on startup: an app called org.snow.down.update was running, and it's the app which probably downloaded Local Alarm.

Couple of screenshots:
http://imgur.com/a/vPsAO

Output of 'pm list packages -f':
http://pastebin.com/NhDccihX

Did you try to remove org.snow.down.update ?
Anyway I'm gonna upload Monkey Test Virus Checker and Monkey Test Virus Remover apk tomorrow...
I assume you struggled with Windows OS Monkey Test Remover and it didn't help.. If this virus is a part of monkey test the apk will remove it.. Meanwhile you try out removing org.snow.down.update & Let me know!
 

makarelo

Member
Nov 11, 2016
14
0
Freeze the apps and services with titanium backup pro and then try to remove them.

Did you try to remove org.snow.down.update ?
Anyway I'm gonna upload Monkey Test Virus Checker and Monkey Test Virus Remover apk tomorrow...
I assume you struggled with Windows OS Monkey Test Remover and it didn't help.. If this virus is a part of monkey test the apk will remove it.. Meanwhile you try out removing org.snow.down.update & Let me know!

Yes, I have removed org.snow.down.update and a vast number of other apps before removing Local Alarm, but Local Alarm and Phone Service keep installing themselves.
 

makarelo

Member
Nov 11, 2016
14
0
Today I got an email from my ISP that one of my computers has been infected with a botnet (tinba botnet?) and the date corresponds to the date I got this mobile phone. Be sure to shut down / unplug the battery if you're infected.
 

Top Liked Posts

  • 42
    Hello everyone,
    The method I'm going to describe was tried on my own Lenovo A7600-H KitKat 4.4.2 tablet, which I did not flash because I'm not sure about the stock ROMs available on the net. If I had found a reliable ROM I wouldn't have been able to learn this.

    To remove this virus you need to install busybox, Terminal Emulator and Root Explorer Pro, and you must have SuperSU, not the superuser app that is installed by Kingoroot. If you have rooted your device with Kingoroot, you need to change that.

    Here is how to change that:
    Google this: how to get ride and replace kinguser with supersu app (Follow first zidroid link)

    I'm not able to submit links, so I'm going to write the exact apps with developer names to download from the Play Store.

    Busybox Installer by JRummy Apps Inc.
    Terminal Emulator by Jack Palevich
    Root Explorer Pro by Speed Software

    Once you have installed everything here is what to do in steps:
    [Note: USB DEBUGGING MUST BE ENABLED. Turn on USB debugging by going to settings> developer options> USB debugging]

    1) Turn off wifi/3G/4G, and then go to settings> apps> all> disable Time Service and Monkey Test. (If already frozen via Titanium Backup or another app, skip this.)

    2) Open Root Explorer, go to system/xbin and see if there is any file starting with a dot (e.g. .ext.base). Also note that every dot file has different permissions than the rest of the files. Just remember those files with dots, because those are the ones that you're going to remove in the terminal emulator.

    3) Go back to system, then go to the priv-app folder and look for these two files:
    [1] cameraupdate.apk [2] providerCertificate.apk. Also notice that the permissions of these two files are different than the rest of the APKs, so these two are the base of the MT TS virus and need to be deleted.

    4) Open Terminal Emulator OR if you have access to your device via adb from a computer.

    5) WHAT TO TYPE IN TERMINAL EMULATOR or ADB (CMD Windows)

    # On the computer, only if you're using adb (skip in Terminal Emulator):
    adb devices
    adb shell
    # On the device:
    su
    # Remount /system read-write so the files can be changed
    mount -o remount,rw /system
    cd /system/priv-app
    # Clear the immutable/append-only attributes, then delete each file
    chattr -iaA providerCertificate.apk
    rm providerCertificate.apk
    chattr -iaA cameraupdate.apk
    rm cameraupdate.apk
    # Absolute path, so this works from any current directory
    cd /system/xbin
    chattr -iaA .b
    rm .b
    chattr -iaA .ext.base
    rm .ext.base
    chattr -iaA .sys.apk
    rm .sys.apk
    [NOTE: If you are using a version older than KK you don't need to type priv-app; just type cd /system/app]

    6) Please make sure you type the file names correctly; in providerCertificate the C is capital, otherwise the permissions won't change.

    7) Exit Emulator/ADB

    8) Go to settings> apps> all> send me the screenshot if you have Monkey test or Time Service there

    9) I'm 100% sure if you've followed everything as I mentioned you are good as new and you don't need to flash.

    10) I'm not a developer and That's it!
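
The checks in steps 2 and 3 above can be run as a read-only audit before anything is deleted. This is an added example, not part of the original post: the function names are hypothetical, and it assumes `lsattr` is available (for example from busybox) and that the argument is the device's /system directory or a pulled copy of it.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit for the file
# indicators the posts name. Nothing is modified or deleted.

# APK names the thread identifies as the Monkey Test / Time Service base.
SUSPECT_APKS="cameraupdate.apk providerCertificate.apk"

# Report the attribute flags when immutable (i) or append-only (a) is set.
# Assumption: lsattr exists (e.g. via busybox); otherwise "none-or-unknown".
flags_of() {
    attrs=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || attrs=""
    case "$attrs" in
        *i*|*a*) printf '%s' "$attrs" ;;
        *) printf 'none-or-unknown' ;;
    esac
}

# audit_system ROOT: ROOT is /system on the device or a pulled copy of it.
audit_system() {
    root=$1
    hits=0
    # Step 2 of the post: dot-prefixed files in xbin (.b, .ext.base,
    # .sys.apk); a later reply also reports .gap in bin.
    for dir in "$root/xbin" "$root/bin"; do
        for f in "$dir"/.[!.]*; do
            [ -f "$f" ] || continue
            echo "HIDDEN $f flags=$(flags_of "$f")"
            hits=$((hits + 1))
        done
    done
    # Step 3: the named APKs, in priv-app (KitKat) or app (older releases).
    for dir in "$root/priv-app" "$root/app"; do
        for name in $SUSPECT_APKS; do
            [ -f "$dir/$name" ] || continue
            echo "APK $dir/$name flags=$(flags_of "$dir/$name")"
            hits=$((hits + 1))
        done
    done
    echo "TOTAL $hits"
}

# Constructed sample tree (not real device data) so the script runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/xbin" "$demo/priv-app"
: > "$demo/xbin/.ext.base"; : > "$demo/xbin/su"
: > "$demo/priv-app/cameraupdate.apk"; : > "$demo/priv-app/Settings.apk"
audit_system "$demo"
rm -rf "$demo"
```

A file reported with `i` or `a` in its flags is one that `rm` will refuse to delete until `chattr` clears the attribute, which is why the post runs `chattr` first.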
    2
    In karbonn A 30
    x-bin has these files :
    .b
    .ext.base
    .sys.apk
    root/system has no priv-app but app file, it has two files:
    SettingProvider.apk
    cameraupdate.apk

    I have given command cd system/app
    followed by
    chattr -iaA SettingProvider.apk
    ....Error...
    chattr-iaA not found
    WHAT TO DO ?

    If you don't have a priv-app folder then you are not on KitKat and you have to delete files from the system/app folder.
    Well anyway you have to delete cameraupdate.apk and providerCertificate.apk
    and you are deleting SettingProvider.apk which I never said you have to.
    Please look closely
    2
    I did as you said, when I typed
    ...
    chattr -iaA providerCertificate.apk [enter]
    notice: chattr: Read-only file system while setting flag on providerCertificate.apk
    rm providerCertificate.apk
    notice: rm failed for providerCertificate.apk, Read-only file system
    ...
    and I can get rid of those malware
    it also happens with cameraupdate, .b, .ext.base, .sys.apk

    Kindly follow this :

    Thank you, Nuh99!
    You are legend!
    I have spent days trying to get rid of this annoying malware.
    Just wanted to add something FYI:
    You most likely have been infected to SnapPea (Windows/Android) software:
    Google for:



    If, while deleting *.apk files, you get a "read only" message and the file cannot be deleted, you have to remount your /system partition as a read/write partition.
    What you need to do is:

    Code:
                # mount -o remount,rw /system
    2
    Thanks, it works, no more Monkey Test and Time Service on my Android.
    Before: my Malwarebytes detected these viruses: cameraupdate.apk; MusicProvider.apk;
    LiveWallpaper.apk; SistemCertificate.apk and providerCertificate.apk. So I deleted them all in system/app. All could be deleted except cameraupdate.apk.

    I tried your way but I have a different case on my ColorOS Android 4.2.2.
    Using App Master (EasyApps Studio) I found that:
    Monkey Test refers to system/app/cameraupdate.apk
    but Time Service refers to data/app/com.android.hardware.ext0-1.apk
    so I added
    cd data/app
    chattr -iaA com.android.hardware.ext0-1.apk
    rm com.android.hardware.ext0-1.apk
    With Root Explorer, browse the root directory and SD card, search for cameraupdate.apk and com.android.hardware.ext0-1.apk, and after finding them check them all in the list, then delete.
    No need to clear the cache, just delete
    /data/dalvik-cache/[email protected]@[email protected]
    /data/dalvik-cache/[email protected]@com.android.hardware.ext0-1.apk @classes.dex
    This works
    Thanks

    Note:
    If you get ...Error... chattr -iaA not found
    WHAT TO DO? It means you only installed the app and have not yet installed busybox.
    After installing Busybox Installer by JRummy Apps Inc. from the Play Store, open the app;
    on the Installer tab, select busybox ver1.2, select install location /system/xbin/, then touch Install.
    2
    Thanks, it works, no more Monkey Test and Time Service on my Android.
    Before: my Malwarebytes detected these viruses: cameraupdate.apk; MusicProvider.apk;
    LiveWallpaper.apk; SistemCertificate.apk and providerCertificate.apk. So I deleted them all in system/app. All could be deleted except cameraupdate.apk.

    I tried your way but I have a different case on my ColorOS Android 4.2.2.
    Using App Master (EasyApps Studio) I found that:
    Monkey Test refers to cameraupdate.apk
    but Time Service refers to com.android.hardware.ext0-1.apk
    so I added
    cd data/app
    chattr -iaA com.android.hardware.ext0-1.apk
    rm com.android.hardware.ext0-1.apk
    With Root Explorer, browse the root directory and SD card, search for cameraupdate.apk and com.android.hardware.ext0-1.apk, and after finding them check them all in the list, then delete.
    No need to clear the cache, just delete
    /data/dalvik-cache/[email protected]@[email protected]
    /data/dalvik-cache/[email protected]@com.android.hardware.ext0-1.apk @classes.dex
    This works
    Thanks

    Yes, you don't need to clear the cache, but doing it to be on the safe side is better.
    If this post helped you please give a thumbs up!