FIX for Monkey Test & Time Service Virus (Without Flashing)

Search This thread
By:
Advanced…
F

faisalasghar18

Account currently disabled
Mar 12, 2014
4
0
Faisalabad
Easiest Fix without ressting phone is here from PK Helper

Nuh99 said:
Hello everyone,
This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this

To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.

Here is how to change that:
Google this: how to get ride and replace kinguser with supersu app (Follow first zidroid link)

I'm not able to submit links so im going to write the exact apps with developer names to download from Playstore.

Busybox Installer by JRummy Apps Inc.
Terminal Emulator by Jack Palevich
Root Explorer Pro by Speed Software

Once you have installed everything here is what to do in steps:
[Note: USB DEBUGGING MUST BE ENABLED Turn on Usb Debugging by going to settings> developer options> Usb debugging]

1) Turn off wifi/3G/4G, and then go to settings> apps> all> disable time service and monkey test. (If already frozen via titanium backup or other app) skip this.

2) Open Root explorer go to system/xbin and see if there is any file starting with a dot (eg: .ext.base) also note that every (.) file has diff permission then the rest of other files. So just remember those files with dots because those are the one that you're going to remove in terminal emulator.

3) Go back to system and then go to Priv-app folder and look for these two files
[1] cameraupdate.apk [2] providerCertificate.apk and also notice permission of these two files are different then the rest of Apks so these two are the base of MT TS virus and needs to be deleted.

4) Open Terminal Emulator OR if you have access to your device via adb from a computer.

5) WHAT TO TYPE IN TERMINAL EMULATOR or ADB (CMD Windows)

adb devices (Type this line if you're using adb Windows)
adb shell
su
mount -o remount,rw /system
cd system/priv-app
chattr -iaA providerCertificate.apk
rm providerCertificate.apk
chattr -aA cameraupdate.apk
rm cameraupdate.apk
cd ..
cd system/xbin
chattr -iaA .b
rm .b
chattr -iaA .ext.base
rm .ext.base
chattr -iaA .sys.apk
rm .sys.apk
[NOTE: If you are using older version than KK you need not to type priv-app just type cd system/app]

6) Please make sure you type the file name correctly just as providerCertificate C is capital otherwise permission wont change.

7) Exit Emulator/ADB

8) Go to settings> apps> all> send me the screenshot if you have Monkey test or Time Service there

9) I'm 100% sure if you've followed everything as I mentioned you are good as new and you don't need to flash.

10) I'm not a developer and That's it!
Click to expand...
Click to collapse

Things you need are:

Your phone must be rooted, if it is not rooted you can use iroot or kingo root to root your phone in 1 click.
Now install titanium backup on your phone.
Now turn off wifi and data connection.
First stop unknown apps from running applications and then disable them 1 by 1 from all apps. Some of them will be istalled as your system applications but don't worry. disable all of them which you suspect that it might be a virus.
You can find list of all apps on PK Helper18 Blog.
After disabling suspected apps, now time to freeze those apps which have never seen in your phone before using titanium backup.Freeze all those apps which you disabled and stopped before. Use titanium backup for freezing.
At last, delete some of the suspected folders from your sd card and again disable some suspected apps from settings>applications>all. And Its time to cheer.Turn on wifi / data connection without any problem and Enjoy Now.
Don't forget to hit thanks and like my comment.
 
Last edited:
D

danger.ahead

New member
Jan 5, 2016
1
0
I have a Gionee M2, I followed each of your steps correctly... But still the virus was there... Actually apart from 'Monkey Test' and 'Time Service' there are some other viruses, their names are 'iom', 'ceryos' etc.. After following your steps I expected that atleast time service and monkey test will get removed but to my disappointment, none of viruses got removed even not the time service and monkey test.. Please help me what to do next. :confused:
 
J

janalam143

Member
Dec 31, 2015
25
5
my two mobile useless because of monkey viruse.

I have two mobile 1st clone note3 n900 and other hisense and I can't find any solution pls help..I request to xda pls made a good tool for this problem.:confused:
 
Nuh99

Nuh99

Senior Member
Sep 4, 2015
79
77
Samara
janalam143 said:
I have two mobile 1st clone note3 n900 and other hisense and I can't find any solution pls help..I request to xda pls made a good tool for this problem.:confused:
Click to expand...
Click to collapse

You can manually delete this virus if you are willing to learn something for now and for the future by following the guide.
If you face any difficulty you can ask me, but first you have to take a step.
 
J

janalam143

Member
Dec 31, 2015
25
5
thank you sir for ur reply.

Nuh99 said:
You can manually delete this virus if you are willing to learn something for now and for the future by following the guide.
If you face any difficulty you can ask me, but first you have to take a step.
Click to expand...
Click to collapse
I deleted manually all viruse but when I open wifi it's back again.
 
B

bakwie

New member
Jan 14, 2016
2
0
HOW??

b45k4r said:
Thank you. i successfully removed those virus(cameraupdate.apk, providerCertificate.apk, providerdown,com.android.wp.net.log.apk,mobileOcr) from my xperia.

if you found "chattr not found" problem. try to install busy box by "Stephen (Stericson)".
Click to expand...
Click to collapse

hi i was wondering which method are you using, because i cant delete those files at all

---------- Post added at 07:06 PM ---------- Previous post was at 06:56 PM ----------
Nuh99 said:
I already know about almost all viruses apk now but did not get the time due to musuc recordings.. I will be glad to help.. what seems to be the problem?
Btw did u try ghost push trojan app on those devices?
Click to expand...
Click to collapse

hi i have the same problem
i used ghost push trojan app and it says it safe
but i have files Models.apk and playstoreupdate.apk(which is engrils)
and i can't delete them or change permissions but my phone is rooted and i have root browser, Link2SD, and nothing is working it just says that i don't have permission to change or delete these files
Thank you :)
 
Nuh99

Nuh99

Senior Member
Sep 4, 2015
79
77
Samara
janalam143 said:
I deleted manually all viruse but when I open wifi it's back again.
Click to expand...
Click to collapse

Can you please send me screenshot of your terminal emulator?
Is your phone rooted and busybox installed properly?
The Installation of busybox is not just installing it from playstore but you have to open busybox app click on advance and then install it from inside.. that's how you install busybox properly...
 
Nuh99

Nuh99

Senior Member
Sep 4, 2015
79
77
Samara
bakwie said:
hi i was wondering which method are you using, because i cant delete those files at all

---------- Post added at 07:06 PM ---------- Previous post was at 06:56 PM ----------



hi i have the same problem
i used ghost push trojan app and it says it safe
but i have files Models.apk and playstoreupdate.apk(which is engrils)
and i can't delete them or change permissions but my phone is rooted and i have root browser, Link2SD, and nothing is working it just says that i don't have permission to change or delete these files
Thank you :)
Click to expand...
Click to collapse

Have you installed busybox ?
If not then please read my reply just before this reply to know how to install it.
 
  • Like
Reactions: bakwie
goldenfish

goldenfish

Senior Member
Nov 25, 2011
176
25
Bien Hoa
www.quynhanmobile.com
hi, i got 2 files cannot delete here


this is log



Code: 
[email protected] DP101:/system/xbin # ls -ad .*
ls -ad .*
.360asshole
.df
.ld.js
.ls
.qqasshole
[email protected] DP101:/system/xbin # chattr -iaA .df
chattr -iaA .df
[email protected] DP101:/system/xbin # rm .df
rm .df
[email protected] DP101:/system/xbin # chattr -iaA .ld.js
chattr -iaA .ld.js
[email protected] DP101:/system/xbin # rm .ld.js
rm .ld.js
[email protected] DP101:/system/xbin # chattr -iaA .ls
chattr -iaA .ls
[email protected] DP101:/system/xbin # rm .ls
rm .ls
[email protected] DP101:/system/xbin # chattr -iaA .qqasshole
chattr -iaA .qqasshole
[email protected] DP101:/system/xbin # rm .qqasshole
rm .qqasshole
[email protected] DP101:/system/xbin # ls -ad .*
ls -ad .*
.360asshole
.qqasshole
[email protected] DP101:/system/xbin # chattr -iaA .360asshole
chattr -iaA .360asshole
[email protected] DP101:/system/xbin # rm .360asshole
rm .360asshole
[email protected] DP101:/system/xbin # rm .qqasshole
rm .qqasshole
rm failed for .qqasshole, Operation not permitted
255|[email protected] DP101:/system/xbin # chattr -iaA .qqasshole
chattr -iaA .qqasshole
[email protected] DP101:/system/xbin # rm .qqasshole
rm .qqasshole
[email protected] DP101:/system/xbin # ls -ad .*
ls -ad .*
.360asshole
.qqasshole
[email protected] DP101:/system/xbin # chattr -iaA .*
chattr -iaA .*
[email protected] DP101:/system/xbin # rm .*
rm .*
[email protected] DP101:/system/xbin # ls
ls
BGW
ksud
libmnlp_mt6571
mnld
showmap
supolicy
sysctld
tcpdump
[email protected] DP101:/system/xbin # ls -ad .*
ls -ad .*
.360asshole
.qqasshole
[email protected] DP101:/system/xbin # chattr -iaA .*
chattr -iaA .*
[email protected] DP101:/system/xbin # rm .*
rm .*
[email protected] DP101:/system/xbin # ls -ad .*
ls -ad .*
.360asshole
.qqasshole
[email protected] DP101:/system/xbin #
G:\DROID\TOOL\Mtk_Droid_Tool_v2.5.3\Mtk_Droid_Tool_v2.5.3>


as you see, i was chattr -iaA .* and remove ".360asshole" and ".qqasshole"


but not success, maybe another file is monitor and re-create these file.
 
  • Like
Reactions: clashofking
N

nhene007

Member
Dec 1, 2012
19
0
Can't Remove This Apk

hello guys, i'm having trouble removing this apk.

bcfservice or GloablBCServiceInfo.apk <------ suspected virus

i've tried removing it with system app remover, but, it just restored instantly
i've tried removing it via adb (busybox installed, of course)
*chattr -iaA GloablBCServiceInfo.apk
*rm GloablBCServiceInfo.apk
still the same.... xD
scanned with Ghost Push Trojan Killer, malwarebytes, and avast, no luck.

My last resort is disabling it, but, it has a way of enabling it again, occassionally, it reboot the device to enable the said apk.

Hope you can help me, thanks..
 
Nuh99

Nuh99

Senior Member
Sep 4, 2015
79
77
Samara
nhene007 said:
hello guys, i'm having trouble removing this apk.

bcfservice or GloablBCServiceInfo.apk <------ suspected virus

i've tried removing it with system app remover, but, it just restored instantly
i've tried removing it via adb (busybox installed, of course)
*chattr -iaA GloablBCServiceInfo.apk
*rm GloablBCServiceInfo.apk
still the same.... xD
scanned with Ghost Push Trojan Killer, malwarebytes, and avast, no luck.

My last resort is disabling it, but, it has a way of enabling it again, occassionally, it reboot the device to enable the said apk.

Hope you can help me, thanks..
Click to expand...
Click to collapse

Check the date created for those Apk and then see that if you have other apks that have the same date.. then rm
them..
 
N

nhene007

Member
Dec 1, 2012
19
0
Nuh99 said:
Check the date created for those Apk and then see that if you have other apks that have the same date.. then rm
them..
Click to expand...
Click to collapse

xD, there are more than a hundred apks stored in that device...
do i have to check them one by one? or only those who don't have an odex (inside system/app | system/priv-app)
 
Nuh99

Nuh99

Senior Member
Sep 4, 2015
79
77
Samara
nhene007 said:
xD, there are more than a hundred apks stored in that device...
do i have to check them one by one? or only those who don't have an odex (inside system/app | system/priv-app)
Click to expand...
Click to collapse

Sort them by type in root explorer and then see only apks date of the same date as those virus apks.. if you find any similiar one delete its odex and then rm it in Terminal.. It's not very hard even if you have hundreds and quick processing mind..
Listen this song "Dying to live" by Poets of the fall while you are doing this.
 
A

Ahmed4D

New member
Jan 19, 2016
1
0
Thank You Very Much

I used your info to solve very similar problem with another android virus, app name:
SecurityService
FirewallService
APK files are ".gma.aph - .gmp.apk and .gmtgp.apk" in /system/priv-app
.gap - .gap.a in /system/xbin

:D thanks alot

Nuh99 said:
Hello everyone,
This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this

To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.

Here is how to change that:
Google this: how to get ride and replace kinguser with supersu app (Follow first zidroid link)

I'm not able to submit links so im going to write the exact apps with developer names to download from Playstore.

Busybox Installer by JRummy Apps Inc.
Terminal Emulator by Jack Palevich
Root Explorer Pro by Speed Software

Once you have installed everything here is what to do in steps:
[Note: USB DEBUGGING MUST BE ENABLED Turn on Usb Debugging by going to settings> developer options> Usb debugging]

1) Turn off wifi/3G/4G, and then go to settings> apps> all> disable time service and monkey test. (If already frozen via titanium backup or other app) skip this.

2) Open Root explorer go to system/xbin and see if there is any file starting with a dot (eg: .ext.base) also note that every (.) file has diff permission then the rest of other files. So just remember those files with dots because those are the one that you're going to remove in terminal emulator.

3) Go back to system and then go to Priv-app folder and look for these two files
[1] cameraupdate.apk [2] providerCertificate.apk and also notice permission of these two files are different then the rest of Apks so these two are the base of MT TS virus and needs to be deleted.

4) Open Terminal Emulator OR if you have access to your device via adb from a computer.

5) WHAT TO TYPE IN TERMINAL EMULATOR or ADB (CMD Windows)

adb devices (Type this line if you're using adb Windows)
adb shell
su
mount -o remount,rw /system
cd system/priv-app
chattr -iaA providerCertificate.apk
rm providerCertificate.apk
chattr -aA cameraupdate.apk
rm cameraupdate.apk
cd ..
cd system/xbin
chattr -iaA .b
rm .b
chattr -iaA .ext.base
rm .ext.base
chattr -iaA .sys.apk
rm .sys.apk
[NOTE: If you are using older version than KK you need not to type priv-app just type cd system/app]

6) Please make sure you type the file name correctly just as providerCertificate C is capital otherwise permission wont change.

7) Exit Emulator/ADB

8) Go to settings> apps> all> send me the screenshot if you have Monkey test or Time Service there

9) I'm 100% sure if you've followed everything as I mentioned you are good as new and you don't need to flash.

10) I'm not a developer and That's it!
Click to expand...
Click to collapse
 
C

clashofking

New member
Jan 20, 2016
4
0
my phone samsung mini2 6500D custom rom virus removes. Great Work. Very thank you.

---------- Post added at 09:26 AM ---------- Previous post was at 08:52 AM ----------
bakwie said:
hi i was wondering which method are you using, because i cant delete those files at all

---------- Post added at 07:06 PM ---------- Previous post was at 06:56 PM ----------



hi i have the same problem
i used ghost push trojan app and it says it safe
but i have files Models.apk and playstoreupdate.apk(which is engrils)
and i can't delete them or change permissions but my phone is rooted and i have root browser, Link2SD, and nothing is working it just says that i don't have permission to change or delete these files
Thank you :)
Click to expand...
Click to collapse

It is remove easy . I am same problem. But I am removing.

Install
1. busy box.apk ( system/xbin)
2. Termunal Emulator.apk
3. Root explorer is used
(system/app)
virus file name records.(eg engrils.apk...)

Command Used..

( su ) -
( mount -o remount,rw /system ) -
( cd system/app ) -
( chattr -iaA engrils.apk ) -
(rm engrils.apk ) -


******
{{Note: If commond used "no direction file " show , root explorer used virus file " rename " change. replay code used }}
next:
*******

root explorer used : ( system/xbin)( . )dot hidden file name records. eg: ( .la , .b , .ls , .[[ , ...)
Commond Used

( cd ) -
( cd system/xbin ) -
( chattr -iaA .b ) -
(chattr -iaA .ls ) -

*****
if hidden file no delete ( rename change ) replay code used
*****
 
Last edited:
C

clashofking

New member
Jan 20, 2016
4
0
Ok brother test

su -
mount -o remount,rw /system -
cd system/app -
chattr -iaA engril.apk

(:) No such file or directory))
**** Root browser virus file rename change. {Eg 1.apk, 2.apk } reutrn code. ****

chattr -iaA 1.apk




Sent from my GT-S6500D using xda app-developers app
 
You must log in or register to reply here.

Similar threads

Anatoly79
BlueStacks Tweaker 6. Tool for modifing BlueStacks 2 & 3 & 3N & 4 & 5
Replies
2K
Views
993K
lieuliau
lieuliau
Ut0p1a
  • Locked
GPRS/Internet Connection Settings for the whole world
Replies
122
Views
608K
orb3000
orb3000
v7
[GUIDE][FIX]Fix SystemUpdateService wakelock on latest Google Play Services
Replies
282
Views
198K
phantomhell
phantomhell
J
PS2 Emulator for Android
Replies
745
Views
696K
J
jackbauer
A
  • Locked
All Opera Mobile/Mini versions: Official thread
Replies
3K
Views
1M
orb3000
orb3000

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 42
    Nuh99
    Nuh99
    Hello everyone,
    This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this

    To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.

    Here is how to change that:
    Google this: how to get ride and replace kinguser with supersu app (Follow first zidroid link)

    I'm not able to submit links so im going to write the exact apps with developer names to download from Playstore.

    Busybox Installer by JRummy Apps Inc.
    Terminal Emulator by Jack Palevich
    Root Explorer Pro by Speed Software

    Once you have installed everything here is what to do in steps:
    [Note: USB DEBUGGING MUST BE ENABLED Turn on Usb Debugging by going to settings> developer options> Usb debugging]

    1) Turn off wifi/3G/4G, and then go to settings> apps> all> disable time service and monkey test. (If already frozen via titanium backup or other app) skip this.

    2) Open Root explorer go to system/xbin and see if there is any file starting with a dot (eg: .ext.base) also note that every (.) file has diff permission then the rest of other files. So just remember those files with dots because those are the one that you're going to remove in terminal emulator.

    3) Go back to system and then go to Priv-app folder and look for these two files
    [1] cameraupdate.apk [2] providerCertificate.apk and also notice permission of these two files are different then the rest of Apks so these two are the base of MT TS virus and needs to be deleted.

    4) Open Terminal Emulator OR if you have access to your device via adb from a computer.

    5) WHAT TO TYPE IN TERMINAL EMULATOR or ADB (CMD Windows)

    adb devices (Type this line if you're using adb Windows)
    adb shell
    su
    mount -o remount,rw /system
    cd system/priv-app
    chattr -iaA providerCertificate.apk
    rm providerCertificate.apk
    chattr -aA cameraupdate.apk
    rm cameraupdate.apk
    cd ..
    cd system/xbin
    chattr -iaA .b
    rm .b
    chattr -iaA .ext.base
    rm .ext.base
    chattr -iaA .sys.apk
    rm .sys.apk
    [NOTE: If you are using older version than KK you need not to type priv-app just type cd system/app]

    6) Please make sure you type the file name correctly just as providerCertificate C is capital otherwise permission wont change.

    7) Exit Emulator/ADB

    8) Go to settings> apps> all> send me the screenshot if you have Monkey test or Time Service there

    9) I'm 100% sure if you've followed everything as I mentioned you are good as new and you don't need to flash.

    10) I'm not a developer and That's it!
    View
    2
    Nuh99
    Nuh99
    drdkundu said:
    In karbonn A 30
    x-bin has these files :
    .b
    .ext.base
    .sys.apk
    root/system has no priv-app but app file, it has two files:
    SettingProvider.apk
    cameraupdate.apk

    I have given command cd system/app
    followed by
    chattr -iaA SettingProvider.apk
    ....Error...
    chattr-iaA not found
    WHAT TO DO ?
    Click to expand...
    Click to collapse

    If you don't have a priv-app folder than you are not on Kitkat and you have to delete files from system/app folder.
    Well anyway you have to delete cameraupdate.apk and providerCertificate.apk
    and you are deleting SettingProvider.apk which I never said you have to.
    Please look closely
    View
    2
    Nuh99
    Nuh99
    macon157 said:
    i did as u said, when i typed
    ...
    chattr -iaA providerCertificate.apk [enter]
    notice: chattr: Read-only file system while setting flag on providerCertificate.apk
    rm providerCertificate.apk
    notice: rm failed for providerCertificate.apk, Read-only file system
    ...
    and i can get rit of those malware
    it also happen with cameraupdate, .b, .ext.base, .sys.apk
    Click to expand...
    Click to collapse

    Kindly follow this :

    Igor Alter said:
    Thank you, Nuh99!
    You are legend!
    I have spend days, trying to get rid of this annoying malware.
    Just wanted to add something FYI:
    You most likely have been infected to SnapPea (Windows/Android) software:
    Google for:



    If while deleting *.apk files you get "read only" message and file cannot be deleted - you have to remount your /system partition be mounted as a read/write partition.
    What you need to do is:

    Code: 
                # mount -o remount,rw /system
    Click to expand...
    Click to collapse
    View
    2
    A
    agzpur
    Thanks, its work, no more monkey test and Time service on my android.
    before: my Malwarebytes detect there are virus cameraupdate.apk;MusicProvider.apk;
    LiveWallpaper.apk;SistemCertificate.apk and providerCertificate.apk .so i delete all on system/app. all can delete except cameraupdate.apk

    I try your way but i have different case on my ColorOS android 4.2.2
    Using App Master(EasyApps Studio) i find that :
    monkey test refer to sytem/app/cameraupdate.apk
    but time service refer to data/app/com.android.hardware.ext0-1.apk
    so i add
    cd data/app
    chattr -iaA com.android.hardware.ext0-1.apk
    rm com.android.hardware.ext0-1.apk
    with Root explorer browse root directory and sd card search cameraupdate.apk and com.android.hardware.ext0-1.apk after find check list all then delete.
    No need clear cache just delete
    /data/dalvik-cache/[email protected]@[email protected]
    /data/dalvik-cache/[email protected]@com.android.hardware.ext0-1.apk @classes.dex
    This work
    Thanks

    Note:
    if you find ...Error... chattr -iaA not found
    WHAT TO DO ? its mean you only install app not yet istall busybox
    after install Busybox Installer by JRummy Apps Inc. from play store open app
    on tab installer, select busybox ver1.2 select intall location /system/xbin/ then touch Install
    View
    2
    Nuh99
    Nuh99
    agzpur said:
    Thanks, its work, no more monkey test and Time service on my android.
    before: my Malwarebytes detect there are virus cameraupdate.apk;MusicProvider.apk;
    LiveWallpaper.apk;SistemCertificate.apk and providerCertificate.apk .so i delete all on system/app. all can delete except cameraupdate.apk

    I try your way but i have different case on my ColorOS android 4.2.2
    Using App Master(EasyApps Studio) i find that :
    monkey test refer to cameraupdate.apk
    but time service refer to com.android.hardware.ext0-1.apk
    so i add
    cd data/app
    chattr -iaA com.android.hardware.ext0-1.apk
    rm com.android.hardware.ext0-1.apk
    with Root explorer browse root directory and sd card search cameraupdate.apk and com.android.hardware.ext0-1.apk after find check list all then delete.
    No need clear cache just delete
    /data/dalvik-cache/[email protected]@[email protected]
    /data/dalvik-cache/[email protected]@com.android.hardware.ext0-1.apk @classes.dex
    This work
    Thanks
    Click to expand...
    Click to collapse

    Yes you don't need cache clear but doing it on a safe side is better.
    If this post helped you please give a thumbs up!
    View

New posts