# FIX for Monkey Test & Time Service Virus (Without Flashing)



## Nuh99 (Sep 6, 2015)

Hello everyone,
This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this 

To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that. 

Here is how to change that:
Google this: how to get ride and replace kinguser with supersu app (Follow first zidroid link)

I'm not able to submit links so im going to write the exact apps with developer names to download from Playstore.

Busybox Installer by JRummy Apps Inc.
Terminal Emulator by Jack Palevich 
Root Explorer Pro by Speed Software

Once you have installed everything here is what to do in steps:
[Note: USB DEBUGGING MUST BE ENABLED Turn on Usb Debugging by going to settings> developer options> Usb debugging]

1) Turn off wifi/3G/4G,  and then go to settings> apps> all> disable time service and monkey test. (If already frozen via titanium backup or other app) skip this.

2) Open Root explorer go to system/xbin and see if there is any file starting with a dot (eg: .ext.base) also note that every (.) file has diff permission then the rest of other files. So just remember those files with dots because those are the one that you're going to remove in terminal emulator.

3) Go back to system and then go to Priv-app folder and look for these two files 
[1] cameraupdate.apk [2] providerCertificate.apk and also notice permission of these two files are different then the rest of Apks so these two are the base of MT TS virus and needs to be deleted. 

4) Open Terminal Emulator OR if you have access to your device via adb from a computer.

5) WHAT TO TYPE IN TERMINAL EMULATOR or ADB (CMD Windows) 

adb devices (Type this line if you're using adb Windows)
adb shell
su 
mount -o remount,rw /system
cd system/priv-app
chattr -iaA providerCertificate.apk
rm providerCertificate.apk
chattr -aA cameraupdate.apk
rm cameraupdate.apk
cd ..
cd system/xbin
chattr -iaA .b 
rm .b
chattr -iaA .ext.base
rm .ext.base
chattr -iaA .sys.apk
rm .sys.apk
[NOTE: If you are using older version than KK you need not to type priv-app just type cd system/app]

6) Please make sure you type the file name correctly just as providerCertificate C is capital otherwise permission wont change.

7) Exit Emulator/ADB 

8) Go to settings> apps> all> send me the screenshot if you have Monkey test or Time Service there 

9) I'm 100% sure if you've followed everything as I mentioned you are good as new and you don't need to flash.

10) I'm not a developer and That's it!


----------



## drdkundu (Sep 6, 2015)

*Money test and time service virus removal*

In karbonn A 30
x-bin has these files :
.b  
.ext.base
.sys.apk
root/system has no priv-app but app file, it has two files:
SettingProvider.apk
cameraupdate.apk

I have given command cd system/app
followed by 
chattr -iaA SettingProvider.apk
....Error...
chattr-iaA not found
WHAT TO DO ?


----------



## Nuh99 (Sep 7, 2015)

drdkundu said:


> In karbonn A 30
> x-bin has these files :
> .b
> .ext.base
> ...

Click to collapse



If you don't have a priv-app folder than you are not on Kitkat and you have to delete files from system/app folder.
Well anyway you have to delete cameraupdate.apk and providerCertificate.apk
and you are deleting SettingProvider.apk which I never said you have to. 
Please look closely


----------



## drdkundu (Sep 7, 2015)

Nuh99 said:


> If you don't have a priv-app folder than you are not on Kitkat and you have to delete files from system/app folder.
> Well anyway you have to delete cameraupdate.apk and providerCertificate.apk
> and you are deleting SettingProvider.apk which I never said you have to.
> Please look closely

Click to collapse



Dearest,
It is 4.0.4 ics  , in app folder there is no providerCertificate.apk but SettingProvider.apk which is newer (as per date also AVG prompted it as malware and tried to uninstall but failed) than the original SettingProvider.apk ,i tried to insert screenshots,but prevented by forum thanks if you may share with me your email address i may be able to post
command : chatter... gives error message, is there different procedure for ics ?
Secondly,
I have searched out that karbonn A 30 is a rebranded version of vsun I 1S ,and original rom based on kitkat is available on their site, is it safe to flash vsun rom on it or shall I go for abacada rom available on xda?


----------



## Nuh99 (Sep 7, 2015)

drdkundu said:


> Dearest,
> It is 4.0.4 ics  , in app folder there is no providerCertificate.apk but SettingProvider.apk which is newer (as per date also AVG prompted it as malware and tried to uninstall but failed) than the original SettingProvider.apk ,i tried to insert screenshots,but prevented by forum thanks if you may share with me your email address i may be able to post
> command : chatter... gives error message, is there different procedure for ics ?
> Secondly,
> I have searched out that karbonn A 30 is a rebranded version of vsun I 1S ,and original rom based on kitkat is available on their site, is it safe to flash vsun rom on it or shall I go for abacada rom available on xda?

Click to collapse



Send me screenshot or personally talk to me on www(.)facebook(.)com/99nuh
Btw you are unable to remove providersettings.apk because you might be typing wrong attributes for it. 
To see its attribute cd system/app [enter]
then type lsattr to look for attributes of providersettings.apk
and then use those attributes with - and rm that file. 

And If you want  to flash your phone/tablet go with your brand official rom.


----------



## drdkundu (Sep 7, 2015)

*screenshots*



Nuh99 said:


> Send me screenshot or personally talk to me on www(.)facebook(.)com/99nuh
> Btw you are unable to remove providersettings.apk because you might be typing wrong attributes for it.
> To see its attribute cd system/app [enter]
> then type lsattr to look for attributes of providersettings.apk
> ...

Click to collapse



Screenshots below: 
please add http.. before
//photos(dot)google(dot)com/photo/AF1QipNuigMsljp-1jsPLPqo_QuG_27vDUHS-DzSZZi-
//photos(dot)google(dot)com/photo/AF1QipMUmGdmU7TyETRaomzJzzKSuFYOiW7e53urGT6P
//photos(dot)google(dot)com/photo/AF1QipMRD8sJA0j84yHIzYSohk4KDggUTw2iTcGKZ7mU
//photos(dot)google(dot)com/photo/AF1QipNZQ7TTbDGrDNSMKMAtCt5I7P8_1QFQMyVRi6-_


----------



## Nuh99 (Sep 7, 2015)

drdkundu said:


> Screenshots below:
> please add http.. before
> //photos(dot)google(dot)com/photo/AF1QipNuigMsljp-1jsPLPqo_QuG_27vDUHS-DzSZZi-
> //photos(dot)google(dot)com/photo/AF1QipMUmGdmU7TyETRaomzJzzKSuFYOiW7e53urGT6P
> ...

Click to collapse



They are not opening. Error!
Kindly send me @ my fb.


----------



## agzpur (Sep 7, 2015)

Thanks, its work, no more monkey test and Time service on my android.
before: my Malwarebytes detect there are virus cameraupdate.apk;MusicProvider.apk;
LiveWallpaper.apk;SistemCertificate.apk and providerCertificate.apk .so i delete all on system/app.  all can delete except cameraupdate.apk

I try your way but i have different case  on my ColorOS android 4.2.2
Using App Master(EasyApps Studio) i find that :
monkey test refer to sytem/app/cameraupdate.apk
but time service refer to data/app/com.android.hardware.ext0-1.apk 
so i add
cd data/app
chattr -iaA com.android.hardware.ext0-1.apk
rm com.android.hardware.ext0-1.apk
with Root explorer browse root directory and sd card search cameraupdate.apk and com.android.hardware.ext0-1.apk after find check list all then delete.
No need clear cache just delete
/data/dalvik-cache/[email protected]@[email protected]
/data/dalvik-cache/[email protected]@com.android.hardware.ext0-1.apk @classes.dex
This work
Thanks

Note:
if you find ...Error... chattr -iaA not found
WHAT TO DO ? its mean you only install app not yet istall busybox
after install Busybox Installer by JRummy Apps Inc. from play store open app
on tab installer, select busybox ver1.2 select intall location /system/xbin/ then touch Install


----------



## Nuh99 (Sep 7, 2015)

agzpur said:


> Thanks, its work, no more monkey test and Time service on my android.
> before: my Malwarebytes detect there are virus cameraupdate.apk;MusicProvider.apk;
> LiveWallpaper.apk;SistemCertificate.apk and providerCertificate.apk .so i delete all on system/app.  all can delete except cameraupdate.apk
> 
> ...

Click to collapse



Yes you don't need cache clear but doing it on a safe side is better.
If this post helped you please give a thumbs up!


----------



## dsamivai (Sep 8, 2015)

*i can't change the permission on root explorer.*



Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



i can't change the permission on root explorer. can you help me to fix it..it says failed to change permission because your sdcard..........something..

plz help me


----------



## Nuh99 (Sep 8, 2015)

dsamivai said:


> i can't change the permission on root explorer. can you help me to fix it..it says failed to change permission because your sdcard..........something..
> 
> plz help me

Click to collapse



You can't change it with Root Explorer you have to change permissions with Terminal Emulator by the entering the commands I've mentioned in my guide.


----------



## jdy11 (Sep 8, 2015)

Nuh99 said:


> You can't change it with Root Explorer you have to change permissions with Terminal Emulator by the entering the commands I've mentioned in my guide.

Click to collapse



Hi, Im a user of 8.31 O+ phone. Ive downloaded all the 3 apps youve mentioned. But after installing busybox (the app) I cant install any version of it.. thats why everytime I'll type the commands in emulator indicated above, it says error... 

please help... thank you


----------



## joshuas_79 (Sep 8, 2015)

Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



I get also the message : chattr: not found

I tried from adb and terminal

Any idea?


----------



## optimumpro (Sep 8, 2015)

Nuh99 said:


> I'm not a developer and That's it!

Click to collapse



Forgive me, but your statement quoted above is the only one that makes sense here.  You were booted from Security Discussion thread and you move here.  

You confuse people, give nonsensical advice and don't seem to know what you are talking about.  First of all the chattr command is not supposed to work on Android ext4, so, no wonder people can't remove files this way.  And anyway, your prolong instructions are not worth the "paper" they are written on.  Even if someone would succeed following them, there is no guarantee they remove the virus.  The proper way is to completely reformat your phone including internal SD and external SD, which you do  in recovery by formatting System, Cache, Dalvik cache, Data and both sd cards.  Period.   And for the future, don't install any third party apps unless you compile them from source by yourself or someone you trust.


----------



## Nuh99 (Sep 8, 2015)

OK


----------



## Nuh99 (Sep 8, 2015)

joshuas_79 said:


> I get also the message : chattr: not found
> 
> I tried from adb and terminal
> 
> Any idea?

Click to collapse



If you are having this error it means you have installed busybox app not busy box.
To do this open busybox app in your device, select busybox ver1.2, select intall location /system/xbin/ and tap install. 
Then try the procedure


----------



## joshuas_79 (Sep 8, 2015)

optimumpro said:


> Forgive me, but your statement quoted above is the only one that makes sense here.  You were booted from Security Discussion thread and you move here.
> 
> You confuse people, give nonsensical advice and don't seem to know what you are talking about.  First of all the chattr command is not supposed to work on Android ext4, so, no wonder people can't remove files this way.  And anyway, your prolong instructions are not worth the "paper" they are written on.  Even if someone would succeed following them, there is no guarantee they remove the virus.  The proper way is to completely reformat your phone including internal SD and external SD, which you do  in recovery by formatting System, Cache, Dalvik cache, Data and both sd cards.  Period.   And for the future, don't install any third party apps unless you compile them from source by yourself or someone you trust.

Click to collapse



but my problem is that I can't find firmware for my tablet: engel tb0725ips


----------



## optimumpro (Sep 8, 2015)

joshuas_79 said:


> but my problem is that I can't find firmware for my tablet: engel tb0725ips

Click to collapse



Get a custom rom. If there is no custom rom, then do a factory reset and then format external and internal sd cards.


----------



## drdkundu (Sep 9, 2015)

Brother Nuh has helped me solving cameraupdate and time service android malwares without flashing, may the Almighty bless him abundantly I really learnt some new things from him Thumbs Up for Brother Nuh:good:


----------



## joshuas_79 (Sep 9, 2015)

optimumpro said:


> Get a custom rom. If there is no custom rom, then do a factory reset and then format external and internal sd cards.

Click to collapse



I can't find a custom recovery either, so only stock recovery with not many options.  :crying:


----------



## tulasi574 (Sep 9, 2015)

*rm action failed*

i tried all u said but rm action was failed and giving error message as read only file system. 
I am attaching screenshot link too





Please help me i want to get rid of those malware's.


----------



## joshuas_79 (Sep 9, 2015)

well. I finally have been able to remove those files (now I'm testing the tablet to confirm it's clean)

I wasn't  able to use command chattr because it wasn't on my /system/bin folder. If you have the same problem, install the app called: "Busybox on the rails", then open it and press "install" ( I think you have to do it twice). After that, you'll be able to use command chattr and rm without issues.
Ex XDA user called Samuaz helped me to find it out.


----------



## syafiq812 (Sep 10, 2015)

sir it cant remove.. cameraupdate.apk cannot be deleted because read-only


----------



## killfrenzy05 (Sep 10, 2015)

Basically, it cannot be remove easily even on factory reset or uninstall in the setting. According to Norton, this is a malware that can consume enough space and drain your battery. The best way is to flash firmware or stock rom .  This also help to freeze this app. Read more http://www.androidcribs.com/2015/08/tutalternative-way-to-remove-monkey.html


----------



## optimumpro (Sep 10, 2015)

killfrenzy05 said:


> Basically, it cannot be remove easily even on factory reset or uninstall in the setting. According to Norton, this is a malware that can consume enough space and drain your battery. The best way is to flash firmware or stock rom .  This also help to freeze this app. Read more http://www.androidcribs.com/2015/08/tutalternative-way-to-remove-monkey.html

Click to collapse



If the apps come back after factory reset and you have original manufacturer provided firmware, then those programs are part of Android and not viruses.  Monkey test is a known Android test application that is used for debugging purposes.  Camera update is a little app that checks manufacturer's site for update.  Time service is an app that takes care of your device having correct time and provided by such manufacturers as Qualcomm and others.  Contrary to claims made by the OP,  neither Norton nor other anti-virus web site talks about these apps as viruses.  There is one or 2 posts on Norton community and they look like written by the same person who posted here.  So, no official confirmation that any of those programs is a virus.  There is absolutely no proof they do anything illegitimate.  If you don't like them, just freeze them in Titanium or any other similar app.  

To the OP:  please stop spamming the board with this nonsense.

P.S. Both Norton and Mcafee are known for numerous false positives.  Also, there is a little known secret about those:  they can never prevent new viruses: first the virus has to spread/infect, then it becomes known and then it is finally added to their database...


----------



## Nuh99 (Sep 11, 2015)

*Oh I see*


----------



## Nuh99 (Sep 11, 2015)

killfrenzy05 said:


> Basically, it cannot be remove easily even on factory reset or uninstall in the setting. According to Norton, this is a malware that can consume enough space and drain your battery. The best way is to flash firmware or stock rom .  This also help to freeze this app. Read more http://www.androidcribs.com/2015/08/tutalternative-way-to-remove-monkey.html

Click to collapse



Goodluck with that :good:


----------



## Nuh99 (Sep 11, 2015)

joshuas_79 said:


> well. I finally have been able to remove those files (now I'm testing the tablet to confirm it's clean)
> 
> I wasn't  able to use command chattr because it wasn't on my /system/bin folder. If you have the same problem, install the app called: "Busybox on the rails", then open it and press "install" ( I think you have to do it twice). After that, you'll be able to use command chattr and rm without issues.
> Ex XDA user called Samuaz helped me to find it out.

Click to collapse



Good advice dear. Thanks for being a sidekick on this journey of thrones  

Love and respect :good:


----------



## syafiq812 (Sep 11, 2015)

Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



Thank you very very much nuh99.. god Thank you very very much nuh99.. god bless you.. this method is working without flashing


----------



## syafiq812 (Sep 11, 2015)

Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



:good: :good:


----------



## joelzed (Sep 13, 2015)

I did all as said but the problem still persists as I reboot android is upgrading and monkey test and time service are there in my app list pls help


----------



## Axislan (Sep 13, 2015)

I have same problem about time services and Monkey test, but when i enter a command  for remove cameraupdate.apk it said
*rm failed for cameraupdate.apk, Operation not permitted*
and I have One more Monkey test (*com.android.wp.net.log.apk*)
when i removing this apk then same failed command :-
*rm failed for com.android.wp.net.log.apk, Operation not permitted*
what i should do.This viruses hanging my mobile.
My mobile's android version is 4.2.2


----------



## Nuh99 (Sep 14, 2015)

Axislan said:


> I have same problem about time services and Monkey test, but when i enter a command  for remove cameraupdate.apk it said
> *rm failed for cameraupdate.apk, Operation not permitted*
> and I have One more Monkey test (*com.android.wp.net.log.apk*)
> when i removing this apk then same failed command :-
> ...

Click to collapse



Did u install busybox from inside the busybox app? If no then do it.. if problem still persist try installing busybox on rail and install it twice as it mentioned in a reply by Joshua on 3rd page.


----------



## Nuh99 (Sep 14, 2015)

joelzed said:


> I did all as said but the problem still persists as I reboot android is upgrading and monkey test and time service are there in my app list pls help

Click to collapse



I'm sure you must have missed something, Either busybox installation or SuperSu. So Plz review positive replies on this post or review negative replies and flash your phone.


----------



## EliardoM (Sep 14, 2015)

very good this tutorial helped.


----------



## One*Star (Sep 16, 2015)

Install titanium backup pro, tap backup/restore, select monkey test and time service provider and tap freeze. NB: your phone should be rooted.

Sent from my itel_it1503 using XDA Free mobile app


----------



## Nuh99 (Sep 17, 2015)

Sorry to interrupt but this guide is not about FREEZING monkey test and time service. 
Please make another thread? Thank you!


----------



## One*Star (Sep 17, 2015)

When the viruses are frozen, they don't operate, you can also uninstall them in the titanium backup pro by tapping on them and pressing uninstall.

Sent from my itel_it1503 using XDA Free mobile app


----------



## Nuh99 (Sep 17, 2015)

One*Star said:


> When the viruses are frozen, they don't operate, you can also uninstall them in the titanium backup pro by tapping on them and pressing uninstall.
> 
> Sent from my itel_it1503 using XDA Free mobile app

Click to collapse



No you can't this one  
Please make your own thread and see how many people are able to uninstall it like you mentioned. 
NONE so don't make a thread and never write what you don't know about.


----------



## One*Star (Sep 17, 2015)

Nuh99 said:


> No you can't this one
> Please make your own thread and see how many people are able to uninstall it like you mentioned.
> NONE so don't make a thread and never write what you don't know about.

Click to collapse



I did the same and it worked well for me, why would I post something I don't know? try and see for yourself before commenting.

Sent from my itel_it1503 using XDA Free mobile app

---------- Post added at 10:11 AM ---------- Previous post was at 09:54 AM ----------




Nuh99 said:


> No you can't this one
> Please make your own thread and see how many people are able to uninstall it like you mentioned.
> NONE so don't make a thread and never write what you don't know about.

Click to collapse



Titanium backup pro stops the virus from operating and I think that's what most people want. After freezing, you can scan your phone with an antivirus and you will find out that it's free from malware.

Sent from my itel_it1503 using XDA Free mobile app


----------



## waseemahmed345 (Sep 17, 2015)

i have an issue to delete dot files in xbin folder. 
Error: Chattr: setting flags on .b: Read-only file system


----------



## Nuh99 (Sep 17, 2015)

Goodbye One*Star ^_^


----------



## Nuh99 (Sep 17, 2015)

waseemahmed345 said:


> i have an issue to delete dot files in xbin folder.
> Error: Chattr: setting flags on .b: Read-only file system

Click to collapse



Hello waseemahmed with telenor code.. did u find and deleted the corrupt apks? if yes then try reinstall busybox... or busybox on rails..


----------



## One*Star (Sep 17, 2015)

Nuh99 said:


> Goodbye One*Star ^_^

Click to collapse



Why are you upset about me trying to share what worked for me? It maybe helpful to them. Visit androidcribs.com and read about it; there are many ways to kill a cat.


----------



## One*Star (Sep 17, 2015)

I'm sorry for trying to assist guys in your thread, I just wanted to  share the little I know. My aim here, is to learn and share to others, hope you will forgive me.


----------



## Nuh99 (Sep 17, 2015)

One*Star said:


> I'm sorry for trying to assist guys in your thread, I just wanted to  share the little I know. My aim here, is to learn and share to others, hope you will forgive me.

Click to collapse



It's not that I'm angry on you or something if you feel that way I'm more sorry than you are. All I meant to say that it's not possible if it solved your problem I wonder how cause this virus is very tricky and I also learned from here and various forums and when I finally removed it from my tablet then I wrote this guide. I tried your method when MT & TS first hit my device. It just froze both services with no uninstall or even if you are able to uninstall them they raise their head again. Titanium is very good solution for freezing but It also doesn't help removing it completely and if I had a perfect ROM for my device I wouldn't bother finding the solution. So please forgive me if any of my words hurt you in anyway.

Thanks and Love.
-Nuh


----------



## reuben27 (Sep 18, 2015)

*hi mines lenovo vibex kitkat...*

n i hav same virus monkey test n time service...
i hav reched step 5.terminal...n when i type adb shell it says 
error device not found
so what 2 do..???


----------



## najrazlug (Sep 18, 2015)

*Plz Chek Fail to delte .b and etc files*

http://forum.xda-developers.com/general/general/chattr-seeting-flag-permission-denied-t3202818


----------



## Chun Vanda (Sep 18, 2015)

Easy way to stop timeservice and monkeytest on andriod best result:
1/ go to setting
2/ go to App manager => all =>find timeservices and monkeytests.
3/ disable it all.
4/ enjoy your android working fluently. 
  More info: +855318409000 or [email protected]


----------



## reuben27 (Sep 18, 2015)

Chun Vanda said:


> Easy way to stop timeservice and monkeytest on andriod best result:
> 1/ go to setting
> 2/ go to App manager => all =>find timeservices and monkeytests.
> 3/ disable it all.
> ...

Click to collapse



bt every tym it restarts it comes again..


----------



## Nuh99 (Sep 18, 2015)

reuben27 said:


> n i hav same virus monkey test n time service...
> i hav reched step 5.terminal...n when i type adb shell it says
> error device not found
> so what 2 do..???

Click to collapse



Open busybox app in your device and install busybox from inside and make sure you have SuperSu before you give commands.


----------



## Den130 (Sep 19, 2015)

i can't install any version of busybox from "busybox installer app"  it said :Busybox installation failed .. wt to do ? 

plzzz help


----------



## Yasminatarik (Sep 20, 2015)

*Time service and monkey test*

This is really useful if you guys follow these steps you're gonna get rid of this virus for sure! 
Thanks for this huge help<3


----------



## freeandroid (Sep 20, 2015)

im install busybox root with supersu but when type this commend chattr -iaA providerCertificate.apk this say: setting flags on provider.....apk read-only file system


----------



## Nuh99 (Sep 20, 2015)

Yasminatarik said:


> This is really useful if you guys follow these steps you're gonna get rid of this virus for sure!
> Thanks for this huge help<3

Click to collapse



Thank you! 
You have been the sharpest girl ever


----------



## Nuh99 (Sep 20, 2015)

freeandroid said:


> im install busybox root with supersu but when type this commend chattr -iaA providerCertificate.apk this say: setting flags on provider.....apk read-only file system

Click to collapse



Dear friend - Root your phone again with kingoroot and then Superuser to Supersu. Install busybox and then try.. Make sure you have usb debugging enabled and busybox installed properly.
Also check your Xbin folder, Priv-app or app folder files permission by typing lsattr.
some devices have different permission write down those permission on and Chattr them.


----------



## Igor Alter (Sep 21, 2015)

*Igor Alter*

Thank you, Nuh99!
You are legend! 
I have spend days, trying to get rid of this annoying malware.
Just wanted to add something FYI:
You most likely have been infected to SnapPea (Windows/Android) software: 
Google for:



> Adware or APT – SnapPea Downloader – An Android Malware that implements 12 different exploits

Click to collapse



If while deleting *.apk files you get "read only" message and file cannot be deleted - you have to remount your /system partition be mounted as a read/write partition.
What you need to do is:


```
# mount -o remount,rw /system
```


----------



## Den130 (Sep 21, 2015)

thank you very much Nuh99 u saved my phone


----------



## macon157 (Sep 22, 2015)

*help me*

i did as u said, when i typed
...
chattr -iaA providerCertificate.apk [enter]
notice: chattr: Read-only file system while setting flag on providerCertificate.apk
rm providerCertificate.apk
notice: rm failed for providerCertificate.apk, Read-only file system
...
and i can get rit of those malware
 it also happen with cameraupdate, .b, .ext.base, .sys.apk


----------



## Nuh99 (Sep 23, 2015)

macon157 said:


> i did as u said, when i typed
> ...
> chattr -iaA providerCertificate.apk [enter]
> notice: chattr: Read-only file system while setting flag on providerCertificate.apk
> ...

Click to collapse



Kindly follow this :



Igor Alter said:


> Thank you, Nuh99!
> You are legend!
> I have spend days, trying to get rid of this annoying malware.
> Just wanted to add something FYI:
> ...

Click to collapse


----------



## Axy_Nekoi (Sep 23, 2015)

*Thanks!!*

After so many attemps, on try and error, finally i can get rid of those annoying malware. Thank you so much for helping us!!


----------



## shalinsurana (Sep 24, 2015)

*virus partially gone*



Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse








thank you for this method bro.
i had like 2 monkey tests and 4 time service disabled.
now i still have one time service left and i dont know what is that time service named (eg: other time services were like com.android. etc.)
and i also have a problem that whenever i reboot my phone hola launcher and 2 more apps keep getting installed automatically everytime and some new apps also get installed when i am using my net.
please help.

you can contact me on my email-id : [email protected]


----------



## Nuh99 (Sep 24, 2015)

shalinsurana said:


> thank you for this method bro.
> i had like 2 monkey tests and 4 time service disabled.
> now i still have one time service left and i dont know what is that time service named (eg: other time services were like com.android. etc.)
> and i also have a problem that whenever i reboot my phone hola launcher and 2 more apps keep getting installed automatically everytime and some new apps also get installed when i am using my net.
> ...

Click to collapse



Hello
Im glad it helped you.
What OS you have kitkat or jelly bean? 
If KK send me screenshot of all apps from system/Priv-app
If JB then system/apps on my fb link given in my profile.
Note: In root explorer sort files by type to align all apks in order for screenshots. 

Thank you


----------



## shalinsurana (Sep 24, 2015)

*screenshot of system app*



Nuh99 said:


> Hello
> Im glad it helped you.
> What OS you have kitkat or jelly bean?
> If KK send me screenshot of all apps from system/Priv-app
> ...

Click to collapse



i am using 4.2.2 jellybean
the link to the screenshots is http://forum.xda-developers.com/album.php?u=6961795
thanks.


----------



## Nuh99 (Sep 24, 2015)

shalinsurana said:


> i am using 4.2.2 jellybean
> the link to the screenshots is http://forum.xda-developers.com/album.php?u=6961795
> thanks.

Click to collapse



I assume this virus attacked you on 23rd August.
Well these are the files you need to remove from apps:
Models.apk
Launcher0920bx6jPec.apk
Launcher0923LJ7ThCa.apk

Be very aware of Small or Capital letters while typing these apk names or they wont be removed.

If it solves your problem let me know and if it doesn't then also delete these files but first make a backup of these files in your computer or elsewhere.

providerdown.apk
SecurityCertificate.apk
SettingProvider.apk

(REMINDER : SpeLLinG)

Happy hunting


----------



## Dkvyas007 (Sep 24, 2015)

*Do we require our device to be rooted to use "su" command?*



Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



--------------
Hello ..i m a newbie to android..pl clarify me that Do we require our device to be rooted to use "su" command?


----------



## Nuh99 (Sep 24, 2015)

Dkvyas007 said:


> --------------
> Hello ..i m a newbie to android..pl clarify me that Do we require our device to be rooted to use "su" command?

Click to collapse



Yes sir Yes! you have to root your device to use SuperSu.


----------



## BoxerGames (Sep 25, 2015)

dsamivai said:


> i can't change the permission on root explorer. can you help me to fix it..it says failed to change permission because your sdcard..........something..
> 
> plz help me

Click to collapse



same here


----------



## freeandroid (Sep 26, 2015)

Thank you my friend.
finally deleted!!
after this line "su"
i use this  " mount -o remount,rw /system"
and other lines and its work for me.


----------



## thisisgulshan (Sep 29, 2015)

*Monkey Test & Time Service Removal Explained in Detail*

Refer : 
onlinesurprises(dot)com
Enjoy ...


----------



## Nuh99 (Sep 29, 2015)

thisisgulshan said:


> Refer :
> onlinesurprises(dot)com
> Enjoy ...

Click to collapse



Very good effort but it would be great if you give credits where its due ?
Anyway there is an apk coming soon that will uninstall MT & TS with one tap. 
I am also going to name out every app from apps or priv-app folder and dot files from xbin folder.
Thank you!


----------



## thisisgulshan (Sep 29, 2015)

shalinsurana said:


> thank you for this method bro.
> i had like 2 monkey tests and 4 time service disabled.
> now i still have one time service left and i dont know what is that time service named (eg: other time services were like com.android. etc.)
> and i also have a problem that whenever i reboot my phone hola launcher and 2 more apps keep getting installed automatically everytime and some new apps also get installed when i am using my net.
> ...

Click to collapse



Check onlinesurprises(dot)com post for the detailed solution with the meaning of each command which need to enter on Terminal Emulator


----------



## thisisgulshan (Sep 30, 2015)

*Refer this also*



Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



onlinesurprises(dot)com/2015/09/remove-monkey-test-time-service-virus-without-flashing/


----------



## Nuh99 (Sep 30, 2015)

thisisgulshan said:


> onlinesurprises(dot)com/2015/09/remove-monkey-test-time-service-virus-without-flashing/

Click to collapse



You want to be famous? 
Do something original.


----------



## thisisgulshan (Oct 1, 2015)

*Monkey Test & Time Service Fix without flashing*



Nuh99 said:


> You want to be famous?
> Do something original.

Click to collapse



Below are few of the website links which have exactly same solution as you have given:
abdroid4g(dot)blogspot(dot)sg/2015/09/fix-for-monkey-test-time-service-virus_6(dot)html
smartphone(dot)erudisi(dot)com/cara-mengatasi-malware-monkey-test-dan-time-service/
www(dot)openeduusa(dot)com/2015/09/06/fix-for-monkey-test-time-service-virus-without-flashing/

Now you knows better who has copied from where. 

Apart from that,  you mentioned "I'm not a developer and That's it!"
I will tell you that I am a Programmer and I know the meaning of each and every command entered on Terminal Emulator. That's why I explained the meaning of each command in my post onlinesurprises(dot)com/2015/09/remove-monkey-test-time-service-virus-without-flashing/). Because I believe that users should know what and why they are doing rather then blindly following the steps that are just specific to a particular version of android and infected apps.
And yes I took help from this post to fix my phone but I did it in my way.
Thanks


----------



## Nuh99 (Oct 1, 2015)

thisisgulshan said:


> Below are few of the website links which have exactly same solution as you have given:
> abdroid4g(dot)blogspot(dot)sg/2015/09/fix-for-monkey-test-time-service-virus_6(dot)html
> smartphone(dot)erudisi(dot)com/cara-mengatasi-malware-monkey-test-dan-time-service/
> www(dot)openeduusa(dot)com/2015/09/06/fix-for-monkey-test-time-service-virus-without-flashing/
> ...

Click to collapse



Hello programmer, 
Well the things you have posted on your site are exactly the same words as mine. I guess you were too much busy in programming that you forgot how to write. Who wrote this reply for you that you just pasted here? 
and mr programmer why did you need help from my post to fix your phone when you had those three links that I just came to know about... 

(*BTW two of those links are juts a copy paste from my guide by some unknown want to be known guys or whatever. I have seen so many guys faking it like they wrote the whole procedure, anyway if you are a programmer and you understand any kind of language you can compare this reply and my whole guide and you will get the idea* 

Now please make your own thread and please stop pasting your link here... I fixed more than 600 devices now... and I'm still not a programmer and the way you are keep posting your link here that is kinda making you look hungry to be noticed.. I have noticed you and you are famous..
Farewell....


----------



## didhiy (Oct 5, 2015)

optimumpro said:


> If the apps come back after factory reset and you have original manufacturer provided firmware, then those programs are part of Android and not viruses.  Monkey test is a known Android test application that is used for debugging purposes.  Camera update is a little app that checks manufacturer's site for update.  Time service is an app that takes care of your device having correct time and provided by such manufacturers as Qualcomm and others.  Contrary to claims made by the OP,  neither Norton nor other anti-virus web site talks about these apps as viruses.  There is one or 2 posts on Norton community and they look like written by the same person who posted here.  So, no official confirmation that any of those programs is a virus.  There is absolutely no proof they do anything illegitimate.  If you don't like them, just freeze them in Titanium or any other similar app.
> 
> To the OP:  please stop spamming the board with this nonsense.
> 
> P.S. Both Norton and Mcafee are known for numerous false positives.  Also, there is a little known secret about those:  they can never prevent new viruses: first the virus has to spread/infect, then it becomes known and then it is finally added to their database...

Click to collapse



I don't believe this problem too just like you... Hard to believe that an OEM rom suddenly have some new apks in system app folder.
Unfortunately all the posts being wrote in this thread were true, it happened to my friend's phone. His phone is Lenovo a369i. I think there was a bug in mtk devices that make them can be easily exploited and infected by some malware apps.


----------



## bouyett (Oct 5, 2015)

Do i need computer to carryout the operation


----------



## Nuh99 (Oct 5, 2015)

bouyett said:


> Do i need computer to carryout the operation

Click to collapse



No you don't.. but you can also do it with computer through adb but that's another topic..


----------



## gandolf007 (Oct 6, 2015)

hi everyone 
dear Nuh99 , thank you for your tips !! 
a question ?: how to rm directory in my storage till starting with a dot (eg: .ext.base)!!!? 
i cant delete that, and i cant format my storage in settings menu ! 
log :


> [email protected]:/ # cd storage
> cd storage
> [email protected]:/storage # ctattr -iaA .android.analytics
> ctattr -iaA .android.analytics
> ...

Click to collapse



busybox installed .

do you know any commands for remove folder on my storage to remove this malware

tanx alot


----------



## One*Star (Oct 8, 2015)

Axy_Nekoi said:


> After so many attemps, on try and error, finally i can get rid of those annoying malware. Thank you so much for helping us!!

Click to collapse



Nuh99 has really helped android  user suffering from monkey test and time service malware.

Sent from my itel_it1503 using Tapatalk


----------



## Nuh99 (Oct 9, 2015)

One*Star said:


> Nuh99 has really helped android  user suffering from monkey test and time service malware.
> 
> Sent from my itel_it1503 using Tapatalk

Click to collapse



Thanks for your reply and not giving up :good:


----------



## One*Star (Oct 9, 2015)

Welcome.

Sent from my itel_it1503 using Tapatalk

---------- Post added at 02:09 AM ---------- Previous post was at 01:51 AM ----------

I want to try this guide with king user, what do you think of it? 

Sent from my itel_it1503 using Tapatalk


----------



## Nuh99 (Oct 9, 2015)

One*Star said:


> Welcome.
> 
> Sent from my itel_it1503 using Tapatalk
> 
> ...

Click to collapse



I have tried myself many times but kingroot superuser does not fully root the system.. it's for basic rooting or you can say safe rooting..  It didn't let me install busybox which is essential... but you can try and please let me know if you succeed.  :fingers-crossed:


----------



## One*Star (Oct 9, 2015)

I was able to install busybox after rooting with the latest version of kingroot. When I get clockworkmod recovery, I will do a  nandroid backup and use this guide to completely remove these viruses. 

Sent from my itel_it1503 using Tapatalk


----------



## khamees_xi (Oct 10, 2015)

C:\Users\khame\Desktop\Minimal ADB and Fastboot>adb shell
[email protected]:/ $ su
su
[email protected]:/ # adb shell
adb shell
* daemon not running. starting it now on port 5038 *
* daemon started successfully *
error: device not found
1|[email protected]:/ # mount -o remount,rw /system
mount -o remount,rw /system
[email protected]:/ # cd system/app
cd system/app
[email protected]:/system/app # chattr -iaA providerdown.apk
chattr -iaA providerdown.apk
[email protected]:/system/app # rm providerdown.apk
rm providerdown.apk
[email protected]:/system/app # chattr -iaA com.android.wp.net.log.apk
chattr -iaA com.android.wp.net.log.apk
[email protected]:/system/app # rm com.android.wp.net.log.apk
rm com.android.wp.net.log.apk
[email protected]:/system/app # chattr -iaA com.android.Markserver.apk
chattr -iaA com.android.Markserver.apk
chattr: stat com.android.Markserver.apk: No such file or directory
[email protected]:/system/app # chattr -iaA com.android.Markserv.apk
chattr -iaA com.android.Markserv.apk
chattr: stat com.android.Markserv.apk: No such file or directory
[email protected]:/system/app # chattr -iaA com.android.hardware.ext.0.apk
chattr -iaA com.android.hardware.ext.0.apk
chattr: stat com.android.hardware.ext.0.apk: No such file or directory
[email protected]:/system/app # chattr -iaA com.android.hardware.ext0.apk
chattr -iaA com.android.hardware.ext0.apk
[email protected]:/system/app # rm com.android.hardware.ext0.apk
rm com.android.hardware.ext0.apk
[email protected]:/system/app # chattr -iaA com.android.psync.apk
chattr -iaA com.android.psync.apk
[email protected]:/system/app # rm com.android.psync.apk
rm com.android.psync.apk
[email protected]:/system/app # chattr -iaA com.android.psetting.apk
chattr -iaA com.android.psetting.apk
[email protected]:/system/app # rm com.android.psetting.apk
rm com.android.psetting.apk
[email protected]:/system/app # chattr -iaA com.google.model.mi.apk
chattr -iaA com.google.model.mi.apk
[email protected]:/system/app # rm com.google.model.mi.apk
rm com.google.model.mi.apk
[email protected]:/system/app # chattr -iaA com.google.fk.json.slo.apk
chattr -iaA com.google.fk.json.slo.apk
[email protected]:/system/app # rm com.google.fk.json.slo.apk
rm com.google.fk.json.slo.apk
[email protected]:/system/app # chattr -iaA com.android.pumo.apk
chattr -iaA com.android.pumo.apk
[email protected]:/system/app # rm com.android.pumo.apk
rm com.android.pumo.apk
[email protected]:/system/app # chattr -iaA BatteryControl.apk
chattr -iaA BatteryControl.apk
[email protected]:/system/app # rm BatteryControl.apk
rm BatteryControl.apk
[email protected]:/system/app # chattr -iaA com.android.aoml.apk
chattr -iaA com.android.aoml.apk
[email protected]:/system/app # rm com.android.aoml.apk
rm com.android.aoml.apk


----------



## Riowald (Oct 12, 2015)

*Thanks!*

Thank you Nuh99! :good::good::good:

I followed everything you said and the removal worked perfectly on my Xiaomi Mi4S. :laugh:

One thing I just wanted to add though was that TimeService on my device was in a different package, *com.android.provider.down2*. Removing *providerdown.apk* (via chattr & rm) in system/app did the trick though. Just mentioning this in case TimeService changed for anyone else.


----------



## Nuh99 (Oct 12, 2015)

Riowald said:


> Thank you Nuh99! :good::good::good:
> 
> I followed everything you said and the removal worked perfectly on my Xiaomi Mi4S. :laugh:
> 
> One thing I just wanted to add though was that TimeService on my device was in a different package, *com.android.provider.down2*. Removing *providerdown.apk* (via chattr & rm) in system/app did the trick though. Just mentioning this in case TimeService changed for anyone else.

Click to collapse



Thank you for reporting back brother.
When I started this thread I only knew few packages, Every device has its own packages. The whole guide is an idea how to get rid of it and you know IDEA lives forever... Glad it helped you... Love  

-Nuh


----------



## aamszia (Oct 12, 2015)

C:\Program Files\Minimal ADB and Fastboot>adb shell
su
mount -o remount,rw /system
cd system/app
chattr -iaA providerdown.apk
su
rm providerdown.apkmount -o remount,rw /system
cd system/app
chattr -iaA providerdown.apk
[email protected]:/ $ su
[email protected]:/ # mount -o remount,rw /system
[email protected]:/ # cd system/app
[email protected]:/system/app # chattr -iaA providerdown.apk
k_shell/2000:6028: chattr: not found
127|[email protected]:/system/app #


----------



## Nuh99 (Oct 13, 2015)

aamszia said:


> C:\Program Files\Minimal ADB and Fastboot>adb shell
> su
> mount -o remount,rw /system
> cd system/app
> ...

Click to collapse



Are you performing this from adb? 
What seems to be the problem? if you are on stock rom... install abdb insecure and enable it from inside then try these commands..


----------



## kamal1437 (Oct 16, 2015)

There is no any files starting with dot in system/xbin
And in private app folder also there is no cameraupdate.apk and providerCertificate.apk still i have time service app which i have disabled as mention by you .and have a file name com.android.hardware.ext0-1.apk in data/app which enables time service .and i cannot delete that file.even if i uninstall it it gets back after some time .


----------



## Nuh99 (Oct 16, 2015)

kamal1437 said:


> There is no any files starting with dot in system/xbin
> And in private app folder also there is no cameraupdate.apk and providerCertificate.apk still i have time service app which i have disabled as mention by you .and have a file name com.android.hardware.ext0-1.apk in data/app which enables time service .and i cannot delete that file.even if i uninstall it it gets back after some time .

Click to collapse



If you uninstall it will come back because its apk has immutable permission set in data/app:
You have to remove  com.android.hardware.ext0-1.apk manually by following the procedure 

In emulator go to data/app and check its permission by typing :
# lsattr com.android.hardware.ext0-1.apk
see its permissions and then chattr and rm.


----------



## wargr (Oct 16, 2015)

at end say (devices directory) what is this and monkey test and time services already here. not deleted


----------



## Nuh99 (Oct 17, 2015)

wargr said:


> at end say (devices directory) what is this and monkey test and time services already here. not deleted

Click to collapse



Could you be more specific and share screenshot because I didn't understand what you said ?


----------



## icedeocampo (Oct 17, 2015)

wherever the apk are... you can type "ls -al | grep more" (excluding the quotes)... and you can see all the file dates and attributes.... in my case i typed "ls -al | grep 2015" ... since all the files in my /system/app are 2013 (Jelly bean era)... so the 2015 files standout.


----------



## kamal1437 (Oct 19, 2015)

It's saying when I type data/app》
[email protected]:/ $ data/app
/system/bin/sh: data/app: can't execute: Is a directory
126|[email protected]:/ $


----------



## Nuh99 (Oct 20, 2015)

kamal1437 said:


> It's saying when I type data/app》
> [email protected]:/ $ data/app
> /system/bin/sh: data/app: can't execute: Is a directory
> 126|[email protected]:/ $

Click to collapse



Hello kamal,
If you have installed everything as I mentioned then type this in Terminal:

adb shell
su 
mount -o remount,rw /system
cd data/app
lsattr com.android.hardware.ext0-1.apk
(*See the file permission e.g: ---------i--a---A (Whatever permission you see type after chattr as written in the next line*)
chattr -iaA com.android.hardware.ext0-1.apk
rm com.android.hardware.ext0-1.apk

Let me know okay ? v:fingers-crossed:


----------



## TheDarkLord098 (Oct 20, 2015)

*Reallyneed help badly*



Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



I've got a similar virus like yours too but it's much more different. So this is how I got it, when I got vShare for Android installed, I opened and then an app called India Sexy Story 2 started to download and install the software. Then, when I launched later on after I read my tablet got slow and CM warned that there is a virus called Ghost Push Trojan Horse, which I read on the internet and affected more than 900,000 people worldwide. I was really shocked and I can really see I caught the virus. I used Stubborn Ghost Push Trojan Horse by Cheetah Mobile and killed, then after I rebooted, it's back. When I used root explorer pro then navigated to /system/priv-app there are these virus apks that I CAN'T DELETE! I used Root Browser and the apks are named, appstarts.apk (engriks), Models.apk (mobileOcr), playstoreupdate.apk (catstudio), and lastly providerdown (txvpn). Now this is really getting weird, I managed to delete those with Root Browser, now, when I refresh, it comes back! What the hell! So now, I can infer that these virus apps or so called apk have infected my ROM, why? I did a factory reset, clear cache, hard reset everything, no luck! So, I can see the virus has been made just a week ago with the improved version and I caught it, you see. Well since you have made this tutorial for this virus too, would you mind giving me a hand? I badly need your help, cause some ads and my tablet is not fully functional with this virus!


----------



## kamal1437 (Oct 20, 2015)

Nuh99 said:


> Hello kamal,
> If you have installed everything as I mentioned then type this in Terminal:
> 
> adb shell
> ...

Click to collapse



It's done. thanks the file in data/app is no more .still in setting disabled apps  time service change to Com.android.hardware.ext0 about 44 kb ,could I Uninstall it ?


----------



## Nuh99 (Oct 20, 2015)

kamal1437 said:


> It's done. thanks the file in data/app is no more .still in setting disabled apps  time service change to Com.android.hardware.ext0 about 44 kb ,could I Uninstall it ?

Click to collapse




l:victory:
See if you can uninstall it or try titanium backup pro.. but first restart your phone and check if its still there


----------



## kamal1437 (Oct 20, 2015)

Nuh99 said:


> l:victory:
> See if you can uninstall it or try titanium backup pro.. but first restart your phone and check if its still there

Click to collapse



Thanks . it's UNINSTALLED SUCCESSFULLY.


----------



## jcase (Oct 21, 2015)

Do you have a sample of this malware?


----------



## Nuh99 (Oct 22, 2015)

jcase said:


> Do you have a sample of this malware?

Click to collapse



I don't have sample but this virus comes with mostly adult apps, ads of non reliable apps and Chinese apps.
One guy told me he installed  p*rnhub app and then he tapped on a ad inside and that was an apk of another adult videos, he installed it and got infected right away...


----------



## joehendricks (Oct 22, 2015)

i also have engriks,pro,txvpn,measure,catstudio on my phone and cant remove it..pls help me here....my phone is now haywire

---------- Post added at 11:47 AM ---------- Previous post was at 11:23 AM ----------

kamal,pls i have virtually the same problem as u did...i really dont understand..pls can u explain what u did exactly to permanently uninstall engriks,pro,measure,cat studio etc


----------



## j4jerin (Oct 22, 2015)

*Thankssss.........*

Deleted extra services running along with  monkeystest and timeservices......Before applying these,i have three timer services running and i cant switch on internet beacause of many ads....it was so irritating.....This saved my day.....:good::good:


----------



## kamal1437 (Oct 22, 2015)

joehendricks said:


> i also have engriks,pro,txvpn,measure,catstudio on my phone and cant remove it..pls help me here....my phone is now haywire
> 
> ---------- Post added at 11:47 AM ---------- Previous post was at 11:23 AM ----------
> 
> kamal,pls i have virtually the same problem as u did...i really dont understand..pls can u explain what u did exactly to permanently uninstall engriks,pro,measure,cat studio etc

Click to collapse



Sorry.but I am not a developer, and actually I had only one app/virus it was time service and with the help of nuh99 I had solved the issue.Nuh99 will surely answer ur problem. He had given me some steps which are on the previous page which I followed and the problem solved,see to it,may help you out. ?sorry Joe.


----------



## mekato (Oct 23, 2015)

*Simply, run this script*

More simply, open notepad, paste this:



```
@echo off
color 2f
:menu
adb kill-server
taskkill /f /im adb.exe
cls
echo.
echo --------------------------------------------------------------------
echo [*] Before begin:  
echo     (1) Enable USB Debugging
echo     (2) Enable '"Unknown sources'"
echo     (3) Root your device
echo     (4) Install Busybox (open it an tap on install)
echo --------------------------------------------------------------------
adb -a wait-for-device>nul
echo Device detected, press any key to coninue...
echo.
echo.
pause>nul
 
echo Deleting apk from /system/app
echo.
 
adb shell "su -c 'mount -o rw,remount /system'"
 
adb shell "su -c 'chattr -iaA /system/app/com.android.wp.net.log.apk'"
adb shell "su -c 'rm /system/app/com.android.wp.net.log.apk'"
 
adb shell "su -c 'chattr -iaA /system/app/Models.apk'"
adb shell "su -c 'rm /system/app/Models.apk'"
 
adb shell "su -c 'chattr -iaA /system/app/com.google.fk.json.slo.apk'"
adb shell "su -c 'rm /system/app/com.google.fk.json.slo.apk'"
 
adb shell "su -c 'chattr -iaA /system/app/com.android.hardware.ext0.apk'"
adb shell "su -c 'rm /system/app/com.android.hardware.ext0.apk'"
 
adb shell "su -c 'chattr -iaA /system/app/providerdown.apk'"
adb shell "su -c 'rm /system/app/providerdown.apk'"
 
adb shell "su -c 'chattr -iaA /system/app/providerCertificate.apk'"
adb shell "su -c 'rm /system/app/providerCertificate.apk'"
 
adb shell "su -c 'chattr -iaA /system/app/cameraupdate.apk'"
adb shell "su -c 'rm /system/app/cameraupdate.apk'"
 
adb shell "su -c 'chattr -iaA /system/app/playstoreupdate.apk'"
adb shell "su -c 'rm /system/app/playstoreupdate.apk'"
 
echo.
echo Deleting files from /system/xbin
echo.
 
adb shell "su -c 'chattr -iaA /system/xbin/.b'"
adb shell "su -c 'rm /system/xbin/.b'"
 
adb shell "su -c 'chattr -iaA /system/xbin/.df'"
adb shell "su -c 'rm /system/xbin/.df'"
 
adb shell "su -c 'chattr -iaA /system/xbin/.ext.base'"
adb shell "su -c 'rm /system/xbin/.ext.base'"
 
adb shell "su -c 'chattr -iaA /system/xbin/.ld.js'"
adb shell "su -c 'rm /system/xbin/.ld.js'"
 
adb shell "su -c 'chattr -iaA /system/xbin/.ls'"
adb shell "su -c 'rm /system/xbin/.ls'"
 
adb shell "su -c 'chattr -iaA /system/xbin/.sys.apk'"
adb shell "su -c 'rm /system/xbin/.sys.apk'"

echo.
echo Finishied, press any key to exit.
pause>nul
exit
```


 Save as a .bat file, copy this file in "C:\Program Files\Java\android-sdk-windows\tools"  then run. 

Did this works for you? Hit Thanks!


----------



## faisalasghar18 (Oct 24, 2015)

*I Have an Easy Solution for All and 100% Working*

I Have an Easy Solution for All and 100% Working

Everyone Please Listen Carefully
I Tried all methods mentioned Here But Some are not Working and some are very Difficult so I myself Created a Post which has worked for me and many of my viewers who are thanking me in return.
Please Read Full Post Here at
pkhelper18.blogspot.com/search?q=monkey+test

It is working and please share it with all .


----------



## Niaz muhammad (Oct 27, 2015)

tested report need    i slove with full flash


----------



## Nuh99 (Oct 27, 2015)

joehendricks said:


> i also have engriks,pro,txvpn,measure,catstudio on my phone and cant remove it..pls help me here....my phone is now haywire
> 
> ---------- Post added at 11:47 AM ---------- Previous post was at 11:23 AM ----------
> 
> kamal,pls i have virtually the same problem as u did...i really dont understand..pls can u explain what u did exactly to permanently uninstall engriks,pro,measure,cat studio etc

Click to collapse



Hello Joe,
You have Ghost push virus.. Install "Ghost Push Trojan Killer" from google play store.


----------



## One*Star (Nov 2, 2015)

Thank you Nuh99, though using King user as su binary, I have successfully uninstalled monkey test and time service with this guide.(latest version of king root should be used) Ghost push trojan killer removed all the viruses except cameraupdate.apk; and I used your guide to uninstall it.


Sent from my itel_it1503 using Tapatalk


----------



## azharshaikh (Nov 5, 2015)

Thanks Man !!!!! Worked for me


----------



## FrankSze (Nov 7, 2015)

Ghost Push Trojan Killer does not work against the new mobileocr/engriks etc


----------



## Nuh99 (Nov 7, 2015)

FrankSze said:


> Ghost Push Trojan Killer does not work against the new mobileocr/engriks etc

Click to collapse



Thanks for the info... Please follow the guide for viruses that ghost push unable to remove...


----------



## MrPamungkas (Nov 9, 2015)

Not work with me.. I cant find providerCertificate.apk
And partly initiated by the file system . (Dot) can not to erase. Adb error it was not allowed, and access denied.
And annoying apps still appear. 
I wanted to burn my smart phone. 

Sorry about my bad english.


----------



## Nuh99 (Nov 9, 2015)

MrPamungkas said:


> Not work with me.. I cant find providerCertificate.apk
> And partly initiated by the file system . (Dot) can not to erase. Adb error it was not allowed, and access denied.
> And annoying apps still appear.
> I wanted to burn my smart phone.
> ...

Click to collapse



1: Root your phone again
2: Install busybox and then open busybox inside there tap Advance and tap Install.
3: Make sure you type mount -o remount,rw /system (give a SPACE after rw before /)


----------



## HITMAN-CREED (Nov 15, 2015)

TheDarkLord098 said:


> I've got a similar virus like yours too but it's much more different. So this is how I got it, when I got vShare for Android installed, I opened and then an app called India Sexy Story 2 started to download and install the software. Then, when I launched later on after I read my tablet got slow and CM warned that there is a virus called Ghost Push Trojan Horse, which I read on the internet and affected more than 900,000 people worldwide. I was really shocked and I can really see I caught the virus. I used Stubborn Ghost Push Trojan Horse by Cheetah Mobile and killed, then after I rebooted, it's back. When I used root explorer pro then navigated to /system/priv-app there are these virus apks that I CAN'T DELETE! I used Root Browser and the apks are named, appstarts.apk (engriks), Models.apk (mobileOcr), playstoreupdate.apk (catstudio), and lastly providerdown (txvpn). Now this is really getting weird, I managed to delete those with Root Browser, now, when I refresh, it comes back! What the hell! So now, I can infer that these virus apps or so called apk have infected my ROM, why? I did a factory reset, clear cache, hard reset everything, no luck! So, I can see the virus has been made just a week ago with the improved version and I caught it, you see. Well since you have made this tutorial for this virus too, would you mind giving me a hand? I badly need your help, cause some ads and my tablet is not fully functional with this virus!

Click to collapse


*+1
Is there any Solution??*


----------



## T2rnanog (Nov 15, 2015)

Very usefull thanks


----------



## Nuh99 (Nov 15, 2015)

HITMAN-CREED said:


> *+1
> Is there any Solution??*

Click to collapse



This guy sent me private message which is:
I finally killed the virus using the latest update and definition of Stubborn Ghost Push Trojan Killer! I'm so happy!


----------



## HITMAN-CREED (Nov 16, 2015)

Nuh99 said:


> This guy sent me private message which is:
> I finally killed the virus using the latest update and definition of Stubborn Ghost Push Trojan Killer! I'm so happy!

Click to collapse



Yeah, Me too.
I freezed those apps,  then killed with Stubborn Ghost Push Trojan Killer, and finally they have been killed..


----------



## TheDarkLord098 (Nov 17, 2015)

HITMAN-CREED said:


> Yeah, Me too.
> I freezed those apps,  then killed with Stubborn Ghost Push Trojan Killer, and finally they have been killed..

Click to collapse



Glad to hear that!


----------



## sentim35 (Nov 18, 2015)

*thx 100% working*



Nuh99 said:


> Hello Joe,
> You have Ghost push virus.. Install "Ghost Push Trojan Killer" from google play store.

Click to collapse



 thanks Nuh , it worked 100% for me...:good:


----------



## seijidinzuala (Nov 18, 2015)

A little more virus lists , OP you might wanna add them on the first post. :
They are all located on priv-app folder

1. appstarts.apk
2. com.android.hardware.ext0.apk
3. com.android.wp.net.log.apk
4. Models.apk
5. playstoreupdate.apk
6. providerdown.apk

Lol, kinda funny how these apps try to disguise themselves and fool us as the real system apps. A good way to spot viruses in system folder is with a file explorer like Root Explorer, look at the time they were added in that folder. Bloat apps (apps that originally came with the phone) will be all added at the same time and date (ie. when the OS was loaded into the phone) while the viruses will be added at a different time.

I'm not a phone repairer but since I play with my phone alot, people in my neighbour always ask me to fix their phone, recently I have fixed two phones which are affected by these viruses by flashing them with a fresh ROM. I still have four different phones with me which still needs fixing, but, unfortunately, they are locally made phones which are not popular at all and their stock ROMs/custom ROMs are nowhere to be found on the internet (as far as I can tell). I have rooted them but cannot delete the viruses as they are read-only files, I cannot change their permissions either.

Freezing them/Disabling them DOESN'T give a permanent solution, and I'm currently lost as your procedure did not work for me. Any help would be greatly appreciated.


----------



## Nuh99 (Nov 19, 2015)

seijidinzuala said:


> A little more virus lists , OP you might wanna add them on the first post. :
> They are all located on priv-app folder
> 
> 1. appstarts.apk
> ...

Click to collapse



I already know about almost all viruses apk now but did not get the time due to musuc recordings.. I will be glad to help.. what seems to be the problem? 
Btw did u try ghost push trojan app on those devices?


----------



## Hadi91 (Nov 19, 2015)

Thx

---------- Post added at 08:25 PM ---------- Previous post was at 08:04 PM ----------

Thx


----------



## k_aravind (Nov 26, 2015)

Thank you for your efforts bro :good:. Just wanna say something. I guess i found a much more simpler way. Now since everyone is reading this thread on XDA, I presume that you all have rooted your phone. Now,
Step 1: install stubborn trojan killer from play store.( This app needs root access)
Step 2: scan and delete the infected files.
Step 3: install cm security.
Step 4: scan and resolve.

That's it. You are done with these crappy malwares for life.


----------



## Nuh99 (Nov 26, 2015)

k_aravind said:


> Thank you for your efforts bro :good:. Just wanna say something. I guess i found a much more simpler way. Now since everyone is reading this thread on XDA, I presume that you all have rooted your phone. Now,
> Step 1: install stubborn trojan killer from play store.( This app needs root access)
> Step 2: scan and delete the infected files.
> Step 3: install cm security.
> ...

Click to collapse



I created this thread September 6 before any antivirus apps came with a solution  
Trojan kille still doesn't remove all the viruses.. But If you learn this manual way you can remove any virus in the future..


----------



## josiahliyam (Nov 27, 2015)

Really affecting virus is a very bad thing, it is the main cause of system hanging. But sorry to say that I have no Idea on your problem, But I know an organization named Sisytech which solve all types of system problem with a shortest time period.


----------



## b45k4r (Dec 8, 2015)

*successfully removed.*

Thank you. i successfully removed those virus(cameraupdate.apk, providerCertificate.apk, providerdown,com.android.wp.net.log.apk,mobileOcr) from my xperia.  

if you found "chattr not found" problem. try to install busy box by "Stephen (Stericson)".


----------



## faisalasghar18 (Dec 10, 2015)

*How To Remove Monkey Test Without Reset~ Easiest for Beginners*



Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



Your Answer is a little difficult to beginners so i suggest beginners to use this method pkhelper18.blogspot.com/2015/10/how-to-remove-monkey-test-time-service-virus-without-resetting-android.html


----------



## Nuh99 (Dec 10, 2015)

faisalasghar18 said:


> Your Answer is a little difficult to beginners so i suggest beginners to use this method pkhelper18.blogspot.com/2015/10/how-to-remove-monkey-test-time-service-virus-without-resetting-android.html

Click to collapse



Wow do you always come so early?
Well anyway Thanks and Bye


----------



## ninrocket (Dec 10, 2015)

Nuh99 said:


> Wow do you always come so early?
> Well anyway Thanks and Bye

Click to collapse



How did you get the Monkey Test & Time virus anyway?


----------



## kenkitt (Dec 10, 2015)

*Cloud_Commander*

Im adding monkey virus remover to Cloud commander .
[DEVS]If you find it's not working kindly submit your own command, I will remove mine in place of yours.
[RECOMMENDATION]Please update tables after donwloading CloudCommander.


----------



## Nuh99 (Dec 11, 2015)

ninrocket said:


> How did you get the Monkey Test & Time virus anyway?

Click to collapse




Honestly I don't remember cause I installed few non market apps :silly: but now I'm sure I ain't gonna be infected by any new virus ever again


----------



## andrew0070 (Dec 12, 2015)

*how to remove engrik and engrils*

Please i need urgent assistance on how to remove engrik and engril after 
I removed fooso a virus from my android i can't remove the rest because 
They are in data/app not priv-app. Please help i don't want to flash my 
Android.


----------



## Nuh99 (Dec 12, 2015)

andrew0070 said:


> Please i need urgent assistance on how to remove engrik and engril after
> I removed fooso a virus from my android i can't remove the rest because
> They are in data/app not priv-app. Please help i don't want to flash my
> Android.

Click to collapse



Did you try Ghost Push Trojan Killer from playstore ?


----------



## danieru20xx (Dec 21, 2015)

Hi XDA Devs! I managed to su, chattr and rm on those apk files named "playstoreupdate" and "com.google.model.mi", all from my rooted MTK device with term emu, no need to use adb which saved my life! thank you OP! 

PS: in Running Processes these showed as "mobileOcr" and "engrils"... Such a nasty malware eh?


----------



## xperia_rebel (Dec 31, 2015)

Hi Team,

i have a Tablet TESCOM BOLT 3G which is infected with this , looks like im  not sure how it entered , but my nephew plays a lot of games   

Now this is an MTK 8312  1.2 GHZ Cortex

How do you think i can root this device to start KILLING SOME MALWARE 

How to Root ?
Hope Gmail Account is not infected ????

Where i can find the official firmware ? 

How did the damn apk engriks get root access and  drilled a hole into the system and settled in


----------



## Nuh99 (Dec 31, 2015)

xperia_rebel said:


> Hi Team,
> 
> i have a Tablet TESCOM BOLT 3G which is infected with this , looks like im  not sure how it entered , but my nephew plays a lot of games
> 
> ...

Click to collapse



Root with kingo root pc or kingo root apk, however you like and then install Ghost push trojan killer. If it solves your problem then be happy otherwise use the guide to remove viruse apks.


----------



## von_philippines (Jan 2, 2016)

Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



nice i'll try this.  :good:


----------



## faisalasghar18 (Jan 2, 2016)

*Easiest Fix without ressting phone is here from PK Helper*



Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



*Things you need are:*
_
Your phone must be rooted, if it is not rooted you can use iroot or kingo root to root your phone in 1 click.
Now install titanium backup on your phone._
Now turn off wifi and data connection.
First stop unknown apps from running applications and then disable them 1 by 1 from all apps. Some of them will be istalled as your system applications but don't worry. disable all of them which you suspect that it might be a virus.
You can find list of all apps on PK Helper18 Blog.
After disabling suspected apps, now time to freeze those apps which have never seen in your phone before using titanium backup.Freeze all those apps which you disabled and stopped before. Use titanium backup for freezing.
At last, delete some of the suspected folders from your sd card and again disable some suspected apps from settings>applications>all. And Its time to cheer.Turn on wifi / data connection without any problem and Enjoy Now.
Don't forget to hit thanks and like my comment.


----------



## danger.ahead (Jan 5, 2016)

I have a Gionee M2, I followed each of your steps correctly... But still the virus was there... Actually apart from 'Monkey Test' and 'Time Service' there are some other viruses, their names are 'iom', 'ceryos' etc.. After following your steps I expected that atleast time service and monkey test will get removed but to my disappointment, none of viruses got removed even not the time service and monkey test.. Please help me what to do next.


----------



## janalam143 (Jan 13, 2016)

*my two mobile useless because of monkey viruse.*

I have two mobile 1st clone note3 n900 and other hisense and I can't find any solution pls help..I request to xda pls made a good tool for this problem.


----------



## Acid2910 (Jan 14, 2016)

Thanks, its work [email protected]!!!!


----------



## Nuh99 (Jan 14, 2016)

janalam143 said:


> I have two mobile 1st clone note3 n900 and other hisense and I can't find any solution pls help..I request to xda pls made a good tool for this problem.

Click to collapse



You can manually delete this virus if you are willing to learn something for now and for the future by following the guide. 
If you face any difficulty you can ask me, but first you have to take a step.


----------



## janalam143 (Jan 14, 2016)

*thank you sir for ur reply.*



Nuh99 said:


> You can manually delete this virus if you are willing to learn something for now and for the future by following the guide.
> If you face any difficulty you can ask me, but first you have to take a step.

Click to collapse



I deleted manually all viruse but when I open wifi it's back again.


----------



## bakwie (Jan 14, 2016)

*HOW??*



b45k4r said:


> Thank you. i successfully removed those virus(cameraupdate.apk, providerCertificate.apk, providerdown,com.android.wp.net.log.apk,mobileOcr) from my xperia.
> 
> if you found "chattr not found" problem. try to install busy box by "Stephen (Stericson)".

Click to collapse



hi i was wondering which method are you using, because i cant delete those files at all

---------- Post added at 07:06 PM ---------- Previous post was at 06:56 PM ----------




Nuh99 said:


> I already know about almost all viruses apk now but did not get the time due to musuc recordings.. I will be glad to help.. what seems to be the problem?
> Btw did u try ghost push trojan app on those devices?

Click to collapse



hi i have the same problem
i used ghost push trojan app and it says it safe
but i have files Models.apk and playstoreupdate.apk(which is engrils)
and i can't delete them or change permissions but my phone is rooted and i have root browser, Link2SD, and nothing is working it just says that i don't have permission to change or delete these files
Thank you


----------



## Nuh99 (Jan 15, 2016)

janalam143 said:


> I deleted manually all viruse but when I open wifi it's back again.

Click to collapse



Can you please send me screenshot of your terminal emulator?
Is your phone rooted and busybox installed properly?
The Installation of busybox is not just installing it from playstore but you have to open busybox app click on advance and then install it from inside.. that's how you install busybox properly...


----------



## Nuh99 (Jan 15, 2016)

bakwie said:


> hi i was wondering which method are you using, because i cant delete those files at all
> 
> ---------- Post added at 07:06 PM ---------- Previous post was at 06:56 PM ----------
> 
> ...

Click to collapse



Have you installed busybox ?
If not then please read my reply just before this reply to know how to install it.


----------



## bakwie (Jan 15, 2016)

*Thank you *



Nuh99 said:


> Have you installed busybox ?
> If not then please read my reply just before this reply to know how to install it.

Click to collapse



I eventually ended up flashing the phone with a stock ROM and thats how i resolved it
thank you anyway


----------



## goldenfish (Jan 16, 2016)

hi, i got 2 files cannot delete here 


this is log




```
[email protected] DP101:/system/xbin # ls -ad .*
ls -ad .*
.360asshole
.df
.ld.js
.ls
.qqasshole
[email protected] DP101:/system/xbin # chattr -iaA .df
chattr -iaA .df
[email protected] DP101:/system/xbin # rm .df
rm .df
[email protected] DP101:/system/xbin # chattr -iaA .ld.js
chattr -iaA .ld.js
[email protected] DP101:/system/xbin # rm .ld.js
rm .ld.js
[email protected] DP101:/system/xbin # chattr -iaA .ls
chattr -iaA .ls
[email protected] DP101:/system/xbin # rm .ls
rm .ls
[email protected] DP101:/system/xbin # chattr -iaA .qqasshole
chattr -iaA .qqasshole
[email protected] DP101:/system/xbin # rm .qqasshole
rm .qqasshole
[email protected] DP101:/system/xbin # ls -ad .*
ls -ad .*
.360asshole
.qqasshole
[email protected] DP101:/system/xbin # chattr -iaA .360asshole
chattr -iaA .360asshole
[email protected] DP101:/system/xbin # rm .360asshole
rm .360asshole
[email protected] DP101:/system/xbin # rm .qqasshole
rm .qqasshole
rm failed for .qqasshole, Operation not permitted
255|[email protected] DP101:/system/xbin # chattr -iaA .qqasshole
chattr -iaA .qqasshole
[email protected] DP101:/system/xbin # rm .qqasshole
rm .qqasshole
[email protected] DP101:/system/xbin # ls -ad .*
ls -ad .*
.360asshole
.qqasshole
[email protected] DP101:/system/xbin # chattr -iaA .*
chattr -iaA .*
[email protected] DP101:/system/xbin # rm .*
rm .*
[email protected] DP101:/system/xbin # ls
ls
BGW
ksud
libmnlp_mt6571
mnld
showmap
supolicy
sysctld
tcpdump
[email protected] DP101:/system/xbin # ls -ad .*
ls -ad .*
.360asshole
.qqasshole
[email protected] DP101:/system/xbin # chattr -iaA .*
chattr -iaA .*
[email protected] DP101:/system/xbin # rm .*
rm .*
[email protected] DP101:/system/xbin # ls -ad .*
ls -ad .*
.360asshole
.qqasshole
[email protected] DP101:/system/xbin #
G:\DROID\TOOL\Mtk_Droid_Tool_v2.5.3\Mtk_Droid_Tool_v2.5.3>
```


as you see, i was chattr -iaA .* and remove ".360asshole" and ".qqasshole" 


but not success, maybe another file is monitor and re-create these file.


----------



## nhene007 (Jan 17, 2016)

*Can't Remove This Apk*

hello guys, i'm having trouble removing this apk.

bcfservice or GloablBCServiceInfo.apk <------ suspected virus

i've tried removing it with system app remover, but, it just restored instantly
i've tried removing it via adb (busybox installed, of course)
*chattr -iaA GloablBCServiceInfo.apk
*rm GloablBCServiceInfo.apk
still the same.... xD
scanned with Ghost Push Trojan Killer, malwarebytes, and avast, no luck.

My last resort is disabling it, but, it has a way of enabling it again, occassionally, it reboot the device to enable the said apk.

Hope you can help me, thanks..


----------



## Nuh99 (Jan 18, 2016)

nhene007 said:


> hello guys, i'm having trouble removing this apk.
> 
> bcfservice or GloablBCServiceInfo.apk <------ suspected virus
> 
> ...

Click to collapse



Check the date created for those Apk and then see that if you have other apks that have the same date.. then rm
 them..


----------



## nhene007 (Jan 18, 2016)

Nuh99 said:


> Check the date created for those Apk and then see that if you have other apks that have the same date.. then rm
> them..

Click to collapse



xD, there are more than a hundred apks stored in that device...
do i have to check them one by one? or only those who don't have an odex (inside system/app | system/priv-app)


----------



## Nuh99 (Jan 19, 2016)

nhene007 said:


> xD, there are more than a hundred apks stored in that device...
> do i have to check them one by one? or only those who don't have an odex (inside system/app | system/priv-app)

Click to collapse



Sort them by type in root explorer and then see only apks date of the same date as those virus apks.. if you find any similiar one delete its odex and then rm it in Terminal.. It's not very hard even if you have hundreds and quick processing mind.. 
Listen this song "Dying to live" by Poets of the fall while you are doing this.


----------



## nhene007 (Jan 19, 2016)

oh, I see, thanks bro, i'll do that
and i'll check that song. xD


----------



## Ahmed4D (Jan 19, 2016)

*Thank You Very Much*

I used your info to solve very similar problem with another android virus, app name:
SecurityService
FirewallService
APK files are ".gma.aph - .gmp.apk and .gmtgp.apk" in /system/priv-app
.gap - .gap.a in /system/xbin

 thanks alot



Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse


----------



## clashofking (Jan 20, 2016)

my phone samsung mini2 6500D custom rom virus removes. Great Work. Very thank you.

---------- Post added at 09:26 AM ---------- Previous post was at 08:52 AM ----------




bakwie said:


> hi i was wondering which method are you using, because i cant delete those files at all
> 
> ---------- Post added at 07:06 PM ---------- Previous post was at 06:56 PM ----------
> 
> ...

Click to collapse



It is remove easy . I am same problem. But I am removing.

Install 
1. busy box.apk ( system/xbin)
2. Termunal Emulator.apk
3. Root explorer is used
 (system/app) 
virus file name records.(eg engrils.apk...)

Command Used..

( su )  -
( mount -o remount,rw /system ) -
( cd system/app ) -
( chattr -iaA engrils.apk ) -
(rm engrils.apk ) -


******
{{Note: If commond used "no direction file " show , root explorer used virus file " rename " change. replay code used }}
next:
*******

root explorer used : ( system/xbin)( . )dot hidden file name records. eg: ( .la , .b , .ls , .[[  , ...)
Commond Used

( cd ) -
( cd system/xbin ) -
( chattr -iaA .b ) -
(chattr -iaA .ls ) -

***** 
if hidden file no delete ( rename change ) replay code used
*****


----------



## arealmanzter_2 (Jan 20, 2016)

when I am on this part
_chattr -iaA providerCertificate.apk_

I always get the "no direction file "


----------



## clashofking (Jan 21, 2016)

Ok brother test

su -
mount -o remount,rw /system -
cd system/app -
chattr -iaA engril.apk            

( No such file or directory))
**** Root browser virus file rename change. {Eg 1.apk, 2.apk } reutrn code. ****

 chattr -iaA 1.apk




Sent from my GT-S6500D using xda app-developers app


----------



## NeoDarkness (Jan 23, 2016)

Thanks bro its work 

Sent from my 2014817 using Tapatalk


----------



## clashofking (Feb 2, 2016)

*GloablBCServiceInfo.apk   Delete.*

'' GloablBCServiceInfo.apk '' Delete for I am code used
commond code

su -
mount -o remount,rw /system -
cd /system/app -

chattr -ia system/app/GloablBCServiceInfo.apk -
rm /system/app/GloablBCServiceInfo.apk -

I am look system/app virus is not see. I am happy.

Note: Some model brand (system/priv-app) code used test.


----------



## Can70 (Feb 3, 2016)

Thank you.


----------



## nhene007 (Feb 7, 2016)

clashofking said:


> '' GloablBCServiceInfo.apk '' Delete for I am code used
> commond code
> 
> su -
> ...

Click to collapse



Didn't work man,  it just restored itself instantly


----------



## Demonlink14 (Feb 17, 2016)

nhene007 said:


> Didn't work man,  it just restored itself instantly

Click to collapse



I was dealing with this problem as well. Tried Root explorer, tried Root App Remover... I was about to lose hope. But luckily, I thought about using Titanium Backup (from Play Store). So, I opened it, looked for "bcfservice", selected it and pressed "uninstall"... so far, after 3 reboots and 1 power off, it hasn't come back. Hopefully, this can help you remove this atrocious hell of a virus.


----------



## PAPalinskie (Mar 21, 2016)

There is new exploit in android system that is always installed in system partition and always renamed the package itself and the application name and filename. Therefore, it must avoid to download any apps that invades the android system and your privacy. i will try this method for newer exploits.


----------



## syahazu (Mar 21, 2016)

Brother nuh, thanks for the guide. I've deleted the malwares in system/app successfully and also the binaries, xbin... Obvious file weren't they hahaha..
Kind to remember, some malwares like this also integrates in data partition, which does not removed after the malwares in system/app are deleted,..
So guys, if u already cleaned out the mess in the system, try to check out in data/data... There might be some or maybe not , for some cases com.android.apps.start2-1.apk still exists there,,
Use the same method as OP had posted, only change into this param (mount -o remount,rw /data)..
Hope I help some of u, thanks


----------



## Nuh99 (Mar 22, 2016)

PAPalinskie said:


> There is new exploit in android system that is always installed in system partition and always renamed the package itself and the application name and filename. Therefore, it must avoid to download any apps that invades the android system and your privacy. i will try this method for newer exploits.

Click to collapse



Thanks for the info.. 
If you do it right you can remove any kind of exploit with this..

Please thumbs up if it helped you.

Love


----------



## Nuh99 (Mar 22, 2016)

syahazu said:


> Brother nuh, thanks for the guide. I've deleted the malwares in system/app successfully and also the binaries, xbin... Obvious file weren't they hahaha..
> Kind to remember, some malwares like this also integrates in data partition, which does not removed after the malwares in system/app are deleted,..
> So guys, if u already cleaned out the mess in the system, try to check out in data/data... There might be some or maybe not , for some cases com.android.apps.start2-1.apk still exists there,,
> Use the same method as OP had posted, only change into this param (mount -o remount,rw /data)..
> Hope I help some of u, thanks

Click to collapse



Thanks for the info and response brother :good:

When I started this thread most people didn't believe that it's possible without flashing..
but those who tried it right got rid of it w/o flashing thier device.

please thumbs up if it helped you..
Bless you.

Love


----------



## syahazu (Mar 22, 2016)

Ur welcome, one does flashing will loose their data if haven't backup, but most phones are hard to find their stock rom, root users indeed will find this method handy if only they know the steps..  I wonder why my previous root exploit messed up my system, I was using King root.. Ought to have a cloned one perhaps haha


----------



## locomaestro (Apr 11, 2016)

Thank you so much, I had a lot of time working with a cb514 cobia which no stock rom, my client back all the time, just hibernated applications, now could eliminate all the problems we had on the phone.


----------



## lance111 (Apr 15, 2016)

*Im not getting cd system/priv-app its giving me substirution error*



von_philippines said:


> nice i'll try this.  :good:

Click to collapse



Im not getting cd system/priv-app
its giving me substirution error


----------



## sank33rth (Apr 20, 2016)

Nuh99 said:


> Hello everyone,
> This method I'm going to write is tried on my own Lenovo A7600-H Kitkat 4.4.2 tablet, which I did not flash because I'm not sure about stock roms available on the net. If I had found a reliable rom I wouldn't be able learn this
> 
> To remove this virus you need to install busybox, Terminal emulator, Root explorer pro and you must have Supersu not superuser which is installed by Kingoroot. If you have rooted your device with kingoroot, so you need to change that.
> ...

Click to collapse



 thanks a lot bro .. Worked fine for me


----------



## Agus salam MK (Apr 23, 2016)

thanks dude ??


----------



## Nihad pp (Apr 30, 2016)

How to remove bcfservice. Please tell me that


----------



## Nuh99 (Apr 30, 2016)

Nihad pp said:


> How to remove bcfservice. Please tell me that

Click to collapse




Go through all the previous post and you try to find the best answer for you. I'm sure it's somewhere behind.


----------



## xperia_rebel (May 18, 2016)

Solved it by freezing them all and putting CM !! and keep it in heuristic mode

Sent from my CP8676_I02 using XDA-Developers mobile app


----------



## cholopo (Jun 2, 2016)

*Solution please!!!!!!*

Some solution to remove GloablBCServiceInfo.apk of /system/app ?????


----------



## Nuh99 (Jun 3, 2016)

cholopo said:


> Some solution to remove GloablBCServiceInfo.apk of /system/app ?????

Click to collapse



Did you try the rm command ?
If yes then what was the result?


----------



## a.woellert (Jun 5, 2016)

Hello,

i have the same problems with the virus.

With Dr. Web App from Play Store you can find a lot of Virus Files on your Phone. On my Phone over 20 files.

The last one not removable files are 
/system/bin/configopb
/system/app/GloablBCServiceInfo.apk

they restored itself instantly


EDIT: 
I remove GloablBCServiceInfo.apk with chattr and rm

And finaly i remove all Attributes from configopb with FX File Manager + Root Addon.


Now i must test the situation.


----------



## umbrellaCO (Jun 9, 2016)

Hello 

I can not install busybox completely because the system folder is locked  r/o .

I tried to change with root explorer ... but I did not succeed.... and I root. 

At the moment I have all malware frozen... under control, the phone works properly except the detail of the system folder locked to r/o .

Apparently the virus blocking the system folder to avoid being eliminated , there will be some solution to return the system folder r/w ?


----------



## Nuh99 (Jun 9, 2016)

umbrellaCO said:


> Hello
> 
> I can not install busybox completely because the system folder is locked  r/o .
> 
> ...

Click to collapse



Hello,
Please do this in order!
1) Root your phone again with KINGROOT not Kingoroot.
2) Install SuperSume and run that It'll replace Superuser to SuperSU.
3) Install busybox.
4) Report back!


----------



## umbrellaCO (Jun 11, 2016)

Nuh99 said:


> Hello,
> Please do this in order!
> 1) Root your phone again with KINGROOT not Kingoroot.
> 2) Install SuperSume and run that It'll replace Superuser to SuperSU.
> ...

Click to collapse



Hello Nuh99, thanks for the help :good:


I had already rooted with kingroot , then replace Kingroot by SuperSU.

Currently I have root access fully functional and verified.

But I can't complete the installation of bussybox and again cannot change to r/w the system folder.


Thanks again.


----------



## Nuh99 (Jun 11, 2016)

umbrellaCO said:


> Hello Nuh99, thanks for the help :good:
> 
> 
> I had already rooted with kingroot , then replace Kingroot by SuperSU.
> ...

Click to collapse



Try busybox on rails.


----------



## yahanna (Jun 11, 2016)

Nuh99 said:


> Did you install busybox binaries from inside busybox or did you just install it from playstore?

Click to collapse



very strange behavior


----------



## Nuh99 (Jun 11, 2016)

yahanna said:


> very strange behavior

Click to collapse



Well Yeah I just realized how tipsy I was when I did that.

Do you happen to know anything about it ?
Instead of noticing strange behavior ?


----------



## shivambest (Jun 12, 2016)

dsamivai said:


> i can't change the permission on root explorer. can you help me to fix it..it says failed to change permission because your sdcard..........something..
> 
> plz help me

Click to collapse




you cant change the permission on root explorer ,, look for some workaround


----------



## PAPalinskie (Jul 3, 2016)

Newly discovered EXPLOIT:

new exploit replaces system apps. these exploits are from pornclub exploit vulnerability issue due to automatically installing in user and system. you can only remove the exploit by re-flashing your full rom and if you are lucky, without wiping userdata if the exploit level is in system. to prevent this, i recommended that you install an app that can manage to fix system core and some holes that some exploits using it.


----------



## Nuh99 (Jul 5, 2016)

Will you please elaborate what's new about this?
Log or whatever...


----------



## vlad8495 (Jul 10, 2016)

I also have a sky vega that blinks and there is always a go shopping app appearing on it. It always restarts even the battery is fully charged. Keeps the WiFi turning on even if you turn it off.


----------



## PAPalinskie (Jul 20, 2016)

Nuh99 said:


> Will you please elaborate what's new about this?
> Log or whatever...

Click to collapse



these kind of exploit are just like worms that replacing apks from system/app or system/priv-app and replacing very aggressive ad-ware apks in these locations that forces the device to download anything from the web when you open your network and displays ads aggressively even you dont have network. as the diagnosis for some of devices that iv'e fixed recently, system apps that have been replaced by ad-ware apk files cannot be recovered and totally, the android system was infected by ad-ware exploits, unless you have a nandroid backup or a full rom package from your manufacturer/developer that can fix your android system with/without wiping user partition.


----------



## nass08 (Sep 13, 2016)

I'm having trouble removing this 4 virus.

after fallowing the instruction, it was successful.,  but after restart its keep going back.

please help me.


----------



## Nuh99 (Sep 28, 2016)

nass08 said:


> I'm having trouble removing this 4 virus.
> 
> after fallowing the instruction, it was successful.,  but after restart its keep going back.
> 
> please help me.

Click to collapse



Can you please tell me about infected apks in details ?


----------



## makarelo (Nov 12, 2016)

Can't remove .gap file from system/bin.
I tried all of these methods, used the monkey removal software (monyet gila), tried to delete manually but after reboot it comes back.
What I managed to do is to contain the virus, it isn't aggressive as it used to be, it's only constantly trying to open google store.
App Names:
- Phone Service - com.android.base.jinti:daemon
- Local Alarm . com.iduo.tual with three services running:
UClass
SClass
TuaService

I also tried all antiviruses and Stubborn trojan killer but had no success.


----------



## Nuh99 (Nov 13, 2016)

makarelo said:


> Can't remove .gap file from system/bin.
> I tried all of these methods, used the monkey removal software (monyet gila), tried to delete manually but after reboot it comes back.
> What I managed to do is to contain the virus, it isn't aggressive as it used to be, it's only constantly trying to open google store.
> App Names:
> ...

Click to collapse



Freeze the apps and services with titanium backup pro and then try to remove them.


----------



## makarelo (Nov 13, 2016)

Nuh99 said:


> Freeze the apps and services with titanium backup pro and then try to remove them.

Click to collapse



Froze it in Titanium Backup and deinstalled, few seconds later it's back.
No other suspicious apps running at all. Then I froze the app and as soon as it was uninstalled i rebooted the phone, and did a factory reset.
After the reset, it came back up. Local alarm got downloaded by some other app and now it's spamming other apps install.
What I noticed on startup, app called org.snow.down.update was running and it's the app which probably downloaded Local Alarm.

Couple of screenshots:
http://imgur.com/a/vPsAO

Output of 'pm list packages -f':
http://pastebin.com/NhDccihX


----------



## Nuh99 (Nov 13, 2016)

makarelo said:


> Froze it in Titanium Backup and deinstalled, few seconds later it's back.
> No other suspicious apps running at all. Then I froze the app and as soon as it was uninstalled i rebooted the phone, and did a factory reset.
> After the reset, it came back up. Local alarm got downloaded by some other app and now it's spamming other apps install.
> What I noticed on startup, app called org.snow.down.update was running and it's the app which probably downloaded Local Alarm.
> ...

Click to collapse



Did you try to remove org.snow.down.update ?
Anyway I'm gonna upload Monkey Test Virus Checker and Monkey Test Virus Remover apk tomorrow...
I assume you struggled with Windows OS Monkey Test Remover and it didn't help.. If this virus is a part of monkey test the apk will remove it.. Meanwhile you try out removing org.snow.down.update & Let me know!


----------



## makarelo (Nov 13, 2016)

Nuh99 said:


> Freeze the apps and services with titanium backup pro and then try to remove them.

Click to collapse





Nuh99 said:


> Did you try to remove org.snow.down.update ?
> Anyway I'm gonna upload Monkey Test Virus Checker and Monkey Test Virus Remover apk tomorrow...
> I assume you struggled with Windows OS Monkey Test Remover and it didn't help.. If this virus is a part of monkey test the apk will remove it.. Meanwhile you try out removing org.snow.down.update & Let me know!

Click to collapse



Yes, I have removed org.snow.down.update and a vast number of other apps before removing Local Alarm, but Local Alarm and Phone Service keep installing themselves.


----------



## makarelo (Nov 15, 2016)

Today I got an email from ISP that one of my computers has been infected with a botnet (tinba botnet?) and the date corresponds to the date I got this mobile phone. Be sure shutdown / unplug the battery if you're infected.


----------



## TheDarkLord098 (Oct 27, 2017)

Nuh99 said:


> This guy sent me private message which is:
> I finally killed the virus using the latest update and definition of Stubborn Ghost Push Trojan Killer! I'm so happy!

Click to collapse



Thanks for letting him know for me  wasn't be able to be active for quite a while


----------

