cjvmoore


  1. It wasn't sufficient. Clockc was installed. I'll report back if I find the culprit. For the moment I suspect 104.28.4.13:80.
  2. @Akos When "NoRoot Firewall" is active, a key icon appears at the top of my screen. In your screenshot it is not present. Are you sure that it is active? After running successfully for a few days blocking the "System UI" category, I googled some of the blocked IP addresses. It seems that 204.11.56.48 is known as a malware vector. In fact it seems that Malwarebytes should block it. Maybe it can't if the access is from a system application. Anyway I am currently just blocking 204.11.56.48:443 in "Global Filters/Pre-Filter". For the moment I have no malware but I shall only be certain after a few more days.
  3. @Akos Thank you. I also installed "NoRoot Firewall" and blocked the category with "System UI". It seems to be a good workaround.
  4. I had the same problem. I read somewhere that you can't edit a post until you have posted 25 (or 50?) times. IMHO this is stupid.
  5. PS I just noticed that my phone is in 6.0 but this seems to be for 7.1.2 and may well be incompatible.
  6. Thank you. It looks interesting. I would give it a try but I don't think I can just replace it in place as my telephone is not rooted. I guess it could be replaced in the original ROM and flashed but I am rather afraid of reflashing my telephone. Any ideas on how to easily replace it?
  7. Thank you, Nathan. Unfortunately this is the same build number as that on my telephone. So I guess it is also infected. It would be great if you could find a clean System UI which I can install (my phone isn't rooted).
  8. On the 4pda.ru site there is a THL T9 Pro forum topic with a link to what is claimed to be virus-free firmware. I haven't tried it but it may be worth a try. Unfortunately I can't read Russian and the Google translation is often unintelligible.
  9. SystemUI is indeed in /system/priv-app/ (Initially I thought "priv" was for private but I guess it must be for privileged.) I bit the bullet and attacked com.android.systemui. I first tried "pm disable" but I got a "Permission Denial". (I suppose this is because my telephone isn't rooted.) So I tried "pm uninstall -k --user 0". I got the repeated message "Unfortunately System UI has stopped." and was unable even to reboot via the telephone. So I rebooted via adb. On rebooting luckily there were icons on screen but I lost the top pull down menu and the bottom pull up software keys (last apps, home and back IIRC). I started Malwarebytes: it no longer detected any malware which is logical as the principal malware was in System UI. However it was *very* slow and took 10 minutes to scan. Unfortunately in this state my telephone was unusable as I wasn't even able to exit Malwarebytes. So I tried "pm install -r --user 0 /system/priv-app/SystemUI/SystemUI.apk" and rebooted via adb. Luckily my telephone was back to normal. (I say normal but it still has the System UI malware.) I repeated a Malwarebytes scan and this time it took 1 minute instead of 10. To be continued... @Akos is your telephone rooted? If so what procedure did you use?
  10. Bad news: TelephonyDev (com.conterx.umora) was automatically installed today. It locks itself full screen in the foreground. So I am back to square one. Also, unlike Coordinator, it isn't detected as malware by Malwarebytes. I have sent an Apps Report and I received the ticket 2458794. So it looks as though I must attack com.android.systemui. Googling seems to indicate that without it the system won't boot completely. I guess systemui is System User Interface so there will probably be no touchscreen. If this is the case do you think that adb will still work? I was thinking of trying a "pm disable", hoping that if this is catastrophic I shall be able to recover with a "pm enable". Also will a "pm install -k --user 0" (or "pm install --user 0") undo a "pm uninstall -k --user 0"?
  11. Actually they show up as "Not installed for this user". (Translated from French.) Thank you for your detailed explanation.
  12. Thank you for your PM. The situation is much better after uninstalling com.adups.fota and com.adups.fota.sysoper. I watched Coordinator for a while and it did start using a small quantity of data. So I uninstalled it yesterday. Since then no new malware has been installed. I shall avoid messing with com.android.systemui unless the situation deteriorates. I notice that "pm uninstall -k --user 0" doesn't actually uninstall the package but just seems to disable its use, I suppose by user 0 (I guess 0 is system or root). There is also a "pm disable" command. What is the difference? (Sorry, I am not very familiar with the Android SDK.) Thank you very much for your help.
  13. Actually there does seem to be an improvement: Coordinator was installed but seems to be dormant. It no longer locks itself full screen in the foreground and hasn't yet consumed any data. Malwarebytes detects it as malware (Android/Trojan.HiddenAds.Moo). In that case shouldn't Malwarebytes have prevented its installation?
  14. The download on the THL website has the same version as that on my telephone. So I guess it also has the malware.
  15. Unfortunately Coordinator was installed overnight. It seems to be in the com.peony.mochi package. I have sent the Apps Report you requested and I received the ticket 2457510. If you wish I could also send a screenshot and even possibly the apk. So uninstalling com.adups.fota and com.adups.fota.sysoper is not sufficient. Is it safe to uninstall com.android.systemui or will I brick my telephone?