
PLS HELP. Cryptocurrency miner taking all my cpu

"qemu-system-x86_64" has been taking 100% of my CPU since I downloaded a dodgy plug-in. Unable to get rid of it as it reopens as soon as I force quit it from inside Activity Monitor. Its user is "root" so it's really got itself inside. I'm not sure if it's some kind of miner or whatever, but I'm now trying to back up all important files in case I have to wipe everything. Will copying files to an external hard drive carry this virus over? Is there any way to get rid of this thing? Any help would be appreciated, cheers. (PS: have also run Malwarebytes and it doesn't find anything)

MacBook Pro 13" early 2011. High Sierra 10.13.6. 8 GB RAM, 500 GB Samsung SSD.

Also tried finding location through Terminal:

user$ ps aux | grep qemu-system-x86

root             21968 100.1  0.7  4556264  56456   ??  R     9:50am  18:33.49 /usr/local/bin/qemu-system-x86_64 -M accel=hvf --cpu host /Library/Application Support/.Qemusys/sys00_1-disk001.qcow2 -display none

Cannot find this file in the Application Support folder.

MacBook Pro

Posted on Jan 4, 2019 3:18 PM

Question marked as Best reply

Posted on Jan 4, 2019 3:28 PM

There are a couple of solutions in this thread: qemu-system-x86_64 runs 100% CPU - Apple Community


No one there responded to a request for an EtreCheck report. We could give you more accurate information with that and avoid a system reinstall. Here’s my blurb...


I wrote a little diagnostic program to help show what adware is installed. Download EtreCheck from https://www.etrecheck.com and run it. Create a new reply and use the "Notes" tool below to add your EtreCheck report. Using the link above, you can download EtreCheck from the Mac App Store or download EtreCheckPro directly.


If adware is installed, EtreCheck will help you remove it, although you may have to supply a password. If you aren’t comfortable with that, just post the EtreCheck report here and other helpers can tell you exactly what files need to be deleted and how to do so.


Disclaimer: EtreCheck is my own app. EtreCheck is free to use but has in-app purchases available. Downloading EtreCheck or using it could give me some form of compensation, financial or otherwise.


Jan 5, 2019 1:30 PM in response to aussiejoel666

I think you should remove com.buildtools.tools-service.plist too. A generic name installed into a hidden directory? And you still have something running at 100% CPU?


I've posted the report in reply to the etrecheck developer if you'd like to read


Thanks! That’s very helpful. I’ll add both com.modulesys.qemuservice.plist and com.buildtools.tools-service.plist to EtreCheck’s blacklist. This is the problem with EtreCheck’s adware detection. It can point out unusual and suspicious things, but sometimes it can’t definitively call it adware. It requires the user to inspect those unsigned files themselves. After I add these items to the blacklist, they will be definitively called adware in the next version of EtreCheck.
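Added example, not part of the original thread and not EtreCheck's code: a launchd job with KeepAlive set is one way a process comes back right after being force quit, so this Python sketch reviews launchd plists for that setting, for arguments pointing into dot-prefixed (hidden) directories, and for a QEMU guest started without a display. The sample plist is constructed; its arguments are copied from the ps output in the question, while its Label, RunAtLoad and KeepAlive values are assumptions, since the contents of the real plists are not shown in the thread.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Standard launchd job directories; jobs in LaunchDaemons can run as root.
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents", "~/Library/LaunchAgents")

def hidden_components(arg):
    """Path components that start with a dot, e.g. '.Qemusys'."""
    return [p for p in PurePosixPath(arg).parts if p.startswith(".") and p != ".."]

def review_job(plist_bytes):
    """Return reasons a launchd job (XML or binary plist) needs a manual look."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    reasons = []
    if job.get("KeepAlive"):  # True or a dict of conditions
        reasons.append("KeepAlive: launchd restarts the process after it is killed")
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad: started whenever the job is loaded (boot or login)")
    for arg in args:
        if hidden_components(arg):
            reasons.append(f"references hidden path: {arg}")
    headless = ("-display", "none") in zip(args, args[1:])
    if PurePosixPath(args[0]).name.startswith("qemu-system") and headless:
        reasons.append("runs a QEMU virtual machine with no display")
    return reasons

def scan(dirs=LAUNCHD_DIRS):
    """Map each flagged plist path to its reasons; unreadable files are skipped."""
    findings = {}
    for d in dirs:
        for f in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                reasons = review_job(f.read_bytes())
            except Exception:  # malformed plist or permission denied
                continue
            if reasons:
                findings[str(f)] = reasons
    return findings

# Constructed sample: arguments copied from the ps output in the question;
# the Label, RunAtLoad and KeepAlive values are assumptions for illustration.
SAMPLE = plistlib.dumps({
    "Label": "com.example.constructed", "RunAtLoad": True, "KeepAlive": True,
    "ProgramArguments": ["/usr/local/bin/qemu-system-x86_64", "-M", "accel=hvf", "--cpu", "host",
        "/Library/Application Support/.Qemusys/sys00_1-disk001.qcow2", "-display", "none"]})

if __name__ == "__main__":
    print(review_job(SAMPLE))
    print(scan())
```

Many legitimate jobs also set RunAtLoad or KeepAlive, so a flagged file is a candidate for inspection rather than a verdict.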

Jan 4, 2019 11:47 PM in response to etresoft

EtreCheck version: 5.1 (5020)

Report generated: 2019-01-05 18:32:03

Download EtreCheck from https://etrecheck.com

Runtime: 2:54

Performance: Excellent

Sandbox: Enabled

Full drive access: Disabled

 

Problem: Other problem

Description: 

        process named qemu-system-x86_64 using 100% of cpu after dodgy file was downloaded.

 

Major Issues: None

 

Minor Issues:

    These issues do not need immediate attention but they may indicate future problems. 

 

    Clean up- There are orphan files that could be removed.

    Unsigned files- There are unsigned software files installed. They appear to be legitimate but should be reviewed.

    Vintage hardware- This machine may be considered vintage.

    32-bit Apps- This machine has 32-bits apps that may have problems in the future.

    Limited drive access- More information may be available with Full Drive Access.

 

Hardware Information:

    MacBook Pro (13-inch, Early 2011) - Vintage!

    MacBook Pro Model: MacBookPro8,1

    1 2.3 GHz Intel Core i5 (i5-2415M) CPU: 2-core

    8 GB RAM - At maximum

    BANK 0/DIMM0 - 4 GB DDR3 1333 ok

    BANK 1/DIMM0 - 4 GB DDR3 1333 ok

    Battery: Health = Normal - Cycle count = 196

 

Video Information:

    Intel HD Graphics 3000 - VRAM: 512 MB

    Color LCD 1280 x 800

 

Drives:

    disk0 - Samsung SSD 850 EVO 500GB 500.11 GB (Solid State - TRIM: No)

    Internal SATA 6 Gigabit Serial ATA

        disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

        disk0s2 [APFS Container] 499.90 GB

            disk1 [APFS Virtual drive] 499.90 GB (Shared by 4 volumes)

                disk1s1 - Macintosh HD (APFS) (Shared - 387.48 GB used)

                disk1s2 - Preboot (APFS) [APFS Preboot] (Shared)

                disk1s3 - Recovery (APFS) [Recovery] (Shared)

                disk1s4 - VM (APFS) [APFS VM] (Shared - 5.37 GB used)

 

Mounted Volumes:

    disk1s1 - Macintosh HD 499.90 GB (106.34 GB free)

        APFS

        Mount point: /

 

    disk1s4 - VM [APFS VM] (Shared - 5.37 GB used)

        APFS

        Mount point: /private/var/vm


Jan 4, 2019 3:31 PM in response to aussiejoel666

Post a report from this please...


EtreCheck is a simple little app to display the important details of your system configuration and allow you to copy that information to the Clipboard. It is meant to be used with Apple Support Communities to help people help you with your Mac.


http://www.etresoft.com/etrecheck


There is also Malwarebytes…


https://www.malwarebytes.com/mac/

Jan 4, 2019 11:54 PM in response to etresoft

The report is way over the 5000 character limit? Should I paste the report in multiple replies or would you recommend something easier?


EDIT: I found the add additional notes option

EDIT 2: I know for a fact it came in "iZotope Neutron 2 Activator" which is listed in downloads in last 30 days

EDIT 3: I'm almost certain that this is the location of the culprit, but I can't find it, and yes, I have hidden files in Finder shown.


/Library/Application Support/.Qemusys/sys00_1-disk001.qcow2 -display none
