You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

PLS HELP. Cryptocurrency miner taking all my cpu

"qemu-system-x86_64" has been taking 100% of my CPU since I downloaded a dodgy plug in. Un able to rid of it as it re opens as soon as i force quit it from inside activity monitor. it's user is "root" so its really got itself inside. im not sure if its some kind of miner or whatever but im now trying to back up all important files incase i have to wipe everything. Will copying files to an external hard drive carry this virus over? is there any way to rid of this thing? any help would be appreciated, cheers. (ps have also ran malwarebytes and it doesn't find anything)

macbook pro 13" early 2011. High Sierra 10.13.6. 8gb ram, 500gb samsung SSD.

Also tried finding location through terminal. "user$ ps aux | grep qemu-system-x86


root             21968 100.1  0.7  4556264  56456   ??  R     9:50am  18:33.49 /usr/local/bin/qemu-system-x86_64 -M accel=hvf --cpu host /Library/Application Support/.Qemusys/sys00_1-disk001.qcow2 -display none"


can not find this file in application support folder.

MacBook Pro

Posted on Jan 4, 2019 3:18 PM

Reply
Question marked as Top-ranking reply

Posted on Jan 4, 2019 3:28 PM

There are a couple of solutions in this thread: qemu-system-x86_64 runs 100% CPU - Apple Community


No one there responded to a request for an EtreCheck report. We could give you more accurate information with that and avoid a system reinstall. Here’s my blurb...


I wrote a little diagnostic program to help show what adware is installed. Download EtreCheck from https://www.etrecheck.com and run it. Create a new reply and use the "Notes" tool below to add your EtreCheck report. Using the link above, you can download EtreCheck from the Mac App Store or download EtreCheckPro directly.


If adware is installed, EtreCheck will help you remove it, although you may have to supply a password. If you aren’t comfortable with that, just post the EtreCheck report here and other helpers can tell you exactly what files need to be deleted and how to do so.


Disclaimer: EtreCheck is my own app. EtreCheck is free to use but has in-app purchases available. Downloading EtreCheck or using it could give me some form of compensation, financial or otherwise.


Similar questions

12 replies
Question marked as Top-ranking reply

Jan 4, 2019 3:28 PM in response to aussiejoel666

There are a couple of solutions in this thread: qemu-system-x86_64 runs 100% CPU - Apple Community


No one there responded to a request for an EtreCheck report. We could give you more accurate information with that and avoid a system reinstall. Here’s my blurb...


I wrote a little diagnostic program to help show what adware is installed. Download EtreCheck from https://www.etrecheck.com and run it. Create a new reply and use the "Notes" tool below to add your EtreCheck report. Using the link above, you can download EtreCheck from the Mac App Store or download EtreCheckPro directly.


If adware is installed, EtreCheck will help you remove it, although you may have to supply a password. If you aren’t comfortable with that, just post the EtreCheck report here and other helpers can tell you exactly what files need to be deleted and how to do so.


Disclaimer: EtreCheck is my own app. EtreCheck is free to use but has in-app purchases available. Downloading EtreCheck or using it could give me some form of compensation, financial or otherwise.


Jan 5, 2019 1:30 PM in response to aussiejoel666

I think you should remove com.buildtools.tools-service.plist too. A generic name installed into a hidden directory? And you still have something running at 100% CPU?


I've posted the report in reply to the etrecheck developer if you'd like to read


Thanks! That’s very helpful. I’ll add both com.modulesys.qemuservice.plist and com.buildtools.tools-service.plist to EtreCheck’s blacklist. This is the problem with EtreCheck’s adware detection. It can point out unusual and suspicious things, but sometimes it can’t definitively call it adware. It requires the user to inspect those unsigned files themselves. After I add these items to be blacklist, they will be definitively called adware in the next version of EtreCheck.

Jan 4, 2019 11:47 PM in response to etresoft

EtreCheck version: 5.1 (5020)

Report generated: 2019-01-05 18:32:03

Download EtreCheck from https://etrecheck.com

Runtime: 2:54

Performance: Excellent

Sandbox: Enabled

Full drive access: Disabled

 

Problem: Other problem

Description: 

        process named qemu-system-x86_64 using 100% of cpu after dodgy file was downloaded.

 

Major Issues: None

 

Minor Issues:

    These issues do not need immediate attention but they may indicate future problems. 

 

    Clean up- There are orphan files that could be removed.

    Unsigned files- There are unsigned software files installed. They appear to be legitimate but should be reviewed.

    Vintage hardware- This machine may be considered vintage.

    32-bit Apps- This machine has 32-bits apps that may have problems in the future.

    Limited drive access- More information may be available with Full Drive Access.

 

Hardware Information:

    MacBook Pro (13-inch, Early 2011) - Vintage!

    MacBook Pro Model: MacBookPro8,1

    1 2.3 GHz Intel Core i5 (i5-2415M) CPU: 2-core

    8 GB RAM - At maximum

    BANK 0/DIMM0 - 4 GB DDR3 1333 ok

    BANK 1/DIMM0 - 4 GB DDR3 1333 ok

    Battery: Health = Normal - Cycle count = 196

 

Video Information:

    Intel HD Graphics 3000 - VRAM: 512 MB

    Color LCD 1280 x 800

 

Drives:

    disk0 - Samsung SSD 850 EVO 500GB 500.11 GB (Solid State - TRIM: No)

    Internal SATA 6 Gigabit Serial ATA

        disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

        disk0s2 [APFS Container] 499.90 GB

            disk1 [APFS Virtual drive] 499.90 GB (Shared by 4 volumes)

                disk1s1 - Macintosh HD (APFS) (Shared - 387.48 GB used)

                disk1s2 - Preboot (APFS) [APFS Preboot] (Shared)

                disk1s3 - Recovery (APFS) [Recovery] (Shared)

                disk1s4 - VM (APFS) [APFS VM] (Shared - 5.37 GB used)

 

Mounted Volumes:

    disk1s1 - Macintosh HD 499.90 GB (106.34 GB free)

        APFS

        Mount point: /

 

    disk1s4 - VM [APFS VM] (Shared - 5.37 GB used)

        APFS

        Mount point: /private/var/vm


Jan 4, 2019 3:31 PM in response to aussiejoel666

Post a report from this please...


EtreCheck is a simple little app to display the important details of your system configuration and allow you to copy that information to the Clipboard. It is meant to be used with Apple Support Communities to help people help you with your Mac.


http://www.etresoft.com/etrecheck


There is also Malwarebytes…


https://www.malwarebytes.com/mac/

Jan 4, 2019 11:54 PM in response to etresoft

The report is way over the 5000 character limit? should i paste the report in multiple replies or would you recommend something easier?


EDIT: i found the add additional notes option

EDIT 2: I know for a fact it came in "iZotope Neutron 2 Activator" which is listed in downloads in last 30 days

EDIT 3: im almost certain that this is the location of the culprit. but i cant find it and yes i have hidden files in finder shown.


/Library/Application Support/.Qemusys/sys00_1-disk001.qcow2 -display none

PLS HELP. Cryptocurrency miner taking all my cpu

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.