qemu-system-x86_64 runs 100% CPU

Hello,


I am having this issue with two tasks in Activity Monitor draining my CPU, both continuously running at 100%+.

qemu-system-x86_64

tools-service

I haven't seen these two before. I've run malware/adware scanners, but my system seems clear.

Also tried to force quit but it runs again right after.

Anyone with knowledge on this issue?


Thank you all in advance.



MacBook Pro TouchBar and Touch ID, macOS Mojave (10.14)

Posted on Oct 27, 2018 3:54 AM


44 replies
Question marked as Top-ranking reply

Nov 2, 2018 8:18 AM in response to edgytwelvie

Unfortunately, I had to reinstall OS X. The problem was that Ableton Live 10, which I had downloaded from a torrent site and not from the official site, installs a miner too, running in the background and causing this. I've downloaded the official trial version now and all is good.


Thank you all for your help, greatly appreciated.

Apr 30, 2019 9:02 AM in response to Macloni

After some digging, since I also have the same thing, I found that it is crypto-mining malware that can be bundled with software, notably pirated software.


I checked out `"/usr/local/Cellar/qemu/3.0.0/bin/qemu-system-x86_64"` and found other files.


Check around for a couple of other files. I found a background agent that is linked at `"/usr/libexec/AppleQEMUGuestAgent"`, which also leads to a .plist file at `"/System/Library/LaunchDaemons/com.apple.AppleQEMUGuestAgent.plist"`. Judging by the lines inside the plist, it probably is. Also, if you find that your Mac's fan is throttling but you are not using any heavy apps, it is also a very clear indicator that cryptocurrency mining malware is present. Good thing you deleted the binary.


I pressed `Command-Shift-G` and typed `"/System"` (no brackets for any of the directories). I then put "qemu" in the search bar and clicked on the "System" button instead of This Mac, and that is how I found the plist file stated above. BUT PLEASE READ. Instead of searching for qemu, I searched for `"x86_64"` (no brackets). This brought up a couple of files, like 8. Delete them too. If you check them out, they all seem to be linked to mining. Check the files out yourself in an app such as TextEdit, and hopefully you will see the same. (CRED TO "edgytwelvie" for this)


ALL OF THE FILES STATED HERE SHOULD BE DELETED, well, at least I did. If you do not have the necessary permissions, even with sudo, try disabling SIP, deleting the files, then RE-ENABLE SIP.


Hope this helps someone.


Sources (if you want to check them out, I also did my own searching):

https://discussions.apple.com/thread/8602989

https://apple.stackexchange.com/questions/346172/what-is-this-strange-process-qemu-connecting-to-minergate-com/359046#359046

https://forums.developer.apple.com/thread/109460
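The post above locates the miner through its launchd job and the paths it references. The following is an added, report-only triage script, not code from the thread: it lists any launchd plist that mentions the indicators named in these posts (qemu-system-x86_64, AppleQEMUGuestAgent, /usr/local/Cellar/qemu) so the hits can be reviewed before anything is deleted. The sample plists it writes are constructed for an offline run; the `com.example.ok` job is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): report-only triage of launchd jobs.
# Lists each .plist in a directory that mentions the indicators named above
# (qemu-system-x86_64, AppleQEMUGuestAgent, /usr/local/Cellar/qemu). Nothing
# is deleted; inspect the hits and their ProgramArguments before acting.

INDICATORS='qemu-system-x86_64|AppleQEMUGuestAgent|/usr/local/Cellar/qemu'

# Print "plist<TAB>matching line" for every matching plist under directory $1.
scan_launchd_dir() {
  [ -d "$1" ] || return 0
  for plist in "$1"/*.plist; do
    [ -f "$plist" ] || continue
    # Binary plists are common on macOS: plutil turns them into XML; elsewhere
    # fall back to the raw bytes, which still expose the ASCII strings.
    if command -v plutil >/dev/null 2>&1; then
      plutil -convert xml1 -o - "$plist" 2>/dev/null
    else
      cat "$plist"
    fi | grep -E "$INDICATORS" | awk -v p="$plist" '{ print p "\t" $0 }'
  done
}

# Number of distinct plists flagged under $1 (0 when the directory is absent).
count_suspicious() {
  scan_launchd_dir "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample for an offline run: a daemon shaped like the one the
# Apr 30 post describes (KeepAlive matches the "comes back after force quit"
# symptom) plus a benign job that must not be flagged.
write_sample_plists() {
  mkdir -p "$1"
  cat > "$1/com.apple.AppleQEMUGuestAgent.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.AppleQEMUGuestAgent</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/Cellar/qemu/3.0.0/bin/qemu-system-x86_64</string>
  </array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>
EOF
  printf '<plist version="1.0"><dict><key>Label</key><string>com.example.ok</string><key>ProgramArguments</key><array><string>/usr/bin/true</string></array></dict></plist>\n' > "$1/com.example.ok.plist"
}

# Stand-alone run: the sample first, then the real launchd directories if present.
tmp=$(mktemp -d); write_sample_plists "$tmp"; scan_launchd_dir "$tmp"; rm -rf "$tmp"
for d in /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents"; do
  scan_launchd_dir "$d"
done
```

On a Mac, /System/Library/LaunchDaemons can be added to the loop; a writable plist there is itself worth noting, since that directory is normally protected by SIP.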

Feb 23, 2019 1:43 AM in response to Macloni

I had the problem too, but in the end I solved it. Here are the instructions:


Step 1: Go to Finder and press Shift Command G.

Step 2: Then copy & paste this ( /usr/local/Cellar ) in the text box.

Step 3: Delete the folder called qemu and empty the trash.

Step 4: Restart Your Mac.

Everything should be fine now after following the steps above; if not, delete everything named qemu in the system files.

Apr 15, 2019 7:08 AM in response to likethebossiam

More than one antivirus app - This machine has multiple antivirus apps installed.


When you have one your Mac will be slow and lose capabilities. When you have more than one, anything the first one does looks like a virus attack in progress and they fight to the death while productivity stops. The correct number of these third-party scanners is Zero -- the Mac protects itself far better and at hugely lower cost than any add-on.


Configuration Files:

File /etc/sysctl.conf exists but not expected

/etc/hosts - Count: 15


sysctl.conf has been known to cause problems. It is a hold-over from long ago, but some software still pays attention to it. It should be removed.


hosts counts this high may indicate that you are using "borrowed" software that requires these changes so that it can't "phone home" properly. Don't bet your business on borrowed software.


/Applications/qbittorrent.app

one notification


Using a bit torrent implies that you are also sourcing chunks of your software for others to use. At best, this punishes performance. Don't run a Bit Torrent.


Antivirus apps: CleanMyMac and MalwareBytes


MalwareBytes usually gets a pass as long as it is set to passive mode,

CleanMyMac is junk, and has no place on a Mac you want to work properly. It has a reputation of guessing badly, and removing parts of MacOS (which then requires a re-Install).


4 matches to Known adware


not signed -- needs to be removed. Legitimate, up-to-date software for the Mac is signed by the Developer certificate, with few exceptions that appear in Etrecheck's WhiteList:

uTorrent

App Player

Launchd: /Library/LaunchDaemons/com.Vermes.plist

Executable: /usr/local/bin/Honzo

Details: Restrictive app permissions - possibly adware



Your disk is encrypted, but you do not appear to have a Time Machine Backup. If you have another backup method to a local disk that you prefer, that is fine. If your drive loses its integrity, there is no way to "salvage" anything from an encrypted disk. What is the date of your most recent backup?


You have WAY too much JUNK on your Mac, and it is running all the time. (Where "junk" in this instance is stuff that may be perfectly good, but you do not happen to need right now, like stuff in the attic.) More stuff adds a lot of complexity for very little payback. It gives your Mac more ways to fail.


Some Users have solved this by creating an add-on Budget, and doing a clean Install: Make a second Backup, erase your drive, re-Install a fresh copy of MacOS, and restore only your User files, no add-ons. Then have a budget for adding things, such as only one addition a day, unless you remove something else.
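The hosts-count observation in the post above (entries that stop software from "phoning home") can be checked directly. This is an added example, not from the thread: it prints every /etc/hosts mapping that pins a hostname other than the macOS defaults (localhost, broadcasthost) to a loopback or black-hole address. The sample file is constructed, and the example.* vendor names in it are placeholders, not real indicators.

```shell
#!/bin/sh
# Added example (not from the thread): list /etc/hosts entries that pin a
# non-local hostname to a loopback or black-hole address, the mapping behind
# an inflated "hosts count" in the EtreCheck report above. Report-only.

# Names present in a default macOS /etc/hosts (localhost, broadcasthost).
LOCAL_NAMES='^(localhost|broadcasthost)$'

# Print "address<TAB>hostname" for each suspicious mapping in hosts file $1.
suspicious_hosts_entries() {
  # Drop comments, then emit one line per alias (a hosts line may list several),
  # then keep the aliases that point at 127.x, 0.0.0.0, ::1 or fe80::1.
  sed 's/#.*//' "$1" | awk 'NF >= 2 { for (i = 2; i <= NF; i++) print $1 "\t" $i }' |
    awk -F'\t' -v local="$LOCAL_NAMES" \
      '($1 ~ /^127\./ || $1 == "0.0.0.0" || $1 == "::1" || $1 ~ /^fe80::1/) && $2 !~ local'
}

# Count of suspicious mappings in $1.
count_suspicious_hosts() {
  suspicious_hosts_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample: the macOS defaults plus placeholder vendor hosts of the
# kind a license-server block adds (example.* names are not real indicators).
write_sample_hosts() {
  cat > "$1" <<'EOF'
##
# Host Database (constructed sample)
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
127.0.0.1 license.example.com   # placeholder vendor host
0.0.0.0 activation.example.net telemetry.example.net
EOF
}

# Stand-alone run: the constructed sample, then the live file if readable.
tmp=$(mktemp); write_sample_hosts "$tmp"; suspicious_hosts_entries "$tmp"; rm -f "$tmp"
if [ -r /etc/hosts ]; then suspicious_hosts_entries /etc/hosts; fi
```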


Nov 2, 2018 12:39 PM in response to momobabar

If you have a current backup, you can Erase and Install a clean copy of MacOS, then (at first run) use Setup Assistant and choose to automatically restore certain groups of things, and then manually restore others:



So for example, you could transfer all Users, but separately restore only the Applications you desired, manually, using TimeMachine.app


--------

The other approach suggested is to post an Etrecheck report, and see if it calls out the errant process and its source. No personally-identifiable information is included in Etrecheck final report.

Nov 17, 2018 2:36 PM in response to stoke.monkey

stoke.monkey wrote:


I'm having the very same issue, following an installation of Ableton 10 from a torrent file. I assume you're referring to a clean install, or does simply removing Ableton and reinstalling OS X resolve the issue?


Assume all your passwords have been compromised, multiple backdoors have been installed, all of your contact data has been compromised, all of the passwords and all of the data in your mail archive has been uploaded and analyzed and that using automated tools for finding credit card information and passwords and other sensitive data, that your email contacts will be receiving spoofed email “from you”, and that your entire cache of photos has been uploaded. Prolly a few other things got swiped, too.


If you're very lucky, all of that didn't happen. Best case, you mined some worthless cryptocurrency, or had your processor enlisted to crack passwords or some such, but given how automated the scammers are getting with their tools, that's far from a certainty.


Wipe, reinstall, change all your passwords, etc.

Oct 27, 2018 5:49 AM in response to Macloni

It is running as root. That means you gave it your administrator password at some point. Did you make note of how to remove it? It is open source, so it could have come from anywhere and in any other software package. Even if you could find uninstallation instructions, it could break something else if you try to remove it.


The first step is to identify exactly what you installed. Did you install qemu directly? Or is this part of something else? What did you install recently that required your administrator password?

Oct 27, 2018 7:07 AM in response to Macloni

I doubt that will help. I assume you would restore from backup, which would just reinstall the same software. If you didn't restore, you would probably want to reinstall your software, and that would likely put it right back again.


When you install software using your administrator password, you give full control over your computer, and all of your data, to the developer of that software. You are going to have to find out to whom you've given this level of control. qemu is not malware or anything. But you have given control over your machine to some unknown developers. You need to find out who now owns your computer and your data. They will give it back to you if you ask. But you need to find that out.


Start by finding out what software you have installed. All of it. You can go to Apple menu > About this Mac > System Report > Installations. That will list most of them, but maybe not all. Maybe you will get lucky and it will be listed.


qemu is open source software. As such, it is almost certainly going to require the Terminal to uninstall. I'm really not too eager to start handing out the commands necessary to uninstall. That gives me full control over your computer and all of your data. Plus it makes me responsible for any typos you might make.


Speaking of backups, do you have one? This is likely to be a very long thread. Attempting to manually remove this kind of low-level system modification when you don't even know how it got there is likely to go horribly wrong and require a restore from backup.


Step 1: Make a backup

Step 2: Follow the instructions above to list your installed software. Maybe we'll get lucky and something will be listed that can be tracked back to an official uninstaller.

Step 3: You begin the process to learn the UNIX command line. Hopefully we can avoid this step.

Nov 2, 2018 3:19 PM in response to Macloni

Are you serious dude? This is the EXACT same thing I did. I was trying to install Ableton Live 10 as well, since my Ableton Live 9 wasn't updating. Did you use this tutorial by any chance? ABLETON LIVE 10 FREE DOWNLOAD - Mac OS X - SUITE 2018 - EASY INSTALLATION - DIRECT DOWNLOAD - YouTube


I also realised my mistake, never torrenting ever again!



[Link Edited by Host]

Nov 2, 2018 11:38 AM in response to momobabar

You may be able to find where it is starting with:


etrecheck

Download etrecheck. Click on the download link at the bottom of the screen. http://etrecheck.com/

Run etrecheck. The first five runs are free.

How to post etrecheck findings:

1) click on "Share report"


2) click on "Copy report"


3) Paste the information into an ASC forum reply.


Using EtreCheck by etresoft, the author https://discussions.apple.com/docs/DOC-11591

Stamp of approval https://discussions.apple.com/docs/DOC-8181

MALWAREBYTES FOR MAC

Proven Malwarebytes technology crushes the growing threat of Mac malware. So you are protected and your machine keeps running silky smooth. Finally, cybersecurity smart enough for the Mac.

https://www.malwarebytes.com/pricing/mac/

Nov 12, 2018 2:43 PM in response to momobabar

Keep checking. There may be another qemu folder somewhere, in case you found and removed the first one.


I would suggest looking in /Library/Application Support and also /usr/local/Cellar/.


Actually, /usr/local/Cellar/ would be a rather clever place to put it. Tech savvy people would probably look at it and think it was a dependency needed for something installed through Homebrew, and non-tech savvy people would have no clue what it was.

Feb 1, 2019 6:26 AM in response to Macloni

Had the same problem and I have now solved it.


1) located the two .plist files in MacbookAir/Library/LaunchDaemons and deleted them (killed the processes in activity monitor, but qemu-system would always show up);

2) Deleted a few of my apps that I was suspicious of: iZotope RX7 and Soda Player (don't know if this helped or not, but thought I should share this info);

3) Restarted the system.

4) Went to activity monitor, and no more of those two CPU elephants.
