qemu-system-x86_64 runs 100% CPU

After some digging, since I also have the same thing, I found that it is a crypto mining malware that can be bundled with software, notably pirated softs.

I checked out `"/usr/local/Cellar/qemu/3.0.0/bin/qemu-system-x86_64"` and found other files.

Check around for a couple other files. I found a background agent that is linked at `"/usr/libexec/AppleQEMUGuestAgent"`, which leads also to a .plist file at `"/System/Library/LaunchDaemons/com.apple.AppleQEMUGuestAgent.plist"`. Judging by the lines inside the plist, it probably is. Also, If you find that your mac fan is throttling but you are not using and heavy apps, it is also a very clear indicator that cryptocurrency mining malware is present. Good thing you deleted the binary.

Pressing `Command-Shift-G` and typing `"/System"` (no brackets for any of the directories). I then put in the search bar "qemu" and clicked on the "system" button instead of This Mac, and that is how I found a plist file that is stated. BUT PLEASE READ. Instead of searching qemu, I searched instead `"x86_64"` (no brackets). This brought up a couple files, like 8. Delete them too. If you check them out, they all seem to be linked to mining. check the files out yourself in an app such as TextEdit, and hopefully you will see the same. (CRED TO "edgytwelvie" for this)

ALL OF THE FILES STATED HERE SHOULD BE DELETED, well, at least I did. If you do not have nessasary perms, even when sudo, try disabling SIP, deleting the files, then RE-ENABLE SIP.

Hope this helps someone.

Sources(if u wanna check them out, i also did my own searching):

```

https://discussions.apple.com/thread/8602989

______

https://apple.stackexchange.com/questions/346172/what-is-this-strange-process-qemu-connecting-to-minergate-com/359046#359046

______

https://forums.developer.apple.com/thread/109460

______

I've the problem too, but at the end I've solved it. Here's the instructions:

Step 1: Go to Finder and press Shift Command G.

Step 2: Then copy & paste this ( /usr/local/Cellar ) in the text box.

Step 3: Delete the folder call qemu and empty the trash.

Step 4: Restart Your Mac.

Everything should be fine now. After the following the steps ↓

, if not delete everything named qemu in the system files

More than one antivirus app - This machine has multiple antivirus apps installed.

When you have one your Mac will be slow and lose capabilities. When you have more than one, anything the first one does looks like a virus attack in progress and they fight to the death while productivity stops. The correct number of these third-party scanners is Zero -- the Mac protects itself far better and at hugely lower cost than any add-on.

Configuration Files:

File /etc/sysctl.conf exists but not expected

/etc/hosts - Count: 15

sysctl.conf has been know to cause problems. It is a hold-over from long ago, but some software still pays attention to it. It should be removed.

hosts counts this high may indicate that you are using "borrowed" software that requires these changes so that it can't "phone home" properly. Don't bet your business on borrowed software.

/Applications/qbittorrent.app

one notification

Using a bit torrent implies that you are also sourcing chunks of your software for others to use. At best, this punishes performance. Don't run a Bit Torrent.

Antivirus apps: CleanMyMac and MalwareBytes

MalwareBytes usually gets a pass as long as it is set to passive mode,

CleanMyMac is junk, and has no place on a Mac you want to work properly. It has a reputation of guessing badly, and removing Parts of MacOS (which then requires a re-Install.

4 matches to Known adware

not signed -- needs to be removed. legitimate, up-to-date software for the Mac is signed by the Developer certificate, with few exceptions that appear in Etrecheck's WhiteList:

uTorrent

App Player

Launchd: /Library/LaunchDaemons/com.Vermes.plist

Executable: /usr/local/bin/Honzo

Details: Restrictive app permissions - possibly adware

Your disk is encrypted, but you do not appear to have a Time Machine Backup. If you have another backup method to a local disk that you prefer, that is fine. If your drive loses its integrity, there is no way to "salvage" anything from an encrypted disk. ¿What is the date of your most recent backup?

You have WAY too much JUNK on your Mac, and it is running all the time. (Where "junk" in this instance is stuff that may be perfectly good, but you do not happen to need right now, like stuff in the attic.) More stuff adds a lot of complexity for very little payback. It gives your Mac more ways to fail.

Some Users have solved this by creating an add-on Budget, and doing a clean Install: Make a second Backup, erase your drive, re-Install a fresh copy of MacOS, and restore only your User files, no add-ons. Then have a budget for adding things, such as only one addition a day, unless you remove something else.

Had the same problem and I have now solved it.

1) located the two .plist files in MacbookAir/Library/LaunchDaemons and deleted them (killed the processes in activity monitor, but qemu-system would always show up);

2) Deleted a few of my apps that I was suspicious of: iZotope RX7 and Soda Player (don't know if this helped or not, but thought I should share this info);

3) Restarted the system.

4) Went to activity monitor, and no more of those two CPU elephants.

In my case, it was not necessary to do a clean install. But it's a little bit depending of what files has been installed.

Maybe you can check with a Pacifist (software that makes it possible to check/open a PKG file) if everything has been deleted.

For what it's worth, I've finally solved the issue without having to do anything crazy. Give it a shot, it might work. Keep in mind I'm not a professional or anything, I just ran through the logical stuff.

STEPS:

1. Launch Activity Monitor and locate "qemu-system-x86_64"

2. Double click on it and on the bottom left of Activity Monitor click "Sample"

3. Once the sample has been taken, you should see lots of random digits which might intimidate you, but one of the subheadings in the sample should be called "Path:". Copy the path you see. My path was something like this: /usr/local/bin/qemu-system-x86_64

4. Launch Finder and simultaneously click "Shift" "Command" "G"

5. Paste the path that you copied from step 3 and click "Go"

6. This should locate a Qemu file, delete that immediately

7. For safe measure, we will now delete everything from your System which contains either the words "qemu" or "x86_64"

8. Press "Shift" "Command" "G" again and in the search box type "/system"

10. Where it says "search" on the top right of your finder, search for "qemu". For me this came up with nothing, but if you look closely that's because it's searching on "This Mac". Click the tab which allows you to search on the "System".

11. If this brings up a number of files, delete all of them. Make sure to empty your trash too.

12. Repeat steps 10 & 11 but instead of searching for "qemu" search for "x86_64"

13. Shut down your computer completely for a period of time. For me it was 10 hours, the time from when I slept to woke up the next day.

Hope this helps!

You may be able to find where it is starting with:

etrecheck

Download etrecheck. Click on the download link at the bottom of the screen. http://etrecheck.com/

Run etrecheck. The first five runs are free.

How to post etrecheck findings:

1) click on "Share report"

2) click on "Copy report"

3) Paste the information into an ASC forum reply.

Using EtreCheck by etresoft, the author https://discussions.apple.com/docs/DOC-11591

Stamp of approval https://discussions.apple.com/docs/DOC-8181

MALWAREBYTES FOR MAC

Proven Malwarebytes technology crushes the growing threat of Mac malware. So you are protected and your machine keeps running silky smooth. Finally, cybersecurity smart enough for the Mac.

https://www.malwarebytes.com/pricing/mac/

Here is my EtreCheck Report. I had downloaded some VST torrents that installed qemu-system-86x_64 and some other things (I force stopped in activity monitor.) I removed the files EtreCheck told me to do manually (EtreCheck said it was unable to do it and just highlighted the file.) It seems that it may have worked but I am unsure if it did or not. The two other things in activity monitor that were using 100+% CPU alongside qemu were called "Palaeoniscus" and "Elateridae".

If you have a current backup, you can Erase and Install clean copy of MacOS, then (at first run) use Setup Assistant and choose to automatically restore certain Groups of things, and then manually restore others:

So for example, you could transfer all Users, but separately restore only the Applications you desired, manually, using TimeMachine.app

--------

The other approach suggested is to post an Etrecheck report, and see if it calls out the errant process and its source. No personally-identifiable information is included in Etrecheck final report.

If you do not have a recent backup, your computer is like a ticking Time bomb. You are only one disk failure away fro losing EVERYTHING! Drives do not last forever. It is not a question of IF it will fail, only WHEN it will fail.

If you are using another direct-to-disk backup method that you prefer, and you currently have a recent backup, that is great. If not, you should consider using Built-in Time Machine. Take steps to acquire an external drive as soon as possible. If you buy one, a drive 2 to 3 times or larger than your boot drive is preferable for long term trouble-free operation. Do not pay extra for a drive that is fast. (You can get by for a while with a "found" smaller drive if necessary, but it will eventually become annoying).

Attach your external drive and use

System preferences > Time machine ...

... to turn on Time Machine. It may ask to initialize the new drive, and that is as expected.

Time Machine may spend all afternoon making your first full backup. You can continue to do your regular work while it does this. The first Full Backup is by far the biggest backup. After that, it will work quietly and automatically in the background, without interrupting your regular work, and only save the incremental changes.

Time machine's "claim to fame" is that it is the backup that gets done, because it does not ruin performance of the rest of the computer while doing its backup operations. You do not have to set aside a "Special Time" when you only do backups. When you need it, your Time machine Backup is much more likely to be there.

How to use Time Machine to Backup or Restore your Mac:

https://support.apple.com/en-us/ht201250

If you choose to connect your backup drive only from time-to-time, try to do so at least every-other day, at minimum. Otherwise, it may take several hours of computation just to decide what needs to be backed up, before any files are transferred.

What happened here might look like what happened to you, and it might even be the same, but these pillagings and plunderings can and do evolve and change.

What will probably clear this? Create a bootable installer, boot that, back up externally, back up a second backup copy, wipe your disk, install macOS, migrate over only your documents and not your apps, re-download apps, change all of your passwords to all of your services, change your passwords to your mail, to your web sites, watch your credit cards; assume everything was uploaded, passwords and contacts and photos and credit card data and all.

no

Whoever you are I love you. I've had this issue forever and I just fixed it. Thanks mate.

If qemu stops showing in activity monitor after completing these steps should you still clean install? or does that resolve the problem