
qemu-system-x86_64 runs 100% CPU

Hello,


I am having this issue with two tasks in Activity Monitor draining my CPU, both continuously running at 100%+.

qemu-system-x86_64

tools-service

Haven't seen these two before. I've run malware and adware scanners, but my system seems clean.

Also tried to force quit but it runs again right after.

Anyone with knowledge on this issue?


Thank you all in advance.



MacBook Pro TouchBar and Touch ID, macOS Mojave (10.14)

Posted on Oct 27, 2018 3:54 AM

Question marked as Best reply

Posted on Nov 2, 2018 8:18 AM

Unfortunately, I had to reinstall OS X. The problem was that Ableton Live 10, which I downloaded from a torrent site and not from the official site, installs a miner too, running in the background and causing this. I've downloaded the official trial version now and all is good.


Thank you all for your help, greatly appreciated.

44 replies

Nov 2, 2018 12:30 PM in response to Grant Bennet-Alder

I am using Time Machine with a dedicated external hard drive over 2x larger than my disk space on my Macbook Pro. My only issue is time, and the possibility that if I clean my Macbook, and start fresh again, the backup will have the stored processes that are causing me the issue right now.


This is why I would prefer finding the source of this virtual machine process, removing it for good and then running Time Machine again so I can maintain consistent backups of my files.


In regards to EtreCheck, I am not entirely comfortable posting my logs (even if they don't include personal info). Is there a way for someone who is not extremely technically savvy to review the data and remove any respective files without breaking the OS?


M.

Nov 2, 2018 2:05 PM in response to Macloni

There’s a reasonable chance that sensitive data, credit card data, contact information, and pretty much anything that can be sold, spammed or scammed has also been uploaded to the folks that provided the “free” (cracked) app.


More than a few folks have paid dearly for “free” (bootleg) software.


So too have some of their friends and family, who then got scammed by spoofed mail messages.


There’s also a good chance a backdoor can be left. If a backdoor wasn’t left, then somebody will probably eventually decide to add one in some future cracked app.

Nov 2, 2018 3:19 PM in response to Macloni

Are you serious, dude? This is the EXACT same thing I did. I was trying to install Ableton Live 10 as well, since my Ableton Live 9 wasn't updating. Did you use this tutorial by any chance? ABLETON LIVE 10 FREE DOWNLOAD - Mac OS X - SUITE 2018 - EASY INSTALLATION - DIRECT DOWNLOAD - YouTube


I also realised my mistake. Never torrenting ever again!



[Link Edited by Host]

Nov 2, 2018 3:26 PM in response to edgytwelvie

There are a lot of unrelated system things that might contain x86_64. I would try to see if you could get by without removing those names.


In general, you cannot completely remove things that are part of the running system (it would crash badly) so you can place them in the Trash, but not empty the Trash until after a Restart. When you do the Restart, those items now in the Trash will not be included in the running MacOS any more, so once it comes back up, you can empty the Trash and wave goodbye to those items forever.

Nov 12, 2018 2:43 PM in response to momobabar

Keep checking. There may be another qemu folder somewhere, in case you found and removed the first one.


I would suggest looking in /Library/Application Support and also /usr/local/Cellar/.


Actually, /usr/local/Cellar/ would be a rather clever place to put it. Tech savvy people would probably look at it and think it was a dependency needed for something installed through Homebrew, and non-tech savvy people would have no clue what it was.

Nov 17, 2018 2:36 PM in response to stoke.monkey

stoke.monkey wrote:


I'm having the very same issue, following an installation of Ableton 10 from a torrent file. I assume you're referring to a clean install, or does simply removing Ableton and reinstalling OS X resolve the issue?


Assume all your passwords have been compromised, multiple backdoors have been installed, all of your contact data has been compromised, all of the passwords and all of the data in your mail archive have been uploaded and analyzed using automated tools for finding credit card information and passwords and other sensitive data, that your email contacts will be receiving spoofed email “from you”, and that your entire cache of photos has been uploaded. Prolly a few other things got swiped, too.


If you’re very lucky, all of that didn’t happen. Best case, you mined some worthless cryptocurrency, or had your processor enlisted to crack passwords or some such. But given how automated the scammers are getting with their tools, that’s far from a certainty.


Wipe, reinstall, change all your passwords, etc.

Feb 1, 2019 6:26 AM in response to Macloni

Had the same problem and I have now solved it.


1) Located the two .plist files in MacbookAir/Library/LaunchDaemons and deleted them (I had killed the processes in Activity Monitor, but qemu-system would always show up again);

2) Deleted a few of my apps that I was suspicious of: iZotope RX7 and Soda Player (don't know if this helped or not, but thought I should share this info);

3) Restarted the system.

4) Went to Activity Monitor, and no more of those two CPU elephants.

Feb 12, 2019 5:05 PM in response to Macloni

Hi,

I have had the problem since yesterday; after some investigation I found the solution by removing the following files from my system.

Just open a Terminal window and use the following commands.


sudo rm -R /usr/local/Cellar/qemu


sudo rm -R "/Library/Application Support/.Qemusys"

sudo rm -R "/Library/Application Support/.System-Monitor"

sudo rm /Library/LaunchDaemons/com.buildtools.system-monitor.plist

sudo rm /Library/LaunchDaemons/com.buildtools.tools-service.plist

sudo rm /Library/LaunchDaemons/com.modulesys.qemuservice.plist

sudo rm /Library/LaunchDaemons/com.systools.cpumonitor.plist


then go to


cd /usr/local/bin/


sudo rm -R .Tools-Service

sudo rm cpumonitor

sudo rm system-monitor

sudo rm tools-service


Please be careful with these commands, they are dangerous if you enter them wrong.

Best is to cut and paste them on the command line.


And next time, buy software instead of ....
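The removal list above is also a set of concrete file-system indicators. As an added example that is not part of this thread or of any of its posters' replies, here is a read-only audit script that checks for those same paths and, for any LaunchDaemon plist it finds, prints the plist's string values so you can see which binary launchd is being told to start. It deletes nothing, so the findings can be reviewed (or copied off for analysis) before cleanup. The optional ROOT argument is this script's own convention, not something from the thread: it lets the same check run against a mounted Time Machine volume or a scratch directory instead of the live system.

```shell
#!/bin/sh
# Read-only audit for the file-system indicators listed in the thread.
# Reports what exists and never deletes anything.

# Indicator paths quoted in the thread, relative to the volume root.
IOC_PATHS='usr/local/Cellar/qemu
Library/Application Support/.Qemusys
Library/Application Support/.System-Monitor
Library/LaunchDaemons/com.buildtools.system-monitor.plist
Library/LaunchDaemons/com.buildtools.tools-service.plist
Library/LaunchDaemons/com.modulesys.qemuservice.plist
Library/LaunchDaemons/com.systools.cpumonitor.plist
usr/local/bin/.Tools-Service
usr/local/bin/cpumonitor
usr/local/bin/system-monitor
usr/local/bin/tools-service'

# scan_iocs [ROOT]: print the full path of every indicator present under ROOT.
# ROOT is an assumption of this script (default "/"), so the check can be
# pointed at a mounted backup or a test tree.
scan_iocs() {
    root="${1:-/}"
    printf '%s\n' "$IOC_PATHS" | while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        p="${root%/}/$rel"
        # -e matches files, directories and hidden dot-names alike
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# count_iocs [ROOT]: number of indicators present (awk avoids wc's padding).
count_iocs() {
    scan_iocs "$1" | awk 'END { print NR }'
}

# plist_strings FILE: print every <string> value of a pretty-printed plist,
# one per line. For a LaunchDaemon that yields the Label plus the Program /
# ProgramArguments values, i.e. what launchd runs at boot.
plist_strings() {
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' "$1"
}

# Stand-alone use: audit the given root (default /) and describe each hit.
target="${1:-/}"
if [ "$(count_iocs "$target")" -eq 0 ]; then
    echo "no indicators from the thread found under $target"
else
    scan_iocs "$target" | while IFS= read -r hit; do
        echo "FOUND: $hit"
        ls -ld "$hit"
        case "$hit" in
            *.plist) plist_strings "$hit" | sed 's/^/    /' ;;
        esac
    done
fi
```

Run it as `sh audit.sh` on the live system, or `sh audit.sh /Volumes/Backup` against a mounted backup to see whether the daemons were already captured in Time Machine before restoring from it. Because the plist is shown rather than deleted, a daemon whose Label and Program point at a hidden binary under /usr/local/bin stands out before any `rm` is typed.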


Apr 15, 2019 7:08 AM in response to likethebossiam

More than one antivirus app - This machine has multiple antivirus apps installed.


When you have one, your Mac will be slow and lose capabilities. When you have more than one, anything the first one does looks like a virus attack in progress and they fight to the death while productivity stops. The correct number of these third-party scanners is zero -- the Mac protects itself far better and at hugely lower cost than any add-on.


Configuration Files:

File /etc/sysctl.conf exists but not expected

/etc/hosts - Count: 15


sysctl.conf has been known to cause problems. It is a hold-over from long ago, but some software still pays attention to it. It should be removed.


A hosts count this high may indicate that you are using "borrowed" software that requires these changes so that it can't "phone home" properly. Don't bet your business on borrowed software.


/Applications/qbittorrent.app

one notification


Using BitTorrent implies that you are also sourcing chunks of your software for others to use. At best, this punishes performance. Don't run BitTorrent.


Antivirus apps: CleanMyMac and MalwareBytes


MalwareBytes usually gets a pass as long as it is set to passive mode.

CleanMyMac is junk, and has no place on a Mac you want to work properly. It has a reputation of guessing badly, and removing parts of MacOS (which then requires a re-install).


4 matches to Known adware


Not signed -- needs to be removed. Legitimate, up-to-date software for the Mac is signed by the Developer certificate, with few exceptions that appear in EtreCheck's whitelist:

uTorrent

App Player

Launchd: /Library/LaunchDaemons/com.Vermes.plist

Executable: /usr/local/bin/Honzo

Details: Restrictive app permissions - possibly adware



Your disk is encrypted, but you do not appear to have a Time Machine backup. If you have another backup method to a local disk that you prefer, that is fine. If your drive loses its integrity, there is no way to "salvage" anything from an encrypted disk. What is the date of your most recent backup?


You have WAY too much JUNK on your Mac, and it is running all the time. (Where "junk" in this instance is stuff that may be perfectly good, but you do not happen to need right now, like stuff in the attic.) More stuff adds a lot of complexity for very little payback. It gives your Mac more ways to fail.


Some users have solved this by creating an add-on budget, and doing a clean install: make a second backup, erase your drive, re-install a fresh copy of MacOS, and restore only your user files, no add-ons. Then have a budget for adding things, such as only one addition a day, unless you remove something else.


Apr 19, 2019 10:34 AM in response to Macloni

If anyone else is looking here for answers on this now: I was able to remove it completely without reinstalling OS X by following these steps given by Edgytwelvie (steps below; credit to him for saving my butt with this part). When you get to about step 10 and you find a QEMU file ending in .KEXT and one ending in .PLIST, your Mac will not allow you to delete these because they have embedded themselves as essential to the Mac's OS, so when you try to drag them into the Trash it might say "this operation cannot be completed because this file is required by OS." To delete those you must reboot your Mac into Recovery mode by restarting it and holding Command-R. Once you are in Recovery mode, look up top for Utilities, open that and open Terminal. You will need to type in csrutil disable; it will ask for your password, then it should disable it. Now restart your Mac NORMALLY, locate the QEMU KEXT file and the QEMU PLIST, throw them in the Trash and empty the Trash. Now reboot back into Recovery mode as you did before, open Terminal, type csrutil enable and press Enter. Once you reboot normally your problem should be solved. I would recommend shutting off the laptop for a while before using it again.



STEPS:

1. Launch Activity Monitor and locate "qemu-system-x86_64"

2. Double click on it and on the bottom left of Activity Monitor click "Sample"

3. Once the sample has been taken, you should see lots of random digits which might intimidate you, but one of the subheadings in the sample should be called "Path:". Copy the path you see. My path was something like this: /usr/local/bin/qemu-system-x86_64

4. Launch Finder and simultaneously click "Shift" "Command" "G"

5. Paste the path that you copied from step 3 and click "Go"

6. This should locate a QEMU file; delete that immediately.

7. For safe measure, we will now delete everything from your System which contains either the words "qemu" or "x86_64"

8. Press "Shift" "Command" "G" again and in the search box type "/system"

10. Where it says "Search" on the top right of your Finder window, search for "qemu". For me this came up with nothing, but if you look closely that's because it's searching on "This Mac". Click the tab which allows you to search on "System".

11. If this brings up a number of files, delete all of them. Make sure to empty your Trash too. (If you can't delete them, look up at the first body of text.)

12. Repeat steps 10 & 11 but instead of searching for "qemu" search for "x86_64". (If you can't delete them, look up at the first body of text.)

13. Shut down your computer completely for a period of time. For me it was 10 hours, the time from when I went to sleep to when I woke up the next day.

Apr 30, 2019 9:02 AM in response to Macloni

After some digging, since I also have the same thing, I found that it is crypto-mining malware that can be bundled with software, notably pirated software.


I checked out `"/usr/local/Cellar/qemu/3.0.0/bin/qemu-system-x86_64"` and found other files.


Check around for a couple of other files. I found a background agent that is linked at `"/usr/libexec/AppleQEMUGuestAgent"`, which leads also to a .plist file at `"/System/Library/LaunchDaemons/com.apple.AppleQEMUGuestAgent.plist"`. Judging by the lines inside the plist, it probably is. Also, if you find that your Mac fan is throttling but you are not using any heavy apps, it is also a very clear indicator that cryptocurrency-mining malware is present. Good thing you deleted the binary.


Press `Command-Shift-G` and type `"/System"` (no brackets for any of the directories). I then put "qemu" in the search bar and clicked on the "System" button instead of "This Mac", and that is how I found the plist file that is stated. BUT PLEASE READ. Instead of searching "qemu", I then searched `"x86_64"` (no brackets). This brought up a couple of files, like 8. Delete them too. If you check them out, they all seem to be linked to mining. Check the files out yourself in an app such as TextEdit, and hopefully you will see the same. (CRED TO "edgytwelvie" for this)


ALL OF THE FILES STATED HERE SHOULD BE DELETED, well, at least I did. If you do not have the necessary permissions, even with sudo, try disabling SIP, deleting the files, then RE-ENABLE SIP.


Hope this helps someone.


Sources (if you want to check them out; I also did my own searching):

https://discussions.apple.com/thread/8602989

https://apple.stackexchange.com/questions/346172/what-is-this-strange-process-qemu-connecting-to-minergate-com/359046#359046

https://forums.developer.apple.com/thread/109460
