qemu-system-x86_64 runs 100% CPU

Hello,


I am having an issue with two tasks in Activity Monitor that are draining my CPU, both continuously running at 100%+.

qemu-system-x86_64

tools-service

Haven't seen these two before; I've run malware/adware scanners, but my system seems clear.

Also tried to force quit but it runs again right after.

Anyone with knowledge on this issue?


Thank you all in advance.



MacBook Pro TouchBar and Touch ID, macOS Mojave (10.14)

Posted on Oct 27, 2018 3:54 AM

Question marked as Top-ranking reply

Posted on Apr 30, 2019 9:02 AM

After some digging, since I also have the same thing, I found that it is crypto-mining malware that can be bundled with software, notably pirated software.


I checked out `"/usr/local/Cellar/qemu/3.0.0/bin/qemu-system-x86_64"` and found other files.


Check around for a couple of other files. I found a background agent that is linked at `"/usr/libexec/AppleQEMUGuestAgent"`, which also leads to a .plist file at `"/System/Library/LaunchDaemons/com.apple.AppleQEMUGuestAgent.plist"`. Judging by the lines inside the plist, it probably is. Also, if you find that your Mac fan is throttling but you are not using any heavy apps, it is also a very clear indicator that cryptocurrency-mining malware is present. Good thing you deleted the binary.


Press `Command-Shift-G` and type `"/System"` (no brackets for any of the directories). I then put "qemu" in the search bar and clicked on the "System" button instead of "This Mac", and that is how I found the plist file stated above. BUT PLEASE READ. Instead of searching "qemu", I searched `"x86_64"` (no brackets). This brought up a couple of files, like 8. Delete them too. If you check them out, they all seem to be linked to mining. Check the files out yourself in an app such as TextEdit, and hopefully you will see the same. (CRED TO "edgytwelvie" for this)


ALL OF THE FILES STATED HERE SHOULD BE DELETED, well, at least I did. If you do not have the necessary permissions, even with sudo, try disabling SIP, deleting the files, then RE-ENABLE SIP.


Hope this helps someone.


Sources (if you want to check them out; I also did my own searching):

- https://discussions.apple.com/thread/8602989
- https://apple.stackexchange.com/questions/346172/what-is-this-strange-process-qemu-connecting-to-minergate-com/359046#359046
- https://forums.developer.apple.com/thread/109460
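As an added example, not code from the thread or from any of its posters: a read-only triage script that parses launchd property lists with Python's standard `plistlib` and flags the indicators this answer names (the `qemu-system-x86_64` binary under `/usr/local/Cellar/qemu/`, the `/usr/libexec/AppleQEMUGuestAgent` program with its `com.apple.AppleQEMUGuestAgent` label, and `tools-service`). It also explains why such a job survives Force Quit: a `KeepAlive` job is relaunched by launchd as soon as it exits. The plist bodies, the benign `com.example.backup` job and the `local.constructed.qemu` label are constructed for illustration; the thread does not reproduce the actual files.

```python
"""Triage macOS launchd job definitions for the persistence described in the thread.

Added example, not the posters' code. Sample plist contents are CONSTRUCTED.
"""
import os
import plistlib
from dataclasses import dataclass, field

# Indicators taken from the thread (binary names and the path posters found),
# not a general-purpose signature set.
SUSPECT_BASENAMES = {"qemu-system-x86_64", "AppleQEMUGuestAgent", "tools-service"}
SUSPECT_PREFIXES = ("/usr/local/Cellar/qemu/",)

# Directories launchd reads job definitions from on macOS.
LAUNCHD_DIRS = (
    "/System/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
)


@dataclass
class Finding:
    path: str
    label: str
    program: str
    keep_alive: bool
    run_at_load: bool
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_plist(path: str, data: bytes) -> Finding:
    """Parse one launchd plist and record why (if at all) it matches the thread's indicators."""
    job = plistlib.loads(data)
    # launchd takes the executable from Program, otherwise from ProgramArguments[0].
    program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    # KeepAlive may be a bool or a dict of conditions; in both cases launchd relaunches the job.
    keep_alive = bool(job.get("KeepAlive", False))
    finding = Finding(path, str(job.get("Label", "")), program, keep_alive,
                      bool(job.get("RunAtLoad", False)))

    base = os.path.basename(program)
    if base in SUSPECT_BASENAMES:
        finding.reasons.append(f"program {base!r} is one of the binaries named in the thread")
    if program.startswith(SUSPECT_PREFIXES):
        finding.reasons.append(f"program lives under {SUSPECT_PREFIXES[0]!r}, the path posters found")
    if finding.reasons and keep_alive:
        finding.reasons.append("KeepAlive is set: launchd restarts the job after it is killed, "
                               "which is why Force Quit does not stick")
    if finding.reasons and finding.label.startswith("com.apple."):
        finding.reasons.append("label borrows the com.apple.* namespace; confirm the file is part of the OS")
    return finding


def scan(entries) -> list:
    """Triage (path, bytes) pairs; unparseable files are skipped, suspicious findings returned."""
    findings = []
    for path, data in entries:
        try:
            finding = triage_plist(path, data)
        except Exception:  # not a readable plist at all; still worth a manual look
            continue
        if finding.suspicious:
            findings.append(finding)
    return findings


def scan_disk(dirs=LAUNCHD_DIRS) -> list:
    """Read the real launchd directories (macOS only); nothing is modified or deleted."""
    entries = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if name.endswith(".plist"):
                try:
                    with open(full, "rb") as fh:
                        entries.append((full, fh.read()))
                except OSError:
                    pass
    return scan(entries)


# CONSTRUCTED: the thread names this label and program but does not reproduce the file.
SAMPLE_SUSPECT = (
    "/System/Library/LaunchDaemons/com.apple.AppleQEMUGuestAgent.plist",
    b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.AppleQEMUGuestAgent</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/AppleQEMUGuestAgent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
)
# CONSTRUCTED: hypothetical label pointing at the Cellar path from the answer above.
SAMPLE_CELLAR = (
    "/Library/LaunchDaemons/local.constructed.qemu.plist",
    b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>local.constructed.qemu</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/Cellar/qemu/3.0.0/bin/qemu-system-x86_64</string></array>
  <key>KeepAlive</key><true/>
</dict></plist>""",
)
# CONSTRUCTED benign job for contrast (hypothetical label and program).
SAMPLE_BENIGN = (
    "/Library/LaunchDaemons/com.example.backup.plist",
    b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/example-backup</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
)

if __name__ == "__main__":
    for f in scan([SAMPLE_SUSPECT, SAMPLE_CELLAR, SAMPLE_BENIGN]) + scan_disk():
        print(f"{f.path}\n  label={f.label} program={f.program} keep_alive={f.keep_alive}")
        for r in f.reasons:
            print(f"  - {r}")
```

Run it with `python3` on the affected Mac: the constructed samples show what a hit looks like, then `scan_disk()` walks the standard launchd directories and prints matching jobs without touching them. Unloading or deleting anything remains a separate, deliberate step once you know which label you are dealing with.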

44 replies

Oct 27, 2018 5:49 AM in response to Macloni

It is running as root. That means you gave it your administrator password at some point. Did you make note of how to remove it? It is open source, so it could have come from anywhere and in any other software package. Even if you could find uninstallation instructions, it could break something else if you try to remove it.


The first step is to identify exactly what you installed. Did you install qemu directly? Or is this part of something else? What did you install recently that required your administrator password?

Oct 27, 2018 7:07 AM in response to Macloni

I doubt that will help. I assume you would restore from backup, which would just reinstall the same software. If you didn't restore, you would probably want to reinstall your software, and that would likely put it right back again.


When you install software using your administrator password, you give full control over your computer, and all of your data, to the developer of that software. You are going to have to find out to whom you've given this level of control. qemu is not malware or anything. But you have given control over your machine to some unknown developers. You need to find out who now owns your computer and your data. They will give it back to you if you ask. But you need to find that out.


Start by finding out what software you have installed. All of it. You can go to Apple menu > About this Mac > System Report > Installations. That will list most of them, but maybe not all. Maybe you will get lucky and it will be listed.


qemu is open source software. As such, it is almost certainly going to require the Terminal to uninstall. I'm really not too eager to start handing out the commands necessary to uninstall. That gives me full control over your computer and all of your data. Plus it makes me responsible for any typos you might make.


Speaking of backups, do you have one? This is likely to be a very long thread. Attempting to manually remove this kind of low-level system modification when you don't even know how it got there is likely to go horribly wrong and require a restore from backup.


Step 1: Make a backup

Step 2: Follow the instructions above to list your installed software. Maybe we'll get lucky and something will be listed that can be tracked back to an official uninstaller.

Step 3: You begin the process to learn the UNIX command line. Hopefully we can avoid this step.

Nov 2, 2018 11:30 AM in response to etresoft

Hi there,


I noticed my MacBook Pro is not running the way it used to and found my way to Activity Monitor to see:


- qemu-system-x86_64 running over 100% CPU

- tools-service running over 100%


I have tried to Force Quit both, but qemu keeps coming back.


Is there no way to trace and remove these processes, without having to erase and start all over again? I tried to see if the "Open Files and Ports" tab in Activity Monitor would show some info, but it is not there.


My MacBook has been in use for quite a few years now and has a lot that needs to be backed up if I proceed this way... trying to find an alternative option before doing this. I also installed many music VST/AU plugins recently, as I transitioned to FL Studio, which was released for macOS. Prior to this, I was using Boot Camp for music production.


The majority of the plugins are free too, available online and commonly used. Although some did require a security permission to allow me to use the app, as perhaps they were from an unknown developer. I used a tutorial online which shows how to: How to Allow Apps from Anywhere.


I guess there is a risk. But there must be a way to completely quit these processes and remove them, if they are not essential for running macOS.


I will try to review the installed programs list to see if it is somewhere there too.


M.

Nov 2, 2018 12:30 PM in response to Grant Bennet-Alder

I am using Time Machine with a dedicated external hard drive over 2x larger than the disk space on my MacBook Pro. My only issue is time, and the possibility that if I clean my MacBook and start fresh again, the backup will have the stored processes that are causing me the issue right now.


This is why I would prefer finding the source of this virtual machine process, removing it for good and then running Time Machine again so I can maintain consistent backups of my file.


In regards to EtreCheck, I am not entirely comfortable posting my logs (even if they don't include personal info). Is there a way for someone who is not extremely technically savvy to review the data and remove any respective files without breaking the OS?


M.

Nov 2, 2018 2:05 PM in response to Macloni

There's a reasonable chance that sensitive data, credit card data, contact information, and pretty much anything that can be sold, spammed or scammed has also been uploaded to the folks that provided the "free" (cracked) app.


More than a few folks have paid dearly for “free” (bootleg) software.


So too have some of their friends and family, who then got scammed by spoofed mail messages.


There’s also a good chance a backdoor can be left. If a backdoor wasn’t left, then somebody will probably eventually decide to add one in some future cracked app.

Nov 2, 2018 3:19 PM in response to Macloni

Are you serious dude? This is the EXACT same thing I did. I was trying to install Ableton Live 10 as well, since my Ableton Live 9 wasn't updating. Did you use this tutorial by any chance? ABLETON LIVE 10 FREE DOWNLOAD - Mac OS X - SUITE 2018 - EASY INSTALLATION - DIRECT DOWNLOAD - YouTube


I also realised my mistake, never torrenting ever again!



[Link Edited by Host]

Nov 2, 2018 3:26 PM in response to edgytwelvie

There are a lot of unrelated system things that might contain x86_64. I would try to see if you could get by without removing those names.


In general, you cannot completely remove things that are part of the running system (it would crash badly), so you can place them in the Trash, but do not empty the Trash until after a Restart. When you do the Restart, those items now in the Trash will not be included in the running macOS any more, so once it comes back up, you can empty the Trash and wave goodbye to those items forever.

Nov 12, 2018 2:43 PM in response to momobabar

Keep checking. There may be another qemu folder somewhere, in case you found and removed the first one.


I would suggest looking in /Library/Application Support and also /usr/local/Cellar/.


Actually, /usr/local/Cellar/ would be a rather clever place to put it. Tech savvy people would probably look at it and think it was a dependency needed for something installed through Homebrew, and non-tech savvy people would have no clue what it was.
