Yesterday I ran a full system scan using my Avast antivirus software and it found an infected file. The file's location is:
/private/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64
Avast categorizes the infected file as:
JS:Cryptonight [Trj]
So, after deleting the file I did several more full system scans to check whether there were any more files. I found nothing, until I restarted my MacBook Pro today. The file reappeared in the same location. So I decided to let Avast put it in the virus chest and restarted the laptop, and again the file was in the same location. Therefore the virus is re-creating the file on every restart of the laptop.
I want to avoid wiping the laptop and re-installing everything, so that is why I am here. I researched the file path and Cryptonight and found out that Cryptonight is/can be malicious code that runs in the background of someone's computer to mine cryptocurrency. I've been monitoring my CPU usage, memory, and network and I haven't seen a single odd process running. My CPU is running below 30%, my RAM is generally below 5GB (16GB installed), and my network hasn't had any processes sending out/receiving large amounts of data. So if something is mining in the background, I can't tell at all. I have no clue what to do.
My Avast runs full system scans every week, so this only became an issue this week. I checked all of my Chrome extensions and nothing is out of order, and I haven't downloaded anything special within the past week, besides the new Mac operating system (macOS High Sierra 10.13.1). So, to be honest, I have no clue where this has come from and I have no clue how to get rid of it. Can someone please help me out?
I suspect that this supposed “virus” is coming from the Apple update and that it is just a pre-installed file that is created and runs every time the OS is booted/rebooted. But I am unsure, since I only have one MacBook and no one else I know who has a Mac has updated the OS to High Sierra. But Avast keeps labeling this as a potential “Cryptonight” virus and no one else online has posted anything about this issue. Therefore, a common virus removal forum isn't helpful in my situation, since I've already attempted to remove it with Avast, Malwarebytes, and manually.
It’s most likely a false positive. – JakeGould – 2017-11-26T04:23:10.893
That's the conclusion I am coming to, but I want reassurance that that is what it is. – Lonely Twinky – 2017-11-26T04:24:40.583
@LonelyTwinky BC8EE8D09234D99DD8B85A99E46C64 seems to be a magic number! See my answer for details. – JakeGould – 2017-11-26T04:39:11.773
What makes you think that Cryptonight is Windows-only? After a preliminary googling of "JS:Cryptonight" I get the impression that it's platform agnostic. It's an asm.js "trojan" used by some websites to steal your CPU time while you're visiting their pages and use it to mine cryptocurrency. Nothing about that is Windows-specific. – bcrist – 2017-11-26T23:44:41.733
@bcrist The algorithm alone is platform agnostic, but the only Mac miners I can find that use Cryptonight are not JavaScript; they are all clearly system-level binaries such as this one. More details on the C implementations here and here. If this were purely a JavaScript threat, then Linux users would be complaining as well. Besides, Macs have horrible video cards by default, so they make terrible coin miners. – JakeGould – 2017-11-27T03:03:52.637
I've contacted Avast about the file being a false positive; I will post an update on their response whenever they contact me back. – Lonely Twinky – 2017-11-27T05:26:17.333
Good that you contacted Avast. Avast employees: note that before this question was "protected", 4 "me too" posts were already deleted and 3 duplicates have been closed too, while this question already has 4.7k views. Also note that 1 deleted post says "I am also running macOS High Sierra 10.13.1 but only updated after Avast had detected the file, so it did not come from the update." – Arjan – 2017-11-27T18:28:25.197