I loaded Avast Anita virus. Submitted: 5 months ago. Category: Mac. Ask Your Own Mac Question. I do have time machine and an external hard drive. 4,711 satisfied customers. Apple certified on desktop and portable, help desk qualified.

Yesterday I ran a full system scan using my Avast antivirus software and it found a infection file. The file's location is :

• Backup4all for U3 is a portable backup solution for Windows. Using Backup4all for U3 you can easily backup to any local or network drive, backup to FTP (with support for SSL encryption, proxy server, passive mode), backup to CD/DVD, or back up to USB drives.
• 'Avast Internet Security 2016 Crack & License Key has Intelligent Antivirus, Anti-malware Protection, Safe Zone, Automatic computer code Updater.' 'Avast Internet Security 2018 Crack is a robust security suite that houses numerous tools to protect your system.

Avast categorizes the infection file as :

So, after deleting the file I did several more full system scans to check to see if there were any more files. I found nothing, until I restarted my macbook pro today. The file reappeared in the same location. So I decided to let Avast put it in the virus chest, restarted the laptop, and again the file was in the same location again. Therefore the virus is re-creating the file every restart of the laptop.

I want to avoid wiping the laptop and re-installing everything, so that is why I am here. I researched the file path and cryptonight and found out that cryptonight is/can be malicious code that can run in the background of someone's computer to mine cryptocurrency. I've been monitoring my CPU usage, Memory, and Network and I haven't seen a single odd process running. My CPU is running below 30%, my RAM is generally below 5GB (installed 16GB), and my network hasn't had any processes sending out/receiving large amount of data. So if something is mining in the background, I can't tell at all. I have no clue what to do.

My Avast runs full system scans every week, so this just recently became an issue this week. I checked all of my chrome extensions and nothing is out of order, I haven't downloaded anything special within the past week, besides the new Mac operating system (macOS High Sierra 10.13.1). So I have no clue where this has came from to be honest and I have no clue how to get rid of it. Can someone please help me out.

I suspect that this supposed “virus” is coming from the Apple update and that it is just a pre-installed file that is created and runs every time the OS is booted/rebooted. But I am unsure since I only have one MacBook and no one else that I know that has a mac has updated the OS to High Sierra. But Avast keeps labeling this as a potential “Cryptonight” virus and no one else online has posted anything about this issue. Therefore, a common virus removal forum isn't helpful in my situation, since I've already attempted to remove it with both Avast, malwarebytes, and manually.

1 Answer

Pretty sure there is no virus, malware or trojan at play and his is all a highly coincidental false positive.

It’s most likely a false positive since /var/db/uuidtext/ is related to the new “Unified Logging” subsystem that was introduced in macOS Sierra (10.2). As this article explains:

The first file path (/var/db/diagnostics/) contains the log files. These files are named with a timestamp filename following the pattern logdata.Persistent.YYYYMMDDTHHMMSS.tracev3. These files are binary files that we’ll have to use a new utility on macOS to parse them. This directory contains some other files as well including additional log *.tracev3 files and others that contain logging metadata. The second file path (/var/db/uuidtext/) contains files that are references in the main *.tracev3 log files.

But in your case the “magic” seems to come from the hash:

Just check out this reference for known Windows malware files that references that one specific hash. Congratulations! Your Mac has magically created a filename that matches a known vector that has been primarily seen on Windows systems… But you are on a Mac and this filename is just a hash that is connected to the “Unified Logging” database system’s file structure and it is completely coincidental that it matches that malware filename and should not mean anything.

And the reason that specific file seems to regenerate is based on this detail from the above explanation:

The second file path (/var/db/uuidtext/) contains files that are references in the main *.tracev3 log files.

So you delete the file in /var/db/uuidtext/, but all it is is a reference to what is in /var/db/diagnostics/. So when you reboot, it sees it is missing and recreates it in /var/db/uuidtext/.

As for what to do now? Well, you can either tolerate the Avast alerts or you can download a cache cleaning tool such as Onyx and just force the logs to be recreated by truly purging them from your system; not just that one BC8EE8D09234D99DD8B85A99E46C64 file. Hopefully the hash names of the files it regenerates after a full cleaning won’t accidentally match a known malware file again.

UPDATE 1: It seems like Avast staff acknowledges the issue in this post on their forums:

I can confirm this is a false positive. The superuser.com post describes the issue quite well - MacOS seems to have accidentally created a file that contains fragments of malicious cryptocurrency miner which also happen to trigger one of our detections.

Now what is really odd about this statement is the phrase, “…MacOS seems to have accidentally created a file that contains fragments of malicious cryptocurrency miner.”

What? Is this implying that someone on the core macOS software development team at Apple somehow “accidentally” setup the system so it generates neutered fragments of a known malicious cryptocurrency miner? Has anyone contacted Apple directly about this? This all seems a bit crazy.

UPDATE 2: This issue is further explained by someone Radek Brich the Avast forums as simply Avast self-identifying itself:

Hello, I'll just add a bit more information.

The file is created by MacOS system, it's actually part of 'cpu usage' diagnostic report. The report is created because Avast uses the CPU heavily during the scan.

The UUID (7BBC8EE8-D092-34D9-9DD8-B85A99E46C64) identifies a library which is a part of Avast detections DB (algo.so). The content of the file is debugging information extracted from the library. Unfortunately, this seems to contain a string which is in return detected by Avast as a malware.

(The 'rude' texts are probably just names of malware.)

protected by Community♦Nov 26 '17 at 20:07

Thank you for your interest in this question. Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?

Not the answer you're looking for? Browse other questions tagged macosmacvirusanti-virusavast or ask your own question.

Blood Test Shows Virus

Every Avast antivirus (Free Antivirus, Pro Antivirus, Internet Security, Premier), even the free version, offers a great feature which can search for any viruses and malware on your computer before it even starts. It’s called a Boot-Time Scan and below are the steps how to perform it in the latest 2018 version. It works great even with the latest Windows 10 release.

Technically boot-time scan runs before the Windows are loaded, so it doesn’t give malware any chance to hide. From our experience we recommend running a full boot-time scan at least once a month, to make sure your computer is clean.

Quick Summary

1. Open Avast interface and go to ‘Protection‘ » ‘Scans‘
2. Select ‘Boot-Time Scan’ and click on ‘Run on next PC reboot’
3. Restart your Windows and the boot-time scan will take place

Avast For Mac Shows Virus With Drive Genius 5 Coupon Code

Read more detailed steps and other options including screenshots below.

1. Schedule a Boot-Time Scan

Open interface of your program and navigate to tab ‘Protection‘ » ‘Scans‘ in the left menu. Once the scan overview shows click on ‘Boot-Time Scan‘ option.

Running a Boot-time Scan in Avast 2018 – Scan Overview

On the Boot-time Scan window click on ‘Install specialized definitions‘ to add special virus definitions which detects malware on inaccessible places for Windows. Once done click on the green button ‘RUN ON NEXT PC REBOOT‘ and you are set.

Running a Boot-time Scan in Avast 2018 – Boot-time Scan

Also, the message will change to ‘Scan will run on next boot‘. To cancel boot-time scan simply click on the ‘Cancel scheduled scan‘ link.

2. Advanced Settings of the Boot-Time Scan

For more advanced options click on the cog-wheel icon in the Boot-time Scan tile on the Other Scans overview (second screenshot in this article). In the boot-time scan settings you can select following options:

• Areas to scan – All hard disks, only system drive, or auto-start programs
• Heuristics sensitivity (analysis which detects not yet known viruses) – Off, low, normal, high (recommended though it may increase amount of false-positives found)
• What do to do if a threat is found – Ask, move to chest, repair, delete, no action, or fix automatically
• Others – Scan for potentially unwanted programs (PUPs), unpack archive files

Changing any of the settings or just confirming doesn’t make the boot-time scan scheduled. You still need to perform the steps above.

Running a Boot-time Scan in Avast 2018 – Boot-time Scan Settings

Please note the boot-time scan isn’t happening in Windows but before Windows are loaded. Below you can see the example of how the boot-time scan looks in the Avast antivirus 2016.

Running a Boot-time Scan in Avast 2018 – Boot-time Scan In Progress

Your Windows will boot automatically if there is no virus found. If Avast founds a virus, you can perform one of the actions below by pressing a relevant number on your keyboard

• 1 – Fix automatically
• 2 – Fix all automatically
• 3 – Move to Chest
• 4 – Move all to Chest
• 5 – Delete
• 6 – Delete all
• 7 – Repair
• 8 – Repair all
• 9 – Ignore
• 0 – Ignore all

If the infected file is in the folder you also need to confirm the action by pressing

• 1 – Yes
• 2 – Yes all
• 3 – No

You can always press ‘Esc‘ key to cancel the scan and continue with the boot. After the boot-time scan is complete, you can find its report in ‘Scan‘ » ‘Scan for viruses‘ » ‘Scan history‘. Alternatively, you can navigate to report by going to ‘C:ProgramDataAVAST SoftwareAvastreportaswBoot.txt‘.

Additional Notes

Although we have used Avast Free Antivirus 2019 screenshots in this article, these steps are also applicable for all Avast Antivirus solutions (i.e. also for Avast Pro Antivirus, Avast Internet Security, or Avast Premier) running the latest version available.

Steps are relevant for all Windows versions – Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 (including Anniversary Update).