Author Topic: JS: Cryptonight [Trj] Found  (Read 6971 times)


Offline viristim

  • Newbie
  • *
  • Posts: 3
Re: JS: Cryptonight [Trj] Found
« Reply #30 on: December 01, 2017, 08:53:50 AM »
Hi,

Pardon my English.
I have the same problem. Avast scan found two issues on my computer.
Has anyone else had this Cryptonight in mobilebackups as well? Photo in attachments.
Also, this morning when I opened the computer I got a notification that my computer's IP number is being used by another computer. So, I restarted the computer and this time I didn't get the message. Wonder what that was about? I'm not a tech person, so hopefully Avast gets this thing sorted out soon.

Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • *
  • Posts: 29
  • Malware Analyst, former VPS maintainer
Re: JS: Cryptonight [Trj] Found
« Reply #31 on: December 01, 2017, 09:05:44 AM »
Hello everyone,

as long as this detection triggers in /private/var/db/uuidtext/ folder, it's an Avast-specific issue caused by incompatibility of Avast VPS with the latest MacOS (including the effect of triggering after reboot). The workaround mentioned above - adding the folder /private/var/db/uuidtext/ to exclusions should resolve the problem.

Also the fix has passed the QA and will get released in today's VPS (I'll post an update with the VPS number). If the issue persists after VPS update, you may need to purge MacOS logs as advised in this superuser.com post: https://superuser.com/questions/1271760/avast-on-macos-high-sierra-claims-it-has-caught-the-windows-only-cryptonight-v


@viristim: The detection triggered on the same file (just in different folders) and it is caused by the aforementioned bug so it is safe to ignore the detection.

UPDATE: The fix has been released in VPS 17120100 (will be available in a couple of minutes once it gets distributed to update servers)


Jiri
« Last Edit: December 01, 2017, 09:54:21 AM by Jiří Šembera »

Offline sam53143

  • Newbie
  • *
  • Posts: 6
Re: JS: Cryptonight [Trj] Found
« Reply #32 on: December 01, 2017, 04:25:40 PM »
Just ran a scan and it's still showing....  @Jiri Sembera  It's been awhile since you posted that the fix will be released in a few minutes.  Was there a problem and the release held up?   Thank you for your help!
« Last Edit: December 01, 2017, 04:39:24 PM by sam53143 »

Offline drake145

  • Newbie
  • *
  • Posts: 14
Re: JS: Cryptonight [Trj] Found
« Reply #33 on: December 01, 2017, 04:47:56 PM »
Just ran a scan and it's still showing....  @Jiri Sembera  It's been awhile since you posted that the fix will be released in a few minutes.  Was there a problem and the release held up?   Thank you for your help!

Sam,

Do you have VPS 17120100?

Offline sam53143

  • Newbie
  • *
  • Posts: 6
Re: JS: Cryptonight [Trj] Found
« Reply #34 on: December 01, 2017, 04:54:15 PM »
@drake145, how can I tell?  I did download an update before I ran the scan..


I am running VPS 17120100...
« Last Edit: December 01, 2017, 05:17:57 PM by sam53143 »

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33742
Re: JS: Cryptonight [Trj] Found
« Reply #35 on: December 01, 2017, 05:52:14 PM »
@drake145, how can I tell?  I did download an update before I ran the scan..


I am running VPS 17120100...
Did you run the scan as soon as it was downloaded?
Some AV use a minute or two to unpack and install it ...

Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • *
  • Posts: 29
  • Malware Analyst, former VPS maintainer
Re: JS: Cryptonight [Trj] Found
« Reply #36 on: December 01, 2017, 06:36:10 PM »
Sam,

the detected file is part of system logging/diagnostic database and some signature fragments have leaked into it due to a bug in the VPS. Therefore even after VPS update the detection may trigger if such file is present on your system. But the fix resolves the issue with leaking signature fragments so new files that trigger the detection should not appear unless MacOS recreates the old files that have been already detected and deleted. In such case you will need to purge the logging/diagnostic database (as mentioned in my previous post).


Jiri
« Last Edit: December 01, 2017, 08:36:28 PM by Jiří Šembera »
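
A toy model of the behaviour described in the post above, added here as an illustration (it is not Avast code and not part of the original thread): a pattern scanner flags a log file that contains its own pattern bytes, keeps flagging the old file after the definitions are fixed, and stops once that file is purged. The pattern, the file names and the way the fragment reaches the log are constructed assumptions.

```python
import os
import tempfile

# Constructed stand-in pattern; not a real Avast signature.
SIGNATURES = {"JS:Cryptonight [Trj]": b"CONSTRUCTED-PATTERN-0001"}


def scan_tree(root):
    """Return {relative path: [detection names]} for files containing a pattern."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            found = [sig for sig, pat in SIGNATURES.items() if pat in data]
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def load_definitions(log_dir, leak):
    """Model a definitions load that writes one diagnostic log file.

    leak=True is the assumed bug: raw pattern bytes reach the log store.
    leak=False is the fixed behaviour: only the detection name is logged.
    """
    os.makedirs(log_dir, exist_ok=True)
    log_name = "leaky.log" if leak else "fixed.log"
    with open(os.path.join(log_dir, log_name), "ab") as log:
        for sig, pat in SIGNATURES.items():
            log.write(b"loaded " + (pat if leak else sig.encode()) + b"\n")


def run_scenario():
    """Walk through bug -> update -> purge and return the hits at each stage."""
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "uuidtext")  # stand-in for the log store
        load_definitions(log_dir, leak=True)
        with_bug = scan_tree(root)
        load_definitions(log_dir, leak=False)  # definitions update applied
        after_update = scan_tree(root)  # the old file is still on disk
        os.remove(os.path.join(log_dir, "leaky.log"))  # purge the old log
        after_purge = scan_tree(root)
    return with_bug, after_update, after_purge


if __name__ == "__main__":
    for stage, hits in zip(("bug", "update", "purge"), run_scenario()):
        print(stage, hits)
```
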

Offline sam53143

  • Newbie
  • *
  • Posts: 6
Re: JS: Cryptonight [Trj] Found
« Reply #37 on: December 01, 2017, 08:05:11 PM »
@Pondus and @Jiri Sembera,   I ran the scan again and everything seems to be ok.  Thank you for your help!

Offline AnotherUsername

  • Newbie
  • *
  • Posts: 5
Re: JS: Cryptonight [Trj] Found
« Reply #38 on: December 01, 2017, 10:12:22 PM »
I just had an alert for a Windows machine.  I then immediately found this thread.   

Threat Description: JS:Cryptonight [Trj]
Threat Severity: Infection
Threat Shield: Antivirus
Object Name: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
Client Version:17.7.2526
Virus DB Version:171129-2

It sounds like a Virus DB update might help?

We're an old AVG client that has been on this horrible AVG > Avast ride.  To say that Avast has been unimpressive would be a drastic understatement.

« Last Edit: December 01, 2017, 10:15:37 PM by AnotherUsername »

Offline Sher3

  • Newbie
  • *
  • Posts: 4
Re: JS: Cryptonight [Trj] Found
« Reply #39 on: December 02, 2017, 03:53:33 AM »
I got that message (JS: Cryptonight [Trj]) on the first screen shot 2 days ago and again today. I put the infections in the virus chest, deleted them, and emptied the trash.

Today Apple Support suggested I run the scan again, which I'm doing now, and the same virus is coming up with a different path.

2 screen shots attached - the path that came up earlier and the path that's coming up now. I'm on macOS Sierra 10.12.6.

I'm not that skilled so I don't know what to do. Please help. Thanks.


Offline Sher3

  • Newbie
  • *
  • Posts: 4
Re: JS: Cryptonight [Trj] Found
« Reply #40 on: December 02, 2017, 03:57:52 AM »
I also use MBAM; the infection doesn't show up on that scan. If I uninstall Avast after I finish the current scan and delete the virus, will that stop it from happening again or has damage already been done?
Thanks.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33742
Re: JS: Cryptonight [Trj] Found
« Reply #41 on: December 02, 2017, 09:37:30 AM »
I also use MBAM; the infection doesn't show up on that scan. If I uninstall Avast after I finish the current scan and delete the virus, will that stop it from happening again or has damage already been done?
Thanks.
Did you read all the posts here? Specifically from those posters that have Avast Team / avast logo in their name
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Sher3

  • Newbie
  • *
  • Posts: 4
Re: JS: Cryptonight [Trj] Found
« Reply #42 on: December 02, 2017, 09:50:51 AM »
I did read all the posts. I don't know how to delete logs. That's why I'm asking for help.

Offline viristim

  • Newbie
  • *
  • Posts: 3
Re: JS: Cryptonight [Trj] Found
« Reply #43 on: December 02, 2017, 10:54:52 AM »
Hi again,

I have the latest Avast virus updates downloaded, I did run Malwarebytes (didn't find anything), and I purged all the caches with OnyX as suggested. Yet, when I run Avast scan, the same virus is coming up with mobilebackups path. Advice?
« Last Edit: December 02, 2017, 10:56:26 AM by viristim »

Offline Asyn

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 49358
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: JS: Cryptonight [Trj] Found
« Reply #44 on: December 02, 2017, 11:00:56 AM »
Hi again, I have the latest Avast virus updates downloaded, I did run Malwarebytes (didn't find anything), and I purged all the caches with OnyX as suggested. Yet, when I run Avast scan, the same virus is coming up with mobilebackups path. Advice?
Best you wait for Jiri...
Win 8.1 [x64] - Avast Premier 17.9.2320.Beta#2 - CC 5.37 [OD] - MCS [OD] - EEK [OD] - FF ESR 52.5.2 [NS5/uBO] - Thunderbird 52.5 [EM]
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen und Infos): https://forum.avast.com/index.php?topic=60523.0