Author Topic: JS: Cryptonight [Trj] Found  (Read 7411 times)

Offline Philip4k

  • Newbie
  • Posts: 2
Re: JS: Cryptonight [Trj] Found
« Reply #45 on: December 02, 2017, 12:33:55 PM »
Hello! I did a virus search this morning and Avast showed me the same "virus" that you've been having trouble with. It was in the "private/var/db/uuidtext" folder, so from what you're saying it's not a virus? Should I just ignore it and wait for Avast to come up with an update, or what's going on? And should I put the file that it detected in the "quarantine/chest" or delete it? Best regards, Philip

Edit: I deleted the virus file "/private/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64 JS: Cryptonight [Trj]", and did a new search and nothing showed, maybe it's all good then?
« Last Edit: December 02, 2017, 01:03:31 PM by Philip4k »

Offline drake145

  • Newbie
  • Posts: 14
Re: JS: Cryptonight [Trj] Found
« Reply #46 on: December 02, 2017, 01:47:26 PM »
Philip4k,

Yes, this is a false positive. The VPS update yesterday should have resolved the issue, but it still persists for me. From Jiri's (Avast Team) posts, it appears that the VPS update is more to mitigate future events like this from happening, as the current issue seems rather difficult to fix.

I have not tried purging the logs yet as has been suggested, as another user has reported that the detection came back somewhere else.

I believe if you restart your Mac, it will appear again, as the file re-generates (for the reason, see the superuser post: https://superuser.com/questions/1271760/avast-on-macos-high-sierra-claims-it-has-caught-the-windows-only-cryptonight-v).
« Last Edit: December 02, 2017, 01:51:34 PM by drake145 »

Offline Philip4k

  • Newbie
  • Posts: 2
Re: JS: Cryptonight [Trj] Found
« Reply #47 on: December 02, 2017, 02:58:44 PM »
Ah I see @Drake145! Thanks for the Reply! Glad that it's not anything dangerous! Now I can stop worrying about this and focus on my work ;)!

I will restart my Mac later and then run a virus scan and see if anything pops up!
« Last Edit: December 02, 2017, 03:00:43 PM by Philip4k »

Offline danton2

  • Newbie
  • Posts: 3
Re: JS: Cryptonight [Trj] Found
« Reply #48 on: December 02, 2017, 05:23:16 PM »
This whole problem seems to be cosmetic without functional ramifications. What is wrong with uninstalling Avast and using a different product, leaving behind some remnants in the log file? Or maybe I'm missing something.

Offline viristim

  • Newbie
  • Posts: 3
Re: JS: Cryptonight [Trj] Found
« Reply #49 on: December 03, 2017, 07:43:04 AM »
Hi,

Thought I'd just let you know that Avast scan no longer finds the "fake virus" on my Mac. As I wrote earlier: I updated Avast, purged logs with OnyX and ran Malwarebytes. Then I restarted the computer, and at first, the fake virus was found again. Then later in the day, when I restarted the computer again and ran Avast scan, the fake virus was gone. So, maybe Avast took some time to update or something, but now everything seems good and clean.
« Last Edit: December 03, 2017, 07:45:39 AM by viristim »

Offline drake145

  • Newbie
  • Posts: 14
Re: JS: Cryptonight [Trj] Found
« Reply #50 on: December 03, 2017, 04:03:35 PM »
> Hi,
>
> Thought I'd just let you know that Avast scan no longer finds the "fake virus" on my Mac. As I wrote earlier: I updated Avast, purged logs with OnyX and ran Malwarebytes. Then I restarted the computer, and at first, the fake virus was found again. Then later in the day, when I restarted the computer again and ran Avast scan, the fake virus was gone. So, maybe Avast took some time to update or something, but now everything seems good and clean.

After reading the above, I quarantined the file, deleted it, re-started, and, curiously, the log did not regenerate.

Offline drake145

  • Newbie
  • Posts: 14
Re: JS: Cryptonight [Trj] Found
« Reply #51 on: December 03, 2017, 04:11:10 PM »
> This whole problem seems to be cosmetic without functional ramifications. What is wrong with uninstalling Avast and using a different product, leaving behind some remnants in the log file? Or maybe I'm missing something.

Yes, this issue may not have any functional ramifications, but a false positive may cause unneeded stress, and if someone does not come to the forums first to see if others are having the same issue, they may end up spending time, and monetary resources, going to a computer technician in order to troubleshoot a non-consequential issue.

Also, false positives are not exclusive to Avast. If you look at the VirusTotal link (https://www.virustotal.com/#/file/4b263d8b55c3478f4e9d9d1af37ee277d59200cf5b6eb22ecd343eef25b0627b/detection) that I posted, you will see that, as of this post, 4 other AVs flag this file. When I originally submitted the file, it was only 2.
« Last Edit: December 03, 2017, 04:15:15 PM by drake145 »

Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • Posts: 30
  • Malware Analyst, former VPS maintainer
Re: JS: Cryptonight [Trj] Found
« Reply #52 on: December 04, 2017, 02:03:20 PM »
Hello viristim,

Your problem seems to be caused by macOS' MobileBackup tool. It looks like it has picked up the detected file and keeps restoring it. This might help: https://discussions.apple.com/thread/7333209?start=0&tstart=0

Jiri

Offline gbp_bnc

  • Newbie
  • Posts: 2
Re: JS: Cryptonight [Trj] Found
« Reply #53 on: December 06, 2017, 01:55:52 AM »
I have the issue on my Windows 7 PC. The URL aborted keeps changing. Avast says:

JS: cryptonight [Trj]

URL: http://94.130.97.189/m/g367thgwe29fhe4r/build.js
(The next time was 94.130.98.207)

Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Detected by: Web shield

Status: Connection aborted

Offline drake145

  • Newbie
  • Posts: 14
Re: JS: Cryptonight [Trj] Found
« Reply #54 on: December 08, 2017, 04:57:34 PM »
> I have the issue on my Windows 7 PC. The URL aborted keeps changing. Avast says:
>
> JS: cryptonight [Trj]
>
> URL: http://94.130.97.189/m/g367thgwe29fhe4r/build.js
> (The next time was 94.130.98.207)
>
> Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
>
> Detected by: Web shield
>
> Status: Connection aborted

I think this may need to be posted on the Windows forum, as this looks like something different than what is being discussed in this post.

Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • Posts: 30
  • Malware Analyst, former VPS maintainer
Re: JS: Cryptonight [Trj] Found
« Reply #55 on: December 11, 2017, 05:34:34 PM »
> I have the issue on my Windows 7 PC. The URL aborted keeps changing. Avast says:
>
> JS: cryptonight [Trj]
>
> URL: http://94.130.97.189/m/g367thgwe29fhe4r/build.js
> (The next time was 94.130.98.207)
>
> Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
>
> Detected by: Web shield
>
> Status: Connection aborted

Hello gbp_bnc,

In this case it is a legitimate blocking of a malicious crypto miner which uses your computer to mine cryptocurrencies using your computer. It results in lower computer performance, shorter battery life and higher electricity bills.

Jiri

Offline gbp_bnc

  • Newbie
  • Posts: 2
Re: JS: Cryptonight [Trj] Found
« Reply #56 on: Yesterday at 12:46:59 AM »
Thank you. It was in one of the Chrome extensions.