Author Topic: JS: Cryptonight [Trj] Found  (Read 36024 times)

Offline oineg

  • Newbie
  • *
  • Posts: 16
Re: JS: Cryptonight [Trj] Found
« Reply #15 on: November 28, 2017, 03:13:35 PM »
Excuse my English. I'm Italian. Since yesterday the problem is happening equally on my Mac OS Sierra 10.12.6.

Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • *
  • Posts: 46
  • Developer/Malware Analyst, former VPS maintainer
Re: JS: Cryptonight [Trj] Found
« Reply #16 on: November 28, 2017, 03:44:44 PM »
Hello oineg,

it is a false positive (due to a certain incompatibility of Avast VPS with MacOS Sierra) and a fix for this issue has been submitted for QA. It should get released within a day or two.

Regards
Jiri
« Last Edit: November 28, 2017, 04:12:44 PM by Jiří Šembera »

Offline oineg

  • Newbie
  • *
  • Posts: 16
Re: JS: Cryptonight [Trj] Found
« Reply #17 on: November 28, 2017, 06:42:47 PM »
Thanks for the reply

REDACTED

  • Guest
Re: JS: Cryptonight [Trj] Found
« Reply #18 on: November 29, 2017, 01:37:04 AM »
Not being computer savvy, isn’t this problem just cosmetic? And what is a VPS update and how to obtain it?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
Re: JS: Cryptonight [Trj] Found
« Reply #19 on: November 29, 2017, 05:39:04 AM »
...and what is a VPS update and how to obtain it
Update of the virus definitions, you should get it automatically.

Offline michel

  • Newbie
  • *
  • Posts: 14
Re: JS: Cryptonight [Trj] Found
« Reply #20 on: November 29, 2017, 01:30:16 PM »
Me too, got the same false positive on my Mac ....

Offline Jcubed1959

  • Newbie
  • *
  • Posts: 1
Re: JS:Cryptonight [Trj] Found
« Reply #21 on: November 29, 2017, 04:58:32 PM »
Yesterday, I was filling out online forms and when I went to certain corporate websites to fill out the forms, I noticed my data entry, i.e., keystrokes, were slow, like twice as slow. I suspected a key logger was at work on my MacBookAir. I changed my most important passwords and ran avast full system scan.

After I ran a full system scan last night, avast (version: 12.9, virus definition version: 17112802) found the following virus file: /private/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64 JS: Cryptonight [Trj]

It appears avast will have a VPS update today or tomorrow to solve this false positive, but I am curious if anyone else noticed this behavior on their macs.
« Last Edit: November 29, 2017, 05:19:56 PM by Jcubed1959 »

Offline oineg

  • Newbie
  • *
  • Posts: 16
Re: JS: Cryptonight [Trj] Found
« Reply #22 on: November 30, 2017, 09:30:37 AM »
Avast, when will you fix this problem?
Sorry for my English

REDACTED

  • Guest
Re: JS: Cryptonight [Trj] Found
« Reply #23 on: November 30, 2017, 09:36:36 AM »
I'd like to add to this, to where many have mentioned this is a false positive, I think this is a catalyst that has let something else in. After reading up on typical behavior of a machine being infected with JS:Cryptonight, my machine is reacting in a similar way. First scan showed me the trojan with the same path. Antivirus said it couldn't quarantine it or delete it. Next antivirus scans are getting stuck, never happened before and mac is all of a sudden slowing down. Does anyone have any ideas on what I should check? I'm thinking to just wipe my machine versus waiting for a vps update.

Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • *
  • Posts: 46
  • Developer/Malware Analyst, former VPS maintainer
Re: JS: Cryptonight [Trj] Found
« Reply #24 on: November 30, 2017, 09:49:57 AM »
Hello,

I've checked the release status and it looks like the fix will be included in tomorrow's VPS. You can add the folder /private/var/db/uuidtext to Filesystem shield exclusions as a workaround.

Jiri

REDACTED

  • Guest
Re: JS: Cryptonight [Trj] Found
« Reply #25 on: November 30, 2017, 04:30:18 PM »
1. Ran Bitdefender and Avast simultaneously. Avast found JS:Cryptonight, Bitdefender didn’t.
2. Placed JS:Cryptonight in Bitdefender's virus removal tool and it was not found.
3. On Bitdefender's suggestion, after deleting JS:Cryptonight and uninstalling Avast, ran Bitdefender, which found nothing. Reinstalled Avast and it found JS:Cryptonight.
3. Sent scan logs to Bitdefender.
4. Sent /private/var/db/7B/BCBEE...........64 to Bitdefender along with a copy from console after I deleted aforementioned file. Also informed them of this forum and Frostbites link.
5. 12/3 running definition 17120300 and the odd thing is that the file no longer appears in the 7B folder. I can see Avast making a change that doesn't label the BCBEE8D09234D99DD8B85A99E46C64 as a cryptonight virus but why wouldn't my Mac keep generating this file?
6. As of 12/5 Bitdefender is sending the BCBEE.....64 file I sent to them to their virus lab. I wouldn't get all warm and fuzzy about this being a false positive quite yet as they apparently haven't dismissed it as such.
7. 12/13 finally received a confirmation from Bitdefender that this is a false positive.
« Last Edit: December 13, 2017, 08:28:28 PM by havesail1 »

REDACTED

  • Guest
Re: JS: Cryptonight [Trj] Found
« Reply #26 on: November 30, 2017, 07:31:06 PM »
Avast is pissing me off on this.  We shouldn't have to play virus detective like this.  They ought to at least have a way to contact them and get an answer.  I am paying them for security and they should be doing it.  I shouldn't have to ferret around on forums to TRY to figure out what they should actually be DOING.

Offline drake145

  • Jr. Member
  • **
  • Posts: 45
Re: JS: Cryptonight [Trj] Found
« Reply #27 on: November 30, 2017, 08:40:41 PM »
I'd like to add to this, to where many have mentioned this is a false positive, I think this is a catalyst that has let something else in. After reading up on typical behavior of a machine being infected with JS:Cryptonight, my machine is reacting in a similar way. First scan showed me the trojan with the same path. Antivirus said it couldn't quarantine it or delete it. Next antivirus scans are getting stuck, never happened before and mac is all of a sudden slowing down. Does anyone have any ideas on what I should check? I'm thinking to just wipe my machine versus waiting for a vps update.

Ryan,

I have not experienced not being able to quarantine or delete the file, but I suggest that you attempt the following before re-formatting your mac:

1) Downloading Malwarebytes and running a scan to see if it detects anything.
2) Re-install Avast to see if it fixes the hanging scans.

You could also wait for the VPS update tomorrow to see if things improve.
« Last Edit: November 30, 2017, 08:54:38 PM by drake145 »

Offline drake145

  • Jr. Member
  • **
  • Posts: 45
Re: JS:Cryptonight [Trj] Found
« Reply #28 on: November 30, 2017, 08:54:12 PM »
Yesterday, I was filling out online forms and when I went to certain corporate websites to fill out the forms, I noticed my data entry, i.e., keystrokes, were slow, like twice as slow. I suspected a key logger was at work on my MacBookAir. I changed my most important passwords and ran avast full system scan.

After I ran a full system scan last night, avast (version: 12.9, virus definition version: 17112802) found the following virus file: /private/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64 JS: Cryptonight [Trj]

It appears avast will have a VPS update today or tomorrow to solve this false positive, but I am curious if anyone else noticed this behavior on their macs.

Jcubed1959,

If Avast did not detect anything else in your system, I would suggest that you download, and run a scan, with Malwarebytes to see if it finds anything.

REDACTED

  • Guest
Re: JS: Cryptonight [Trj] Found
« Reply #29 on: December 01, 2017, 12:54:59 AM »
Thanks Drake, I already have MBAM and MBAM does not come up with anything. After restarting the machine, the file comes back but I am now able to quarantine it. My mac is running considerably slower than normal. I may try reinstalling antivirus but have read that running updates and downloading anything helps fuel the fire with this JS: Cryptonight.