Avast Alerts For Using Chrome Mac


Yesterday I ran a full system scan using my Avast antivirus software and it found an infection file. The file's location is:


Avast categorizes the infection file as :

So, after deleting the file I did several more full system scans to check to see if there were any more files. I found nothing, until I restarted my MacBook Pro today. The file reappeared in the same location. So I decided to let Avast put it in the virus chest, restarted the laptop, and again the file was in the same location. Therefore the virus is re-creating the file every restart of the laptop.

I want to avoid wiping the laptop and re-installing everything, so that is why I am here. I researched the file path and cryptonight and found out that cryptonight is/can be malicious code that can run in the background of someone's computer to mine cryptocurrency. I've been monitoring my CPU usage, Memory, and Network and I haven't seen a single odd process running. My CPU is running below 30%, my RAM is generally below 5GB (installed 16GB), and my network hasn't had any processes sending out/receiving large amount of data. So if something is mining in the background, I can't tell at all. I have no clue what to do.

My Avast runs full system scans every week, so this just recently became an issue this week. I checked all of my Chrome extensions and nothing is out of order, I haven't downloaded anything special within the past week, besides the new Mac operating system (macOS High Sierra 10.13.1). So I have no clue where this has come from to be honest and I have no clue how to get rid of it. Can someone please help me out?

I suspect that this supposed “virus” is coming from the Apple update and that it is just a pre-installed file that is created and runs every time the OS is booted/rebooted. But I am unsure since I only have one MacBook and no one else that I know that has a Mac has updated the OS to High Sierra. But Avast keeps labeling this as a potential “Cryptonight” virus and no one else online has posted anything about this issue. Therefore, a common virus removal forum isn't helpful in my situation, since I've already attempted to remove it with Avast, Malwarebytes, and manually.

Lonely Twinky

1 Answer

Pretty sure there is no virus, malware or trojan at play and this is all a highly coincidental false positive.

It’s most likely a false positive since /var/db/uuidtext/ is related to the new “Unified Logging” subsystem that was introduced in macOS Sierra (10.2). As this article explains:

The first file path (/var/db/diagnostics/) contains the log files. These files are named with a timestamp filename following the pattern logdata.Persistent.YYYYMMDDTHHMMSS.tracev3. These files are binary files that we’ll have to use a new utility on macOS to parse them. This directory contains some other files as well including additional log *.tracev3 files and others that contain logging metadata. The second file path (/var/db/uuidtext/) contains files that are references in the main *.tracev3 log files.

But in your case the “magic” seems to come from the hash:

Just check out this reference for known Windows malware files that references that one specific hash. Congratulations! Your Mac has magically created a filename that matches a known vector that has been primarily seen on Windows systems… But you are on a Mac and this filename is just a hash that is connected to the “Unified Logging” database system’s file structure and it is completely coincidental that it matches that malware filename and should not mean anything.

And the reason that specific file seems to regenerate is based on this detail from the above explanation:

The second file path (/var/db/uuidtext/) contains files that are references in the main *.tracev3 log files.

So you delete the file in /var/db/uuidtext/, but all it is is a reference to what is in /var/db/diagnostics/. So when you reboot, it sees it is missing and recreates it in /var/db/uuidtext/.

As for what to do now? Well, you can either tolerate the Avast alerts or you can download a cache cleaning tool such as Onyx and just force the logs to be recreated by truly purging them from your system; not just that one BC8EE8D09234D99DD8B85A99E46C64 file. Hopefully the hash names of the files it regenerates after a full cleaning won’t accidentally match a known malware file again.

UPDATE 1: It seems like Avast staff acknowledges the issue in this post on their forums:

I can confirm this is a false positive. The superuser.com post describes the issue quite well - MacOS seems to have accidentally created a file that contains fragments of malicious cryptocurrency miner which also happen to trigger one of our detections.

Now what is really odd about this statement is the phrase, “…MacOS seems to have accidentally created a file that contains fragments of malicious cryptocurrency miner.”

What? Is this implying that someone on the core macOS software development team at Apple somehow “accidentally” setup the system so it generates neutered fragments of a known malicious cryptocurrency miner? Has anyone contacted Apple directly about this? This all seems a bit crazy.

UPDATE 2: This issue is further explained by Radek Brich on the Avast forums as simply Avast self-identifying itself:

Hello, I'll just add a bit more information.

The file is created by MacOS system, it's actually part of 'cpu usage' diagnostic report. The report is created because Avast uses the CPU heavily during the scan.

The UUID (7BBC8EE8-D092-34D9-9DD8-B85A99E46C64) identifies a library which is a part of Avast detections DB (algo.so). The content of the file is debugging information extracted from the library. Unfortunately, this seems to contain a string which is in return detected by Avast as a malware.

(The 'rude' texts are probably just names of malware.)

JakeGould
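
The mapping between the flagged path and the library UUID quoted in the answer above, as an added example that is not part of the original posts: the first two hex digits of the UUID are the directory under /var/db/uuidtext/ and the remaining 30 are the file name, so an alert path can be turned back into a UUID and compared against `dwarfdump --uuid` output for a candidate binary. The function names, the sample `dwarfdump` output and the `/placeholder/path/` location are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an AV alert on a /var/db/uuidtext/ entry by
# recovering the image UUID the entry belongs to.

# /var/db/uuidtext/<first 2 hex digits>/<remaining 30 hex digits> -> UUID
uuidtext_path_to_uuid() {
    dir=$(basename "$(dirname "$1")")
    file=$(basename "$1")
    hex=$(printf '%s%s' "$dir" "$file" | tr 'a-f' 'A-F')
    # Reject anything that is not a 2-character directory plus 30 hex digits.
    [ "${#dir}" -eq 2 ] || return 1
    printf '%s' "$hex" | grep -Eq '^[0-9A-F]{32}$' || return 1
    printf '%s\n' "$hex" |
        sed -E 's/^(.{8})(.{4})(.{4})(.{4})(.{12})$/\1-\2-\3-\4-\5/'
}

# UUID in 8-4-4-4-12 form -> the uuidtext path macOS would use for it
uuid_to_uuidtext_path() {
    hex=$(printf '%s' "$1" | tr -d '-' | tr 'a-f' 'A-F')
    printf '%s' "$hex" | grep -Eq '^[0-9A-F]{32}$' || return 1
    first=$(printf '%.2s' "$hex")
    printf '/var/db/uuidtext/%s/%s\n' "$first" "${hex#??}"
}

# Read `dwarfdump --uuid <binary>...` output on stdin and print the path of
# every binary whose UUID equals $1. Line format on macOS:
#   UUID: <uuid> (<arch>) <path>
owner_of_uuid() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '$1 == "UUID:" && toupper($2) == want {
        sub(/^UUID: [^ ]+ \([^)]*\) /, ""); print }'
}

# Constructed sample output; the directory is a placeholder, not a real path.
SAMPLE_DWARFDUMP='UUID: 7BBC8EE8-D092-34D9-9DD8-B85A99E46C64 (x86_64) /placeholder/path/algo.so
UUID: 00000000-1111-2222-3333-444444444444 (x86_64) /placeholder/path/other.dylib'

alert=/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64
uuid=$(uuidtext_path_to_uuid "$alert") && {
    echo "alert path maps to UUID $uuid"
    printf '%s\n' "$SAMPLE_DWARFDUMP" | owner_of_uuid "$uuid"
}
```

On a real Mac, replace the sample text with the output of `dwarfdump --uuid` run against the binaries you suspect own the entry.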


I am not knowledgeable on how to find adware/malware beyond scanning for it with whatever protection software I have. I avoid suspicious websites and often get popups from Avast if a page is infected and leave immediately. I recently have been receiving alerts that Avast stopped malware from:

http:// nano-adrouting-exchange (dot) info//Router//routing..

I could be just reading an article, not surfing, and the alert pops up. I have received 5 popups since they first began 3/2. I sense that some malware is actively trying to get through to my computer and I'm not sure how to stop it.

I'm on Chrome on Mac if that helps.

BeerBeard

2 Answers

Lead developer of MacScan here! Hopefully I can shed some light on what I think is happening. I found a reference to the site you mentioned over on VirusTotal, and from other domains associated with that IP address it looks like this is the case of a fake antivirus alert scam popup. Basically, what happens is these scammers buy ad space on a number of sites (or through third party ad providers), and through the magic of JavaScript pop up an alert notifying you that your system is infected, and that you should call their 1-800 number to get it fixed.

Obviously, your system isn't really infected, but the pop-ups can be quite persistent, getting to the point of locking up your web browser by respawning the minute you close one out. If you call the 1-800 number, the scammers will have you install remote access software so they can take control of your system to 'fix' the problem. They usually charge between $200 to $400 for this 'service.'

What I think is happening is that Avast has a content filter component, and is basically blocking those scam popups from appearing while you surf the web. Since the popups originate from ads on various websites, this would explain the behavior that you're seeing. If you're encountering the alert repeatedly on the same websites, you might want to e-mail the admin for the website and let them know that some of the ads they're serving are the scammy fake antivirus popups.

Hopefully this information can give you some peace of mind, but if you'd like to double-check for the presence of any adware or malware on your system causing problems, feel free to contact our support team and we'd be happy to investigate the issue further.

nptacek

The advice on How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC? is good advice generally, even though it's aimed at Windows rather than Mac, but before going to the extremes suggested there of cleaning down the entire machine..

As that's an adware site you're being prevented from visiting, the only thing you are likely to be suffering from is a bad cookie, rather than a virus-infested machine.

In that case, I'd recommend three things, two of which are free/donationware.

  • Get Malwarebytes [freeware] which is an on-demand checker - it runs only when you tell it, rather than continually in the background. It won't conflict with Avast.

  • Install AdBlock, which you can get from the Chrome Extensions page .. Chrome menu > Preferences > Extensions

  • [Most expensive - so completely optional] Install MacScan [$50 annual subscription] & set it to run daily scans.

No affiliation with any of the above.

Tetsujin
