How do I check when a folder IS created?

[DjGamewon]

Right, so I have this virus which installs a ethereum miner, the way i can check is by going to appdata -> local and see if the ethash folder is there. I deleted the folder once(November 27th) and it reappeared on december 4th - exactly a week after. So i'm wondering, if there's any way to check real-time when the folder is created, just so i delete it now and when it reappears i can instantly react and check what program made it.

Thanks in advance!

 

[jetfighter545]

Another annoying thing with these type of programs is that they can be classified as a PUP so antimalware doesn't detect it. Windows defender usually does though.

 

[Ralston18]

Take a look via Task Scheduler. See if anything turns up there.

 

[DjGamewon]

Nothing in the task scheduler, there is this thing "060184C3-9766-46a0-B258-F4518A0B2633" which is cscript.exe, but from what i've read it's something from windows. Quick scan for windows defender found nothing, gonna perform a full scan now.

 

[DjGamewon]

The scan came up with nothing.

 

[Ralston18]

The creation time on Saturdays changed (11 pm to 9 pm) and now the creation time and date has changed to Thurday, 4 pm.

Made me wonder if some server is connecting back to your pc. I did a guick "google" search and found a link indicating that port 17020 is ethash's port. 12020 was also mentioned.

Reference:

https/forum.ethereum.org/discussion/5431/ethereum-mining-pool-hub-0-fee-pays-all-kind-of-mining-rewards-supports-all-miner-programs/p14

Are those ports open on your computer? Can you close/block them?

 

[DjGamewon]

No ports like that, neither in outbound or inbound. Also, a new file appeared just yesterday at 11:04pm (14th january)

 

[DjGamewon]

Oh, turns out i only scanned 1 drive with malwarebytes, and that drive isn't my main one, so probably gonna scan it later today.

 

[Ralston18]

Interesting.... Good catch!

Also double-check your MalwareBytes settings. Be sure that nothing is being excluded and that all detections/protections are in place.

If the folder continues to appear at predictable/defned times you might try taking the computer offline an hour or so beforehand. See if that stops the folder from being created or if the folder appears again some "x"amount of time after the computer is back online. That would indicate some external access to your computer.

 

[DjGamewon]

Scanned the main drive, had like 600 virus files, most of them were in some kind of PCAppStore, which i think didn't do much, there were like 15 bitcoin mining files and 2 Trojans, so i'm gonna hope this fixed it. Gotta make a reminder to check this thread and check for the Ethash folder - I always forget.

 

[Ralston18]

In the meantime, do some additonal AV scans with another AV application if viable. Also keep checking for and installing any new AV updates for code or AV files.

Make it easy to check for the folder: e.g., create a desktop/"handy" shortcut icon to C:\Users\User\AppData\Local\Ethash.

Clicking the icon should result in an error if the folder does not exist. However, if the folder returns then you will see it and know.....

Delete the shortcut when all is over and done with.

 

[DjGamewon]

Well, saturday has just passed for me, no ethash folder! It was created on other days, but that was around 1 or 2 times out of 10 so i think its fixed!