How do I check when a folder IS created?

Status
Not open for further replies.

DjGamewon

Commendable
Mar 5, 2016
17
0
1,560
Right, so I have this virus which installs an Ethereum miner; the way I can check is by going to AppData -> Local and seeing if the Ethash folder is there. I deleted the folder once (November 27th) and it reappeared on December 4th - exactly a week after. So I'm wondering if there's any way to check in real time when the folder is created, just so I delete it now and when it reappears I can instantly react and check what program made it.

Thanks in advance!
 
Solution
Interesting.... Good catch!

Also double-check your MalwareBytes settings. Be sure that nothing is being excluded and that all detections/protections are in place.

If the folder continues to appear at predictable/defined times you might try taking the computer offline an hour or so beforehand. See if that stops the folder from being created or if the folder appears again some "x" amount of time after the computer is back online. That would indicate some external access to your computer.

DjGamewon
Nothing in the Task Scheduler; there is this thing "060184C3-9766-46a0-B258-F4518A0B2633" which is cscript.exe, but from what I've read it's something from Windows. Quick scan with Windows Defender found nothing, gonna perform a full scan now.
 
The creation time on Saturdays changed (11 pm to 9 pm) and now the creation time and date have changed to Thursday, 4 pm.

Made me wonder if some server is connecting back to your PC. I did a quick "google" search and found a link indicating that port 17020 is ethash's port. 12020 was also mentioned.

Reference:

https://forum.ethereum.org/discussion/5431/ethereum-mining-pool-hub-0-fee-pays-all-kind-of-mining-rewards-supports-all-miner-programs/p14

Are those ports open on your computer? Can you close/block them?
 

DjGamewon
Scanned the main drive, had like 600 virus files, most of them were in some kind of PCAppStore, which I think didn't do much, there were like 15 bitcoin mining files and 2 Trojans, so I'm gonna hope this fixed it. Gotta make a reminder to check this thread and check for the Ethash folder - I always forget.
 
In the meantime, do some additional AV scans with another AV application if viable. Also keep checking for and installing any new AV updates for code or AV files.

Make it easy to check for the folder: e.g., create a desktop/"handy" shortcut icon to C:\Users\User\AppData\Local\Ethash.

Clicking the icon should result in an error if the folder does not exist. However, if the folder returns then you will see it and know.....

Delete the shortcut when all is over and done with.
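
An added example, not part of any post in this thread: a PowerShell watcher that answers the original question by firing the moment an `Ethash` folder is created under `%LOCALAPPDATA%`, then saving the time plus a snapshot of running processes and established TCP connections for triage. The output folder, file names and the `EthashCreated` identifier are assumptions made for the example.

```powershell
# Added example: watch %LOCALAPPDATA% for a new "Ethash" folder and capture triage data.
# Folder name is taken from the thread; $OutDir and the output file names are assumptions.
$Parent = $env:LOCALAPPDATA
$Target = 'Ethash'
$OutDir = Join-Path $env:USERPROFILE 'Desktop\ethash-watch'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $Parent
$watcher.Filter                = $Target          # only names matching "Ethash"
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter          = [System.IO.NotifyFilters]::DirectoryName
$watcher.EnableRaisingEvents   = $true

$action = {
    $out   = $Event.MessageData
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    # 1. Record exactly when the folder appeared.
    "$(Get-Date -Format o) created: $($Event.SourceEventArgs.FullPath)" |
        Add-Content -Path (Join-Path $out 'events.log')

    # 2. Snapshot processes, newest first; the creator is usually among the
    #    most recently started ones (or their parents).
    Get-CimInstance Win32_Process |
        Sort-Object CreationDate -Descending |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate,
                      ExecutablePath, CommandLine |
        Export-Csv -Path (Join-Path $out "processes-$stamp.csv") -NoTypeInformation

    # 3. Snapshot established TCP connections with the owning PID, so remote
    #    ports can be matched against the processes file.
    Get-NetTCPConnection -State Established |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
        Export-Csv -Path (Join-Path $out "connections-$stamp.csv") -NoTypeInformation
}

Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier 'EthashCreated' -MessageData $OutDir -Action $action | Out-Null

Write-Host "Watching $Parent for '$Target'. Leave this window open; Ctrl+C to stop."
while ($true) { Start-Sleep -Seconds 5 }
```

The watcher reports that the folder was created, not which program created it, so the process snapshot only narrows the candidates. For a record that names the process, enable Windows file system auditing on the parent folder and look for event 4663 in the Security log.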
 