How do I check when a folder IS created?

Status
Not open for further replies.

DjGamewon

Commendable
Mar 5, 2016
17
0
1,560
Right, so I have this virus which installs an Ethereum miner; the way I can check is by going to AppData -> Local and seeing whether the Ethash folder is there. I deleted the folder once (November 27th) and it reappeared on December 4th, exactly a week later. So I'm wondering if there's any way to check in real time when the folder is created, just so I can delete it now and, when it reappears, instantly react and check what program made it.

Thanks in advance!
 
Solution
Interesting.... Good catch!

Also double-check your MalwareBytes settings. Be sure that nothing is being excluded and that all detections/protections are in place.

If the folder continues to appear at predictable/defined times you might try taking the computer offline an hour or so beforehand. See if that stops the folder from being created or if the folder appears again some "x" amount of time after the computer is back online. That would indicate some external access to your computer.
Agree with rdg1101.

You may need to try another anti-malware product or two.

That said, depending on how much you are willing to delve into things, you could set up some sort of script that runs at startup.

Powershell could do such a test for you.

E.g.:

https://technet.microsoft.com/en-us/library/ff730955.aspx

You would need to add in "if-then" to delete the folder if the Test-Path results are true.

The real start should be to identify the software that creates the folder.

Use Task Manager to check Startups, Processes, Details, and Services. Look for some unexpected "Name" and then try to determine the source.

Search the registry for some reference. I.e. "ethash". The objective is to find more information or details about the ethash folder.

Any such information or details can be googled. Or posted accordingly.


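The two suggestions above (a script built around Test-Path, and finding what is running when the folder appears) can be combined in one watcher. The following is an added PowerShell example written by the editor; it is not code from anyone in the thread. It assumes the folder is %LOCALAPPDATA%\Ethash as the question states, and the log file name is my choice. A FileSystemWatcher cannot report which process created a directory, so the handler records every process that was not running when the watcher started; the creator, or a child it launched, is usually in that list.

```powershell
# Added example (editor's code, not from the thread).
# Watches %LOCALAPPDATA% for a directory named Ethash being created, logs the
# time, and lists processes that were not running when the watcher started.
# Assumptions: folder name from the question; log file path is my choice.
$watchDir   = $env:LOCALAPPDATA
$targetName = 'Ethash'
$target     = Join-Path $watchDir $targetName
$logFile    = Join-Path $env:USERPROFILE 'ethash-watch.log'

# Remove an existing copy first so that the next appearance raises a Created
# event (this is the Test-Path / if-then / delete the reply above describes).
if (Test-Path -LiteralPath $target) {
    "[{0}] removed existing {1}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $target |
        Add-Content -Path $logFile
    Remove-Item -LiteralPath $target -Recurse -Force
}

# Baseline of process IDs; anything not in this list at event time is "new".
$baseline = @(Get-Process | Select-Object -ExpandProperty Id)

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $watchDir
$watcher.Filter                = $targetName          # only this exact name
$watcher.NotifyFilter          = [System.IO.NotifyFilters]::DirectoryName
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents   = $true

$onCreated = {
    $log   = $Event.MessageData.Log
    $base  = $Event.MessageData.Baseline
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $lines = @("[$stamp] CREATED: $($Event.SourceEventArgs.FullPath)",
               "  processes not present when the watcher started:")
    foreach ($p in Get-Process) {
        if ($base -notcontains $p.Id) {
            # Path is empty for protected/system processes we cannot open.
            $lines += "    {0,-6} {1,-25} {2}" -f $p.Id, $p.ProcessName, $p.Path
        }
    }
    $lines | Add-Content -Path $log
}

# A folder moved into place raises Renamed rather than Created; register that
# event as well if the log stays empty after the folder shows up.
Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier 'EthashCreated' -Action $onCreated `
    -MessageData @{ Log = $logFile; Baseline = $baseline } | Out-Null

"[{0}] watching {1} for {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $watchDir, $targetName |
    Add-Content -Path $logFile

# Keep the session alive; the -Action block runs while this loop sleeps.
# Stop with Ctrl+C, then: Unregister-Event -SourceIdentifier 'EthashCreated'
while ($true) { Start-Sleep -Seconds 30 }
```

Leave the window open (or register the script as a logon task) and read ethash-watch.log after the folder reappears. The process list narrows the search but is not proof; the creating process may have exited by the time the snapshot runs, which is why the auditing approach further down the thread is the more reliable way to get the process name.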
 

DjGamewon

Right, update: it gets created every Saturday, 11pm for me. It's not a startup; it's something that's running that creates it at exactly this time. How do I know what created it?
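Something that fires at the same weekday and hour, without being a startup item, is most often a scheduled task. The following is an added PowerShell example written by the editor, not code from the thread, that lists every task whose last or next run falls in the Saturday 23:00 hour (the day and hour are taken from the post above and are the only assumptions) together with the command each task runs and who registered it.

```powershell
# Added example (editor's code, not from the thread).
# Lists scheduled tasks whose last or next run falls on Saturday in the 23:00
# hour, with the command each runs. Day and hour are assumed from the post.
# Needs the ScheduledTasks module (Windows 8 / Server 2012 and later).
$day  = 'Saturday'
$hour = 23

Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    # A task that has never run reports a placeholder date in 1899; skip it.
    $hits = @(@($info.LastRunTime, $info.NextRunTime) | Where-Object {
        $_ -and $_.Year -gt 2000 -and $_.DayOfWeek -eq $day -and $_.Hour -eq $hour
    })
    if ($hits.Count -gt 0) {
        foreach ($a in $task.Actions) {
            # Exec actions carry Execute/Arguments; COM-handler actions a ClassId.
            $cmd = if ($a.Execute) { ("{0} {1}" -f $a.Execute, $a.Arguments).Trim() }
                   else            { "COM handler $($a.ClassId)" }
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                Run     = $hits[0]
                Command = $cmd
                Author  = $task.Author
            }
        }
    }
} | Sort-Object Run | Format-Table -AutoSize -Wrap
```

Read the Command column for anything that runs from a user-writable location (AppData, Temp, ProgramData) or uses an odd name; a task that runs hourly will also appear, so check the trigger with `Get-ScheduledTask -TaskName <name> | Select-Object -ExpandProperty Triggers` before drawing conclusions. If this list comes up empty, the other timer-driven persistence mechanism worth enumerating is WMI permanent event subscriptions (`Get-CimInstance -Namespace root\subscription -ClassName __EventFilter` and `CommandLineEventConsumer`).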
 
My starting point would be the Event Viewer logs; beginning with the Applications Logs and next the Applications and Services logs.

Look for some informational entry whose entry time is just before or at 11 pm on Saturdays. Double click any given entry for details.

If nothing is found in Applications or Applications and Services then look in the other sections. There is also a Find option under Action (right side of the screen) that you may be able to take advantage of. Search for ethash, ethereum, or miner, versus trying to just eyeball the search.

Be aware that if there are many entries it may take a few moments to display any records - sans an immediate "Number of events:0" at the top of the selected Event folder window.

Failing that carefully search the registry for "ethash" via regedit. May find a clue or two therein.

Hopefully if nothing malicious is involved (where specific information or logged details could be masked) the source of the folder creation should show up.
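Event Viewer will only show the creator if the creating program happens to log something itself. Windows can be made to record it regardless: with object-access auditing enabled and a SACL on the parent folder, every subdirectory created there produces Security event 4663, which carries the image path of the process that did it. The following is an added PowerShell example written by the editor, not code from the thread; run it as Administrator. It assumes the folder is %LOCALAPPDATA%\Ethash and the Saturday 22:50 to 23:10 window from the thread; the function name Get-CreatorEvents is mine. Part 1 is one-time setup; Part 2 is what you run after the folder has reappeared.

```powershell
# Added example (editor's code, not from the thread). Run as Administrator.
# Part 1 turns on File System auditing and puts a SACL on %LOCALAPPDATA% so
# that creating a subdirectory there writes Security event 4663, which names
# the process. Part 2 pulls those events, plus everything else logged, for
# the Saturday 22:50-23:10 window. Folder name and window are assumptions.
$dir  = $env:LOCALAPPDATA
$name = 'Ethash'

# --- Part 1: one-time setup ------------------------------------------------
auditpol /set /subcategory:"File System" /success:enable | Out-Null

$acl  = Get-Acl -LiteralPath $dir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::CreateDirectories,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $dir -AclObject $acl

# --- Part 2: read back after the folder has reappeared ---------------------
function Get-CreatorEvents {
    param([datetime]$Start, [datetime]$End, [string]$Parent)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663;
                                     StartTime = $Start; EndTime = $End } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The EventData fields are easiest to read from the XML form.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Keep events under the audited folder; AccessMask 0x4 is AddSubdirectory.
        if ($d.ObjectName -like "$Parent*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $d.SubjectUserName
                Process = $d.ProcessName        # image path of the creator
                Object  = $d.ObjectName
                Access  = $d.AccessMask
            }
        }
    }
}

# Most recent Saturday, 22:50 to 23:10 (window assumed from the thread).
$sat = (Get-Date).Date
while ($sat.DayOfWeek -ne 'Saturday') { $sat = $sat.AddDays(-1) }
$start = $sat.AddHours(22).AddMinutes(50)
$end   = $sat.AddHours(23).AddMinutes(10)

Get-CreatorEvents -Start $start -End $end -Parent $dir |
    Where-Object { $_.Object -like "*\$name*" -or $_.Access -eq '0x4' } |
    Format-Table -AutoSize -Wrap

# Everything any log recorded in the same window, for the manual review the
# reply above describes (slow on a busy machine; empty or locked logs are skipped).
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    ForEach-Object {
        Get-WinEvent -FilterHashtable @{ LogName = $_.LogName; StartTime = $start; EndTime = $end } `
            -ErrorAction SilentlyContinue
    } |
    Select-Object TimeCreated, LogName, ProviderName, Id, Message |
    Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

The SACL is limited to the CreateDirectories right so the Security log is not flooded by the constant file writes under AppData\Local. The Process column of the first table is the answer the thread is looking for; if it points at a legitimate host such as powershell.exe, cmd.exe or wscript.exe, the next step is the scheduled task or script that launched it, since the time window now gives you a precise timestamp to match against.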
 
What are those events? Process, service, application?

Can you associate them with some update or backup attempt? One particular Office application? Any codes or error numbers? Some file or utility?

Almost appears that the Ethereum miner, for whatever reason, may have left some "component" behind...

One thing that would be interesting to try is to temporarily reset your system clock and date to 10:50pm on Dec 10th. Wait 20 minutes or so and see if the folder shows up. And likewise the events.

Could trigger some backup or automatic update attempt so just be aware of that.

 

DjGamewon

It didn't get created this week, which is weird; it usually gets created on Saturday. Anyway, the Office events are some associated with saving and such. Also sorry for the long delay; I forget about things quickly.
 

DjGamewon

The event was saving a file. I searched for ethash in the Event Viewer: nothing. I looked at each section, but nothing at that time.

Do you mean the drive path to the Ethash folder? If so it's C:\Users\User\AppData\Local\Ethash and it is not shared.
 

jetfighter545

Estimable
May 20, 2015
17
0
4,570
Someone here was having the same problem. They seem to have located a program called rthdcpl.exe which was responsible for creating the miner program. Try to locate it using task manager. They believe that antimalware couldn't find it because it is a PUP instead of malware.
 

DjGamewon




I'll try to when I get home, which will be either tomorrow or Monday. A lot of people were having this issue as well; some of them had ctfhost, I don't, so I'm hoping this is the one.
 

DjGamewon

Nothing. Searched through my disks for rthdcpl and ethash, also searched through the registry, nothing. The Ethash folder has no files in it (I only deleted the files to see if leaving the folder there speeds anything up), and so far nothing has been created. I check the Ethash folder every day once or twice.
 

DjGamewon

There it is again, created yesterday at 4PM. This time I'm not going to delete it, and I'll check the size. Just so I have a place to check, I'll put the size here: 1835008KB
 

jetfighter545

We could prevent the miner from running, maybe even installing, but that would leave the obvious problem that the something that installs it is still in your computer. Try a full scan from windows defender if you haven't already tried that. After that, if you know when the miner will appear, watch task manager for specific programs using disk activity.
 