
Dropbox files false positive?


When we install Dropbox, the Google maintenance task file comes back. If it's not caused by installing Dropbox, is it possible that the malware is in Dropbox in the cloud and then, once Dropbox syncs w/ the computer, the computer is infected? Also, I see lots of detailed information about the issue you linked, but how do we get rid of the malware?


Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes. Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point <<<<< Important.
  • Temporarily disable your antivirus real-time protection or other security software first, only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download the software below, only if needed. Make sure to turn it back on once the downloads are completed.
  • Disable-Fast-Startup (Windows 8 and newer only) <<<<< Important.
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans. Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
     RESTART the computer <<<<< Important.
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply


Then be patient for the next expert to take your case. <<<<< Important.

 

Thank you


  • Root Admin

Let's do a full uninstall of Dropbox.

Then, once that is done, go ahead and restart the computer and get me NEW, fresh logs. We'll look at cleaning the computer some and then try the reinstall again. @briantorchbjj

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/


  • Root Admin

Thank you for the logs @briantorchbjj

Please follow the steps below

 

[ 1 ]

Your DNS Servers: 75.75.75.75 - 75.75.76.76

Please consider changing your default DNS server settings. Please choose one provider only.

DNS is what lets users connect to websites using domain names instead of IP addresses.

Pick just one of these 5 providers, and be aware that you need to make the change once for IPv4 and a second time for IPv6.

  • Quad 9 Public DNS: IPv4 9.9.9.9 and 149.112.112.112; IPv6 2620:fe::fe and 2620:fe::9 (one of the best for most users)
  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNS.WATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b


The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

[ 2 ]

What is the Model name of your Dell computer and is it a Laptop or Desktop?

The Trusted Platform Module (TPM) is having an issue that a BIOS update from Dell might be able to correct

 

BIOS: Dell Inc. 1.9.3 03/08/2018
Motherboard: Dell Inc. 0DW6V0

Processor: Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz
Percentage of memory in use: 64%
Total physical RAM: 16013.73 MB

 

System errors:
=============
Error: (09/27/2024 08:24:03 AM) (Source: TPM) (EventID: 15) (User: NT AUTHORITY)
Description: The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used. For further help, please contact the computer manufacturer.

 

 

[ 3 ]

Did you set up and enable these Proxy settings on purpose?

ProxyEnable: [S-1-5-21-2174044441-1976494247-2274181304-1002] => Proxy is enabled.
ProxyServer: [S-1-5-21-2174044441-1976494247-2274181304-1002] => https=localhost:2104
ManualProxies: 1https=localhost:2104 <==== ATTENTION

 

[ 4 ]

Are you sure you want this enabled or allowed? Push Notifications in your browsers appear to be enabled. Though they can be helpful, they can also potentially be risky.

Edge Notifications: Default -> hxxps://www.facebook.com

CHR Notifications: Default -> hxxps://10xgrowthcon.com; hxxps://activity.yesware.com; hxxps://amidoctors.pushcrew.com; hxxps://app.glip.com; hxxps://app.hubspot.com; hxxps://app.podium.com; hxxps://app.ringcentral.com; hxxps://app.slack.com; hxxps://app.textmagic.com; hxxps://app.textrecruit.com; hxxps://app.tracki.com; hxxps://app.zipwhip.com; hxxps://b-www.facebook.com; hxxps://book.qantas.com; hxxps://business.facebook.com; hxxps://calendar.google.com; hxxps://chargebacks911.com; hxxps://chat.indeed.com; hxxps://coa.pushcrew.com; hxxps://directionstab.com; hxxps://drive.google.com; hxxps://help.bill.com; hxxps://helpx.adobe.com; hxxps://infusionsoft.app; hxxps://integrateyourclinic.zotabox.me; hxxps://internationalliving.com; hxxps://landline.zipwhip.com; hxxps://meet.google.com; hxxps://member.angieslist.com; hxxps://moneyinc.com; hxxps://my.textmagic.com; hxxps://nomadgate.com; hxxps://people.com; hxxps://plus.google.com; hxxps://thechefpick.com; hxxps://tickets-center.com; hxxps://viral.checknewsonline.com; hxxps://web.skype.com; hxxps://www.adzuna.com; hxxps://www.bhphotovideo.com; hxxps://www.cnet.com; hxxps://www.emedevents.com; hxxps://www.facebook.com; hxxps://www.foxnews.com; hxxps://www.glassdoor.com; hxxps://www.ihireadvancedpractitioners.com; hxxps://www.immigrationspain.es; hxxps://www.instagram.com; hxxps://www.investing.com; hxxps://www.jobcase.com; hxxps://www.jobilize.com; hxxps://www.makealivingwriting.com; hxxps://www.messenger.com; hxxps://www.myclientline.net; hxxps://www.netflix.com; hxxps://www.newsbreak.com; hxxps://www.newstrackr.co; hxxps://www.nextjobs.me; hxxps://www.parents.com; hxxps://www.pcmag.com; hxxps://www.point2homes.com; hxxps://www.thedailybeast.com; hxxps://www.ticketmaster.com; hxxps://www.travelmerry.com; hxxps://www.usatoday.com; hxxps://www.wayfair.com; hxxps://www.wsj.com; hxxps://www.youtube.com; hxxps://www2.otel.com; hxxps://za.investing.com

 

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

[ 5 ]

Please double-check and set the following

Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

 

[ 6 ]

The logs indicate you have the following duplicated downloads of Dropbox installers. Please delete these.

 

C:\Users\Brian\Downloads\DropboxInstaller (10).exe
C:\Users\Brian\Downloads\DropboxInstaller (11).exe
C:\Users\Brian\Downloads\DropboxInstaller (12).exe
C:\Users\Brian\Downloads\DropboxInstaller (12).zip
C:\Users\Brian\Downloads\DropboxInstaller (7).exe
C:\Users\Brian\Downloads\DropboxInstaller (8).exe
C:\Users\Brian\Downloads\DropboxInstaller (9).exe

[ 7 ]

 

Based upon some of your responses above we'll work on a new FIXLIST.txt file.

 

Thank you


1 - Sure, we can do this, but I doubt very much this is going to fix the issue.

2 - Dell Latitude 5580 laptop. Windows and Dell Command Update (which updates drivers) are both 100% updated.

3 - Where did you get that proxy info?

4 - I agree w/ your suggestions as far as best practices, but I don't think this is related. I will disable notifications just to be sure.

5 - Already did this as part of the tasks we did yesterday.

6 - OK, we can do that.

Is there a possibility that the malware is in the Dropbox cloud and that is why it isn't detected until we install Dropbox? I am starting to think we should contact Dropbox support about this.

I realize that the directory with the questionable file is not synced w/ Dropbox, but it still seems like this cannot be a coincidence?

Thanks!

 


  • Root Admin

No. In 99.99% of the cases I've seen, a proxy like that on a customer's computer is due to some type of malware threat. I just wanted to make sure before we remove it.

Those entries show in the logs you sent me.

I will add them for removal in the FIX after we run a new scan with Malwarebytes.

 

Please open Malwarebytes and check for updates and do a new Threat scan and post back the new log

 

Scan with Malwarebytes
https://forums.malwarebytes.com/topic/304827-scan-with-malwarebytes/


As for the BIOS, from what I can find on the Dell support site your version is not the latest.

 

BIOS: Dell Inc. 1.9.3 03/08/2018
Motherboard: Dell Inc. 0DW6V0

 

Dell Precision 3520 and Latitude 5280/5288/5480/5488/5580 System BIOS

Fixes & Enhancements
- This release contains security updates as disclosed in the Dell Security Advisories DSA-2024-260 and DSA-2024-243. For more information, see Dell Security Advisories and Notices.

https://www.dell.com/support/security

DSA-2024-243: Security Update for Dell Client Platform for Intel® Platform Update 2024.3 Advisories
https://www.dell.com/support/kbdoc/en-us/000225475/dsa-2024-243-security-update-for-dell-client-platform-for-intel-platform-update-2024-3-advisories

DSA-2024-260: Security Update for Dell Client Platform BIOS for an Improper Input Validation Vulnerability
https://www.dell.com/support/kbdoc/en-us/000225776/dsa-2024-260-security-update-for-dell-client-platform-bios-for-an-improper-input-validation-vulnerability


Dell Latitude 5580
https://www.dell.com/support/home/en-us/product-support/product/latitude-15-5580-laptop/drivers


Dell Precision 3520 and Latitude 5280/5288/5480/5488/5580 System BIOS
https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=pgr8r&oscode=wt64a&productcode=latitude-15-5580-laptop

Version: 1.37.0

Release date: 18 Aug 2024

Direct download link
https://dl.dell.com/FOLDER11811999M/1/Latitude_5X80_Precision_3520_1.37.0.exe

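The two Root Admin posts above check the same handful of things by reading the FRST log: the per-user proxy entry, the DNS servers, the BIOS version, the TPM driver error and the duplicate installer downloads. The read-only PowerShell audit below gathers that evidence directly from a Windows machine; it is an added example, not the forum's or Malwarebytes' own script, and it assumes the values from this thread (a proxy on localhost, TPM Event ID 15, and Dell BIOS 1.37.0 as the target version).

```powershell
# Added example, not the forum's or Malwarebytes' own script: a read-only audit
# that gathers the evidence the helper read out of the FRST log. Values taken
# from the thread: a localhost proxy port (2104 there), TPM Event ID 15, and
# Dell BIOS 1.37.0 as the target version. Run in an elevated PowerShell.
$report = [ordered]@{}

# 1. Per-user WinINET proxy (FRST showed ProxyEnable/ProxyServer under the user's SID).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
$report.ProxyEnable = $inet.ProxyEnable
$report.ProxyServer = $inet.ProxyServer

# A proxy pointing at localhost is only useful if something listens there:
# name the owning process so it can be matched against a known, legitimate product.
if ($inet.ProxyEnable -eq 1 -and "$($inet.ProxyServer)" -match 'localhost:(\d+)') {
    $port = [int]$Matches[1]
    $report.ProxyListeners = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            '{0} (PID {1}) {2}' -f $p.ProcessName, $_.OwningProcess, $p.Path
        })
}

# 2. DNS servers in use per interface (the thread recommends one public resolver).
$report.DnsServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { '{0}: {1}' -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ') })

# 3. BIOS version compared with the release the thread links (assumed target 1.37.0).
$bios = Get-CimInstance -ClassName Win32_BIOS
$report.BiosVersion = $bios.SMBIOSBIOSVersion
try   { $report.BiosOutdated = [version]$bios.SMBIOSBIOSVersion -lt [version]'1.37.0' }
catch { $report.BiosOutdated = 'unknown (non-numeric version string)' }

# 4. TPM driver errors (Source: TPM, Event ID 15) in the System log, last 30 days.
$filter = @{ LogName = 'System'; ProviderName = 'TPM'; Id = 15; StartTime = (Get-Date).AddDays(-30) }
$report.TpmErrors = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty TimeCreated)

# 5. Duplicate "DropboxInstaller (N).exe" downloads the helper asked to delete.
$report.DuplicateInstallers = @(Get-ChildItem "$env:USERPROFILE\Downloads" -Filter 'DropboxInstaller (*).*' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)

$report
```

A ProxyListeners entry whose path is not a product you installed on purpose is the thing to hand to the helper, since that process is what the proxy setting routes browser traffic through.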
