avast sees dropbox as malware

I searched around a bit but was unable to find a topic addressing this.

I recently purchased a new laptop running windows 7 home premium. I then installed both dropbox and the free version of avast. The problem is, every time I start dropbox, I get notifications about every minute that avast has blocked malware coming from dropbox. It’s associated with the dropbox.exe *32 process. Avast repeatedly moves a temp file to the virus chest, saying that it is a Win32:Trojan-gen. I’m not sure if this is a false positive or not, but I’ve never had problems between avast and dropbox before. To get the pop-ups to stop I just start task manager and kill the dropbox.exe *32 process, but it would be nice of course to use the program. Here’s the name of the file that avast keeps moving to the virus chest:

C:\Users\<username>\Dropbox\.dropbox.cache\~e84ddb1c.tmp

Any ideas? Thanks in advance!

Test it at VT (https://www.virustotal.com/) and post the result.

Here’s the report from virustotal.com:

SHA256: 205f0caedf82989588eda2d4a292557697f07d7eb11bc5cf126c8153a2f8036b
SHA1: 57bb7ef65c549f3c9d547cdbc387591c94774e85
MD5: cc541892fabf1aba5b7172cf1f50e6cd
File size: 29.0 KB ( 29743 bytes )
File name: ~e84ddb1c.tmp
File type: Win32 EXE
Detection ratio: 15 / 36
Analysis date: 2012-11-24 13:21:25 UTC ( 1 minute ago )
Antivirus Result Update
Agnitum - 20121124
AntiVir - 20121124
Antiy-AVL - 20121123
Avast Win32:Trojan-gen 20121124
AVG - 20121124
BitDefender - 20121124
ByteHero - 20121116
CAT-QuickHeal - 20121124
ClamAV - 20121124
Commtouch W32/Backdoor2.HMDI 20121124
Comodo UnclassifiedMalware 20121124
Emsisoft - 20121124
ESET-NOD32 - 20121124
F-Prot W32/Backdoor2.HMDI 20121124
F-Secure - 20121124
Fortinet W32/Barys.A6AA!tr 20121124
GData Win32:Trojan-gen 20121124
Ikarus Trojan-Dropper.Win32.KGen 20121124
Jiangmin Trojan/Generic.aayzx 20121124
K7AntiVirus Backdoor 20121123
Kingsoft - 20121119
Microsoft - 20121124
MicroWorld-eScan - 20121124
nProtect - 20121124
Panda Trj/CI.A 20121124
PCTools Trojan.Gen 20121124
Rising - 20121123
Sophos - 20121124
SUPERAntiSpyware - 20121124
Symantec Trojan.Gen 20121124
TheHacker Posible_Worm32 20121124
TotalDefense - 20121123
TrendMicro TROJ_GEN.RCBZ1JR 20121124
TrendMicro-HouseCall TROJ_GEN.RCBZ1JR 20121124
VIPRE - 20121124
ViRobot - 20121124

much easier to just post the scan link :wink:
https://www.virustotal.com/file/205f0caedf82989588eda2d4a292557697f07d7eb11bc5cf126c8153a2f8036b/analysis/

seems like it is correct

First seen by VirusTotal
2012-03-10 14:35:19 UTC ( 8 måneder, 2 uker ago )

Whoops, sorry about that. I’m new to this stuff. ;D

Okay, so it’s a real virus. Next question then, how do I get it to stop popping up every minute? The file is never permanently removed but just gets created over and over again. Any ideas on that?

I have dropbox on my system and Avast is quite happy with it plus there is not a folder/file with that name in my folder

So I would suspect that there is an infection in there somewhere

Ok, I guess I’m not sure what to do about it. I scanned the entire dropbox folder, and no threats were found. Then I thought the program itself was the problem, so I uninstalled it, deleted all my synced info, and re-downloaded and re-installed the program. Same result, except this time the temp file has a different name. Also checked that one on virustotal.com, and interestingly enough, it stated it was the same file as the one I had tried earlier today.

So what to do? The problem isn’t with the files I have on dropbox, and it’s not with the program itself. I don’t disagree that there’s an infection, but I don’t know how to find and permanently remove it.
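
The observation above, that a re-created temp file with a different name is reported as the same file, can be checked locally by hashing a folder and grouping files by SHA-256. This Python code is an added example, not part of the original thread: the folder you pass in and the second temp file name in the demo are assumptions, and the flagged digest is the SHA256 from the VirusTotal report posted earlier.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# SHA-256 from the VirusTotal report quoted in this thread.
FLAGGED_SHA256 = "205f0caedf82989588eda2d4a292557697f07d7eb11bc5cf126c8153a2f8036b"

def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large cache entries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def group_by_digest(root):
    """Map each SHA-256 digest to the sorted list of files under root that have it."""
    groups = defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                groups[sha256_of(path)].append(path)
            except OSError:
                # File vanished or is locked (e.g. quarantined mid-scan); skip it.
                continue
    return {d: sorted(p) for d, p in groups.items()}

def recurring_or_flagged(root, flagged=(FLAGGED_SHA256,)):
    """Return digests that match a flagged hash or appear under several names."""
    flagged = {f.lower() for f in flagged}
    return {d: p for d, p in group_by_digest(root).items()
            if d in flagged or len(p) > 1}

def demo():
    """Constructed sample: two differently named temp files with identical bytes."""
    with tempfile.TemporaryDirectory() as cache:
        for name, data in (("~e84ddb1c.tmp", b"same payload"),
                           ("~0a1b2c3d.tmp", b"same payload"),  # constructed name
                           ("notes.txt", b"unrelated")):
            with open(os.path.join(cache, name), "wb") as handle:
                handle.write(data)
        hits = recurring_or_flagged(cache)
        return {d: [os.path.basename(p) for p in paths] for d, paths in hits.items()}

if __name__ == "__main__":
    for digest, names in demo().items():
        print(digest, names)
```

A digest that keeps reappearing under new names means the same content is being written back each time, so renaming or deleting a single file does not address whatever is producing it.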

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%username%/dropbox /s
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

Ok, here are the logs. Thanks for the guidance on this!

OK numpty used the wrong switch

Run OTL again and paste the following line in the custom scans box and press run scan. There will be just one log this time

C:\Users\ben\Dropbox\*.* /s

Hmmm… tried attaching the log but was rejected because the file size is too big (680 kb) for attachments. Is there a way around that limitation?

split the log in two…and use two posts :wink:

I ended up uploading it to mediafire. Here’s the link:

http://www.mediafire.com/view/?634np53sjc9wunh

I tried my own link, but didn’t get the file, so here it is split in two as you suggested.

Part 2

Essexboy is in bed now…but back tomorrow :wink:

Ta … Found it … Let’s see if OTL can kill it

You will need to resynch on completion as removal from the computer should then remove it from online

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
[2012/11/24 21:35:17 | 000,026,879 | ---- | M] () -- C:\Users\ben\Dropbox\.dropbox.cache\IF8Mrt-CmJWI7aLUopJVdpfwfX6xG8XPEmyBU6L4A2s

:Files
C:\Users\ben\Dropbox\.dropbox.cache

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I’ve got two logs for you - one OTL produced after running the fix, then one after the quick scan. Unfortunately, it didn’t work. After the reboot, dropbox also started automatically, and the popups started coming again one after another.

OK let’s use a stronger tool for this

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Here’s the log. After reboot, the result is the same. Still get the popups when Dropbox tries to sync.