Hi, I'm informing you about this both to let you know that Dropbox may be being used as a means to get through firewalls, and to get this on the record for other people having the same issue. I will also be informing BitDefender.
I have Dropbox installed at
"C:\Program Files (x86)\Dropbox"
and within the
"C:\Program Files (x86)\Dropbox\Update"
folder, the executable is named
"DropboxUpdate.exe"
Above details the legitimate Dropbox install. However, there has recently been a second Dropbox presence on my PC, presumably using Dropbox credentials to walk through my firewall. I use BitDefender.
The second presence is located at
"C:\Program Files\Dropbox\DropboxUpdater\123.0.6299.61"
and is named
"updater.exe"
I initially didn't see it as suspicious due to the "Dropbox"-named folder in it's path. However, whenever it connected to the internet, it downloaded a file, then created a folder named
"C:\Program Files\chrome_unpacker_beginunzipping33496_1121615137\"
The number string was different for each file, but followed the same pattern of 5 and 10 numbers.
This folder contained a filed named
"dropboxclientinstaller.exe"
which would then connect to the internet, however, it didn't show up in the "Application Access" tab of the Bitdefender Firewall, but did create a new "Rule" in that tab, with access allowed.
It then downloaded a separate .RAR file to the following folder and deleted itself, leaving the "chrome_unpacker*" folder in place.
"C:\Program Files\Dropbox\DropboxUpdater\123.0.6299.61"
Here, I don't know what the files were called, but there were a lot of them there. As soon as I found them, I deleted the lot, as well as all other related folders and files. I required Admin access to do so, and only after I had deleted everything else could I deleted the "updater.exe" file.
