
SlimeMine349
Posted

My antivirus software Kaspersky detected a file in the system memory that is called "Trojan.Multi.BroSubsc.gen". Is this a false positive or is this adware or an actual trojan? See the attachment below. Thanks!

SlimeMine349
Posted

Hi, thank you for responding. I couldn't find any other forum or discussion that talked about whether or not this detection is a false positive, adware, or an actual trojan. Since Kaspersky is the only one picking this up, I was wondering what it really was.

Posted

@SlimeMine349 You are welcome.

Please see Kaspersky Threats → Trojan.Multi.BroSubsc
"Malware of this family is installed on browsers deceptively after the user visits fraudulent or advertising resources.
This malware displays advertising messages even if a browser is inactive."

Kaspersky blocked the malicious object before it reached your browser.
Are you still getting unwanted ads?
Can you please check your reports and post a screenshot of the detection.

SlimeMine349
Posted

Hi,

I never got any unwanted ads ever so that's what's really confusing me. Beyond unwanted ads, does the malware give backdoor access? That's my biggest concern. Attached below is the photo of my detection screenshot from logs.


Posted

@SlimeMine349

Can you please go to Kaspersky → Security → Reports and provide the full screen from the detection.

Posted

I think that detection is ransomware, but if your files aren't encrypted you're fine.

You're probably clean.

Posted

@SlimeMine349

Please download and run AdwCleaner (*) as ADMIN.
 
1)  ⚠️ Don't fix any detections
2) Please attach the TXT Log in your next post

(*) No installation required.

SlimeMine349
Posted

How do I get the TXT log? I don't see an option.

SlimeMine349
Posted
On 6/25/2023 at 6:26 PM, Xeno2ig said:

I think that detection is ransomware, but if your files aren't encrypted you're fine.

You're probably clean.

If the detection is ransomware, and my files aren't encrypted, does this mean my detection was a false positive?

Posted

@SlimeMine349

5 hours ago, SlimeMine349 said:

How do I get the TXT log? I don't see an option.

Please see screenshot below.
→ Click "View Scan Log File"
→ Save the TXT file
→ Attach the TXT file in your next post


Posted

@SlimeMine349

5 hours ago, SlimeMine349 said:

Does this mean my detection was a false positive?

Ransomware encrypts files and renames them by changing their extension;
encrypted files can no longer be opened.
Only Kaspersky Virus Lab can confirm or deny a False Positive.

Kaspersky Threats is classifying Trojan.Multi.BroSubsc as malware installed on browsers.
An AdwCleaner log could provide more details about your issue; please don't clean any detections!

Posted

Just go to your browser's site settings and disable notification access for unfamiliar sites (or better yet, all of them). That's all, you don't need anything else, it's not a ransomware.
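
To see what that advice is actually aimed at without clicking through every site in the settings UI, here is an added Python example (my own code, not from this thread and not from Chrome) that reads a Chromium profile's Preferences file, lists every origin that has been granted notification permission, and lists the installed extensions, flagging any that match a given ID or were not installed from the Web Store. The Preferences keys it reads (profile.content_settings.exceptions.notifications, with setting 1 = allow and 2 = block, and extensions.settings keyed by extension ID) are my assumption about Chromium's profile layout, as is the default path under %LOCALAPPDATA%; the embedded sample profile is constructed, and the extension ID fakeocdnmmmnokabaiflppclocckihoj is the one AdwCleaner names in the log posted later in this thread.

```python
import json
import os
import sys

# Chromium ContentSetting values as stored in Preferences (assumption; see lead-in).
ALLOW, BLOCK = 1, 2

# Constructed sample of the parts of a Chromium Preferences file this script reads.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*": {"setting": ALLOW},
        "https://news-alerts-now.example:443,*": {"setting": ALLOW},
        "https://quiet.example:443,*": {"setting": BLOCK},
    }}}},
    "extensions": {"settings": {
        "fakeocdnmmmnokabaiflppclocckihoj": {
            "manifest": {"name": "Sprucemarks"}, "from_webstore": False, "state": 1},
        "abcdefghijklmnopabcdefghijklmnop": {
            "manifest": {"name": "Sample Store Extension"}, "from_webstore": True, "state": 1},
    }},
})

# Default profile path on Windows (assumption; other profiles live beside "Default").
DEFAULT_PREFS_PATH = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome",
                                  "User Data", "Default", "Preferences")


def load_preferences(path=None):
    """Read a Preferences file as JSON; with no path, parse the constructed sample."""
    if path is None:
        return json.loads(SAMPLE_PREFERENCES)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def notification_allow_list(prefs):
    """Origin patterns allowed to push notifications, even with no tab of theirs open."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    return sorted(pattern for pattern, rule in exceptions.items()
                  if rule.get("setting") == ALLOW)


def extension_inventory(prefs):
    """(id, name, from_webstore) for every extension the profile knows about."""
    settings = prefs.get("extensions", {}).get("settings", {})
    return [(ext_id, ext.get("manifest", {}).get("name", "?"),
             bool(ext.get("from_webstore", False)))
            for ext_id, ext in settings.items()]


def suspicious_extensions(prefs, flagged_ids=()):
    """Extensions worth reviewing: named by a scanner, or side-loaded outside the Web Store."""
    flagged = set(flagged_ids)
    return [item for item in extension_inventory(prefs)
            if item[0] in flagged or not item[2]]


if __name__ == "__main__":
    # Pass a Preferences path to audit a real profile; no argument audits the sample.
    prefs = load_preferences(sys.argv[1] if len(sys.argv) > 1 else None)
    print("Origins allowed to send notifications:")
    for pattern in notification_allow_list(prefs):
        print("  " + pattern)
    print("Extensions to review (flagged ID or not from the Web Store):")
    for ext_id, name, from_store in suspicious_extensions(prefs, ["fakeocdnmmmnokabaiflppclocckihoj"]):
        print(f"  {ext_id}  {name}  webstore={from_store}")
```

Run it against a copy of the profile's Preferences file (the browser rewrites that file while it is open). The script only reads; revoke permissions in chrome://settings/content/notifications and remove extensions from chrome://extensions rather than editing the JSON by hand, which the browser would overwrite anyway.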

Posted

I'm not fully sure if it was ransomware; you should probably just go along with what they're saying.

SlimeMine349
Posted
On 6/27/2023 at 5:15 AM, Berny said:

@SlimeMine349

Please see screenshot below.
→ Click "View Scan Log File"
→ Save the TXT file
→ Attach the TXT file in your next post

Hi, in my original post that started this thread, the screenshot of my detection also showed that I disinfected and cured the Trojan.Multi.brosubsc.gen detection already. Do you want me to post a screenshot of a scan again but in Malwarebytes Adware cleaner?

SlimeMine349
Posted
On 6/27/2023 at 5:15 AM, Berny said:

@SlimeMine349

Please see screenshot below.
→ Click "View Scan Log File"
→ Save the TXT file
→ Attach the TXT file in your next post

I still have the original report from the screenshot that started this thread that's in the ENC1 file extension, but it won't let me submit it here because the file type isn't accepted.

Posted

@SlimeMine349 Yes, but if possible please save the AdwCleaner TXT log and attach it in your next post.

SlimeMine349
Posted

This is my log.

# -------------------------------
# Malwarebytes AdwCleaner 8.4.0.0
# -------------------------------
# Build:    08-30-2022
# Database: 2022-10-10.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    06-30-2023
# Duration: 00:00:08
# OS:       Windows 10 (Build 19045.3086)
# Scanned:  32098
# Detected: 28


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy             HKCU\Software\APN PIP
PUP.Optional.Legacy             HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wlkyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dotomi.com
PUP.Optional.Legacy             HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wlkyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dotomi.com
PUP.Optional.Legacy             HKLM\Software\Classes\Interface
PUP.Optional.Legacy             HKLM\Software\Classes\Interface
PUP.Optional.Legacy             HKLM\Software\Classes\TypeLib
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\Interface\
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\Interface\
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\TypeLib\
PUP.Optional.WinRepairPro       HKCU\Software\win

***** [ Chromium (and derivatives) ] *****

PUP.Optional.Legacy             Sprucemarks - fakeocdnmmmnokabaiflppclocckihoj

***** [ Chromium URLs ] *****

Adware.SearchDimension          Search Dimension
Adware.SearchDimension          Search Dimension

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.CyberLinkService   Folder   C:\Program Files (x86)\CYBERLINK\SHARED FILES\PLUGIN\NEWBLUE
Preinstalled.CyberLinkShellExtension   Registry   HKLM\Software\Classes\CLSID\
Preinstalled.DellCustomerConnect   Folder   C:\Program Files (x86)\DELL CUSTOMER CONNECT
Preinstalled.DellCustomerConnect   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall
Preinstalled.DellFoundationServices   Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\
Preinstalled.DellSupportAssistAgent   Folder   C:\Program Files (x86)\DELL\SUPPORTASSISTAGENT
Preinstalled.DellSupportAssistAgent   Folder   C:\Program Files\DELL\SAREMEDIATION\AUDIT
Preinstalled.DellSupportAssistAgent   Folder   C:\Program Files\DELL\SAREMEDIATION\PLUGIN
Preinstalled.DellSupportAssistAgent   Folder   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ALIENWARE\SUPPORTASSIST
Preinstalled.DellUpdateforWindows10   Folder   C:\Program Files (x86)\ALIENWARE UPDATE
Preinstalled.DellUpdateforWindows10   Folder   C:\Program Files (x86)\DELL\UPDATESERVICE
Preinstalled.DellUpdateforWindows10   Folder   C:\ProgramData\DELL\UPDATE
Preinstalled.DellUpdateforWindows10   Folder   C:\ProgramData\DELL\UPDATESERVICE
Preinstalled.LenovoPower2Go   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield
Preinstalled.LenovoPower2Go   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\

 

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S04].txt ##########

 

 

Posted

@SlimeMine349

Thank you for the Log, please proceed as follows :

  1. Backup your registry
  2. Run AdwCleaner as Admin
  3. ⚠️ Keep the "Preinstalled Software" entries
  4. ⚠️Clean the "PUPs" (Potentially Unwanted Programs) entries
  5. Reboot
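
Working through that checklist against the log above, as an added example that is not part of the original thread and not AdwCleaner's own code: a small Python script that reads an AdwCleaner scan log, separates the Preinstalled entries (kept, step 3) from the PUP/Adware entries (cleaned, step 4), pulls out any Chromium extension ID the log names so it can be looked up in the browser, and prints the `reg export` commands that back up each registry key AdwCleaner would delete, so step 1 becomes a targeted export of exactly those keys rather than a full-hive backup. The log excerpt embedded below is constructed from the one posted above; the regexes for the log layout and the backup folder path are my assumptions.

```python
import re

# Excerpt constructed from the AdwCleaner scan log posted in this thread.
SAMPLE_LOG = r"""
# -------------------------------
# Malwarebytes AdwCleaner 8.4.0.0
# -------------------------------
# Mode: Scan

***** [ Services ] *****

No malicious services found.

***** [ Registry ] *****

PUP.Optional.Legacy             HKCU\Software\APN PIP
PUP.Optional.Legacy             HKLM\Software\Classes\Interface
PUP.Optional.Legacy             HKLM\Software\Classes\Interface
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Classes\TypeLib\
PUP.Optional.WinRepairPro       HKCU\Software\win

***** [ Chromium (and derivatives) ] *****

PUP.Optional.Legacy             Sprucemarks - fakeocdnmmmnokabaiflppclocckihoj

***** [ Chromium URLs ] *****

Adware.SearchDimension          Search Dimension

***** [ Preinstalled Software ] *****

Preinstalled.DellSupportAssistAgent   Folder   C:\Program Files (x86)\DELL\SUPPORTASSISTAGENT
Preinstalled.CyberLinkShellExtension   Registry   HKLM\Software\Classes\CLSID\

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S04].txt ##########
"""

# Log layout (assumption): section banners, then "family  target" lines; Preinstalled
# lines carry an extra kind column (Folder/File/Registry) between family and target.
SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
PREINSTALLED_RE = re.compile(r"^(Preinstalled\.\S+)\s+(Folder|File|Registry)\s+(.+)$")
ENTRY_RE = re.compile(r"^(\S+)\s{2,}(.+)$")
# Chromium extension IDs are 32 characters drawn from a-p.
EXT_ID_RE = re.compile(r"\b[a-p]{32}\b")


def parse_adwcleaner_log(text):
    """Return one dict per detection: section, family, kind, target."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or line.startswith("#") or line.startswith("No malicious") or section is None:
            continue
        m = PREINSTALLED_RE.match(line)
        if m:
            entries.append({"section": section, "family": m.group(1),
                            "kind": m.group(2), "target": m.group(3).strip()})
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": section, "family": m.group(1),
                            "kind": section, "target": m.group(2).strip()})
    return entries


def triage(entries):
    """Split into (keep, clean): Preinstalled.* is vendor software left alone; the rest is PUP/adware."""
    keep = [e for e in entries if e["family"].startswith("Preinstalled.")]
    clean = [e for e in entries if not e["family"].startswith("Preinstalled.")]
    return keep, clean


def chromium_extension_ids(entries):
    """Extension IDs named in the Chromium section (the Chromium URLs section has none)."""
    ids = []
    for e in entries:
        if e["section"].startswith("Chromium") and "URLs" not in e["section"]:
            ids.extend(EXT_ID_RE.findall(e["target"]))
    return ids


def registry_backup_commands(entries, out_dir=r"C:\AdwCleaner\regbackup"):
    """One `reg export` per distinct registry key slated for deletion.

    Keys are normalized (doubled and trailing backslashes removed) so reg.exe accepts
    them; the .reg files restore with `reg import` if the clean step breaks something.
    """
    cmds, seen = [], []
    for e in entries:
        if e["kind"] != "Registry":
            continue
        key = e["target"].replace("\\\\", "\\").rstrip("\\")
        if key in seen:
            continue
        seen.append(key)
        cmds.append(f'reg export "{key}" "{out_dir}\\key{len(seen):02d}.reg" /y')
    return cmds


if __name__ == "__main__":
    entries = parse_adwcleaner_log(SAMPLE_LOG)
    keep, clean = triage(entries)
    print(f"{len(keep)} preinstalled entries to keep, {len(clean)} PUP/adware entries to clean")
    for e in clean:
        print(f"  clean  [{e['section']}] {e['family']}: {e['target']}")
    print("Extension IDs to look up in chrome://extensions:", chromium_extension_ids(entries))
    print("Run from an elevated prompt before cleaning:")
    for cmd in registry_backup_commands(clean):
        print("  " + cmd)
```

Point it at a real log by replacing SAMPLE_LOG with the file contents; the exported keys are only the ones AdwCleaner lists for deletion, so the Preinstalled entries it is told to keep never appear in the backup commands.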

SlimeMine349
Posted

Got it! So, my question is was Trojan.Multi.BroSubsc an actual Trojan that gave backdoor access?

Posted

@SlimeMine349

In your case Kaspersky Threats as well as AdwCleaner are pointing to adware.

SlimeMine349
Posted

I cropped out the detection window, is that fine?
