
Why do I keep getting Pier1 flagged as a Trojan?



  • Staff
30 minutes ago, Alicia said:

Here's the file:

 

Pier1.txt (attached, 722 B)

Is this a valid infection? If so how do I get rid of it?

Hello. This is a valid IP block: 64.190.63.111 | Sedo GmbH | AbuseIPDB

This IP address has been reported a total of 134 times from 32 distinct sources. 64.190.63.111 was first reported on April 17th 2022, and the most recent report was 1 week ago.


@Alicia

Please do the following so that we may take a closer look at your system.

Do these 2 steps FIRST so that hidden files and folders are set to SHOW, and also turn OFF Windows Fast Startup.

Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine 



  • A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

     

Thank you


  • Root Admin

Thank you for the logs @Alicia

Please do the following

[ 1 ]

Please download and run the ESET uninstaller tool

https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool

 

[ 2 ]

Please go to Control Panel, Programs, Programs and Features, Uninstall a program

Then right-click and uninstall the following

  • Bonjour
     

[ 3 ]

Not sure what is going on here. You have multiple program installations that the installer says are Version: 1.0 - Google\Chrome.

Did you install some type of Extension or other tool that does this?

 


  • Root Admin

Yes, there is an entry in the logs saying that the tool from ESET should be run. No problem, we can look at it further and manually remove anything left over from ESET.

Notice how many of these end in Google Chrome even though they're not related to Google Chrome

 


 

This link seems to indicate the same or similar behavior, saying that Google Chrome has been hacked.

https://borncity.com/win/2023/08/24/chrome-browser-installs-apps-shortcuts-on-windows-clients-automatically-without-user-consent/

 

Over on the Bitdefender forum someone had something similar as well

https://community.bitdefender.com/en/discussion/97287/why-some-google-apps-are-being-automatically-installed

 

 

Please follow the directions from the following topic for a more extensive article on cleaning Google Chrome

Resetting Google Chrome to clear unexpected issues
 

Thank you

 


OK, a late night instead. I read through those links.

I removed most extensions from chrome except ABP and Malwarebytes Browser Ext.

I also trimmed my search engines to Google and the default DuckDuckGo.

I also used the directions from one link to force a reset of Chrome. 

Now I wait?


I did a force reset of google chrome from that page. 

The printer works in my laptop and cell phone. It used to work on the desktop.

Even if I save a file to the desktop it doesn't work.

In the printers and scanners section it shows the printer Not connected.

The Pier1 block from Malwarebytes is no longer popping up, so at least I got rid of that.

I'd really like the printer to work. I don't think that's a chrome issue. 

 

 


  • Root Admin

Please restart the computer and run these scans

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes:

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first, only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans:

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
     RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply


 

Thank you

 


  • Root Admin

I really don't know how to fix this issue. As you can see, you have a lot of entries that are not related to Google\Chrome but the Control Panel, Programs, Programs and Features has them listed and associated with Google\Chrome

 

  • [KB2289] Manually uninstall your ESET product using the ESET uninstaller tool (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\6f0b8c354295d53922581ae0a43587a4) (Version: 1.0 - Google\Chrome)
  • Acclaim Hotel Calgary Airport (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\4091b81d177c4cf2d92e5cdc45bb3e61) (Version: 1.0 - Google\Chrome)
  • Amazon.ca : travel alarm clock battery operated (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\1c3dfa478c50f66dc2eabf9a9ca847b4) (Version: 1.0 - Google\Chrome)
  • calgary flames schedule 2024 at DuckDuckGo (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\bf6676819bb9e35278c6083dd9d0c9d9) (Version: 1.0 - Google\Chrome)
  • Calgary Home and Garden Show: Countertop refresh | Calgary Herald (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\8a144119cebeda71b8854dc718393a3e) (Version: 1.0 - Google\Chrome)
  • Canadian Tire (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\9c72f0f528c47fcb4ba425bdb6d604b9) (Version: 1.0 - Google\Chrome)
  • Carriage House Hotel & Conference Center - South Calgary, AB (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\0e7558f6c8f3c92318620ef690f4421a) (Version: 1.0 - Google\Chrome)
  • Carriage House Hotel & Conference Centre, Calgary (AB) | 2024 Updated Prices, Deals (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\ae0a0bd7db02bf1aac9a4b5603c8cdf3) (Version: 1.0 - Google\Chrome)
  • Carriage House Hotel and Conference Centre, Calgary – Updated 2024 Prices (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\5b57bc85de6d7d38318650215e6aeb76) (Version: 1.0 - Google\Chrome)
  • changing display name of email account windows 11 - Microsoft Community (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\745d6ea25602fb48e5d9e61bdb942e58) (Version: 1.0 - Google\Chrome)
  • CONTOUR NEXT Website (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\a07842b8faee6097fcc7ced02d8bcb98) (Version: 1.0 - Google\Chrome)
  • CTV | Shows | Watch Full-Length Episodes Online For Free (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\2cda57eff40682874b48f376759dc4da) (Version: 1.0 - Google\Chrome)
  • Direct and Non-Stop Flights | WestJet official site (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\21005fe171c26b2bd1521ded90b81919) (Version: 1.0 - Google\Chrome)
  • Download K-Lite Codec Pack Standard (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\8ce31a87f31e6f7e230bd8193854802d) (Version: 1.0 - Google\Chrome)
  • FAMICOZY Compact Travel Alarm Clock (Black-02) : Amazon.ca: Home (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\2b50fad1ac0239b587d0a477e37b178e) (Version: 1.0 - Google\Chrome)
  • GlucoContro (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\eae4e82d450ccdb1a91f022236609ca5) (Version: 1.0 - Google\Chrome)
  • London Drugs (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\da9a70f0e1447253b6830c064fec5876) (Version: 1.0 - Google\Chrome)
  • Malwarebytes Forums (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\5d89b5c957d470128848b8b721dbeac4) (Version: 1.0 - Google\Chrome)
  • Medeo (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\02fba2c6371630d22636274605cb5237) (Version: 1.0 - Google\Chrome)
  • Medeo (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\5ced022f0a8d554fb937aadb66c1a3c1) (Version: 1.0 - Google\Chrome)
  • Myhealthrecords (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\d37f45f5518ea41c6a711c5a2dd4692c) (Version: 1.0 - Google\Chrome)
  • PC Optimum (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\092fcd187fdb9eb7c7fe901c3ecfcdd8) (Version: 1.0 - Google\Chrome)
  • Pomelo Platform (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\bc1de312d97bfa593ac94f87afa52bf7) (Version: 1.0 - Google\Chrome)
  • Pomelo Platform (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\be31533c26f1aa20f37e49d677779beb) (Version: 1.0 - Google\Chrome)
  • Pork Chop & Cabbage Skillet – West IGA (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\8f52fd197db479765d28d3cdd92d3b88) (Version: 1.0 - Google\Chrome)
  • Sportchek (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\2ef14610e2ec740755676c10e5aed664) (Version: 1.0 - Google\Chrome)
  • Telus Modem (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\14a766a3c9285f007d86ab207bc477c4) (Version: 1.0 - Google\Chrome)
  • Telus Security (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\b018bc279fc5caed53e546c1b9c72e4f) (Version: 1.0 - Google\Chrome)
  • Windows 11 Forum (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\2a7e8741f93ec7f24600918b24f83dbc) (Version: 1.0 - Google\Chrome)
  • Your Orders (HKU\S-1-5-21-363461579-3019574216-2445903484-1001\...\bb6bdbfeb5cb1388b21ae7465edb502c) (Version: 1.0 - Google\Chrome)

 

If I were sitting there at the keyboard I might be able to clean it up by hand, but it is a rather long and daunting task. I'll check with other colleagues and see if they have an idea or know of a tool to fix this and get back to you.

 


Under the Start Menu there is a listing for Chrome Apps NEW. Its location is AppData/Roaming/Microsoft/Windows/StartMenu/Programs.

I can delete this folder and it will get recreated as I visit websites. There is also a list of sites visited in the Control Panel uninstall program list

I have no idea why Chrome does this.

 

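The two observations above (the Root Admin's Programs and Features list of page titles tagged "Version: 1.0 - Google\Chrome", and Alicia's note that the Start Menu "Chrome Apps" folder is recreated as sites are visited) can be checked from one PowerShell inventory. The script below is an added example, not something posted in the thread or shipped by Malwarebytes or Google. It assumes the per-user uninstall hive (HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall), the Publisher string Google\Chrome exactly as FRST printed it, and the Chrome Apps folder path Alicia named; the match on a chrome.exe UninstallString carrying --uninstall-app-id is an assumption about how Chrome registers these entries and should be confirmed against the values on your own machine. It only lists by default; -Remove deletes what it found, and -WhatIf shows what -Remove would do.

```powershell
# Added example, not from the forum thread. Inventory the artefacts Chrome leaves
# when a site is "installed" as an app: the per-user Programs and Features entry
# and the .lnk in the Start Menu "Chrome Apps" folder. Read-only unless -Remove.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$uninstallKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
$chromeApps   = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Chrome Apps'

# 1. Per-user uninstall entries. The DisplayName is just the page title, so filter
#    on Publisher (the value FRST showed as "Google\Chrome") or on the uninstall
#    command itself. The --uninstall-app-id match is an assumption; verify it
#    against the UninstallString column in the output before relying on it.
$entries = Get-ChildItem $uninstallKey -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object {
        ($_.Publisher -like 'Google\Chrome*') -or
        ($_.UninstallString -match 'chrome\.exe.*--uninstall-app-id')
    }

Write-Host "Uninstall entries registered by Chrome for this user:"
$entries |
    Select-Object PSChildName, DisplayName, Publisher, DisplayVersion, UninstallString |
    Format-Table -AutoSize

# 2. Start Menu shortcuts. Resolving each .lnk shows the target is chrome.exe with
#    an --app-id argument, i.e. a web page launched as an app, not a separate binary.
$shell = New-Object -ComObject WScript.Shell
$shortcuts = Get-ChildItem $chromeApps -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Shortcut  = $_.Name
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Created   = $_.CreationTime
        }
    }

Write-Host "Shortcuts in $chromeApps :"
$shortcuts | Format-Table -AutoSize

# 3. Optional cleanup. ShouldProcess makes -WhatIf and -Confirm work.
if ($Remove) {
    foreach ($e in $entries) {
        $keyPath = Join-Path $uninstallKey $e.PSChildName
        if ($PSCmdlet.ShouldProcess($e.DisplayName, "Remove uninstall entry $keyPath")) {
            Remove-Item -Path $keyPath -Recurse
        }
    }
    foreach ($s in $shortcuts) {
        $lnkPath = Join-Path $chromeApps $s.Shortcut
        if ($PSCmdlet.ShouldProcess($lnkPath, 'Remove shortcut')) {
            Remove-Item -Path $lnkPath
        }
    }
}
```

Run it first without -Remove and read the Target and UninstallString columns: if every entry points at chrome.exe under Program Files, the list is Chrome's own app registrations rather than foreign executables, which is the point the Root Admin's colleague raised. Deleting only the registry keys and shortcuts does not uninstall the apps inside Chrome, and, as Alicia saw, Chrome recreates them; the durable fix is to remove the apps from within Chrome (or finish the reset already started) and then run this with -Remove to clear the leftovers.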

  • Root Admin

Yes, understood. I've posted to my other colleagues asking if any of them have seen this before or not.

We may end up having to do a full uninstall of Google Chrome and then run a cleanup script to remove the leftover traces of Chrome.

Then see what we can do about the Control Panel entries before reinstalling Chrome. But I'd like to wait and hear back from others in case there is a better or easier way to correct it.

 


  • Root Admin

Please save the attached FIXLIST.TXT file to the following folder: C:\Users\trixi\Desktop

fixlist.txt

 

Then right-click over the Farbar program and select to Run as administrator

C:\Users\trixi\Desktop\FRSTEnglish.exe  

Then click on the Fix button. When done it will create a file named FIXLOG.TXT; please attach that log on your next reply.

Thank you @Alicia

 

 

 


  • Root Admin

Thank you for the log. A colleague pointed out these appear to be valid, but I'm still checking on the mechanism that allows it to be recreated, and why it keeps adding sites on what appears to be automatic without you doing it.

Do you recall installing something like this or some web extension add-on?

https://en.wikipedia.org/wiki/Progressive_web_app

 


This topic is now closed to further replies.