
ytr.email


Go to solution Solved by Maurice Naggar,


This is a copy of the message I posted in the general forum, which elicited a reply to post various files in this forum:

"I am starting here, as I really don't know what this is about. Perhaps a false positive, perhaps a non-false, perhaps something else.

"Starting several weeks ago, Malwarebytes started blocking ytr.email. A search of my computer found that in Firefox.exe, but a search on-line found no relevant information. I did find that ytr.com itself is blocked by MWB, which may in fact be a correct blocking, but if not, then perhaps a post in the false positive module would be appropriate.

"There was then a period of perhaps two weeks with no MWB blocking, and the computer search did not turn up anything, so I surmised that whatever ytr.email might be had gone away, only to have it reappear yesterday, but now in Thunderbird.exe rather than in Firefox.exe. Adding further to the curious nature of this, the computer search still does find any such entry. It has arisen once so far today.

"Thus, I think you can understand why I started in this forum, given that I cannot find out what ytr.email on my computer is nor where it comes from, nor much of anything else. That led me to start here, to see if anyone knows about or can find anything about this oddity."

This is in response to the above text. FRST.txt

Three files uploaded, but one log file is a .json, not a permissible file type, so instructions for that requested. Not at all sure what has caused one link in wrong place, another expanded, but then not being sure is a specialty....

Addition.txt MBAMSERVICE.LOG https://forums.malwarebytes.com/applications/core/interface/file/attachment.php?id=310967

MBAMSERVICE.LOG


Hi, :welcome:
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not do any changes on your own without first checking with me.
Please only just attach all report files, etc. that I ask for as we go along.

I would appreciate getting some key details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool

    Once the file is downloaded, open your Downloads folder/location of the downloaded file.
    Double-click mb-support-1.80.848.exe to run the report.

    Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".

    You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.

    Place a checkmark next to Accept License Agreement and click Next.
    Now click the left-hand side pane "I do not have an open support ticket".

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair”! But look instead at the far-left options list in black.

    Click the Advanced tab on the left column.

    Click the Gather Logs button.

    A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.

    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.

    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer, and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into main body.

Thank you,
Sincerely.


First name John is fine.

Please permit me to tease you a little bit: You state that, as a volunteer, you are not on 24 x 7. I am not sympathetic: As a volunteer firefighter and volunteer fire chief, I was for many years *always* "on", as it were. I am not sure that my wife has ever quite understood why I left the house one Christmas morning to respond to an emergency, with a boy no more than six years old in the house enjoying his special day, but as volunteer fire chief I had no choice.

mbst-grab-results.zip


Hi, John. All first responders are to be hailed and praised. Especially these days. Most especially the fire medics and all medical folks.

Just so you know, I include my blurb only because some folks have presumptions as to how soon they may get a reply here on this board. We all need a normal balanced life. (Though you would be surprised to notice that most of the volunteer helpers on this board help out 7 days a week, every week, as a regular practice, all unpaid).

Thanks for the zip report file. The first thing I would like you to do is to make real sure to do an Update run with Malwarebytes so that the Malwarebytes for Windows gets updated to Version 4.2.2.

Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Now, click the tab marked GENERAL. Look for the button marked "Check for Updates" and click it. Be sure to follow all prompts. Let's be sure it is up-to-date.

That will hopefully ensure that the program has the very latest Component Update.
Close Malwarebytes when done.

.

I would suggest to download, Save, and then run Malwarebytes ADWCLEANER. (Just be sure that Thunderbird is closed when you run this.)
Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.
Adwcleaner detects factory Preinstalled applications too!

Please download  Malwarebytes AdwCleaner https://downloads.malwarebytes.com/file/adwcleaner


 
Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.
At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows, so you can see Adwcleaner.)
Then click on Dashboard button.
Click the blue button "Scan Now".

Allow it a few minutes to finish the Scan. Let it remove what it finds.
NOTE: When it comes to the section "Pre-installed applications", you can skip that.
Please find and send the Adwcleaner "C" clean report.
In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".
Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs
Thanks.  Keep me advised.

Let me know if the IP block events have stopped.

IMPORTANT NOTES: The block event about 'ytr.email' is happening when Thunderbird is in use. The block is about an attempt outbound to reach the IP address "195.22.26.248". My guess is that there is one or more emails that have an embedded link. It is likely to be some sort of adware with a reference to that IP.

The real-time Web protection STOPS any such attempt. It is keeping the system safe from potential harm.

The Block notice does not mean that there is any sort of infection.  Matter of fact the last scan with Malwarebytes reports no malware.


Please explain "...normal balanced life"; I am not familiar with that concept....

I would click on the "Reports" if there were one, but I don't see any. I am sending you the log report; the PUP is an Amazon extension for Firefox, and is not malicious and in fact popped up a short while ago.

MWB updated. It is not registered.

I did see one block earlier today (at least I think it was today, perhaps yesterday.)

AdwCleaner[S00].txt


Thanks for the report. Did you allow Adwcleaner to Clean / remove the PUP.Optional.Legacy that it found?

You sent me the S00 report. Did you see one named Adwcleaner[C00].txt?

.

Question: When you have seen the block events on 'ytr.email', what was Thunderbird doing? Reading Email?

.

I just want to do a check to ensure that this machine has no malware.

I would like you to do a new scan with Malwarebytes for Windows. One of the major goals here is to have it remove all that it detects. If it finds anything, that is.

Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the Security tab.   Look for the section "Automatic Quarantine".   Be sure it is clicked On   ( to the far right side)

 

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for P U P & for P U M) to be set to "Always (Recommended)".

You can make the change by clicking on the down-arrow selection list-control. We want all P U P & P U M to be marked for removal.

 

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.

Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

 

Then click on Quarantine selected.

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

On your next reply, let me know a general sense of How things stand.

Regards.    🙂


  • Solution

I am very glad to know the issue of 'ytr-email' has gone away. That is what I was wanting to know. That 'reference' / that 'domain' was likely some link that was on a visited web page, or else, a link on an email that was being read.

It is just great that it has not re-appeared. So now, if your web browsers do not have the Malwarebytes Browser Guard (which does block dodgy sites) you should add it to each browser you use.

Here are tips on keeping your web browsers safer. Please make time and read all of this. Apply the tips.

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

 

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

.

For Mozilla Firefox, to get & install the Malwarebytes Browser Guard Firefox extension.

Open this link in your Firefox browser:   

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at “Change language” list drop down.


We can wrap up this case.   

Cleaning up on the tools I had you use before:

To remove the FRSTENGLISH  tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

 

Delete the downloaded file mb-support-1.80.848.exe 

Delete mbst-grab-results.zip  on the Desktop.

Any other download file I had you save, you may delete.

I am glad to have helped you.  I wish you all the best.

Sincerely,

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you


This topic is now closed to further replies.