RetiredChief Posted November 3, 2020 ID:1418300

This is a copy of the message I posted in the general forum, which elicited a reply to post various files in this forum:

"I am starting here, as I really don't know what this is about. Perhaps a false positive, perhaps a non-false, perhaps something else.

"Starting several weeks ago, Malwarebytes started blocking ytr.email. A search of my computer found that in Firefox.exe, but a search on-line found no relevant information. I did find that ytr.com itself is blocked by MWB, which may in fact be a correct blocking, but if not, then perhaps a post in the false positive module would be appropriate.

"There was then a period of perhaps two weeks with no MWB blocking, and the computer search did not turn up anything, so I surmised that whatever ytr.email might be had gone away, only to have it reappear yesterday, but now in Thunderbird.exe rather than in Firefox.exe. Adding further to the curious nature of this, the computer search still does find any such entry. It has arisen once so far today.

"Thus, I think you can understand why I started in this forum, given that I cannot find out what ytr.email on my computer is nor where it comes from, nor much of anything else. That led me to start here, to see if anyone knows about or can find anything about this oddity."

This is in response to the above text. FRST.txt

Three files uploaded, but one log file is a .json, not a permissible file type, so instructions for that requested. Not at all sure what has caused one link in wrong place, another expanded, but then not being sure is a specialty....

Addition.txt
MBAMSERVICE.LOG https://forums.malwarebytes.com/applications/core/interface/file/attachment.php?id=310967
MBAMSERVICE.LOG
Maurice Naggar Posted November 3, 2020 ID:1418303

Hi, My name is Maurice. I will be helping and guiding you, going forward on this case. Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not do any changes on your own without first checking with me. Please only just attach all report files, etc. that I ask for as we go along.

I would appreciate getting some key details from this machine in order to help you forward.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system. Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool
Once the file is downloaded, open your Downloads folder/location of the downloaded file
Double-click mb-support-1.80.848.exe to run the report
Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".
You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"
You will be presented with a page stating, "Get Started!" Do NOT use the button "Start repair"! But look instead at the far-left options list in black.
Click the Advanced tab on the left column
Click the Gather Logs button
A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.
Please attach the ZIP file in your next reply.

Please know I help here as a volunteer, and that I am not on 24 x 7. Help on this forum is one to one.

Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into main body.

Thank you, Sincerely.
RetiredChief Posted November 4, 2020 Author ID:1418421

First name John is fine.

Please permit me to tease you a little bit: You state that, as a volunteer, you are not on 24 x 7. I am not sympathetic: As a volunteer firefighter and volunteer fire chief, I was for many years *always* "on", as it were. I am not sure that my wife has ever quite understood why I left the house one Christmas morning to respond to an emergency, with a boy no more than six years old in the house enjoying his special day, but as volunteer fire chief I had no choice.

mbst-grab-results.zip
Maurice Naggar Posted November 4, 2020 ID:1418462

Hi, John. All first responders are to be hailed and praised. Especially these days. Most especially the fire medics and all medical folks.

Just so you know, I include my blurb only because some folks have presumptions as to how soon they may get a reply here on this board. We all need a normal balanced life. (Though you would be surprised to notice that most of the volunteer helpers on this board help out 7 days a week, every week, as a regular practice, all unpaid).

Thanks for the zip report file.

The first thing I would like you to do is to make real sure to do an Update run with Malwarebytes so that the Malwarebytes for Windows gets updated to Version 4.2.2

Start Malwarebytes. Click Settings (gear) icon.
Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
Now, click the tab marked GENERAL. Look for the button marked "Check for Updates" and click it.
Be sure to follow all prompts. Let's be sure it is up-to-date. That will hopefully ensure that the program has the very latest Component Update.
Close Malwarebytes when done.

I would suggest to download, Save, and then run Malwarebytes ADWCLEANER. (Just be sure that Thunderbird is closed when you run this.)

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan. Adwcleaner detects factory Preinstalled applications too!

Please download Malwarebytes AdwCleaner https://downloads.malwarebytes.com/file/adwcleaner
Be sure to Save the file first, to your system. Saving to the Downloads folder should be the default on your system.
Go to the folder where you saved Adwcleaner. Double click Adwcleaner to start it.
At the prompt for license agreement, review and then click on I agree.
You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows, so you can see Adwcleaner.)
Then click on Dashboard button.
Click the blue button "Scan Now". Allow it a few minutes to finish the Scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report. In Adwcleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean". Double Click that line & it will open in Notepad. Save the file to your system and then Attach that with your reply. That C clean report will be the one with the most recent Date and time at folder C:\AdwCleaner\Logs

Thanks. Keep me advised. Let me know if the IP block events have stopped.

IMPORTANT NOTES: The block event about 'ytr.email' is happening when Thunderbird is in use. The block is about an attempt outbound to reach the IP address "195.22.26.248". My guess is that there is one or more emails that have an embedded link. It is likely to be some sort of adware with a reference to that IP. The real-time Web protection STOPS any such attempt. It is keeping the system safe from potential harm. The Block notice does not mean that there is any sort of infection. Matter of fact, the last scan with Malwarebytes reports no malware.
RetiredChief Posted November 4, 2020 Author ID:1418498

Please explain "...normal balanced life"; I am not familiar with that concept....

I would click on the "Reports" if there were one, but I don't see any. I am sending you the log report; the PUP is an Amazon extension for Firefox, and is not malicious and in fact popped up a short while ago.

MWB updated. It is not registered. I did see one block earlier today (at least I think it was today, perhaps yesterday.)

AdwCleaner[S00].txt
Maurice Naggar Posted November 5, 2020 ID:1418571

Thanks for the report. Did you allow Adwcleaner to Clean / remove the PUP.Optional.Legacy that it found? You sent me the S00 report. Did you see one named Adwcleaner[C00].txt?

Question: When you have seen the block events on 'ytr.email' what was Thunderbird doing? Reading Email ???

I just want to do a check to ensure that this machine has no malware. I would like you to do a new scan with Malwarebytes for Windows. One of the major goals here is to have it remove all that it detects. If it finds anything that is.

Start Malwarebytes from the Windows Start menu.
Click Settings (gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab. Look for the section "Automatic Quarantine". Be sure it is clicked On (to the far right side).
Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for P U P & for P U M) to be set to "Always (Recommended)". You can make the change by clicking on the down-arrow selection list-control. We want all P U P & P U M to be marked for removal.
Next, click the small x on the Settings line to go to the main Malwarebytes Window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical. You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).
Then click on Quarantine selected.
Then, locate the Scan run report; export out a copy; & then attach in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

On your next reply, let me know a general sense of How things stand.

Regards. 🙂
Maurice Naggar Posted November 12, 2020 ID:1420396

Good morning. How is it going? I have not heard from you in several days.
RetiredChief Posted November 12, 2020 Author ID:1420419

I appreciate your continuing to watch this thread.

Please define "it"....As I have had nothing to report, that is what I have not reported. Maybe that is an "it".

Seriously, ytr.email has disappeared. I may never know what it was, where it came from, nor where it went.
Solution Maurice Naggar Posted November 12, 2020 ID:1420427

I am very glad to know the issue of 'ytr-email' has gone away. That is what I was wanting to know. That 'reference' / that 'domain' was likely some link that was on a visited web page, or else, a link on an email that was being read. It is just great that it has not re-appeared.

So now, if your web browsers do not have the Malwarebytes Browser Guard (which does block dodgy sites) you should add it to each browser you use.

Here are tips on keeping your web browsers safer. Please make time and read all of this. Apply the tips.

See this article on our Malwarebytes Blog https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera. Scroll down to the tips section "How do I disable them".

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser guard for Chrome. To get & install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee Then proceed with the setup.

For Mozilla Firefox, to get & install the Malwarebytes Browser Guard Firefox extension, open this link in your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/ Then proceed with the setup. That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at "Change language" list drop down.
Maurice Naggar Posted November 13, 2020 ID:1420619

We can wrap up this case. Cleaning up on the tools I had you use before:

To remove the FRSTENGLISH tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.
Delete the downloaded file mb-support-1.80.848.exe
Delete mbst-grab-results.zip on the Desktop.
Any other download file I had you save, you may delete.

I am glad to have helped you. I wish you all the best.

Sincerely, Maurice
Maurice Naggar Posted November 13, 2020 ID:1420620

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you