IYOGI

???
Anyone have any experience with IYOGI? They are telling me that my Avast will not work due to conflicts. Are they legit?
Thanks

They are the 3rd party support for avast. But watch out for them digging around in the event viewer and trying to tell you that you have a problem and need to purchase an annual support contract.

Personally you would be better off explaining your problem here on the forums where other avast users can try and help.

So what was the problem that you contacted them about ?

It was you who contacted them and not them who contacted you ?
As there has recently been some telephone scam where people ring you purporting to be from iYogi/Dell support, etc. that your system is reporting errors/malware, etc. etc.

Someone will have to pick up on this as it is after 4:15am here and I’m calling it a night.

Hi
I contacted IYOGI after experiencing a problem with Avast. Up to 2 days ago, Avast did not uncover any problem. Yesterday Avast interrupted an email saying it was a problem. So I deleted it and deleted the delete. Last night I ran a scan and it found the email and put it in the Chest. It also found 15 threats and they were in the log and not the chest as directed. I could not do anything with the 15 threats. I could not delete them or transfer them to the Chest. So I called the help number, which was IYOGI. The tech found ‘conflicts’ in the registry and tried to sell me a program. He said the conflicts prohibited Avast from operating normally and I should have been able to delete the threats. I did not order anything and wrote the message in the WEBForum.
He also pointed out a phantom entry in the start up list which I deleted today. This afternoon I did a boot scan and Avast did not find anything. Was it the phantom start up causing the problem?
He also put a Bomgar cleanup item in the start up which I unchecked.

What was the scan that you did, custom scan with memory scan included by any chance ?
e.g. My guess is that you are doing a Custom scan in which you have elected to scan Memory and that all these detections are in memory or are listings of files that can’t be scanned (password protected, etc.). Since they aren’t physical files they can’t be moved to the chest, deleted, etc. so there is no action that can be taken, hence the Apply button being greyed out.

The detections in memory are frequently other security applications loading unencrypted virus signatures into memory.

So if you can give some examples of the items in the list, the malware name and the type of scan you did it will help us to help you.

What other security applications do you have installed ?

@@@@
By your comment “you couldn’t do anything with them,” what do you mean ?
e.g. couldn’t move to chest/delete error message, Apply button inactive, etc.

Without knowing what the unknown startup entry was there is no way to say, but I doubt it would have been responsible for 15 threats (which is why I asked about these threats).

Yes, I did a custom scan on the c drive and included memory (I really do not know much about the pc since I am an ultra senior) so your guess was correct.

They all said the following with the ‘1A’ also being 1B, 1C, etc. and then the following threat.

Process 1768[MSMP.EXE]memory block 0x000000001A60000 block size 262144

Threat Win32:ADLOADER-AC[Trj]
Threat HTML:Script-INF
Threat Win32:Fraudload-P[Trj]

I had McAfee, Norton, Trend, & Karpinski

@@@@ yes, could not move to chest, delete, etc. and yes the APPLY button was grayed out.

See http://www.bleepingcomputer.com/startups/msmp.exe-19745.html

The msmp.exe file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

So if this was the unknown startup entry, then there is every possibility it was responsible for these elements in memory, if they also related to the msmp.exe process.

Considering this msmp.exe is “A variant of the Rbot family of worms and IRC backdoor Trojans.” You may need to do some further analysis/scanning.

Do you have a firewall ?
This would seek to circumvent your firewall by opening a backdoor into your system. However, if the startup entry was for that may have put a crimp in it.

####
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

Whilst this might seem a lot, take it a step at a time first deal with the MBAM download, scan and log report.

@@@@
Not really sure what this Bomgar Cleanup was about either, or what it is meant to clean up so I guess I wouldn’t have allowed it to run either unless they said specifically what it was going to do.

~~~~
I don’t know if you still have multiple anti-virus applications installed (not advisable) or if these were previously installed and subsequently uninstalled ?

Hi,
First I want to thank you for the help you are providing…it is appreciated.

I do have windows XP firewall and the Avast firewall in addition to a wireless router hardware firewall.
I do not have any other anti virus program installed. There are the remnants of the old ones in the registry.
I do have and run MBAM and will run it tonight once more. I have never picked up anything as yet.
I will load and run SAS after MBAM is completed.
How do I get rid of the 15 msmp.exe files in memory?
I will let you know the results of the scans.
Thanks again

By your mention of the avast firewall, I take it that you have the avast internet security application as the other versions don’t have a firewall ?

Also see http://thewebatom.net/uninstallers/security-software/, this has a collection of manufacturers’ removal tools, so that should remove any remnants, registry, etc.

You will have the msmp.exe process entries in memory as long as the msmp.exe is running. I had asked if this was the unknown startup program that was removed, as I had hoped it was and this would remove the memory entries if it was no longer running.

This was also why I suggested the other anti-spyware tools to see if they found it, as clearly avast doesn’t detect it. Try and find the msmp.exe file location on your system and send it to avast for analysis, see #### below. I would also advise uploading it to virustotal for scanning also, see ~~~~ below.

You can open Task Manager and see if the msmp.exe is listed in the running Processes, you can end the process.

Send the sample/s to avast as an Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update. Note: manually adding to the chest doesn’t remove them from the original location, so they still have to be dealt with in that location.

You could also check the offending/suspect file at: VirusTotal - a Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, post the URL in the Address bar of the VT results page.

I spent a while sending you data and the program said it was too large and deleted it all.
so:
The line in the start up menu is BLANK with no info at all. I erased it with a program called StartUpControlPanel 2.8 but when I went back to System Config it is still there.

I am afraid that I gave you the wrong file name. It is not msmp.exe, but it is msmpeng.exe
Avast still calls it a threat and I am attaching a screen shot of the Avast log.

Also the Task Manager does not list msmp.exe or msmpeng.exe

Part 2
I ran MBAM and found nothing and ran SpyBot and found nothing. I ran SAS and found 68 threats. I am sending you a screen shot of the SAS scan in 2 posts due to the size of the file. I erased these files. Also I noticed that Google Chrome is listed in many of the threats. I do not have chrome in my PC. I did have it as a beta way back when it first came out but it slowed my PC to a crawl, so I used their ‘do not want it’ erase feature.

I do have Avast Internet Security program installed in my machine as you guessed.

I do not have anything in the Chest to send as you suggested. However, I did send the msmpeng.exe file using the Virus Total scanner and have not received a response. The msmpeng.exe is in my Windows Defender program folder. Why is it creating a threat?

Part 3
Attached is more of the SAS log which I have to erase part of to meet the 200k requirement.

Also, I will be running the removal tool next to get rid of the rest of the security programs that are still in my machine.

Thanks again for all your time and help. You are teaching this old man something…

It is by far easier to copy and paste the contents of a log file, or attach the log file (just copy and paste it into notepad and save the file) than to create images to post. In the case of SAS, just open the Main window and click View Scan Logs.

Your first avast scan is nothing to worry about; when you do a Custom scan in which you have elected to scan Memory and that all these detections are in memory or are listings of files that can’t be scanned. Since they aren’t physical files they can’t be moved to the chest, deleted, etc. so there is no action that can be taken, hence the Apply button being greyed out.

The detections in memory are frequently other security applications loading unencrypted virus signatures into memory. The msmpeng.exe is Microsoft Windows Defender Antispyware and it has loaded signatures into memory.

EDIT: So if this msmp.exe that you were talking about before, is actually msmpeng.exe then you have nothing further to worry about. I would suggest that you only do Quick or Full System Scan, not a custom scan with memory scan and save yourself a whole heap of worry.

The second part of that scan, those are files in old virus definitions folders and avast is doing some housecleaning to keep the size used on the hard disk to a minimum. This just happens to have occurred between the time you started the scan and it reaching that old defs folder.

The 2nd and 3rd image - As I said cookies are nothing to worry about:

Don't worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

You aren’t actually sending anything to me, but to avast, I’m just another avast user like yourself.

You do not need Windows Defender on XP and it is best to remove it.
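
The memory-versus-file distinction explained in the post above, as an added example that is not part of the original thread: a small triage script that separates in-memory detections (nothing to move to the chest) from file detections and groups the memory hits by process. The two-line record layout follows the log lines quoted earlier in the thread; the names `triage`, `summarize`, `KNOWN_AV_PROCESSES` and the sample file path are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: scanners that keep signatures in memory; MsMpEng.exe is from this thread.
KNOWN_AV_PROCESSES = {"msmpeng.exe"}

MEM_RE = re.compile(
    r"Process\s+(?P<pid>\d+)\s*\[(?P<name>[^\]]+)\]\s*,?\s*memory block\s+"
    r"(?P<addr>0x[0-9A-Fa-f]+)\s*,?\s*block size\s+(?P<size>\d+)", re.I)
THREAT_RE = re.compile(r"Threat\s+(?P<threat>\S+)")

# Constructed sample: a location line followed by a Threat line, as in the post.
SAMPLE_LOG = "\n".join([
    "Process 1768[MsMpEng.exe]memory block 0x000000001A60000 block size 262144",
    "Threat Win32:ADLOADER-AC[Trj]",
    "Process 1768[MsMpEng.exe]memory block 0x000000001B60000 block size 262144",
    "Threat HTML:Script-INF",
    r"C:\Example\sample.bin",            # hypothetical on-disk detection
    "Threat Win32:Fraudload-P[Trj]",
])

def triage(log_text):
    """Split detections into in-memory hits (grouped by process) and files."""
    memory, files, location = defaultdict(list), [], None
    for line in filter(None, map(str.strip, log_text.splitlines())):
        threat = THREAT_RE.match(line)
        if threat is None:
            location = line              # memory block description or file path
        elif location is not None:
            mem = MEM_RE.search(location)
            if mem:
                key = (int(mem["pid"]), mem["name"].lower())
                memory[key].append((mem["addr"], int(mem["size"]), threat["threat"]))
            else:
                files.append((location, threat["threat"]))
            location = None
    return dict(memory), files

def summarize(memory, files):
    """One line per process or file saying what can be done about it."""
    notes = []
    for (pid, name), hits in sorted(memory.items()):
        kind = ("known scanner, likely loaded signatures" if name in KNOWN_AV_PROCESSES
                else "unrecognised process, find its file and rescan it")
        notes.append(f"{name} (pid {pid}): {len(hits)} memory hits; {kind}")
    notes += [f"{path}: {threat}; file on disk, can go to the chest" for path, threat in files]
    return notes

print("\n".join(summarize(*triage(SAMPLE_LOG))))
```
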

Thanks for all the help. I learned a great deal and appreciate it.
And I think I will remove Defender. I never use it with all the other programs that I have doing the same thing.
Thanks again

You’re welcome.