Korean Job Discussion Forums

[Draven]

Recently I've had a program asking (through my firewall) for internet access. The program's name is test1 module and I have no idea what it is, so I denied it access. In the task manager I have a new process running called msadmin.exe, also no idea what it does. When I run msconfig and check the programs that load at start up, it's there when it wasn't before (like a couple of days ago). I disable it, but everytime I reboot, it's there again.

I googled msadmin.exe and got very few hits, one in Korean which I had my wife translate for me. She's not that computer savvy and I think something was lost in the translation. But the indication is that it's somehow virus related.

So last night I navigated to the registry entry listed in the msconfig menu and just deleted it. But this morning it was back, loading at startup.

Lastly (and I don't know if this is related or not, but I wouldn't be surprised if it was), but we're having issues with windows/msn messengers. We've configured msn messenger to load at startup and automatically connect. Window messenger, in the options menu of that program is not configured that way. But it starts anyway. So windows messenger logs in, the msn messenger starts and logs me out of windows messenger, then the reverse happens. Eventually I get and stay logged in with msn messenger. But to people in my contacts list, it shows me coming online and going offline three times in the span of a minute.

The windows messenger seems to be hidden also. It's running, but it doesn't show up in the task manager or system tray. But when I choose it from the start menu, it opens right away already running. When I sign off from windows messenger and right click to close it in the system tray, it tells me that I first must close another program that is running the program, be it msn explorer, outlook, outlook express or internet explorer. Well, we have outlook express, but don't use it; don't have outlook or msn explorer, and I can't seem to find an association with internet explorer.

We're running winxp pro, fyi. If anyone has any ideas, I'd appreciate it.

Thanks.

[barrybrown]

Yep!

You got it. Most likely by opening an attachment from an e-mail. Update your anti-virus programs and scan for viruses.

[Draven]

[Draven]

This is the "I'm still looking for help" bump.

[Giant]

Well, if your AV is up to date, then I would say go and let is access. It probably is not a problem if Nortons does not pick it up as a problem, also try running nortons in safe mode. Have you done any system updates recently? Like as in software updates from MS?

[Draven]

[Draven]

Oh yeah, one more thing. As I've been perplexed by this problem for several days, I've been trying different things. As part of the problem was parts of Windows Messenger loading when I didn't want it to, I figured "why not just get rid of it?" because I'm not using it anyway. So I did. It's gone. Yet not only is it still in the list of programs shown by my firewall, it's shown as RUNNING. Amazing. I don't even have the program, yet it's still active and running on my system.

There must be some sort of association going on that I don't know about. I know that contacts in messenger can be accessed with outlook and outlook express, but I checked and that association is disabled.

[Demophobe]

I tried to search for you, but came up with very little.

Some questions:

- Does the computer behave the same if you deny or allow the program "Test1 module" to access the net? This sounds like a virus, or some kind of trojan.

Don't forget that in Korea, all kinds of script kiddies are very active. Not always on Norton's list. Some viruses attack the msadmin function...trying for admin passwords, I believe. This function is tied to many Windows components. Why people use Internet explorer is beyond me. It open up your whole system. Mozilla rocks.

- Did you kill messenger through the administrative services menu? Don't use msconfg to kill services...the admin functions override this.

www.grc.com has a proggie called "shoot the messenger"..good stuff.

[Draven]

[Demophobe]

are you familiar with registry editing? It can really mess up your machine, so beware.

Anyways, sometimes virus programs sit here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

or in the "run once" area of the registry. This entry might also be in the

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

area of the registry. You need to locate the install sorce of this "Test1 module" and eradicate it.

The registry is the start place, but try to find all related files on the computer. Find the ".exe" of that prog and check the properties by right-clicking and looking at the bottom tab. Thius may tell you a bit about where the host folder for the program is. If you can find that, safe mode, delete, and reg edit.

Try to think of any recent software installs or anything that might have led to this little bandit showing up on your system.

In the "run" area of the registry can be liitle devils hiding that don't show up in the "msconfig" (which should be identical). If there is a strange entry there, back up the registry to your hard drive (the entire registry, not only that entry) and then delete it.

You really need to find the roots of that "test1 module". If you find it's origins, then you can probably boot into safe mode to get rid of it.

Man, I really want to help...this kind of thing is difficult to explain remotely. Not saying that I could help in person, but ....

Yeah, best not to let it access the net, though. Never know what it will do.

[wylde]

[jazblanc77]

I had this problem EXACTLY so maybe I can help you out a bit. First of all, Demo is right but this is not a virus, it is simply malware. I know because I submitted it to McAfee AVERT and they analysed it for me. Your McAfee virus scanner might pick it up on a future .dat set but it won't clean it so don't expect it to.

This is what I did: first, I used a programme called HijackThis to analyse my computer. NOTE: When you run this programme, run it from it's own folder on the C:\, NOT from the desktop or else the restore function won't work. I selected msadmin.exe and fixed it. I then rebooted into 'safe-mode' and simply deleted these files and the problem was solved. Do a search on Msadmin and you will find several files on you computer. I found one in c:\windows\system32, c:\windows\system32\1003, and c:\windows\system32\wbem if my memory serves me right. Each of the files there bore the description of 'test 1 module'. I then rebooted again and used Tuneup Utilities 2004 and Fix It Utilities 4.0M to fix/clean my registry. You can get trial versions of both for free, I believe.
This took care of the problem as far as I know.

Be VERY CAREFUL when you use HijackThis as you could do major damage to your computer if you 'fix' something that is legitimate. If you have more questions about what is legit and what is not, I would suggest posting your log on http://boards.cexx.org/viewforum.php?f=1&sid=8206eb0b9e829fd4659337a6c4f8e132.\

You should also get Spybot, Spy Sweeper, Adaware, and SpyBlaster running on your computer as they will scan/stop anything like this from running on your computer now or in the future. Oh yeah, and keep that firewall running with a block on that programme, it's the only thing saving your butt right now.

Good luck!

[Demophobe]

Good call jazblanc77...malware never even crossed my mind.

[Draven]

[Draven]