ThatsIT.net.au, posted September 25, 2008

I just noticed a service called diskmanager running on one of my servers.
This is not the logical diskmanager service.
I noticed this service because the description field had a load of garbage characters in it.
I'm running Windows 2000 SBS; I have several other machines running the same software that do not have this service.
I can not stop it and I can't disable it.

Has anybody heard of it?
How can I delete it?
Should I delete it?

Any ideas?

Thanks in advance
David H. Lipman, posted September 25, 2008

From: "ThatsIT.net.au" <me@work>

| I just noticed a service called diskmanager running on one of my servers.
| This is not the logical diskmanager service.
| I noticed this service because the description field had a load of garbage
| characters in it.
| I'm running windows 2000 SBS, I have several other machines running the same
| software that do not have this service.
| I can not stop it and I can't disable it.
| Has anybody heard of it?
| How can I delete it?
| Should I delete it?
| Any ideas?
| Thanks in advance

Please provide more details.

The name of the NT Service
A description if provided
Any dependencies
The fully qualified name and path to the executable/driver and load time switch parameters
Any other information you can see and provide.

Can you stop the NT Service ?

Can you copy the executable or driver ( .EXE or .SYS) file ?

If you can...

Please submit a sample to Virus Total -- http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
ThatsIT.net.au, posted September 26, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:enUm6K1HJHA.4816@TK2MSFTNGP06.phx.gbl...

> Please provide more details.
>
> The name of the NT Service

Diskmanager

> A description if provided

the description is garbage like "@#!%@#$^#&$%&%$&^#$%$&"

> Any dependencies

None

> The fully qualified name and path to the executable/driver and load time
> switch parameters

C:\WINNT\system32\svchost.exe -k DiskManager

> Any other information you can see and provide.
>
> Can you stop the NT Service ?

No, can not disable it either, just returns to auto

> Can you copy the executable or driver ( .EXE or .SYS) file ?
>
> If you can...
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
>
> When you get the report, please post back the exact results.

I saved a copy of the page; you can see it here, looks ok
http://www.thatsit.net.au/test/scan.htm

Antivirus          Version          Last Update  Result
AhnLab-V3          2008.9.25.0      2008.09.24   -
AntiVir            7.8.1.34         2008.09.24   -
Authentium         5.1.0.4          2008.09.24   -
Avast              4.8.1195.0       2008.09.24   -
AVG                8.0.0.161        2008.09.24   -
BitDefender        7.2              2008.09.24   -
CAT-QuickHeal      9.50             2008.09.24   -
ClamAV             0.93.1           2008.09.24   -
DrWeb              4.44.0.09170     2008.09.25   -
eSafe              7.0.17.0         2008.09.24   -
eTrust-Vet         31.6.6105        2008.09.24   -
Ewido              4.0              2008.09.24   -
F-Prot             4.4.4.56         2008.09.25   -
F-Secure           8.0.14332.0      2008.09.24   -
Fortinet           3.113.0.0        2008.09.23   -
GData              19               2008.09.24   -
Ikarus             T3.1.1.34.0      2008.09.24   -
K7AntiVirus        7.10.470         2008.09.24   -
Kaspersky          7.0.0.125        2008.09.25   -
McAfee             5391             2008.09.24   -
Microsoft          1.3903           2008.09.24   -
NOD32              3469             2008.09.24   -
Norman             5.80.02          2008.09.24   -
Panda              9.0.0.4          2008.09.24   -
PCTools            4.4.2.0          2008.09.24   -
Prevx1             V2               2008.09.25   -
Rising             20.63.22.00      2008.09.24   -
Sophos             4.33.0           2008.09.24   -
Sunbelt            3.1.1668.1       2008.09.24   -
Symantec           10               2008.09.24   -
TheHacker          6.3.0.9.092      2008.09.24   -
TrendMicro         8.700.0.1004     2008.09.24   -
VBA32              3.12.8.6         2008.09.25   -
ViRobot            2008.9.24.1390   2008.09.24   -
VirusBuster        4.5.11.0         2008.09.24   -
Webwasher-Gateway  6.6.2            2008.09.24   -

Additional information
File size: 7952 bytes
MD5...: 9e64ad53cfd9da2d22e8a924f8c6e62c
SHA1..: a225e6e600f276eb30fc34ec370555550bcc0056
SHA256: ba8ce5fe8c2a408c832180bc549c5d73c21ae3b31e6e4cb95a8dbb2fedacd8d1
SHA512: db77316376e75c9a664bbd042569c4127a4022a9423212f39aac31c84844fc653000754a7f9ec016ce60c93880fe28ba13d15dabcd78979a5b18712f690b7732
PEiD..: -
TrID..: File type identification
  Win32 Executable Generic (42.3%)
  Win32 Dynamic Link Library (generic) (37.6%)
  Generic Win/DOS Executable (9.9%)
  DOS Executable Generic (9.9%)
  Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
  ( base data )
  entrypointaddress.: 0x10010b8
  timedatestamp.....: 0x3814ad86 (Mon Oct 25 19:20:38 1999)
  machinetype.......: 0x14c (I386)

  ( 3 sections )
  name    viradd  virsiz  rawdsiz  ntrpy  md5
  ..text  0x1000  0x14a8  0x1600   5.91   891d4157da2257e9285ff5448b0e9ea4
  ..data  0x3000  0x30    0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
  ..rsrc  0x4000  0x3e0   0x400    3.30   7908b14c43d9558d0e92520bd61a0cfa

  ( 5 imports )
  ADVAPI32.DLL: SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW, RegQueryValueExW
  KERNEL32.DLL: GetLastError, WriteFile, GetStdHandle, HeapAlloc, HeapFree, OutputDebugStringA, WideCharToMultiByte, lstrlenW, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, lstrcmpW, EnterCriticalSection, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, GetCommandLineW, ExitProcess, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter
  OLE32.DLL: CoInitializeEx, CoInitializeSecurity
  NTDLL.DLL: DbgPrint, NtQueryInformationThread
  USER32.DLL: CharLowerW, wvsprintfA

  ( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md...2e8a924f8c6e62c
David H. Lipman, posted September 26, 2008

From: "ThatsIT.net.au" <me@work>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:enUm6K1HJHA.4816@TK2MSFTNGP06.phx.gbl...

>> The name of the NT Service
| Diskmanager
>> A description if provided
| the description is garbage like "@#!%@#$^#&$%&%$&^#$%$&"
>> Any dependencies
| None
>> The fully qualified name and path to the executable/driver and load time
>> switch parameters
| C:\WINNT\system32\svchost.exe -k DiskManager
>> Can you stop the NT Service ?
| No, can not disable it either, just returns to auto

OK. As I thought, this isn't good as it looks like a RootKit.

I didn't know for sure so I asked some peers. I was given the following information...

'svchost -k DiskManager' is used instead of the standard windows service such as 'svchost -k netsvcs' to cause svchost to "act as a container" for a given malware process.

What you have may look like what you can see in the following URL...
http://www.antidu.cn/html/1/2008/3/antidu_2008317102025.html

Please post all the above in the below expert forum where you can get expert assistance.
http://www.thespykiller.co.uk/index.php?board=3.0

NOTE: Registration is REQUIRED in the forum before posting. Note in your post that I sent you there.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
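An added defender-side check, not code from the thread or from either poster, that surfaces the pattern discussed above: services launched as "svchost.exe -k <group>" whose group is not registered under the Svchost key, whose name is not listed in that group, whose description is garbage, or whose ServiceDll does not resolve to a file under the Windows directory. It is PowerShell and so assumes a Windows version that ships it rather than the Windows 2000 SBS host in the thread; the registry locations are the standard ones and the checks themselves are the author's, not a documented Microsoft procedure.

```powershell
# Added example (not from the thread): audit services hosted by svchost.exe.
# svchost.exe is only a host; the code a hosted service really runs is the
# DLL named by its Parameters\ServiceDll value, and the "-k <group>" on the
# command line must name a group registered under the Svchost key.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groupsKey  = Get-Item -Path $svchostKey
$groupNames = $groupsKey.Property                   # e.g. netsvcs, LocalService
$services   = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

foreach ($svcKey in $services) {
    $svc = Get-ItemProperty -Path $svcKey.PSPath -ErrorAction SilentlyContinue
    if (-not $svc -or -not $svc.ImagePath) { continue }
    # Only services launched through svchost.exe with a -k group are of interest
    if (-not ($svc.ImagePath -match 'svchost\.exe.*-k\s+"?([^\s"]+)')) { continue }
    $group    = $Matches[1]
    $name     = $svcKey.PSChildName
    $findings = @()

    # 1. The -k group must be registered, and this service must be listed in it
    if ($groupNames -notcontains $group) {
        $findings += "group '$group' is not registered under the Svchost key"
    } elseif (@($groupsKey.GetValue($group)) -notcontains $name) {
        $findings += "service is not a member of the '$group' group"
    }

    # 2. A display name or description with no letters or digits at all (the
    #    thread's "@#!%@#$^#&$%..." description) is worth a look
    foreach ($field in 'DisplayName', 'Description') {
        $text = [string]$svc.$field
        if ($text -and $text -match '^[^A-Za-z0-9]*$') {
            $findings += "$field is garbage: $text"
        }
    }

    # 3. The ServiceDll must exist and should live under %SystemRoot%
    $params = Get-ItemProperty -Path "$($svcKey.PSPath)\Parameters" -ErrorAction SilentlyContinue
    $dll = if ($params -and $params.ServiceDll) {
        [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
    } else { '' }
    if (-not $dll) {
        $findings += 'no Parameters\ServiceDll value'
    } elseif (-not (Test-Path -LiteralPath $dll)) {
        $findings += "ServiceDll is missing on disk: $dll"
    } elseif ($dll -notlike "$env:SystemRoot\*") {
        $findings += "ServiceDll is outside the Windows directory: $dll"
    }

    if ($findings.Count -gt 0) {
        "$name  ($($svc.ImagePath))"
        $findings | ForEach-Object { "    - $_" }
    }
}
```

The DLL path this prints is the file to submit to a multi-scanner, since uploading svchost.exe itself, as happened in the thread, only tests the host binary and says nothing about the service code it loads.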