Diskmanager service is it a virus

Diskmanager service is it a virus ThatsIT.net.au 09-25-2008
Posted by ThatsIT.net.au on September 25, 2008, 11:46 am


I just noticed a service called diskmanager running on one of my servers.
This is not the Logical Disk Manager service.
I noticed this service because the description field had a load of garbage
characters in it.
I'm running windows 2000 SBS, I have several other machines running the same
software that do not have this service.
I cannot stop it and I can't disable it.

Has anybody heard of it?
How can I delete it?
Should I delete it?

Any ideas?

Thanks in advance


Posted by David H. Lipman on September 25, 2008, 5:07 pm



| I just noticed a service called diskmanager running on one of my servers.
| This is not the Logical Disk Manager service.
| I noticed this service because the description field had a load of garbage
| characters in it.
| I'm running windows 2000 SBS, I have several other machines running the same
| software that do not have this service.
| I cannot stop it and I can't disable it.

| Has anybody heard of it?
| How can I delete it?
| Should I delete it?

| Any ideas?

| Thanks in advance


Please provide more details.

The name of the NT Service
A description if provided
Any dependencies
The fully qualified name and path to the executable/driver and load-time switch
parameters
Any other information you can see and provide.

Can you stop the NT Service?

Can you copy the executable or driver (*.EXE or *.SYS) file?

If you can...

Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Posted by ThatsIT.net.au on September 25, 2008, 8:21 pm



>
> | I just noticed a service called diskmanager running on one of my
> servers.
> | This is not the Logical Disk Manager service.
> | I noticed this service because the description field had a load of
> garbage
> | characters in it.
> | I'm running windows 2000 SBS, I have several other machines running the
> same
> | software that do not have this service.
> | I cannot stop it and I can't disable it.
>
> | Has anybody heard of it?
> | How can I delete it?
> | Should I delete it?
>
> | Any ideas?
>
> | Thanks in advance
>
>
> Please provide more details.
>
> The name of the NT Service

Diskmanager

> A description if provided

The description is garbage, like "@#!%@#$^#&$%&%$&^#$%&#$&"

> Any dependencies
None

> The fully qualified name and path to the executable/driver and load-time
> switch parameters

C:\WINNT\system32\svchost.exe -k DiskManager

> Any other information you can see and provide.
>
> Can you stop the NT Service?

No, cannot disable it either; it just returns to Auto.


>
> Can you copy the executable or driver (*.EXE or *.SYS) file?
>
> If you can...
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors'
> scanners.
> That will give you an idea what it is and who recognizes it. In addition
> Virus
> Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email
> URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>

I saved a copy of the page; you can see it here. Looks OK.
http://www.thatsit.net.au/test/scan.htm

Antivirus Version Last Update Result
AhnLab-V3 2008.9.25.0 2008.09.24 -
AntiVir 7.8.1.34 2008.09.24 -
Authentium 5.1.0.4 2008.09.24 -
Avast 4.8.1195.0 2008.09.24 -
AVG 8.0.0.161 2008.09.24 -
BitDefender 7.2 2008.09.24 -
CAT-QuickHeal 9.50 2008.09.24 -
ClamAV 0.93.1 2008.09.24 -
DrWeb 4.44.0.09170 2008.09.25 -
eSafe 7.0.17.0 2008.09.24 -
eTrust-Vet 31.6.6105 2008.09.24 -
Ewido 4.0 2008.09.24 -
F-Prot 4.4.4.56 2008.09.25 -
F-Secure 8.0.14332.0 2008.09.24 -
Fortinet 3.113.0.0 2008.09.23 -
GData 19 2008.09.24 -
Ikarus T3.1.1.34.0 2008.09.24 -
K7AntiVirus 7.10.470 2008.09.24 -
Kaspersky 7.0.0.125 2008.09.25 -
McAfee 5391 2008.09.24 -
Microsoft 1.3903 2008.09.24 -
NOD32 3469 2008.09.24 -
Norman 5.80.02 2008.09.24 -
Panda 9.0.0.4 2008.09.24 -
PCTools 4.4.2.0 2008.09.24 -
Prevx1 V2 2008.09.25 -
Rising 20.63.22.00 2008.09.24 -
Sophos 4.33.0 2008.09.24 -
Sunbelt 3.1.1668.1 2008.09.24 -
Symantec 10 2008.09.24 -
TheHacker 6.3.0.9.092 2008.09.24 -
TrendMicro 8.700.0.1004 2008.09.24 -
VBA32 3.12.8.6 2008.09.25 -
ViRobot 2008.9.24.1390 2008.09.24 -
VirusBuster 4.5.11.0 2008.09.24 -
Webwasher-Gateway 6.6.2 2008.09.24 -
Additional information
File size: 7952 bytes
MD5...: 9e64ad53cfd9da2d22e8a924f8c6e62c
SHA1..: a225e6e600f276eb30fc34ec370555550bcc0056
SHA256: ba8ce5fe8c2a408c832180bc549c5d73c21ae3b31e6e4cb95a8dbb2fedacd8d1
SHA512: db77316376e75c9a664bbd042569c4127a4022a9423212f39aac31c84844fc653000754a7f9ec016ce60c93880fe28ba13d15dabcd78979a5b18712f690b7732
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10010b8
timedatestamp.....: 0x3814ad86 (Mon Oct 25 19:20:38 1999)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x14a8 0x1600 5.91 891d4157da2257e9285ff5448b0e9ea4
.data 0x3000 0x30 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x4000 0x3e0 0x400 3.30 7908b14c43d9558d0e92520bd61a0cfa

( 5 imports )
> ADVAPI32.DLL: SetSecurityDescriptorGroup, SetSecurityDescriptorOwner,
> SetSecurityDescriptorDacl, InitializeSecurityDescriptor,
> GetTokenInformation, OpenProcessToken, OpenThreadToken, RegCloseKey,
> RegOpenKeyExW, StartServiceCtrlDispatcherW, RegQueryValueExW
> KERNEL32.DLL: GetLastError, WriteFile, GetStdHandle, HeapAlloc, HeapFree,
> OutputDebugStringA, WideCharToMultiByte, lstrlenW, GetCurrentProcess,
> GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection,
> lstrcmpW, EnterCriticalSection, lstrcpyW, ExpandEnvironmentStringsW,
> lstrcmpiW, GetCommandLineW, ExitProcess, InitializeCriticalSection,
> GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter
> OLE32.DLL: CoInitializeEx, CoInitializeSecurity
> NTDLL.DLL: DbgPrint, NtQueryInformationThread
> USER32.DLL: CharLowerW, wvsprintfA

( 0 exports )

ThreatExpert info:
http://www.threatexpert.com/report.aspx?md5=9e64ad53cfd9da2d22e8a924f8c6e62c



>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>


Posted by David H. Lipman on September 25, 2008, 11:01 pm





>> | I just noticed a service called diskmanager running on one of my
>> servers.
>> | This is not the Logical Disk Manager service.
>> | I noticed this service because the description field had a load of
>> garbage
>> | characters in it.
>> | I'm running windows 2000 SBS, I have several other machines running the
>> same
>> | software that do not have this service.
>> | I cannot stop it and I can't disable it.

>> | Has anybody heard of it?
>> | How can I delete it?
>> | Should I delete it?

>> | Any ideas?

>> | Thanks in advance


>> Please provide more details.

>> The name of the NT Service

| Diskmanager

>> A description if provided

| The description is garbage, like "@#!%@#$^#&$%&%$&^#$%&#$&"

>> Any dependencies
| None

>> The fully qualified name and path to the executable/driver and load-time
>> switch parameters

| C:\WINNT\system32\svchost.exe -k DiskManager

>> Any other information you can see and provide.

>> Can you stop the NT Service?

| No, cannot disable it either; it just returns to Auto.



>> Can you copy the executable or driver (*.EXE or *.SYS) file?

>> If you can...

>> Please submit a sample to Virus Total --
>> http://www.virustotal.com/flash/index_en.html
>> The submission will then be tested against many different AV vendors'
>> scanners.
>> That will give you an idea what it is and who recognizes it. In addition
>> Virus
>> Total will provide the sample to all participating vendors.

>> You can also submit a suspect, one at a time, via the following email
>> URL...
>> mailto:scan@virustotal.com?subject=SCAN

>> When you get the report, please post back the exact results.

OK. As I thought, this isn't good, as it looks like a rootkit. I didn't know
for sure, so I asked some peers.

I was given the following information...

'svchost -k DiskManager' is used instead of a standard Windows service group such
as 'svchost -k netsvcs' to make svchost "act as a container" for a given malware
process. What you have may look like what you can see at the following URL...

http://www.antidu.cn/html/1/2008/3/antidu_2008317102025.html

Please post all of the above in the expert forum below, where you can get expert
assistance.

http://www.thespykiller.co.uk/index.php?board=3.0
NOTE: Registration is REQUIRED in the forum before posting.

Note in your post that I sent you there.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
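Why the VirusTotal result above came back clean, and what to scan instead, with an added example that is not part of the original thread. `svchost.exe -k <group>` is a generic host process: it reads the REG_MULTI_SZ value named `<group>` under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to learn which services it hosts, and for each of them loads the DLL named by HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters\ServiceDll. The file at the service's ImagePath is therefore Windows' own svchost.exe, which is the file that was hashed and submitted; the code that actually runs is the ServiceDll, and that is the file to copy, hash and submit. The script below was written for this page (not by either poster) and parses `reg query` output captured from the suspect host (the column format of reg query on current Windows is assumed), resolves every svchost-hosted service to its group and ServiceDll, and flags the things a peer would ask about: a group that does not exist on a clean baseline machine, a service not listed in its group, a missing ServiceDll, a DLL outside system32, and a Description with no letters in it. The registry text, the baseline list and the file name dskmgr32.dll are constructed for the example.

```python
r"""svchost -k triage: map an svchost-hosted service to the DLL it really loads.

Added example for this thread, not code from the original posts. Input is the
text output of `reg query` for HKLM\...\CurrentVersion\Svchost and for
HKLM\SYSTEM\CurrentControlSet\Services /s. The sample is constructed: the
DiskManager entries mirror the thread; dskmgr32.dll is a hypothetical name."""
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

# Constructed `reg query` output: 4-space columns, "\0" between REG_MULTI_SZ
# elements. Netman is an ordinary netsvcs member included for comparison.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    netsvcs    REG_MULTI_SZ    EventSystem\0Netman\0Rasman\0SENS\0Tapisrv
    DiskManager    REG_MULTI_SZ    DiskManager

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman
    Description    REG_SZ    Manages network and dial-up connections.
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\netman.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiskManager
    Description    REG_SZ    @#!%@#$^#&$%&%$&^#$%&#$&
    ImagePath    REG_EXPAND_SZ    C:\WINNT\system32\svchost.exe -k DiskManager

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiskManager\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\WINNT\system32\dskmgr32.dll
"""
# Group names from the same query on one of the poster's clean peer machines
# (constructed here); a group that is not in this set deserves a close look.
BASELINE_GROUPS = ["netsvcs", "rpcss"]


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}}; REG_MULTI_SZ -> list."""
    keys, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("HKEY_"):
            current = raw.strip()
            keys.setdefault(current, {})
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if current is None or len(parts) < 2:
            continue  # blank line or something that is not "name  type  data"
        data = parts[2] if len(parts) == 3 else ""
        if parts[1] == "REG_MULTI_SZ":
            data = [s for s in data.split(r"\0") if s]
        keys[current][parts[0]] = (parts[1], data)
    return keys


def triage_svchost_services(reg_text, baseline_groups, system_root=r"C:\WINNT"):
    """For each service started as svchost.exe -k <group>, resolve group and ServiceDll."""
    keys = parse_reg_query(reg_text)
    groups = {n.lower(): [s.lower() for s in d] for n, (t, d)
              in keys.get(SVCHOST_KEY, {}).items() if t == "REG_MULTI_SZ"}
    baseline = {g.lower() for g in baseline_groups}
    depth = SERVICES_KEY.count("\\") + 1  # HKLM\...\Services\<name>, not \Parameters
    report = {}
    for key, values in keys.items():
        if not key.startswith(SERVICES_KEY + "\\") or key.count("\\") != depth:
            continue
        m = SVCHOST_RE.search(values.get("ImagePath", ("", ""))[1])
        if not m:
            continue  # not hosted by svchost, out of scope here
        svc, group, findings = key.rsplit("\\", 1)[1], m.group(1), []
        members = groups.get(group.lower())
        if members is None:
            findings.append(f"group '{group}' has no value under the Svchost key")
        elif svc.lower() not in members:
            findings.append(f"service is not listed in group '{group}'")
        if group.lower() not in baseline:
            findings.append(f"group '{group}' is absent from the clean baseline host")
        dll = keys.get(key + "\\Parameters", {}).get("ServiceDll", (None, None))[1]
        if dll is None:
            findings.append("no Parameters\\ServiceDll: svchost would have nothing to load")
        else:
            # lambda avoids backslash-escape processing of the replacement text
            dll = re.sub("%SystemRoot%", lambda _: system_root, dll, flags=re.IGNORECASE)
            if not dll.lower().startswith((system_root + "\\system32\\").lower()):
                findings.append(f"ServiceDll outside system32: {dll}")
        desc = values.get("Description", ("", ""))[1]
        if desc and not re.search("[A-Za-z]", desc):
            findings.append("Description has no letters at all (garbage text)")
        report[svc] = {"group": group, "dll": dll, "findings": findings}
    return report


def files_to_submit(report):
    """svchost.exe scans clean; the ServiceDll of each flagged service is what to hash and submit."""
    return {svc: r["dll"] for svc, r in report.items() if r["findings"]}


if __name__ == "__main__":
    rep = triage_svchost_services(SAMPLE_REG_QUERY, BASELINE_GROUPS)
    for svc, r in rep.items():
        print(f"{svc}: group={r['group']} dll={r['dll']} findings={r['findings']}")
    print("submit:", files_to_submit(rep))
```

On the constructed input the Netman service passes every check, while DiskManager is flagged for a group the clean peer machines do not have and for a letterless Description; its ServiceDll sits inside system32, which is exactly why the path check alone is not a verdict. The DLL path is the artifact to hash and upload; a clean result for svchost.exe says nothing about it.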


