Wilders Security Forums  

#1
January 9th, 2007, 04:10 PM
Storm (Infrequent Poster; Join Date: Nov 2003; Posts: 42)
CH alerts on new System Mechanic V7

Hi there!

Shortly after the installation of the new System Mechanic V7, Cyberhawk jumped in my face, alerting me that the System Mechanic service (IOLODMVSVC.EXE) was hiding itself from Task Manager.

The CH log says: "Process hidden", "Thread injected into another program" and "Data injected into another program".

I've confirmed CH's suspicion with Rootkit Unhooker. Indeed the service is "hidden from Windows API".

What could be the reason to use such techniques in a simple system utilities suite?


Andreas

edit: added some more information

Last edited by Storm : January 9th, 2007 at 04:26 PM.
#2
January 14th, 2007, 08:11 PM
PassMark (Infrequent Poster; Join Date: Jan 2007; Posts: 5)
System Mechanic V7 Endless loop - 100% CPU

We have also seen problems with System Mechanic 7. It is stopping programs from starting. From what we can see, the cause of the problem seems to be that System Mechanic 7 contains a Windows service called iolo DMV Service (IOLODMVSVC.EXE). This service starts itself when Windows boots up.

Once started, this iolo DMV Service seems to be inserting code into other processes, causing them to endlessly loop, using up 100% of the CPU.

We have detailed these problems with System Mechanic 7 and the iolo DMV Service in our forum.

Even after you uninstall System Mechanic 7, iolo leaves this DMV Service running on your system. If anyone has details of what this service should be doing, that would be helpful. I assume it has some real function and doesn't exist just to make my life miserable.
#3
January 15th, 2007, 12:56 AM
nick s (Very Frequent Poster; Join Date: Nov 2002; Posts: 1,426)
Re: CH alerts on new System Mechanic V7

Hi,

Looks like ioloDMVSvc.exe is loading mchlnjDrv.sys (Madshi) which, in turn, permits the injection of ioloHL.dll. I've seen Madshi user-mode hooking utilized by various security and system maintenance apps... and some malware as well. In my experience, it does seem to weigh heavily on system performance (CPU usage) depending on what other apps you run.

When I set the DMVS service to start manually and removed the \Run autostart entry, System Mechanic did not complain (although I did not test all of its features). For me, it uninstalled cleanly.

Nick
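An audit of the artifacts Nick names (service, hooking driver, injected DLL, Run autostart entry) and his mitigation of setting the service to manual start, as an added PowerShell example that is not code from the thread, from iolo or from PassMark. The file names come from the post; matching Run-key values on the string 'iolo' is an assumption, and changing the service requires an elevated prompt.

```powershell
# Added example (not code from the thread, from iolo or from PassMark): audits a
# Windows host for the artifacts named in the thread and, optionally, applies the
# mitigation of setting the service to manual start. File names are taken from
# the thread; the Run-key match on 'iolo' is an assumption about the entry value.
param([switch]$Apply)   # -Apply actually changes the service (run elevated)

$ServiceExe = 'ioloDMVSvc.exe'
$Driver     = 'mchlnjDrv.sys'
$HookDll    = 'ioloHL.dll'

# 1. The service: present? running? auto-start?
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match [regex]::Escape($ServiceExe) }
$svc | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 2. The kernel hooking driver the service loads: installed and running?
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match [regex]::Escape($Driver) } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 3. Processes that have the hook DLL mapped: direct evidence of injection.
Get-Process | ForEach-Object {
    try {
        if ($_.Modules.ModuleName -contains $HookDll) { $_ }
    } catch { }   # protected or other-bitness processes may refuse module enumeration
} | Select-Object Id, ProcessName | Format-Table -AutoSize

# 4. Per-user and per-machine Run keys that restart the application at logon.
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'iolo' } |
            ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

# 5. Mitigation from the post: stop the service and set it to Manual so it no
#    longer loads the driver at boot. Only done when -Apply is given.
if ($Apply -and $svc) {
    foreach ($s in $svc) {
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Manual
        "Set $($s.Name) to Manual start"
    }
}
```

Run without -Apply first to see what is present; step 3 is the part that confirms the injection CH reported, since a hook DLL mapped into unrelated processes is what the "Thread injected" and "Data injected" alerts describe.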
#4
January 15th, 2007, 06:54 AM
Storm (Infrequent Poster; Join Date: Nov 2003; Posts: 42)
Re: CH alerts on new System Mechanic V7

Hi!

As I wrote in my first post, this service not only does DLL injection, but it actively hides itself from Windows APIs (i.e. it is invisible in Task Manager).

If they are really using madshi now, I have to consider demanding a refund...
I have only had bad experiences with programs using madshi.

I am not sure if this might be a false positive, but Spycop identified the service as a keylogger (Perfect Keylogger or something similar).

About a week ago I wrote a message to iolo support asking about the rootkit behaviour of their system service... no answer so far...

Greets
Andreas
#5
January 15th, 2007, 07:52 PM
PassMark (Infrequent Poster; Join Date: Jan 2007; Posts: 5)
Re: CH alerts on new System Mechanic V7

We also tried to contact iolo support, but have only got their automated canned reply so far. :-(

Even if System Mechanic 7 worked without errors (and it doesn't), you might still want your money back, as their support is pretty poor.
#6
February 1st, 2007, 10:21 PM
IanUSA (Infrequent Poster; Join Date: Feb 2007; Posts: 1)
Re: CH alerts on new System Mechanic V7

It prevents my Norton AV 2006 from using LiveUpdate. The error number on the Symantec web site states that LiveUpdate is corrupted. There is a tool to repair it; however, it happened again. This time the error message stated that all Norton products had to be removed and then re-installed. I only considered Sys Mech 7 after I uninstalled and re-installed NAV 2006. I noticed a big difference after I shut down/disabled the ioloDMVSvc.exe service and the application start-up process.

In addition, I also noticed the high CPU usage initially after bootup that runs for a couple of minutes before it settles down. My wireless connection has also been affected. I have a 54-Mbps wireless-G NIC. My connection speed goes all over the place: 54 to 36 to 24 down to 5.5 and back up again.
#7
February 2nd, 2007, 03:25 AM
Rivalen (Frequent Poster; Join Date: Oct 2005; Posts: 229)
Re: CH alerts on new System Mechanic V7

I have had two false positives from CH2 lately for totally legit programs - CH saying they are keyloggers.

CH support says they will release a new version within a week or a few weeks to correct this.

Maybe the hunt to detect all keyloggers has gone a bit overboard. Just speculation.

Best Regards
__________________
XP Pro SP3 - Thomson router - Windows FW, IE 8
DefenseWall HIPS - Antivir Free
Roboform
#8
February 2nd, 2007, 01:11 PM
RejZoR (Polymorphic Sheep; Join Date: May 2004; Location: Europe/Slovenia/Ljubljana; Posts: 3,898)
Re: CH alerts on new System Mechanic V7

Quote:
Originally Posted by nick s
Hi,

Looks like ioloDMVSvc.exe is loading mchlnjDrv.sys (Madshi) which, in turn, permits the injection of ioloHL.dll. I've seen Madshi user-mode hooking utilized by various security and system maintenance apps...and some malware as well. In my experience, it does seem to weigh heavily on system performance (CPU usage) depending on what other apps you run.

When I set the DMVS service to start manually and removed the \Run autostart entry, System Mechanic did not complain (although I did not test all of its features). For me, it uninstalled cleanly.

Nick

This is a driver for Themida-protected (packed) EXE files if I remember correctly... Obviously they protected their executable with Themida...
__________________
Member of Malware Research group
My webpage and blog: http://www.rejzor.tk
Last edited by RejZoR : Today, at 8:21 AM. Reason: BehavesLike:Win32.SheepOwnzYa !
 

Copyright ©2002 - 2010, Wilders Security Forums