CH alerts on new System Mechanic V7

Discussion in 'other anti-malware software' started by Storm, Jan 9, 2007.

Thread Status:
Not open for further replies.
  1. Storm

    Storm Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    46
    Hi there!

    Shortly after the installation of the new System Mechanic V7, Cyberhawk
    jumped in my face, alerting me that the System Mechanic service (IOLODMVSVC.EXE) was hiding itself from Task Manager.

    CH log says: "Process hidden", "Thread injected into another program" and "Data injected into another program".

    I've confirmed CH's suspicion with Rootkit Unhooker. Indeed, the service is "hidden from Windows API".

    What could be the reason to use such techniques in a simple system utilities suite?


    Andreas

    edit: added some more information
     
    Last edited: Jan 9, 2007
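Editor's added example, not code from the thread, from Cyberhawk or from iolo: the check a practitioner would run to reproduce what the poster saw with Rootkit Unhooker. It takes three independent views of the process list (Get-Process, the WMI provider, and a brute-force OpenProcess over every candidate PID) and reports any PID that at least one view sees and another misses. A user-mode hook that filters the enumeration API usually does not fail OpenProcess, so the hidden service tends to show up in the third column only. Assumptions: Windows with PowerShell 3 or later, run elevated; the process name IOLODMVSVC comes from the thread and is only used as an illustration in the usage note. Caveat: this script itself runs in user mode, so a system-wide hook can in principle tamper with all three views; a persistent discrepancy is evidence of hiding, but agreement proves nothing, and a kernel-level cross-view tool like the one the poster used remains the stronger check.

```powershell
# Added example, not from the thread. Cross-view process enumeration:
# compare what Get-Process, WMI and OpenProcess each report and print the
# disagreements. Transient processes cause one-off diffs; rerun and look
# for a PID that is consistently missing from one view.

function Get-ProcessViewDiff {
    [CmdletBinding()]
    param(
        # Highest PID probed with OpenProcess; Windows PIDs are multiples of 4.
        [int]$MaxPid = 65536
    )

    # View 1: Get-Process, the usual enumeration API (the path Task Manager relies on).
    $viewA = @{}
    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) { $viewA[[int]$p.Id] = $p.ProcessName }

    # View 2: the WMI provider, which enumerates from inside its own host process.
    $viewB = @{}
    foreach ($p in (Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue)) {
        $viewB[[int]$p.ProcessId] = $p.Name
    }

    # View 3: brute-force OpenProcess on every candidate PID.
    if (-not ('Win32.Native' -as [type])) {
        Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
    }
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5
    $viewC = @{}
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        $h   = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Native]::CloseHandle($h)
            $viewC[$candidate] = $true
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            # Access denied still proves the PID exists (protected or higher-integrity process).
            $viewC[$candidate] = $true
        }
    }

    # Report every PID that is not present in all three views. PID 0 (Idle) is
    # skipped because OpenProcess can never open it and it would always show up.
    $allPids = @($viewA.Keys) + @($viewB.Keys) + @($viewC.Keys) | Sort-Object -Unique
    foreach ($id in $allPids) {
        if ($id -eq 0) { continue }
        $inA = $viewA.ContainsKey($id)
        $inB = $viewB.ContainsKey($id)
        $inC = $viewC.ContainsKey($id)
        if ($inA -and $inB -and $inC) { continue }
        $name = '(unknown)'
        if ($inA) { $name = $viewA[$id] } elseif ($inB) { $name = $viewB[$id] }
        [pscustomobject]@{
            Pid         = $id
            Name        = $name
            GetProcess  = $inA
            Wmi         = $inB
            OpenProcess = $inC
        }
    }
}

# Usage (run elevated):
#   Get-ProcessViewDiff | Format-Table -AutoSize
# A row such as "GetProcess=False Wmi=False OpenProcess=True" for a PID that
# survives several runs is the pattern to chase; confirm it with a kernel-view
# tool and with Get-Service, since a hidden service still has a service record.
```

The view that still sees the process depends on what the hook patches, so the point is the disagreement, not which column wins. A PID that is only reachable by OpenProcess can be fed to Get-Process -Id or to tasklist /FI "PID eq N" to see whether the hiding is selective per API.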
  2. PassMark

    PassMark Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    8
    System Mechanic V7 Endless loop - 100% CPU

    We have also seen problems with System Mechanic 7. It is stopping programs from starting. From what we can see, the cause of the problem seems to be that System Mechanic 7 contains a Windows service called iolo DMV Service (IOLODMVSVC.EXE). This service starts itself when Windows boots up.

    Once started this iolo DMV Service seems to be inserting code into other processes causing them to endlessly loop, using up 100% of the CPU.

    We have detailed these problems with System Mechanic 7 and the iolo DMV Service in our forum.

    Even after you uninstall System Mechanic 7, iolo leaves this DMV Service running on your system. If anyone has details of what this service should be doing, that would be helpful. I assume it has some real function and doesn't exist just to make my life miserable.
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi,

    Looks like ioloDMVSvc.exe is loading mchlnjDrv.sys (Madshi) which, in turn, permits the injection of ioloHL.dll. I've seen Madshi user-mode hooking utilized by various security and system maintenance apps... and some malware as well. In my experience, it does seem to weigh heavily on system performance (CPU usage), depending on what other apps you run.

    When I set the DMVS service to start manually and removed the \Run autostart entry, System Mechanic did not complain (although I did not test all of its features). For me, it uninstalled cleanly.

    Nick
     

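Editor's added example, not code from the thread, from iolo or from any poster: a triage script for the two things the previous posts describe, the lingering service that PassMark found still running after uninstall and the driver/DLL/autostart chain that nick s traced. It locates the service and the kernel driver by binary path (the thread names the files ioloDMVSvc.exe, mchlnjDrv.sys and ioloHL.dll but not the service names, so those are not assumed), lists Run entries that match a vendor pattern (an assumption), and enumerates which running processes currently have the hook DLL mapped. A second function applies nick s's remedy, stop the service, set it to Manual, remove the Run entry, with -WhatIf support. Assumes Windows with PowerShell 3 or later, run elevated. Caveat: the module-list check only sees the current injection state, and a hook that hides a process may equally hide its own DLL from user-mode enumeration, so an empty result is not proof of absence.

```powershell
# Added example, not from the thread. File names are the ones the thread
# reports; $RunPattern and the bitness note are assumptions.

function Get-InjectorFootprint {
    param(
        [string]$ServiceExe = 'ioloDMVSvc.exe',
        [string]$DriverFile = 'mchlnjDrv.sys',
        [string]$HookDll    = 'ioloHL.dll',
        [string]$RunPattern = '*iolo*'   # assumption: the autostart command names the vendor
    )

    # 1. The user-mode service and the kernel driver it loads, matched on the
    #    binary path because the thread does not give the service names.
    $services = @(Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$ServiceExe*" } |
        Select-Object Name, DisplayName, State, StartMode, PathName)
    $drivers = @(Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$DriverFile*" } |
        Select-Object Name, State, StartMode, PathName)

    # 2. Autostart entries under the usual Run keys (64-bit host: both views).
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $autoruns = @(foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($prop.Name -like 'PS*') { continue }
            if ("$($prop.Value)" -like $RunPattern) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
            }
        }
    })

    # 3. Processes that currently have the hook DLL mapped. Only processes of the
    #    same bitness as this PowerShell host expose their module list, so run
    #    the script once from a 32-bit and once from a 64-bit shell on x64.
    $injected = @(foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # access denied / bitness mismatch
        if ($mods | Where-Object { $_.ModuleName -ieq $HookDll }) {
            [pscustomobject]@{ Pid = $proc.Id; Name = $proc.ProcessName }
        }
    })

    [pscustomobject]@{
        Services          = $services
        Drivers           = $drivers
        Autoruns          = $autoruns
        InjectedProcesses = $injected
    }
}

# Apply the remedy from the thread: stop the service, set it to Manual and drop
# the Run entry. The kernel driver is deliberately left alone; listing it is
# enough to tell whether an uninstall actually removed it.
function Disable-InjectorFootprint {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)]$Footprint)

    foreach ($svc in $Footprint.Services) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop service and set StartupType to Manual')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc.Name -StartupType Manual
        }
    }
    foreach ($entry in $Footprint.Autoruns) {
        if ($PSCmdlet.ShouldProcess("$($entry.Key)\$($entry.Name)", 'Remove Run entry')) {
            Remove-ItemProperty -Path $entry.Key -Name $entry.Name
        }
    }
}

# Usage (run elevated):
#   $fp = Get-InjectorFootprint
#   $fp.Services; $fp.Drivers; $fp.Autoruns; $fp.InjectedProcesses
#   Disable-InjectorFootprint -Footprint $fp -WhatIf   # dry run, then without -WhatIf
```

Run Get-InjectorFootprint again after a reboot and again after uninstalling the suite: a driver or service record that survives the uninstall is exactly the "still running after uninstall" condition PassMark reports, and it is the thing to raise with the vendor.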
  4. Storm

    Storm Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    46
    Hi!

    As I've written in my first post, this service not only does DLL injection, but it actively hides itself from Windows APIs (i.e. it is invisible in Task Manager).

    If they are really using madshi now, I have to consider demanding a refund...
    I have only had bad experiences with programs using madshi.

    I am not sure if this might be a false positive, but Spycop identified the service as a keylogger (Perfect Keylogger or something similar).

    About a week ago I wrote a message to iolo support asking about the rootkit behaviour of their system service... no answer so far...

    Greets
    Andreas
     
  5. PassMark

    PassMark Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    8
    We also tried to contact Iolo support. But only got their automated canned reply so far. :-(

    Even if System Mechanic 7 worked without errors (and it doesn't), you might still want your money back, as their support is pretty poor.
     
  6. IanUSA

    IanUSA Registered Member

    Joined:
    Feb 1, 2007
    Posts:
    1
    It prevents my Norton AV 2006 from using LiveUpdate. The error number on the Symantec website states that LiveUpdate is corrupted. There is a tool to repair it; however, it happened again. This time the error message stated that all Norton products had to be removed and then re-installed. I only considered Sys Mech 7 after I uninstalled and re-installed NAV 2006. I noticed a big difference after I shut down/disabled the ioloDMVSvc.exe service and the application start-up process.

    In addition, I also noticed the high CPU usage initially after bootup that runs for a couple of minutes before it settles down. My wireless connection has also been affected. I have a 54-Mbps wireless-G NIC. My connection speed goes all over the place: 54 to 36 to 24 down to 5.5 and back up again.
     
  7. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    I have had two false positives from CH2 lately for totally legit programs, CH saying they are keyloggers.

    CH support says they will release a new version within week/weeks to correct this.

    Maybe the hunt to detect all keyloggers has gone a bit overboard. Just speculation.

    Best Regards
     
  8. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    This is a driver for Themida-protected (packed) EXE files, if I remember correctly... Obviously they protected their executable with Themida...
     