Wilders Security Forums  

Go Back   Wilders Security Forums > Official Prevx Support Forum > Prevx Releases
  #1  
Old October 3rd, 2009, 06:12 AM
overangry
Frequent Poster
Join Date: Apr 2009
Posts: 309
Prevx destroyed my snapshots ****UPDATE****

Hi Joe,

I was into a three-day trial of RollBack Rx when Prevx detected C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL and the associated files. I selected Clean; after the scan I was told to reboot as I had an MBR rootkit. Unfortunately the rootkit turned out to be a critical component of RollBack Rx.
All of my snapshots were removed; luckily I was rebooted to the initial Baseline image.

I can no longer access RB Rx or uninstall it.
I was surprised that this could happen, first of all that RB Rx didn't prevent this from happening and that Prevx had caused this to happen.

Is it now dangerous to perform an AV scan whilst using RB Rx? Have any other users experienced similar issues?

Admittedly I should/could have paid more attention to the warning; that said, my mother would have pressed BLOCK, as would most other average users have done.

Unfortunately I can't provide more details, as most of them are with my snapshots.

I have mailed RB Rx support for assistance in the above.

Just thought I would share my experience.

Last edited by overangry : October 4th, 2009 at 10:37 AM. Reason: Title
  #2  
Old October 3rd, 2009, 09:37 AM
LoneWolf
Massive Poster
Join Date: Jan 2006
Posts: 3,141
Re: Prevx destroyed my snapshots

Happened to me back in April, never will I simply trust a blacklisting software again without thoroughly checking for a FP.
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness
  #3  
Old October 3rd, 2009, 09:49 AM
BlueZannetti
Administrator
Join Date: Oct 2003
Posts: 6,589
Re: Prevx destroyed my snapshots

Quote:
Originally Posted by LoneWolf
Happened to me back in April, never will I simply trust a blacklisting software again without thoroughly checking for a FP.
I think one of the realities that a RollBackRx (or related product) user must face is that there are some operational stability issues that come with the technical approach that this product class (i.e. Rollback Rx/EAZ-Fix/AyRecovery/Comodo Time Machine) employs. I really don't see this as inherently tied to blacklisting vs. other malware control measures, it's due to overlaying a phantom file system on top of the "real" one and having to deal with the fact that any operation performed outside the scope of that "phantom" environment leads to potential large scale corruption.

Blue
  #4  
Old October 3rd, 2009, 10:18 AM
Longboard
Massive Poster
Join Date: Oct 2004
Location: Sydney, Australia
Posts: 3,100
Re: Prevx destroyed my snapshots

This seems to be a problem that is small in number but big in effect.
cf:
http://www.wilderssecurity.com/showthread.php?t=254644
http://www.wilderssecurity.com/showthread.php?t=245772
http://www.wilderssecurity.com/showthread.php?t=239719
and
http://www.wilderssecurity.com/showp...9&postcount=21
Not restricted to RB technology, but something to do with any changes in the MBR?

(never happens with FDISR)
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres
  #5  
Old October 3rd, 2009, 11:23 AM
TonyW
Very Frequent Poster
Join Date: Oct 2005
Location: UK
Posts: 2,309
Re: Prevx destroyed my snapshots

PrevxHelp has already said in a previous thread that RollBack Rx employs rootkit-like technologies. It doesn't mean the program is malicious per se; it's just unfortunate that the way it works produces the results it does when scanned.

The reason it doesn't happen with FD-ISR is most likely because it uses different techniques from RollBack Rx.
  #6  
Old October 3rd, 2009, 12:06 PM
overangry
Frequent Poster
Join Date: Apr 2009
Posts: 309
Re: Prevx destroyed my snapshots

Quote:
Originally Posted by PrevxHelp
I still disagree that this is a FP. Rollback Rx <is> using a rootkit on the MBR to hide the sectors. We are able to scan extremely low in the system to get at the real data, which other antirootkit programs cannot do currently.

If the other antirootkit programs were able to scan as low as we are, they would have the same FP. And the fact that we are able to clean the system out from under Rollback Rx shows that they have a major flaw in that they don't block all writes to the disk, which means that malware could do the same.

I wish I had seen this earlier and the numerous posts pointed out by Longboard. I really like RB Rx, but the above quote also makes a lot of sense.

I was going to purchase RB Rx, but may now wait until I receive a response from RollBack Rx support.

One more question: I noticed that all the snapshots (provided by Longboard) seem to show the same MBR rootkit (Prevx's definition). Isn't there a way to eliminate this particular FP?
  #7  
Old October 3rd, 2009, 12:39 PM
starfish_001
Very Frequent Poster
Join Date: Jan 2005
Posts: 1,015
Re: Prevx destroyed my snapshots

Quote:
Originally Posted by BlueZannetti
I think one of the realities that a RollBackRx (or related product) user must face is that there are some operational stability issues that come with the technical approach that this product class (i.e. Rollback Rx/EAZ-Fix/AyRecovery/Comodo Time Machine) employs. I really don't see this as inherently tied to blacklisting vs. other malware control measures, it's due to overlaying a phantom file system on top of the "real" one and having to deal with the fact that any operation performed outside the scope of that "phantom" environment leads to potential large scale corruption.

Blue

The quote above hits the nail on the head, and is why I don't use my RB RX licence. Glad I bought FD-ISR, which is much more robust.
  #8  
Old October 3rd, 2009, 02:55 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,600
Re: Prevx destroyed my snapshots

Quote:
Originally Posted by overangry
I wish I had seen this earlier and the numerous posts pointed out by Longboard. I really like RB Rx, but the above quote also makes allot of sense.

I was going to purchase RB Rx, but may now wait until I receive a response from RollBack Rx support.

One more question: I noticed that all the snapshots (provided by Longboard) seem to show the same MBR rootkit (Prevx's definition). Isn't there a way to eliminate this particular FP?

There is, and we should have corrected it a few months ago (and we haven't had any reports recently besides this one). Rollback Rx does modify the system in ways 100% identical to MBR rootkits: GMER, RootRepeal, and a number of other rootkit scanners all find the same "FP".

Regarding the reported detection, C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL: that is not a FP, but a component of My Web Search, an adware/spyware program frequently bundled with other software. I do not believe that My Web Search employs any MBR-rootkit-like technology, but it would be useful to see what the Prevx Cleanup log says if you click "Total Infections Cleaned" on the front screen of Prevx so that we can try to narrow down what happened.

Thank you, and sorry for the inconvenience.
  #9  
Old October 3rd, 2009, 09:52 PM
overangry
Frequent Poster
Join Date: Apr 2009
Posts: 309
Re: Prevx destroyed my snapshots

Quote:
Originally Posted by PrevxHelp
it would be useful to see what the Prevx Cleanup log says

I agree; can you help me find the snapshot where that information is stored?
  #10  
Old October 3rd, 2009, 10:19 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,600
Re: Prevx destroyed my snapshots

Quote:
Originally Posted by overangry
I agree, can you help me find the snapshot where that information is stored

I'm not sure. The MBR rootkit cleanup involves rewriting only 512 bytes of disk data, so we definitely do not erase the snapshots. I'm really not familiar enough with how Rollback Rx works to try and give an answer on how to restore the MBR, but perhaps someone else would be more qualified.
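PrevxHelp's remark that the cleanup rewrites only 512 bytes points at the check a practitioner would want around any product that hooks sector 0: save the MBR once the product is installed, diff it against the live sector later, and put the boot code back if only that region changed. The following is an added example and not code from Prevx or from Rollback Rx. The device paths are the standard raw-disk paths (administrator or root rights are needed), and the two sample MBRs are constructed in memory with filler boot code rather than a real hook.

```python
"""Save, verify and restore the 512-byte MBR around a boot-sector-hooking install.

Added example, not code from Prevx or Rollback Rx. Sample MBRs are constructed
in memory; the "boot code" in them is filler, not a real loader or hook.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code, the region a rootkit, a rollback loader or a cleanup rewrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
SIG_OFF = 510            # 0x55AA boot signature in the last two bytes
BOOT_SIG = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Structural view of an MBR: boot-code digest plus the populated partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[SIG_OFF:SIG_OFF + 2] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Name the MBR regions that differ between a saved copy and the live sector 0."""
    changed = []
    if baseline[:BOOT_CODE_LEN] != current[:BOOT_CODE_LEN]:
        changed.append("boot_code")
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        if baseline[off:off + PART_ENTRY_LEN] != current[off:off + PART_ENTRY_LEN]:
            changed.append(f"partition_entry_{i}")
    if baseline[SIG_OFF:] != current[SIG_OFF:]:
        changed.append("signature")
    return changed


def restore_boot_code(baseline: bytes, current: bytes) -> bytes:
    """Put the saved boot code back but keep the live partition table, so a cleanup
    that rewrote only the boot-code bytes is undone without touching partition geometry."""
    parse_mbr(baseline)   # refuse to restore from a malformed copy
    return baseline[:BOOT_CODE_LEN] + current[BOOT_CODE_LEN:]


def read_sector0(device: str) -> bytes:
    # Windows: \\.\PhysicalDrive0   Linux: /dev/sda   (admin/root needed)
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def write_sector0(device: str, mbr: bytes) -> None:
    parse_mbr(mbr)        # never write a malformed sector 0
    with open(device, "r+b") as fh:
        fh.write(mbr)


def build_sample_mbr(boot_fill: int) -> bytes:
    """Constructed MBR: filler boot code, one bootable NTFS (type 0x07) partition at LBA 2048."""
    boot = bytes([boot_fill]) * BOOT_CODE_LEN
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return boot + entry + b"\x00" * (3 * PART_ENTRY_LEN) + BOOT_SIG


def demo() -> dict:
    hooked = build_sample_mbr(0xEB)       # MBR as saved right after the rollback product installed
    cleaned = build_sample_mbr(0x90)      # same disk after a 512-byte "MBR rootkit" cleanup
    changed = diff_mbr(hooked, cleaned)   # only the boot code moved; partition table intact
    repaired = restore_boot_code(hooked, cleaned)
    return {"changed": changed,
            "partition_lba": parse_mbr(cleaned)["partitions"][0]["lba_start"],
            "repaired_matches_saved": repaired == hooked}


if __name__ == "__main__":
    print(demo())
```

Run read_sector0() once after the rollback product is installed and keep the bytes somewhere off the volume. If a later scan rewrites sector 0, diff_mbr() tells you whether only the boot code changed (restore_boot_code() then reverts it with the live partition table intact) or whether the partition table moved, which is a different and larger problem. As PrevxHelp says, a 512-byte rewrite does not by itself touch snapshot data, so a lost boot-time loader rather than lost snapshots is the first thing to rule out.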
  #11  
Old October 3rd, 2009, 10:36 PM
overangry
Frequent Poster
Join Date: Apr 2009
Posts: 309
Re: Prevx destroyed my snapshots

Quote:
Originally Posted by PrevxHelp
I'm not sure. The MBR rootkit cleanup involves rewriting only 512 bytes of disk data, so we definitely do not erase the snapshots. I'm really not familiar enough with how Rollback Rx works to try and give an answer on how to restore the MBR, but perhaps someone else would be more qualified.
That would be good if they're still on my system; I am still waiting for a response from RB Rx support to help me retrieve the snapshots.
I also require help re-installing Rx. Looks like I will have to wait until I receive a reply from Rx support.
As soon as I have the info you asked for, I will make it available to the Prevx team.
  #12  
Old October 4th, 2009, 07:55 AM
Peter2150
Global Moderator
Join Date: Sep 2003
Posts: 11,847
Re: Prevx destroyed my snapshots

Hi OverAngry

Sorry to hear about your problems. I am gathering, that you can not reinstall Rollback as well as uninstall it.

Two realities you might need to prepare for. One, it is highly likely your snapshots are gone for good. Windows doesn't see them as they aren't Windows files. They are merely used sectors on the disk that were strictly known to Rollback. Also, if you are currently using the machine, there is a good chance Windows may overwrite those sectors since it sees them as empty.

Finally, if you can't reinstall Rollback, you might need to restore an image if you have one. If not, you might be facing a format and reinstall of Windows as the worst case.

Pete
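BlueZannetti's point in #3 about operations performed outside the "phantom" environment, and Peter2150's point above that snapshots are sectors Windows sees as empty, are easier to see in a small model. The following is an added example, constructed for this thread and not Rollback Rx's design or any product's code: a copy-on-write sector filter that redirects host writes into spare sectors and keeps a digest per snapshot, beside a second write path that bypasses the filter the way a boot-time cleanup, a raw-disk tool or malware would. All sector numbers, names and contents are made up.

```python
"""Sector-level model of a snapshot/rollback layer and of a write that bypasses it.

Added example for illustration only. It is not Rollback Rx's design and makes
no claim about any real product's on-disk format; disk, filter and the raw
write are all constructed in memory.
"""
import hashlib

SECTOR_SIZE = 16  # tiny sectors keep the demo readable


class Disk:
    """Raw block device: every write lands exactly where it is aimed."""

    def __init__(self, n_sectors: int):
        self.sectors = [b"\x00" * SECTOR_SIZE for _ in range(n_sectors)]

    def read(self, phys: int) -> bytes:
        return self.sectors[phys]

    def write(self, phys: int, data: bytes) -> None:
        assert len(data) == SECTOR_SIZE
        self.sectors[phys] = data


class RollbackFilter:
    """Copy-on-write layer between the host and the raw disk (model, not a product).

    The host sees `visible` logical sectors. A write through the filter is redirected
    to a spare physical sector instead of overwriting the old data in place, so an
    earlier snapshot can be reinstated. The spare sectors are exactly the sectors the
    host file system still believes are free."""

    def __init__(self, disk: Disk, visible: int):
        self.disk = disk
        self.visible = visible
        self.map = {}                                   # logical lba -> physical sector
        self.spare = list(range(visible, len(disk.sectors)))
        self.snapshots = {}                             # name -> (map copy, {phys: sha256})

    def _phys(self, lba: int) -> int:
        return self.map.get(lba, lba)

    def read(self, lba: int) -> bytes:
        return self.disk.read(self._phys(lba))

    def write(self, lba: int, data: bytes) -> None:
        """Filtered write: never overwrite in place, redirect to a spare sector."""
        if not self.spare:
            raise RuntimeError("no spare sectors left for copy-on-write")
        phys = self.spare.pop(0)
        self.disk.write(phys, data)
        self.map[lba] = phys

    def snapshot(self, name: str) -> None:
        """Snapshot = the current map plus a digest of every physical sector it points at."""
        phys_in_use = {self._phys(lba) for lba in range(self.visible)}
        digests = {p: hashlib.sha256(self.disk.read(p)).hexdigest() for p in phys_in_use}
        self.snapshots[name] = (dict(self.map), digests)

    def rollback(self, name: str) -> list:
        """Reinstate a snapshot's map and return the logical sectors whose saved data
        was changed behind the filter's back since the snapshot was taken."""
        saved_map, digests = self.snapshots[name]
        self.map = dict(saved_map)
        corrupted = []
        for lba in range(self.visible):
            phys = self._phys(lba)
            if hashlib.sha256(self.disk.read(phys)).hexdigest() != digests[phys]:
                corrupted.append(lba)
        return corrupted


def demo() -> dict:
    disk = Disk(8)
    fs = RollbackFilter(disk, visible=4)
    for lba in range(4):                                   # constructed baseline content
        disk.write(lba, f"base-sector-{lba:02d}".encode().ljust(SECTOR_SIZE, b"."))
    fs.snapshot("baseline")

    fs.write(1, b"updated-sector-1")                       # redirected to physical sector 4
    fs.snapshot("after_update")
    clean_rollback = fs.rollback("after_update")           # []: nothing corrupted yet

    # A write that bypasses the filter (cleanup tool, raw-disk utility, malware) aimed at
    # a sector the host thinks is free. It lands on physical sector 4, the snapshot data.
    disk.write(4, b"\xff" * SECTOR_SIZE)
    bad_rollback = fs.rollback("after_update")             # [1]: snapshot of lba 1 clobbered
    baseline_rollback = fs.rollback("baseline")            # []: untouched sectors survive

    return {"redirected_to": fs.snapshots["after_update"][0][1],
            "clean_rollback": clean_rollback,
            "bad_rollback": bad_rollback,
            "baseline_rollback": baseline_rollback}


if __name__ == "__main__":
    print(demo())
```

rollback() returns the logical sectors whose saved data no longer matches, which is the kind of integrity check that lets a snapshot layer fail loudly instead of serving corrupted data; whether the real products discussed in this thread do anything of the sort is not something the model says. The failure mode itself is the one PrevxHelp describes: any path that writes to the raw disk without going through the filter can land on sectors that only the filter knows are in use.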
  #13  
Old October 4th, 2009, 09:33 AM
overangry
Frequent Poster
Join Date: Apr 2009
Posts: 309
Re: Prevx destroyed my snapshots

Quote:
Originally Posted by Peter2150
Hi OverAngry

Sorry to hear about your problems. I am gathering, that you can not reinstall Rollback as well as uninstall it.

Two realities you might need to prepare for. One, it is highly likely your snapshots are gone for good. Windows doesn't see them as they aren't Windows files. They are merely used sectors on the disk that were strictly known to Rollback. Also, if you are currently using the machine, there is a good chance Windows may overwrite those sectors since it sees them as empty.

Finally, if you can't reinstall Rollback, you might need to restore an image if you have one. If not, you might be facing a format and reinstall of Windows as the worst case.

Pete
Thanks Peter, I initially had the same thoughts. I'll surely hear from Rollback Rx support in the next couple of days, I hope with a positive outcome.
  #14  
Old October 4th, 2009, 10:35 AM
overangry
Frequent Poster
Join Date: Apr 2009
Posts: 309
Re: Prevx destroyed my snapshots

An update...
I was able to uninstall RB Rx with Revo Uninstaller.
I did not let it remove the registry leftovers or files. Then I reinstalled RB Rx; only this time Prevx alerted me to the "Rootkit" during RB's installation.

Only this time, being fully aware of this, I chose Trust Always (I hope this is the right thing to do). All is working well so far.
Then I saved a log file; after looking it over I realized that there was no mention of the "Rootkit", nor was there a mention of me overriding Prevx's FP. Is this normal?
I hope this issue is fixed ASAP; it was reported as fixed a number of times.
OTHERS WILL BE CAUGHT
  #15  
Old October 4th, 2009, 01:35 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,600
Re: Prevx destroyed my snapshots

Quote:
Originally Posted by overangry
Then I saved a log file; after looking it over I realized that there was no mention of the "Rootkit", nor was there a mention of me overriding Prevx's FP. Is this normal?

Thank you for this crucial piece of information! We have found a logic issue which could trigger this issue unintentionally, but we will have this fixed in the next software update.

The warning on installation of the MBR change won't cause problems, as that is just a notification, but it would be worth clicking Trust Always in that case as well.
  #16  
Old October 4th, 2009, 11:53 PM
overangry
Frequent Poster
Join Date: Apr 2009
Posts: 309
Re: Prevx destroyed my snapshots

Thanks for your help and replies.
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums