Pretty serious problem - Prevx rendered my system unusable

Discussion in 'Prevx Releases' started by incognitus, Nov 19, 2010.

Thread Status:
Not open for further replies.
  1. incognitus

    incognitus Registered Member

    Joined:
    Nov 19, 2010
    Posts:
    3
    I have just spent more than one hour to get my system usable again after Prevx (paid version) started to crash out of the blue continuously and would not stop. Windows 7 x64 here.

    It all started a few weeks ago with frequent entries (multiple times a day) in the Windows event log indicating that the CSI module stopped unexpectedly.

    Sometimes, the entry was accompanied by a second message:

    Reading this forum set my mind at ease somewhat, as I learned that this behavior was "normal". Well, ok.

    The next weird issue was when I tried today to scan an entire external hard drive, a message box popped up (no screenshot unfortunately) that just gave me the insightful error message...

    ...plus an "OK" button. Beautiful.

    A few hours later, trying to use the scanner produced the following crash message:

    http://yfrog.com/2sprevxj

    Plus, I started seeing this in my event viewer:

    At that point, I tried to repair/reinstall Prevx, but after clicking on the uninstaller, the same message would pop up, and now would keep popping up every few seconds. Every. Few. Seconds.

    I rebooted, but immediately when the service started, this message started to pop up every few seconds. I had some work to do tonight, brilliant.

    I fired up sysinternals autoruns and unchecked all the boxes for prevx drivers and services that I could find, and rebooted.

    At that point, my keyboard was dead. I could not even log into Windows.

    Rebooted again, this time into safe mode. Same problem.

    Rebooted again, and booted with the "last known good configuration" option. This worked, I could get into Windows again, but the Prevx error message would pop up again every few seconds. Needless to say, my desperate attempts to delete prevx.exe or other related files did not work as they were locked.

    At that point I booted into a separate Windows install from an eSata HD and deleted every file related to Prevx I could find on my main install, as well as doing a manual search/delete in my main install's registry remotely from my good Windows install. It took some time...

    That brought back the computer. I then reinstalled Prevx and immediately uninstalled it again, and executed the removal tool, to remove all traces I might have missed. Even after that I found leftover entries in my registry for various Prevx services that were not removed automatically. Looking at my Windows event logs showed that in the 60 minutes I struggled with the recovery of my PC there were 1669 (!) new event messages, including many errors, in the logs. Many of them were related to prevx, but others were seemingly random messages about other services and windows components failing. Horrible...


    Gentlemen, I am seriously unimpressed. I believe the concept of Prevx is superior to signature based products, I bought the full version, and I really really want to like the product.

    But - this was by far the worst experience I ever had in my 20+ years of PC usage in regards to anti-malware (or malware, for that matter). Never ever has (anti-)malware managed to compromise my system so deeply that I had to jump through hoops to get it working again.

    I hope this does not come across as a mere rant - I sincerely hope Prevx continues to refine the product, and will watch its evolution - but after this experience I will likely file this under "experimental software", take a seat on the fence and buy something more prime time ready.

    PS: No, I did not catch a malware infection which would then cause this. I have scanned the repaired install from 1) Linux Bootdisk with Avira Antivir 2) From a separate, offline Windows box with GDATA Antivirus, MBAM and HitmanPro. Zero results.
     

    Last edited: Nov 19, 2010
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I'm very sorry to hear of the issues you had here. I have not heard of any user having issues at this level but as a word of caution - removing Prevx components manually could indeed break functionality within the operating system. We strongly recommend going through the normal uninstall routines.

    The correct path to go down was indeed using the removal tool and then running the normal uninstall process if you found yourself in this "broken" state. The error message you received would sound like an error from our database but it's hard to say specifically what it was. If you would like myself or one of our engineers to walk through your installation to ensure everything works properly, we can certainly do so to ensure you don't run into issues like this in the future.

    Sorry again and please let me know if you have any questions.
     
  3. incognitus

    incognitus Registered Member

    Joined:
    Nov 19, 2010
    Posts:
    3
    Hi PrevxHelp,

    first of all, thanks for your prompt response!

    It happened exactly as I described. The uninstall routine would do nothing, in fact, it crashed repeatedly. The Prevx Removal Tool did not crash but would not do anything to help the problem. I went through many reboots to find that out. I tried everything by the book before being forced to manually delete stuff.
    During all of this, my system was pretty unusable due to prevx.exe spamming error messages and taking focus every few seconds.

    What would you strongly recommend in this case? :)

    Thanks for the offer. I am not too worried about fixing my system, I can do that myself and in the worst case scenario just restore an image.

    What I don't feel particularly warm and fuzzy about is that the fail case for something as deeply hooked into my system as an anti-malware product is to trash my system on such an all-encompassing level.

    First of all, it should not be accepted as "normal operation" that CSI constantly creates high category error events. Not sure if this had anything to do with this particular failure, but nevertheless this is not very elegant.

    Secondly, as with any other software that hooks into system functions, it would be very advisable if the failure case would be to shut itself off rather than killing the system. I.e. I don't like the thought of not being able to use my keyboard anymore at all and being completely locked out of my system because a Prevx file is missing - after all, this could happen just based upon simple file corruption, which is not a completely uncommon problem. This seems to me to be rather bad design.

    I am happy to help pinpointing the problem, just let me know which (log) files you need. I would rather not enable remote access to my system, though.

    Again, I don't want this to be seen as a rant; if you want we can take the discussion offline?
     
    Last edited: Nov 19, 2010
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You are indeed correct. At the moment, the uninstall tool is largely unable to uninstall the product if it does come into a scenario like this because the product is still applying self protection over its file and we don't even allow our own uninstall tool through self protection. Certainly the best way around this will be to prevent the installation from becoming corrupted in the first place, but there are a lot of variables which could potentially prevent that from being possible. We're looking into providing a different uninstall tool which will allow you to remove Prevx components, however, you would have more success if you boot into Safemode and then run the uninstall tool as Prevx's components won't be loaded at that point.

    I am a bit perplexed by this in general - Prevx itself doesn't actually write any error events in any case so any event you see is being generated automatically by the OS. We have little to no control over it at that point and I'd be curious as to if this was something triggered by an outside process to start with. Could you let me know if you've made any software changes recently, specifically if you've installed any HIPS software?

    Without trying to sound too much like the devil's advocate here, this actually isn't our problem, rather, a fundamental issue in the OS itself. I've raised this complaint many times, but essentially the issue is that if any driver in the driver stack can't be loaded or loads with an error, that driver stack will not load. At the moment, to protect the keyboard, Prevx installs a keyboard filter driver (pxkbf.sys) and if this file is manually removed without removing the entry in the registry, the OS will indeed prevent any keyboard from working. I can understand some of the logic behind why, at a technical level, this would be required, but I would personally appreciate a bit of a less draconian response from the operating system in this case, and in my opinion, this "feature" is one of the largest shortcomings of Windows.

    However, with Prevx 4, we've found a way around this completely so we'll no longer have to install a keyboard filter. To prove that it isn't just me trying to defend Prevx, Google around for a few other products with similar features - unfortunately this is a very pervasive issue.

    I think there is value in leaving the discussion online as you did have a legitimate issue and we certainly aren't going to try to hide issues like this. Substantial issues are extremely rare with Prevx but we try to treat every one of them very seriously.

    I hope that helps clarify the issues a bit - let me know if you have any questions, and sorry again for the inconvenience.
     
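The failure mode PrevxHelp describes in the post above (a filter driver still registered on the keyboard device class after its .sys file is gone, so the whole class stack refuses to load) can be checked for before a reboot. The script below is an added example written for this thread; it is not Prevx's code and is not taken from the thread. It reads the standard Windows registry locations for this: the keyboard and mouse device-setup class GUIDs under HKLM\SYSTEM\CurrentControlSet\Control\Class, their UpperFilters/LowerFilters values, and each listed service's ImagePath under the Services key. None of those locations are named in the thread; the assumption is that the filter is registered class-wide, which is the usual way a keyboard filter driver is installed. The `-ClassRoot`, `-ServicesRoot` and `-SystemRoot` parameters are hypothetical conveniences so the same check can be run against an offline SYSTEM hive loaded with `reg.exe load`, which is the situation the original poster was in when booting from a second Windows install.

```powershell
# Added example (not from the thread or from Prevx): enumerate the filter
# drivers registered on the keyboard and mouse device classes and flag any
# whose service key or driver file is missing. A dangling entry is exactly
# the case described in post #4: the class stack fails to load at boot and
# the input device stops working. Run from an elevated PowerShell prompt.

# Device-setup class GUIDs for keyboards and mice (documented Windows values,
# not mentioned in the thread).
$InputClasses = @{
    Keyboard = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
    Mouse    = '{4D36E96F-E325-11CE-BFC1-08002BE10318}'
}

function Resolve-DriverFile {
    # Convert an ImagePath as stored under the Services key into an absolute
    # path. Forms commonly stored: 'system32\drivers\x.sys' (relative to
    # %SystemRoot%), '\SystemRoot\system32\drivers\x.sys', '\??\C:\...\x.sys'.
    # No ImagePath at all means the default <service>.sys in the drivers dir.
    param([string]$ImagePath, [string]$Service, [string]$SystemRoot)
    if (-not $ImagePath) {
        return Join-Path $SystemRoot "System32\drivers\$Service.sys"
    }
    $p = $ImagePath -replace '^\\\?\?\\', ''              # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', "$SystemRoot\"    # expand \SystemRoot\
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $SystemRoot $p }
    return $p
}

function Get-InputClassFilterStatus {
    [CmdletBinding()]
    param(
        # Defaults inspect the live system; point these at a loaded offline
        # hive (e.g. HKLM:\OfflineSYSTEM\ControlSet001\...) to check another
        # install, as the original poster did from a second Windows.
        [string]$ClassRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class',
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [string]$SystemRoot   = $env:SystemRoot
    )
    foreach ($className in $InputClasses.Keys) {
        $classKey = Join-Path $ClassRoot $InputClasses[$className]
        if (-not (Test-Path $classKey)) { continue }
        $classProps = Get-ItemProperty -Path $classKey
        foreach ($slot in 'UpperFilters', 'LowerFilters') {
            # REG_MULTI_SZ, one service name per entry. The class driver
            # itself (kbdclass / mouclass) is not listed here.
            foreach ($service in @($classProps.$slot | Where-Object { $_ })) {
                $svcKey    = Join-Path $ServicesRoot $service
                $hasSvcKey = Test-Path $svcKey
                $imagePath = $null
                if ($hasSvcKey) { $imagePath = (Get-ItemProperty -Path $svcKey).ImagePath }
                $file = Resolve-DriverFile -ImagePath $imagePath -Service $service -SystemRoot $SystemRoot
                [pscustomobject]@{
                    Class      = $className
                    Slot       = $slot
                    Service    = $service
                    ServiceKey = $hasSvcKey
                    File       = $file
                    FileExists = Test-Path -LiteralPath $file -PathType Leaf
                }
            }
        }
    }
}

$status = Get-InputClassFilterStatus
$status | Format-Table -AutoSize

# Any filter whose service key or driver file is gone will stop the whole
# keyboard/mouse stack from loading on the next boot; report it before that.
$dangling = $status | Where-Object { -not $_.FileExists -or -not $_.ServiceKey }
if ($dangling) {
    Write-Warning 'Dangling input filter entries found; the affected class stack will not load on next boot:'
    $dangling | ForEach-Object {
        Write-Warning ('  {0} {1}: service {2} -> {3}' -f $_.Class, $_.Slot, $_.Service, $_.File)
    }
} else {
    Write-Host 'All registered keyboard/mouse filter drivers have a service key and a driver file on disk.'
}
```

The check is deliberately read-only: it tells you which entry is dangling so the registered name can be removed through the product's own uninstall path (or from the filter list of the offline hive) rather than by deleting driver files, which is the step that left both posters without a keyboard.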
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Incognitus: I experienced the same thing with Panda Cloud Antivirus. It totally messed up my netbook.
     
  6. aldo777

    aldo777 Registered Member

    Joined:
    Feb 21, 2011
    Posts:
    4
    Serious problems with PrevX too!
    I did install Prevx on two different computers (1 & 2), both running under Win2000 SP4 with wired mouse and keyboard.

    **** computer 1 ****

    I installed Prevx in order to get rid of virus pzq.exe (operating with an aaqxzz2x.dll file and registry entry) following this link
    After installing the software (3.0.5.220) and paying ~$15 to get the full licensed removal procedure I removed the virus.

    but...

    when I had to reboot to achieve the removal procedure, I had no keyboard and no mouse connection and was not able to log in... same thing in safe mode.... as already described in this thread.

    I was able to boot only by calling the "Last Known Good Configuration" procedure...
    Virus is gone... but now I do have to use "Last Known Good Configuration" each time I am rebooting.

    ...I haven't tried to uninstall anything in case I would lose everything!! (see problems encountered with Prevx software on another computer (2) below)

    ***** computer 2 *****


    I also installed the Prevx trial version on ANOTHER computer with Win2000 just to test it. (It seemed to work fine, and I was not aware of the potential software threat described in this forum...)
    I did run a routine analysis, nothing was found... so far so good!

    but....

    => I was not able to reboot after that: I had recurring blue screens complaining about pxkbf.sys each time I wanted to boot

    => so I tried to reboot again with "Last Known Good Configuration"
    booting OK with only a dialog box complaining about pxkbf.sys (size: 26k, found in C:\WINNT\system32\drivers)

    but sadly just after this...

    => NO MORE boot possible... procedure stops before reaching the F8 key driven boot menu - bye bye "Last Known Good Configuration" option...

    Now I just have a message saying the SYSTEM is damaged, suggesting to reinstall Windows... I am not able to get in anymore.

    I will try to fix that by using an alternate XP boot from another disk...

    Concerning computer 1 -only one boot system- I guess I will try to get rid of Prevx hoping the uninstall procedure won't damage the System, nor alter the "Last known configuration" boot that I am currently using.

    I did try the Prevx support but their response (see below), although quick, was not really relevant, nor helpful... I hope I will have better results here...

     
    Last edited: Feb 21, 2011
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This sounds like some component of the virus had registered itself and is now preventing the system from accessing the keyboard properly. I would suggest uninstalling Prevx from the uninstall program just to ensure that it is not Prevx but first, could you send the entire contents of C:\Documents and Settings\All Users\Application Data\PrevxCSI to report@prevxresearch.com in a password protected rar or 7zip archive? This should shed some light as to what exactly was removed during cleanup.

    Could you let me know exactly what patch level your Windows 2000 PC is at? The last supported version of Windows 2000 is Service Pack 4 with Update Rollup 1 - Prevx requires this as a minimum requirement and could indeed have unintended behavior if it is installed on an unsupported operating system.

    Please let me know your results or if you have any further details. We are sorry for the inconvenience :doubt:
     
  8. aldo777

    aldo777 Registered Member

    Joined:
    Feb 21, 2011
    Posts:
    4
    Thanks for your fast instant reply!

    Find below a part of the Prevx Log file for the qzp.exe virus removal.
    The full log files found in

    D:\documents and settings\All Users.WINNT\Application Data\PrevxCSI

    were sent to Prevx support.... too big to be posted here.

    Computer 2 is also Win2000 SP4.

     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for the scan logs - from them, I am able to determine that Update Rollup 1 is not installed which is why you are experiencing issues as Prevx is incompatible with your operating system. You can either install Update Rollup 1 directly which should correct the issues or you can uninstall Prevx, install the update, and then reinstall Prevx.

    The update was released in 2005 and can be downloaded from here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b54730cf-8850-4531-b52b-bf28b324c662
     
  10. aldo777

    aldo777 Registered Member

    Joined:
    Feb 21, 2011
    Posts:
    4
    Thank you! ...when I do the uninstall, should I run the PrevX online removal tool first before my local uninstall routine, after, or not at all?
     
  11. aldo777

    aldo777 Registered Member

    Joined:
    Feb 21, 2011
    Posts:
    4
    System updated with "Update Rollup 1" after uninstalling PrevX with local Uninstall and online forceuninstall.exe...
    Reboot OK with active Mouse and Keyboard... but PrevX still here with the

    C:\WINNT\system32\drivers\pxkbf.sys file

    on my computer although it seems it was uninstalled....
     
  12. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    That's fine just install a fresh copy of Prevx http://info.prevx.com/downloadcsi.asp and let us know your results!

    TIA,

    TH
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's possible this has occurred because of the update change. Could you try reinstalling Prevx? You now shouldn't experience any problems and the drivers should load properly. If you do wish to uninstall again, I suspect reinstalling and then uninstalling will work properly.

    Let me know your results!
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Have to say I recently also had some VERY serious problems with not being able to boot normally or in safe mode too, and could not get "Last Known Good Configuration" either, which I posted about. After wasting lots of time I had to have a new XP OS, Apps etc installed alongside my existing one so I could at least transfer stuff over. MORE time wasted :mad:

    I wasn't sure if it was Prevx at the time as I was testing another app. But having read the above, it makes me wonder!

    Even if it's a Windows design error etc involved, vendors who are aware of these things, as Prevx has stated they are, should make their products recoverable from such disasters. It will be interesting to see how V4 fares?
     