Prevx destroyed my snapshots

Discussion in 'Prevx Releases' started by overangry, Oct 3, 2009.

Thread Status:
Not open for further replies.
  1. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Prevx destroyed my snapshots ****UPDATE****

    Hi Joe,

    I was into a three-day trial of RollBack Rx when Prevx detected C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL and the associated files. I selected clean; after the scan I was told to reboot as I had an MBR Rootkit. Unfortunately the Rootkit turned out to be a critical component of RollBack Rx.
    All of my snapshots were removed; I was luckily rebooted to the initial Baseline image.

    I can no longer access RB Rx or uninstall it.
    I was surprised that this could happen, first of all that RB Rx didn't prevent this from happening and that Prevx had caused this to happen.

    Is it now dangerous to perform an AV scan whilst using RB Rx? Have any other users experienced similar issues?

    Admittedly I should/could have paid more attention to the warning; that said, my mother would have pressed BLOCK, as would most other average users have done.

    Unfortunately I can't provide more details as most of them are with my snapshots.

    I have mailed RB Rx support for assistance in the above.

    Just thought I would share my experience.
     
    Last edited: Oct 4, 2009
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Happened to me back in April, never will I simply trust a blacklisting software again without thoroughly checking for a FP.
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I think one of the realities that a RollBackRx (or related product) user must face is that there are some operational stability issues that come with the technical approach that this product class (i.e. Rollback Rx/EAZ-Fix/AyRecovery/Comodo Time Machine) employs. I really don't see this as inherently tied to blacklisting vs. other malware control measures; it's due to overlaying a phantom file system on top of the "real" one and having to deal with the fact that any operation performed outside the scope of that "phantom" environment leads to potential large-scale corruption.

    Blue
     
  4. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    PrevxHelp has already said in a previous thread that RollBack Rx employs rootkit-like technologies. It doesn't mean the program is malicious per se; it's just unfortunate the way it works produces the results it does when scanned.

    The reason it doesn't happen with FD-ISR is most likely because it uses different techniques to RollBack Rx.
     
  6. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    I wish I had seen this earlier and the numerous posts pointed out by Longboard. I really like RB Rx, but the above quote also makes a lot of sense.

    I was going to purchase RB Rx, but may now wait until I receive a response from RollBack Rx support.

    One more question: I noticed that on all the snapshots (provided by Longboard) the same MBR Rootkit (Prevx's definition) seems to be shown; isn't there a way to eliminate this particular FP?
     
  7. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Quote above hits the nail on the head, and is why I don't use my RB RX licence. Glad I bought FD-ISR, which is much more robust.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    There is, and we should have corrected it a few months ago (and haven't had any reports recently besides this one). Rollback Rx does modify the system in ways 100% identical to MBR rootkits: GMER, RootRepeal, and a number of other rootkit scanners all find the same "FP".

    Regarding the reported detection: C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL - that is not a FP, but a component of My Web Search, an adware/spyware program frequently bundled with other software. I do not believe that My Web Search employs any MBR-rootkit-like technology but it would be useful to see what the Prevx Cleanup log says if you click "Total Infections Cleaned" on the front screen of Prevx so that we can try and narrow down what happened.

    Thank you, and sorry for the inconvenience.
     
  9. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    I agree; can you help me find the snapshot where that information is stored?
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm not sure. The MBR rootkit cleanup involves rewriting only 512 bytes of disk data, so we definitely do not erase the snapshots. I'm really not familiar enough with how Rollback Rx works to try and give an answer on how to restore the MBR, but perhaps someone else would be more qualified.
     
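The 512-byte sector PrevxHelp refers to above is the MBR: bootstrap code, a four-entry partition table and the 0x55AA signature. The following is an added example (not Prevx's or RollBack Rx's code) of how a defender can parse that sector and compare its bootstrap code against a known-good baseline hash, which is the check to run before and after installing a product that is known to rewrite the MBR; the sample boot-code bytes and the partition entry are constructed for the demonstration.

```python
"""Parse a 512-byte MBR and detect changes to its bootstrap code against a baseline."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return a boot-code hash plus the used partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:   # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def mbr_changed(sector: bytes, baseline_boot_code_sha256: str) -> bool:
    """True when the bootstrap code no longer matches the recorded baseline."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_boot_code_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable NTFS partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    # constructed entry: active, type 0x07, starting at LBA 2048, 204800 sectors
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    baseline = build_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 10)
    rewritten = build_sample_mbr(b"\xeb\x00" + b"\x90" * 10)
    base_hash = parse_mbr(baseline)["boot_code_sha256"]
    print("baseline changed:", mbr_changed(baseline, base_hash))   # False
    print("rewritten changed:", mbr_changed(rewritten, base_hash)) # True
```

On a live system the 512 bytes would be read from the physical disk device with administrator rights; the partition table is reported alongside the hash because a legitimate boot-loader install changes the code but should leave the partition entries intact.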
  11. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    That would be good if they're still on my system; I am still waiting for a response from RB Rx support to help me retrieve the snapshots.
    I also require help re-installing Rx. Looks like I will have to wait until I receive a reply from Rx support.
    As soon as I have the info you asked for, I will make it available to the Prevx team.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    Hi OverAngry

    Sorry to hear about your problems. I am gathering that you cannot reinstall Rollback as well as uninstall it.

    Two realities you might need to prepare for. One, that it is highly likely your snapshots are gone for good. Windows doesn't see them as they aren't Windows files. They are merely used sectors on the disk that were strictly known to Rollback. Also, if you are currently using the machine, then there is a good chance Windows may overwrite those sectors since it sees them as empty.

    Finally, if you can't reinstall Rollback, you might need to restore an image if you have one. If not, you might be facing a format and reinstall of Windows as the worst case.

    Pete
     
  13. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Thanks Peter, I initially had the same thoughts. I'll surely hear from Rollback Rx support in the next couple of days. I hope with a positive outcome.
     
  14. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    An update...
    I was able to uninstall RB Rx with Revo Uninstaller.
    I did not let it remove the registry leftovers or files. Then I reinstalled RB Rx; only this time Prevx alerted me to the "Rootkit" during RB's installation.

    Only this time, being fully aware of this, I chose to trust always (I hope this is the right thing to do). All is working well so far.
    Then I saved a log file; after looking it over I realized that there was no mention of the "Rootkit", nor was there a mention of me overriding Prevx's FP. Is this normal?
    I hope this issue is fixed ASAP; it was reported as fixed a number of times.
    OTHERS WILL BE CAUGHT.
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for this crucial piece of information! We have found a logic issue which could trigger this issue unintentionally, but we will have this fixed in the next software update.

    The warning on installation of the MBR change won't cause problems, as that is just a notification, but it would be worth clicking Trust Always in that case as well.
     
  16. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Thanks for your help and replies.
     