I have never seen the installation of MBAM or SAS interfere with SR or have any special instructions about it and don't know what would happen if it found a problem in an existing RP, but if it ever did report an issue in an existing RP on my system, I would never, ever trust any of them and whack them all and start over with a clean slate. There is nothing "running" when the free versions of MBAM and SAS are installed, so I don't see how they could interfere. I don't know about your other protection methods.
My apologies as I wasn't very clear on this subject. It is not the installation of MBAM that could cause a problem. So disabling it (if you purchased the "pro" version as there is nothing to disable in the freeware one) will not make any difference. It is when a person scans with MBAM and allows it to remove "infected" restore points that you could end up with a broken SR. This can be true of any scanner that removes files from System Volume Information (SVI), just as it was true for AVG 8.0 when I ran empirical tests on it.
I haven't run tests with MBAM, but I've seen numerous logs in the forums where it quarantines files from SVI. I've also seen numerous logs from AVG's malware scanner, starting when it was first developed under the name of ewido, then was bought by Grisoft/AVG to become AVG AntiSpyware, and was then integrated into the AVG antivirus engine. It has always removed "infected" restore points from SVI and my tests of AVG 8.0 prove that this breaks SR at least temporarily--and that turning off SR and then turning it back on again to delete all old restore points is an immediate fix.
I would say if you are even remotely suspicious of your RPs or recovered from an infection, assume all RPs are compromised, hold your breath, whack them all, make a new one and test it immediately. If the new one doesn't work, then you have something to troubleshoot with no preexisting possible problems - the maybe, could be, might be kinds of things will not be part of your equation if you start anew.
I agree with this with some exceptions, tho I would phrase it differently. The main exception is that I wouldn't purge SR just on suspicion of infected restore points--or even supposed confirmation by scanners like MBAM. Without a doubt SR should be purged when your system is truly a victim of infection. But it should happen after cleanup of the infection. This is standard procedure in the malware removal forums and also agrees with Bert Kinney: http://bertk.mvps.org/html/spyware.html
Some people and large companies recommend that System Restore be turned off and all Restore Points deleted before attempting spyware removal. DO NOT DO THIS. If something goes wrong (anything is possible) you will have no way to reverse your actions. You'll want to delete your old Restore Points, but the time to do that is later, not now.
There is also a reason I use quote marks on infected when referring to "infected" restore points. As I established earlier, SR backs up several files and even files by type/extension. Security scanners (antivirus, antimalware, etc.) typically pick up remnants and leftovers of previous infection, even tho the active elements of that infection have been removed. Even evil executables can be stored on your hard drive and won't harm you if they aren't active. Using System Restore won't make an inactive infection active. In my tests with AVG, I had several inactive malware samples in a small zoo on my hard drive (common practice for those of us who do malware removal) and these were getting backed up by SR. Now this is not a consideration for the average user, but in my case I don't want a scanner breaking SR because I have inactive malware files onboard that I already know about.
But what about false positives and other less worrisome detections? This happens all the time--people break SR not knowing that there was no good reason to do so. Some software gets a bad reputation that follows them around forever. If you go to MBAM's home page, you will see that Adware.MyWebSearch is the number one "threat" that gets removed. I wouldn't have it on my system, but it is not a threat to anyone and it's not even adware. When it first came out it was bundled with several programs like the free version of Kazaa (and many other free P2P's) so it is foistware and people wanted it removed because they didn't know how it got on their system. But it doesn't do anything other than some tracking--which isn't any more harmful than the tracking that Google does. But many people download it voluntarily because, among other reasons, they like to insert smileys in their emails. I recommend that anyone that has it should remove it--but by uninstalling it just like any other software. You don't need MBAM--or any other scanner for that matter--detecting it and removing restore points from the SVI folder and breaking SR because of it. Plus it makes people worry unnecessarily that they have had something on their system that is going to steal passwords and/or their identity, etc.
Much the same can be said of the PopCap games loader, but I digress...
Here's the bottom line: The kind of error Bub12 is asking about is usually caused by a corrupted System Restore cache. To fix it, you just have to bite the bullet/cut your losses and delete all your previous restore points by turning System Restore off and then back on again. You don't have to create a restore point to test if SR works. When you turn on SR again (and assuming the problem is a corrupted cache) a new Restore point gets created. So you can just use that new restore point to test if SR works or not. Whatever problems you were having that you wanted to use SR to resolve you will have to find a fix another way--but at least now you have the safety net of a working SR.
If this doesn't fix the problem, then you can look into reinstalling SR if that is what further troubleshooting indicates.
Norton most certainly can interfere and if they didn't, they would not have written a KB about what to do about it, but you say you are not using it and I believe that!
I'm a bit confused here. I've been looking in this thread for where anyone said Norton won't interfere with SR but can't find it. Could you point that out for me?
MS suggests in a few places if SR fails, "try" it in Safe Mode. I am not a tryer and it would seem to me that it should work in normal mode. If I ever saw that it only worked in Safe Mode, then I would be compelled to figure out what the deal was and it would annoy me to no end until I figured it out and fixed it.
I'm confused again. Tests are by definition trials. So how can you advocate testing and refuse to try things? How can you "figure out what the deal was" if you don't run tests? Running a trial of System Restore in Safe Mode and always running System Restore in safe mode are two different things. In itself it is troubleshooting, figuring out what the deal is. If System Restore works in Safe Mode and not in Normal mode, then it is an indication that a process (like maybe Norton) is interfering with SR. That is what safe mode is for and why it is also known as diagnostic mode. Don't get me wrong, I understand the frustration of people just saying try it in safe mode without letting you know that it should be done for diagnostic purposes, not a routine procedure, but as stated, your comments sound contradictory and closed-minded.
Now to get back on topic. Bub12, if any of your security scanners has quarantined anything from the SVI folder let us know. Whether or not that is the case I suggest you do the following to get System Restore back.
1. Turn SR off then back on again. You can find instructions on how to disable and re-enable System Restore here: Windows XP System Restore Guide
2. Once your system has rebooted, test SR. There should only be one Restore point and if you test it immediately there won't be any changes to reverse. Just see if SR works. Report back here any message you get other than that the Restoration was successful.
Or you can use Bert Kinney's test to make sure that files are handled correctly: http://bertk.mvps.org/html/tips.html#3