Windows Malicious Software Removal Tool update causes a profile change

wither 2

About a month ago, I started using my wife's Win 7 system because my workstation with Win 7 had a problem which I hadn't had time to resolve. Last night (11/09) I shut it down and it said it was installing an update, which I thought was strange since there shouldn't be any updates. This morning, when I restarted it, it said that I was using a temporary profile and that any files I created wouldn't be saved upon restart. It said I should log off and wait for changes to be made (I'll post the actual message if necessary). Logging off or restarting had no effect.

When I looked at Windows updates, what it had installed was the Windows Malicious Software Removal Tool, KB890830, v.95. Further investigation revealed it had installed the .94 version a week ago but there was no indication to me back then that it was being installed.

When I tried to launch IE 11, it acted like I had never installed or customized it. When looking at user accounts, the only ones listed are my wife's and a guest account.

When I attempted to uninstall the update to restore the system to before the update, the update wasn't listed. I hadn't set up restore points for her system so that route is futile.

Anyone have a suggestion how to remedy this situation?
 

My Computer My Computer

At a glance

Windows 7 Pro SP1 64 bit8 GB
Computer type
Laptop
Computer Manufacturer/Model Number
Dell M6500 Precision Work Station
OS
Windows 7 Pro SP1 64 bit
Memory
8 GB
Screen Resolution
1920x
Internet Speed
30 Mbps
Antivirus
Norton Security
Browser
IE 11
Hi Wither,

MSRT isn't really a true update; for want of a better name, it's a one-off anti-virus scan. I hide it.
Logs can be found here: C:\Windows\Debug\mrt.log

It should not affect user profiles, have a look at this tutorial

https://www.google.com/url?client=i...cQFnoECAAQAg&usg=AOvVaw1A9921eBMvhM8zSgtfjrQS

Now as for IE11, you can reset it by going to features and turning it OFF, then REBOOT, then reversing the procedure.

I would not be using it, as it's not being updated by MS, and certain sites will report it back as unsupported, i.e. most financial institutions.

To be on the safe side I would recommend you perform a 3rd party virus scan.
 

My Computer My Computer

At a glance

W7 home premium 32bit/W7HP 64bit/w10 tp insid...E5300 dual core3gbNvidia Geforce 7100 Nforce 630i
Computer type
PC/Desktop
Computer Manufacturer/Model Number
medionl/Aspire 6930G/acer x55a
OS
W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
CPU
E5300 dual core
Motherboard
medion MS7366
Memory
3gb
Graphics Card(s)
Nvidia Geforce 7100 Nforce 630i
Monitor(s) Displays
avixc
Internet Speed
n (isp resticted to 72)
Antivirus
mse/pands
Browser
palemoon
Other Info
Belkin Fd7050 n USB using Railink RT2870 drivers, more upto date
Thanks for your insight and links.

Before I logged in here this morning, I remembered that Windows sets a restore point before running updates. I ran the system restore but it didn't change anything.

I ran Norton Security per your suggestion. Nothing was found.

I decided to run Option 1 in the linked article even though I have never seen the message about not being able to access the user profile.

From experience, I set a system restore point (I saw later that the article suggests that).

I had two SIDs with the long identical numbers, one without the .bak and one with it. The one without had the path set to C:\Windows\Temp. The other had the path to the C:\Users folder for my User Account. I made the mentioned changes for that situation. Everything went fine but, when I got done, the new .bak folder was still there in contrast to it being absent after the changes shown in the article. Anyhow, when I rebooted, I then got the error about not being able to access the user profile and couldn't boot into Windows.

I then went into Safe Mode (using F8 on this HP system during the boot) and ran the system restore point I had created. That got me back into Windows without the error message but still with the temporary user profile problem.

I went back into Safe Mode and ran regedit to look at the ProfileList entry. There was only one SID with the long number and the path was to my user account, as it should be.

I guess I'll have to try option 2. Hope to get to it tomorrow or Saturday.

- - - Updated - - -

I haven't done anything with this for two reasons:

First- I didn't have the error message in the link provided until I carried out the instructions in Option 1. The update changed something in Windows besides the registry since the registry while in safe mode is correct.

Second- Since I uninstalled the offending update to no avail, it seems to me that the change in Windows would still be there after changing the User Account per Option 2.

Perhaps you have some thoughts on this.
 

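The ProfileList state described in the post above (a SID key and a matching `.bak` key, one of them pointing at C:\Windows\Temp) can be listed without editing anything. This is an added example, not part of any post in the thread; the function names, the placeholder SID and the user name `ExampleUser` are assumptions made for illustration.

```powershell
# Added example: read-only triage of ProfileList for the temporary-profile symptom.
# Written for Windows PowerShell 2.0 so it also runs on a stock Windows 7 install.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    # Reads every SID subkey and its ProfileImagePath; changes nothing.
    Get-ChildItem $ProfileListKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            KeyName = $_.PSChildName
            Path    = [string]$p.ProfileImagePath
        }
    }
}

function Test-ProfileListEntry {
    param([object[]]$Entries)
    $names = @($Entries | ForEach-Object { $_.KeyName })
    foreach ($e in $Entries) {
        $sid      = $e.KeyName -replace '\.bak$', ''
        $findings = @()
        if ($e.KeyName -match '\.bak$') {
            if ($names -contains $sid) { $findings += 'same SID exists with and without .bak' }
            else                       { $findings += 'only a .bak key exists for this SID' }
        }
        # A user SID whose path is a Temp folder is the temporary-profile case.
        if ($e.Path -match '\\Temp(\\|$)') { $findings += 'path points at a temporary folder' }
        if ($findings.Count -eq 0)         { $findings += 'ok' }
        New-Object PSObject -Property @{
            KeyName  = $e.KeyName
            Path     = $e.Path
            Findings = ($findings -join '; ')
        }
    }
}

# Constructed sample mirroring the pair described in the post (placeholder SID).
$sid = 'S-1-5-21-0000000000-0000000000-0000000000-1000'
$sample = @(
    (New-Object PSObject -Property @{ KeyName = $sid;       Path = 'C:\Windows\Temp' }),
    (New-Object PSObject -Property @{ KeyName = "$sid.bak"; Path = 'C:\Users\ExampleUser' }),
    (New-Object PSObject -Property @{ KeyName = 'S-1-5-18'; Path = 'C:\Windows\system32\config\systemprofile' })
)
Test-ProfileListEntry -Entries $sample | Select-Object KeyName, Path, Findings | Format-List

# On the affected machine, from an elevated prompt:
# Test-ProfileListEntry -Entries (Get-ProfileListEntry) | Format-List
```

Running the live form before and after each registry change, and again from Safe Mode, records whether the two keys really differ between boots.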
Hi Wither,

A couple of extra thoughts:
System Restore USUALLY contains more "points" than INITIALLY shown; hit the show more restore points option, bottom left if I remember correctly.

I would then run sfc /scannow and chkdsk /r

As a matter of interest, do you have either of these programs installed: Macrium/Ameobi? If so, you should be able to restore from them.
 

Hi torchwood-

Thanks for the ideas.

I had already run sfc and no problems were found. I will try the disk check.

The computer is one that I bought for my wife so that she could go to Facebook. I did little else with it (because she didn't want me to mess with it) so there are no prior restore points and I didn't do any backups. I only touched it when she was having a problem. My other Win 7 system went down so I was using hers temporarily and, out of nowhere, this problem occurred.

I could probably do a factory restore on it without hurting anything since I only installed a few extra programs like Norton on it. Didn't want to do that if I didn't have to. I have a Win 7 repair disc but am not sure what I would do with it.
 

I ran the disk check and everything was okay.

I confirmed what you said about the removal tool not being a Windows update. It's confusing because it's updated via a KB. I finally found the removal tool entries in Windows (they were in C:\Windows\System32 as a MRT and MRT-KB............. folder) and deleted them. I then ran the disk cleanup utility and emptied the recycle bin. Upon reboot, the problem still exists. Even tried resetting the registry as before, to no avail.

Being stubborn, I haven't tried a new User Account yet. Still trying to understand what's going on.
 

Well, I still haven't figured this one out. I enabled the guest account, which works, and tried a few things regarding the Ntuser.dat file to no avail, in regards to the administrator user profile not being accessible during startup. I had set system restore points before doing anything but somehow they got corrupted so, right now, I'm using a standard user account without administrator rights. Strange thing is that when I try to do some things, it says I need administrator rights and brings up the administrator name. When I click on Yes, it does what I want to do. Apparently, the designation of an administrator isn't incorporated in the Ntuser.dat file. So, I'm still at square one with regards to the administrator account but at least I can use the standard user account. Would really like to get this fixed. I guess I could give the new account administrator rights and delete the old one.
 

Now it's getting bizarre. I've been using the computer about every 3 or 4 days since I switched to the standard user account. This morning, when I used that account, it said the same thing that started this thread: it's using a temporary profile. Ironically, the original administrator account is now working.
 
