UAC being turned off once a day on Windows 7



I have a strange problem on my HP laptop. This began to happen recently. Whenever I start my machine, Windows 7 Action Center displays the following warning:

You need to restart your computer for UAC to be turned off.

Actually, this does not happen if it happened once on a specific day. For example, when I start the machine in the morning, it shows up; but it never shows up in the subsequent restarts within that day. On the next day, the same thing happens again.

I never disable UAC, but obviously some rootkit or virus causes this. As soon as I get this warning, I head for the UAC settings, and re-enable UAC to dismiss this warning. This is a bothersome situation as I can't fix it.

First, I have run a full scan on the computer for any probable virus and malware/rootkit activity, but TrendMicro OfficeScan said that no viruses have been found. I went to an old Restore Point using Windows System Restore, but the problem was not solved.

What I have tried so far (which couldn't find the rootkit):

  • TrendMicro OfficeScan Antivirus
  • Malwarebytes' Anti-malware
  • Ad-Aware
  • Vipre Antivirus
  • GMER
  • TDSSKiller (Kaspersky Labs)
  • HiJackThis
  • RegRuns
  • UnHackMe
  • SuperAntiSpyware Portable
  • Tizer Rootkit Razor (*)
  • Sophos Anti-Rootkit
  • SpyHunter 4
  • ComboFix

There are no other strange activities on the machine. Everything works fine except this bizarre incident.

What could be the name of this annoying rootkit? How can I detect and remove it?

EDIT: Below is the log file generated by HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:07:04, on 17.01.2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal

Running processes:
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\LightningFAX\LFclient\lfsndmng.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Microsoft LifeCam\LifeExp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\mimio\mimio Studio\system\aps_tablet\atwtusb.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [lfsndmng] C:\Program Files\LightningFAX\LFclient\LFSNDMNG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: mimio Studio.lnk = C:\Program Files\mimio\mimio Studio\mimiosys.exe
O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) -
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\Program Files\Common Files\Quest Shared\CodeXpert\qcom.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: BMFMySQL - Unknown owner - C:\Program Files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SMS Task Sequence Agent (smstsmgr) - Unknown owner - C:\Windows\system32\CCM\TSManager.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

End of file - 8204 bytes

As suggested in this very similar question, I have run full scans (+boot time scans) with RegRun and UnHackMe, but they also did not find anything. I have carefully examined all entries in the Event Viewer, but there's nothing wrong.

Now I know that there is a hidden trojan (rootkit) on my machine which seems to disguise itself quite successfully. Note that I don't have the chance to remove the HDD, or reinstall the OS as this is a work machine subjected to certain IT policies on a company domain.

Despite all my attempts, the problem still remains. I strictly need a to-the-point method or a pukka rootkit remover to remove whatever it is. I don't want to monkey with the system settings, i.e. disabling auto runs one by one, messing with the registry, etc.

EDIT 2: I have found an article which is closely related to my trouble:

Malware can turn off UAC in Windows 7; “By design” says Microsoft. Special thanks(!) to Microsoft.

In the article, a VBScript code is given to disable UAC automatically:

'// 1337H4x Written by _____________ 
'//                    (12 year old)

Set WshShell = WScript.CreateObject("WScript.Shell")

'// Toggle Start menu

'// Search for UAC applet
WshShell.SendKeys("change uac")

'// Open the applet (assuming second result)

'// Set UAC level to lowest (assuming out-of-box Default setting)

'// Save our changes

'// TODO: Add code to handle installation of rebound
'// process to continue exploitation, i.e. place something
'// evil in Startup folder

'// Reboot the system
'// WshShell.Run "shutdown /r /f"

Unfortunately, that doesn't tell me how I can get rid of this malicious code running on my system.

EDIT 3: Last night, I left the laptop open because of a running SQL task. When I came in the morning, I saw that UAC was turned off. So, I suspect that the problem is not related to startup. It is happening once a day for sure no matter if the machine is rebooted.

EDIT 4: Today, I immediately started "Process Monitor" as soon as Windows was started to hopefully catch the guilty one (thanks to @harrymc for the idea). At 9:17, the UAC slider was slid to the bottom (Windows 7 Action Center gave the warning). I investigated all the registry actions between 9:16 and 9:18. I saved the Process Monitor log file (70MB containing only that 2 minute interval). There are lots of EnableLUA = 0 (and the other) entries. I'm posting the screenshots of the properties windows of the first 4 below. It says svchost.exe is doing this, and gives some thread and PID numbers. I don't know what I should infer about them:

[Screenshots: four Process Monitor properties windows for the EnableLUA writes]

As an extra thing to investigate, this could possibly be a setting that is being applied by the Group Policy from your domain controller. It may be that they (for some reason) have it set to reset UAC on a daily basis. Of course if they're enabling it using group policies and malware is disabling it, then that is bad. I'd have a chat with your IT guys, that is if they're the talkative kind. – Mokubai – 2011-01-21T13:34:24.743

@Mokubai: Thanks for your suggestion. I talked to the other colleagues in the company, and none of them is having such an issue. I'm sure our IT has not disabled UAC, as they are very sensitive on security issues. The interesting thing is, how did that (possible) rootkit befool the antivirus or other security measures put in place by IT? – Mehper C. Palavuzlar – 2011-01-21T14:33:27.663

As to how you may have gotten this possible infection in the first place, at its simplest any malware protection you may have is generally reactive in nature; though proactive detection is possible, it is not reliable. Someone dreams up a way to break into a system, then a company spots it and writes up a way to detect or remove it, action and reaction. If you do indeed have an infection it could very well be a completely new strain that hasn't been seen by the AV companies yet. As to how you got it there are too many security holes in places you wouldn't expect to give any idea... – Mokubai – 2011-01-21T17:07:05.940

HijackThis is clean. You might want to consider getting a firewall. Please try Autoruns and Process Monitor as described by Harry. – Tamara Wijsman – 2011-02-03T19:29:00.537

Have you tried looking in the Task Scheduler? (Start -> Control Panel -> Administrative Tools -> Task Scheduler) Click "Task Scheduler Library" to see Tasks set up by things like the Google Updater. It is possible that your daily UAC reset is somewhere in there as tasks can be set up at a particular time and then be set to run X minutes after login if that time has already passed... I would have to say though, it could be a long and arduous task searching through the thousands of items in there. – Mokubai – 2011-02-06T19:21:16.240

@Mokubai: Yes. Please see my latest comments under harrymc's answer.

– Mehper C. Palavuzlar – 2011-02-06T21:33:29.197



You should first check if the Security Center service can start, and if not - which one of its dependencies is to blame. Look also for error messages in the Event Viewer.

If you have the feeling that your computer is infected, possible solutions may be:

  1. How to Repair Windows 7 System Files with System File Checker.
  2. Startup Repair: How To Easily Repair Windows 7 Boot Problems Using Startup Repair.
  3. The last resort is to reformat the hard disk and reinstall Windows.
    In your case, this might apply: Performing an HP System Recovery in Windows Vista.

Just to remark that Windows is quite capable of destroying itself without any help, which is why Windows Update is more dangerous than any virus. Startup Repair may fix the problem in this case by reinitializing Windows, without requiring the applications to be reinstalled.

If you really think the problem is rather that of a virus, and you wish to know more about what is happening on your computer, you will need to find out two things:

  1. What change is being done to your system,
  2. What program does this change.

For the first one, if it is a registry change, then the key is probably HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, item EnableLUA, whose value is 0 for Disabling and 1 for Enabling.

Once you have located the change being done to your system, you can use Process Monitor and its Enable Boot Logging option (see help) to log all accesses to the key.

I would first boot in Safe mode, and see if this is also happening. If not, then another attack-vector is to use Autoruns to disable startup items in a binary search for the product (since this might be a legitimate product causing the problem, rather than a virus).
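Edit 4 in the question and the Process Monitor suggestion in this answer come down to the same triage step: filter the saved log for writes to the three UAC policy values and see which image and PID made them. The script below is an added example, not code from the question or any answer; it assumes Process Monitor's default CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and runs on a constructed sample of log rows modelled on what Edit 4 reports.

```python
import csv
import io
import re
from collections import defaultdict

# The policy key named in the thread, as Process Monitor displays it.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Meaning of the three UAC values discussed above (Microsoft's documented settings).
UAC_VALUE_MEANING = {
    "EnableLUA": {0: "UAC off after next reboot", 1: "UAC on"},
    "ConsentPromptBehaviorAdmin": {
        0: "elevate without prompting (slider at the bottom)",
        1: "prompt for credentials on the secure desktop",
        2: "prompt for consent on the secure desktop",
        3: "prompt for credentials",
        4: "prompt for consent",
        5: "prompt for consent for non-Windows binaries (default)",
    },
    "PromptOnSecureDesktop": {0: "prompt on the normal desktop", 1: "prompt on the secure desktop"},
}

# Procmon's Detail column for RegSetValue looks like "Type: REG_DWORD, Length: 4, Data: 0".
DATA_RE = re.compile(r"Data:\s*(-?\d+)")

# Constructed sample in the layout of a Process Monitor CSV export (File > Save, CSV).
# The svchost.exe rows mirror Edit 4; the other rows are noise the filter must skip.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:16:58.1203451 AM","svchost.exe","1044","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:17:01.5520123 AM","svchost.exe","1044","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:17:01.5521870 AM","svchost.exe","1044","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:17:01.5523002 AM","svchost.exe","1044","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:17:03.0010000 AM","explorer.exe","2208","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:17:04.2200000 AM","PccNTMon.exe","1880","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
'''


def uac_writes(csv_text):
    """Return every RegSetValue on a UAC policy value as
    (time, process, pid, value_name, data, meaning) tuples; reads are ignored."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegSetValue":
            continue
        key, _, value_name = row["Path"].rpartition("\\")
        if key.lower() != UAC_KEY.lower() or value_name not in UAC_VALUE_MEANING:
            continue
        match = DATA_RE.search(row["Detail"])
        data = int(match.group(1)) if match else None
        meaning = UAC_VALUE_MEANING[value_name].get(data, "undocumented value")
        hits.append((row["Time of Day"], row["Process Name"], int(row["PID"]),
                     value_name, data, meaning))
    return hits


def writers_by_pid(hits):
    """Group the writes by (image name, PID). One svchost.exe PID hosts a whole
    service group, so the PID is the lead to chase, not the image name."""
    groups = defaultdict(list)
    for _, process, pid, value_name, data, _ in hits:
        groups[(process, pid)].append((value_name, data))
    return dict(groups)


def uac_disabled_by(hits):
    """Processes that wrote EnableLUA=0 or ConsentPromptBehaviorAdmin=0, i.e. the
    writes that produce the Action Center warning quoted in the question."""
    return sorted({(process, pid) for _, process, pid, name, data, _ in hits
                   if data == 0 and name in ("EnableLUA", "ConsentPromptBehaviorAdmin")})


if __name__ == "__main__":
    found = uac_writes(SAMPLE_CSV)
    for time, process, pid, name, data, meaning in found:
        print(f"{time}  {process}[{pid}]  {name} = {data}  ({meaning})")
    print("culprits:", uac_disabled_by(found))
```

To use it on a real export, replace SAMPLE_CSV with the file's contents; because one svchost.exe instance hosts a whole service group, map the reported PID to its services with `tasklist /svc` before concluding which service is responsible.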


Thanks for your suggestions. I've already performed sfc /scannow and it says Windows Resource Protection Did Not Find Any Integrity Violations. Step 2 is risky for me as this is a company laptop subjected to IT policies. If I somehow mess up the boot process, I will be in more trouble. Step 3 is out of the question for me. – Mehper C. Palavuzlar – 2011-02-03T12:15:11.973

IT policies problem understood. Any results from my 1st paragraph? – harrymc – 2011-02-03T12:23:36.580

Security Center starts without problems in Normal Mode. I have carefully examined all entries in the Event Viewer (all available dates till now), but there's nothing wrong, as I stated within my question. I have also separately checked all running services, startup processes, registry entries, and .dll files using various antivirus and antimalware programs. – Mehper C. Palavuzlar – 2011-02-03T14:15:46.097

OK, I have added more info. In any case, if you think your computer is infected, I am sure that IT policies require you to announce it to IT before you infect the entire company. – harrymc – 2011-02-03T16:23:06.720

A few minutes ago, I have checked the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, and it's 1. Now I'll follow your suggestion about Process Monitor and Autoruns. As for checking the situation in Safe Mode: Since the problem occurs once a day, I don't have enough time to spend on Safe Mode to confirm if it happens there. Since this is a work PC, it has to be on Normal Mode during the whole day. One chance maybe to leave it at Safe Mode at night and check back in the morning. I'll inform you if any progress happens. – Mehper C. Palavuzlar – 2011-02-04T09:29:45.797

I have mistakenly edited your answer whereas I should have edited the question. Please see the "Edit 3" in the question. – Mehper C. Palavuzlar – 2011-02-04T09:39:28.547

Interesting. You might check to see if there something in the Task Scheduler. Autoruns can also disable/re-enable scheduled tasks. – harrymc – 2011-02-04T09:58:05.087

I have investigated the Scheduled Tasks using Autoruns, and they were all normal. However, when I open the built-in Task Scheduler of Windows 7, there are lots of entries in the subfolders under the folder tree on the left panel. I will try to confirm them one by one. – Mehper C. Palavuzlar – 2011-02-06T12:16:26.343

In your Edit 3, was UAC really off, or was it waiting for restart? If off : (1) how did you know that it's off, and (2) were there any signs of a restart? – harrymc – 2011-02-06T15:59:12.027

In Edit 3 and in all cases, UAC is set to off and it is waiting to restart. Actually it's not really off unless I restart, so as soon as I get the warning in the taskbar via Action Center, I head for the UAC settings and re-enable UAC by sliding the slider up. This is what happens every time. This (possible) rootkit only downs the UAC slider. It is unable to restart the machine (fortunately). – Mehper C. Palavuzlar – 2011-02-06T21:38:56.987

Since EnableLUA stays 1, then it might be that the registry key being changed is actually ConsentPromptBehaviorAdmin in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. See "Registry key settings" in UAC Group Policy Settings and Registry Key Settings.

– harrymc – 2011-02-08T08:29:45.780

I checked the value of ConsentPromptBehaviorAdmin, and it's 5 (Default) = Prompt for consent for non-Windows binaries. – Mehper C. Palavuzlar – 2011-02-08T09:28:03.263

The concerned keys are EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop. If they all have the right values, this is puzzling. Maybe better verify their values in Safe boot. Are you sure that your "virus" is not trying to turn UAC back on? To test if UAC is really on, you can do regedit and see if you get the UAC prompt. – harrymc – 2011-02-08T10:30:18.783

Today I started the machine. A few minutes later, UAC warning was displayed via Action Center. I went to regedit and checked the related keys. Here are the results: EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 1. Now I need to find out what's changing these values. – Mehper C. Palavuzlar – 2011-02-09T07:30:41.043

This is a screenshot of the current regedit window. After I changed UAC setting to normal, it became this. – Mehper C. Palavuzlar – 2011-02-09T07:33:55.893

Yup, something is turning UAC off. (1) Do you get an elevation prompt when running regedit? If you don't then UAC is already off after the boot. (2) What is the situation after a boot in Safe mode? (3) Just to remark that the Action Center message can be displayed because of a change in ConsentPromptBehaviorAdmin and not only for EnableLUA. – harrymc – 2011-02-09T09:05:06.837

(1) Yes. I get the prompt. For (2) and (3), I'll do it and let you know. (It's a busy day for me...) – Mehper C. Palavuzlar – 2011-02-09T09:52:45.867

Once it's clear which registry changes are being done, maybe it's time for Process Monitor at boot, which will locate the guilty process. Even if this is svchost, this can still give you a lead via the pid. – harrymc – 2011-02-09T11:21:24.243

(2) This morning, I booted directly into Safe Mode. I checked regedit, and the values were the same as this one. I've waited for about half an hour, and nothing happened. The values did not change. Then I rebooted in the normal mode, and after a few minutes, the daily warning showed up again: You need to restart your computer for UAC to be turned off. Now I'll use Process Monitor at boot as you suggested.

– Mehper C. Palavuzlar – 2011-02-10T07:44:21.417

Anyway, the bounty is yours as you've spent too much effort to help me. – Mehper C. Palavuzlar – 2011-02-10T07:49:18.903

Thanks, and please continue adding comments here about what you find. – harrymc – 2011-02-10T08:15:39.317

I've added some info to my question. Please see Edit 4. – Mehper C. Palavuzlar – 2011-02-11T08:13:40.727

localservicenetworkrestricted handles several system services, most interesting among them is Security Center. Puzzle 1: for the UAC dialog the process name is dllhost.exe, not svchost. Puzzle 2: Why don't you get an elevation prompt (supposedly unavoidable)? I believe that the UAC change is done either by (1) Windows itself being corrupted (so manages to avoid the UAC prompt), or (2) a rootkit too clever for all antiviruses. My guess is on (1). In both cases what is called for is total reformat and reinstallation of Windows. It would take a Microsoft developer to go any further than that. – harrymc – 2011-02-11T10:54:32.477

I see you have accepted my answer. How did you solve the problem after all this? – harrymc – 2012-02-08T17:41:45.440

Case closed because my laptop has been replaced with a new one. You really did help me to understand what may have been going on. Thanks again. – Mehper C. Palavuzlar – 2012-02-08T18:26:02.657


In my case it was domain policy that was being applied once per day. Same problem. Diagnosis was easier because UAC turning off occurred only when logging in to the domain, or connecting over VPN. Thus it was discovered that the domain policy included some script to turn UAC off. I contacted my system admins and they confirmed that. So you had better consult your domain administrators, or validate the local profile policies and scripts if you are not in a domain.

Option 1: Disable all programs in Startup. (Start > Run > Msconfig. Disable everything under Startup.)

Option 2: Install AVAST home edition and schedule a boot time scan. Better yet, disconnect the hard disk from your machine and connect it to another one and scan it from there using AVAST.

Option 3: Another option is to run HijackThis. Generate the report and share it here for analysis.


Your startup items look fine. All the same, disable the startup items and check again. I would strongly suggest you install Avast and schedule a boot time scan, preferably after connecting the hard disk to another machine. – bobbyalex – 2011-01-17T11:14:39.507

There is another thing you can try: create a non administrative user and login as that user. If a program is trying to run then you should get a UAC prompt. – bobbyalex – 2011-01-17T11:16:35.540

This is a work PC on a company domain, so I'm not authorized to create new users. BTW, I tried Avast boot time scan as well, but it didn't find any viruses. – Mehper C. Palavuzlar – 2011-01-18T12:00:31.790


Please install Microsoft Security Essentials and do a full system scan. Since MSE makes use of OS APIs and hooks, it might be able to locate the malware, if it is actually some sort of malware. Also, if MSE is unable to actually install or run, then we know for sure system is compromised.

Since you've run so many AV and Anti-Malware programs to check your system, I highly doubt that your computer has been compromised. Instead of installing the AV and Anti-Malware programs and then doing a boot scan, use another computer to scan the drive. Attach the drive to another system as a slave and then run the scans. You should do the boot scan by booting off of a CD or DVD and not from the hard drive itself since that truly prevents the OS from ever starting up and the root-kit from running during the actual scan.

Honestly though, if you are sure your system has been compromised by a root-kit, then nuke the hard drive and start from scratch. Ask your IT department to do this. This is the only foolproof way to be sure that your system is clean.


Posted 2011-01-17T08:12:44.490


First, thanks for your suggestions. Removing the HDD is not an option (see the question as to why). I think MSE is worth a try. Tomorrow I'll check and share the result. A boot scan by booting off of an optical disk seems quite reasonable to me. Can you recommend me a link to some image file to burn to disc? Again, nuking the HDD is the last resort for me. I need to solve the case without doing it. I know it is an absolute solution, but let's see what we can do. – Mehper C. Palavuzlar – 2011-02-06T12:06:57.287

I did a quick search. Here's a link that has information about bootable virus scans from different vendors. Try them out.

– Metril – 2011-02-06T19:04:45.460

MSE did not find anything. Now I'll try a bootable rescue CD. – Mehper C. Palavuzlar – 2011-02-08T15:00:25.177


I recommend that you create another user account on your computer. Don't make this account an administrator; keep it as a standard user. Use this new account instead of your administrator account. If you do need admin rights, UAC will always prompt you for your admin credentials. That way, malware won't be able to disable UAC and run evil stuff...

Try to Disable UAC without Admin Rights

This won't get rid of the virus, but it will at least stop it from getting worse. Then, when your anti-virus gets new definitions to detect it, it will be able to remove it.


The problem is, this is a work PC on a company domain and I don't have rights to create a new user. – Mehper C. Palavuzlar – 2011-02-06T23:36:58.120


Before you move onto more complicated measures, please do install AVG Anti-Virus Free Edition 2011. Let it perform a whole computer scan. Recently, I've had a similar problem, and no other anti-virus programs but the aforementioned one could fix it with its Anti-Rootkit measures.


I'll try it today and let you know. – Mehper C. Palavuzlar – 2011-02-09T07:57:59.180

Found nothing... – Mehper C. Palavuzlar – 2011-02-10T16:31:23.790


This is a rather interesting issue. I would have to say this would be caused by one of two different issues:

1) Most people have suspected a virus, and rightly so; viruses love getting into Windows and tinkering with the settings.

You have a comprehensive amount of scans already run. Any virus should be caught by the ones already run, so I believe it is a Windows foul-up.

2) Windows is fouled up. I would recommend you run a disk check on your computer. Two different methods that render similar results.

-- Open My Computer, and then right-click on the hard drive that Windows loads off of. Next, select the Tools tab and click on the button that says Disk Check [or something similar]. Now tick the two option boxes if they already aren't. Your computer should ask you to restart your computer; if it doesn't, you did not tick the option boxes. Let that scan run. It should clean up any foul-ups within your Windows installation.

Now, if that scan fails, insert your operating system installation disk. If using XP, hit R when the blue screen shows up asking what task you wish to do. Now, select what hard drive your operating system is on, and hit enter after entering the appropriate number. Afterwards, enter the password for the Administrator account [usually this is blank]. Now, enter into the command console: chkdsk /r

This should do the same scan; however, it can fix more issues because the scan is being run off the installation disk.

If running the scan for a Vista or Seven machine, insert the disk and select the repair option. Afterwards, hit cancel and it should bring up a new window, in which you can do more operations. The last option should say "Console window" or something of the sort.

Enter into the command console "chkdsk /r C:"

Hope this helps.


I'm running Windows 7 (please see the question tags). I have run chkdsk /r C: at boot and it took about 1 hour. No problems were found. – Mehper C. Palavuzlar – 2011-02-10T09:30:10.423


I have just encountered this very msg. this morning. Java has been trying to update itself for a while now, so I changed the notification settings to "do not notify" and immediately received the msg that I had to restart my cpu to turn off control. I went in and reset the notification level and the issue was resolved. Hope that helps.


Win 10 using Malwarebytes. Malware apparently was turning off the UAC at startup. Stopped loading it at startup and the issue appeared to resolve. Then adjusted startup to delay in Malwarebytes setup and it appeared to work.

Maleware can Byte UAC

Wouldn't delaying the startup of malware detection software increase the chances that actual malware can hide itself? – Arjan – 2015-08-16T12:32:12.017

The question explicitly asks about Windows 7, so I'm not sure why you're addressing Windows 10. Also, it's not clear that your suggestion actually solves the problem, rather than just hiding it. – David Richerby – 2015-08-16T13:35:07.633