10

I have a strange problem on my HP laptop. This began to happen recently. Whenever I start my machine, Windows 7 Action Center displays the following warning:

You need to restart your computer for UAC to be turned off.

Actually, this does not happen if it happened once on a specific day. For example, when I start the machine in the morning, it shows up; but it never shows up in the subsequent restarts within that day. On the next day, the same thing happens again.

I never disable UAC, but obviously some rootkit or virus causes this. As soon as I get this warning, I head for the UAC settings, and re-enable UAC to dismiss this warning. This is a bothersome situation as I can't fix it.

First, I have run a full scan on the computer for any probable virus and malware/rootkit activity, but TrendMicro OfficeScan said that no viruses have been found. I went to an old Restore Point using Windows System Restore, but the problem was not solved.

What I have tried so far (which couldn't find the rootkit):

  • TrendMicro OfficeScan Antivirus
  • AVAST
  • Malwarebytes' Anti-malware
  • Ad-Aware
  • Vipre Antivirus
  • GMER
  • TDSSKiller (Kaspersky Labs)
  • HiJackThis
  • RegRuns
  • UnHackMe
  • SuperAntiSpyware Portable
  • Tizer Rootkit Razor (*)
  • Sophos Anti-Rootkit
  • SpyHunter 4
  • ComboFix

There are no other strange activities on the machine. Everything works fine except this bizarre incident.

What could be the name of this annoying rootkit? How can I detect and remove it?


EDIT: Below is the log file generated by HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:07:04, on 17.01.2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\LightningFAX\LFclient\lfsndmng.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Microsoft LifeCam\LifeExp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\mimio\mimio Studio\system\aps_tablet\atwtusb.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\userx\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.yaysat.com.tr/proxy/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [lfsndmng] C:\Program Files\LightningFAX\LFclient\LFSNDMNG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: mimio Studio.lnk = C:\Program Files\mimio\mimio Studio\mimiosys.exe
O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://172.20.12.103:4343/officescan/console/html/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://172.20.12.103:4343/officescan/console/html/ClientInstall/setup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = yaysat.com
O17 - HKLM\Software\..\Telephony: DomainName = yaysat.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = yaysat.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = yaysat.com
O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\Program Files\Common Files\Quest Shared\CodeXpert\qcom.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: BMFMySQL - Unknown owner - C:\Program Files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SMS Task Sequence Agent (smstsmgr) - Unknown owner - C:\Windows\system32\CCM\TSManager.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8204 bytes

As suggested in this very similar question, I have run full scans (+boot time scans) with RegRun and UnHackMe, but they also did not find anything. I have carefully examined all entries in the Event Viewer, but there's nothing wrong.

Now I know that there is a hidden trojan (rootkit) on my machine which seems to disguise itself quite successfully. Note that I don't have the chance to remove the HDD, or reinstall the OS as this is a work machine subjected to certain IT policies on a company domain.

Despite all my attempts, the problem still remains. I strictly need a to-the-point method or a pukka rootkit remover to remove whatever it is. I don't want to monkey with the system settings, i.e. disabling auto runs one by one, messing the registry, etc.


EDIT 2: I have found an article which is closely related to my trouble:

Malware can turn off UAC in Windows 7; “By design” says Microsoft. Special thanks(!) to Microsoft.

In the article, a VBScript code is given to disable UAC automatically:

'// 1337H4x Written by _____________ 
'//                    (12 year old)

Set WshShell = WScript.CreateObject("WScript.Shell")

'// Toggle Start menu
WshShell.SendKeys("^{ESC}")
WScript.Sleep(500)

'// Search for UAC applet
WshShell.SendKeys("change uac")
WScript.Sleep(2000)

'// Open the applet (assuming second result)
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{ENTER}")
WScript.Sleep(2000)

'// Set UAC level to lowest (assuming out-of-box Default setting)
WshShell.SendKeys("{TAB}")
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{DOWN}")
WshShell.SendKeys("{DOWN}")

'// Save our changes
WshShell.SendKeys("{TAB}")
WshShell.SendKeys("{ENTER}")

'// TODO: Add code to handle installation of rebound
'// process to continue exploitation, i.e. place something
'// evil in Startup folder

'// Reboot the system
'// WshShell.Run "shutdown /r /f"

Unfortunately, that doesn't tell me how I can get rid of this malicious code running on my system.


EDIT 3: Last night, I left the laptop open because of a running SQL task. When I came in the morning, I saw that UAC was turned off. So, I suspect that the problem is not related to startup. It is happening once a day for sure no matter if the machine is rebooted.


EDIT 4: Today, I immediately started "Process Monitor" as soon as Windows was started to hopefully catch the guilty one (thanks to @harrymc for the idea). At 9:17, the UAC slider was slid to the bottom (Windows 7 Action Center gave the warning). I investigated all the registry actions between 9:16 and 9:18. I saved the Process Monitor log file (70MB containing only that 2-minute interval). There are lots of EnableLUA = 0 (and the other) entries. I'm posting the screenshots of the properties windows of the first 4 below. It says svchost.exe is doing this, and gives some thread and PID numbers. I don't know what I should infer about them:


6
  • 1
    As an extra thing to investigate, this could possibly be a setting that is being applied by the Group Policy from your domain controller. It may be that they (for some reason) have it set to reset UAC on a daily basis. Of course if they're enabling it using group policies and malware is disabling it, then that is bad. I'd have a chat with your IT guys, that is if they're the talkative kind.
    – Mokubai
    Commented Jan 21, 2011 at 13:34
  • @Mokubai: Thanks for your suggestion. I talked to the other colleagues in the company, and none of them is having such an issue. I'm sure our IT has not disabled UAC, as they are very sensitive on security issues. The interesting thing is, how did that (possible) rootkit befool the antivirus or other security measures put in place by IT? Commented Jan 21, 2011 at 14:33
  • As to how you may have gotten this possible infection in the first place, at its simplest any malware protection you may have is generally reactive in nature; though proactive detection is possible, it is not reliable. Someone dreams up a way to break into a system, then a company spots it and writes up a way to detect or remove it, action and reaction. If you do indeed have an infection it could very well be a completely new strain that hasn't been seen by the AV companies yet. As to how you got it there are too many security holes in places you wouldn't expect to give any idea...
    – Mokubai
    Commented Jan 21, 2011 at 17:07
  • HijackThis is clean. You might want to consider getting a firewall. Please try Autoruns and Process Monitor as described by Harry. Commented Feb 3, 2011 at 19:29
  • Have you tried looking in the Task Scheduler? (Start -> Control Panel -> Administrative Tools -> Task Scheduler) Click "Task Scheduler Library" to see Tasks set up by things like the Google Updater. It is possible that your daily UAC reset is somewhere in there as tasks can be set up at a particular time and then be set to run X minutes after login if that time has already passed... I would have to say though, it could be a long and arduous task searching through the thousands of items in there.
    – Mokubai
    Commented Feb 6, 2011 at 19:21

9 Answers

6
+50

You should first check if the Security Center service can start, and if not - which one of its dependencies is to blame. Look also for error messages in the Event Viewer.

If you have the feeling that your computer is infected, possible solutions may be :

  1. How to Repair Windows 7 System Files with System File Checker.
  2. Startup Repair : How To Easily Repair Windows 7 Boot Problems Using Startup Repair.
  3. The last resort is to reformat the hard disk and reinstall Windows.
    In your case, this might apply : Performing an HP System Recovery in Windows Vista.

Just to remark that Windows is quite capable of destroying itself without any help, which is why Windows Update is more dangerous than any virus. Startup Repair may fix the problem in this case by reinitializing Windows, without requiring the applications to be reinstalled.

If you really think the problem is rather that of a virus, and you wish to know more about what is happening on your computer, you will need to find out two things:

  1. What change is being done to your system,
  2. What program does this change.

For the first one, if it is a registry change, then the key is probably HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, item EnableLUA, whose value is 0 for Disabling and 1 for Enabling.

Once you have located the change being done to your system, you can use Process Monitor and its Enable Boot Logging option (see help) to log all accesses to the key.

I would first boot in Safe mode, and see if this is also happening. If not, then another attack-vector is to use Autoruns to disable startup items in a binary search for the product (since this might be a legitimate product causing the problem, rather than a virus).

20
  • Thanks for your suggestions. I've already performed sfc /scannow and it says Windows Resource Protection Did Not Find Any Integrity Violations. Step 2 is risky for me as this is a company laptop subjected to IT policies. If I somehow mess the boot process, I will be in more trouble. Step 3 is out of question for me. Commented Feb 3, 2011 at 12:15
  • IT policies problem understood. Any results from my 1st paragraph?
    – harrymc
    Commented Feb 3, 2011 at 12:23
  • Security Center starts without problems in Normal Mode. I have carefully examined all entries in the Event Viewer (all available dates till now), but there's nothing wrong, as I stated within my question. I have also separately checked all running services, startup processes, registry entries, and .dll files using various antivirus and antimalware programs. Commented Feb 3, 2011 at 14:15
  • OK, I have added more info. In any case, if you think your computer is infected, I am sure that IT policies require you to announce it to IT before you infect the entire company.
    – harrymc
    Commented Feb 3, 2011 at 16:23
  • 1
    Yup, something is turning UAC off. (1) Do you get an elevation prompt when running regedit? If you don't then UAC is already off after the boot. (2) What is the situation after a boot in Safe mode? (3) Just to remark that the Action Center message can be displayed because of a change in ConsentPromptBehaviorAdmin and not only for EnableLUA.
    – harrymc
    Commented Feb 9, 2011 at 9:05
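
An added example, not part of the answer or of the asker's log: one way to reduce a Process Monitor capture to the events this answer is after, namely which process successfully wrote EnableLUA or ConsentPromptBehaviorAdmin under the Policies\System key. It assumes the capture was saved as CSV with Process Monitor's default columns; the sample rows, PIDs, times and the function names are constructed for illustration.

```python
import csv
import io
import re

# Key and value names taken from the answer and its comments, in the
# abbreviated HKLM form that Process Monitor shows in its Path column.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WATCHED = {"enablelua", "consentpromptbehavioradmin"}

# Constructed sample rows (not the asker's log) in the column layout of a
# default Process Monitor CSV export. PIDs, times and example.exe are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:16:58.1023441","explorer.exe","2104","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:17:02.4410987","svchost.exe","1012","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:17:02.4415120","svchost.exe","1012","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:17:02.4419003","svchost.exe","1012","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:17:05.0031200","example.exe","4020","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","ACCESS DENIED","Type: REG_DWORD, Length: 4, Data: 0"
"9:17:40.7782310","regedit.exe","3320","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''


def find_uac_writes(csv_text):
    """Return successful RegSetValue events on the watched UAC values."""
    # Exported files may start with a UTF-8 byte order mark; drop it so the
    # first column name still matches.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    prefix = UAC_KEY.lower() + "\\"
    hits = []
    for row in reader:
        # Reads and failed writes do not change the setting.
        if row["Operation"] != "RegSetValue" or row["Result"] != "SUCCESS":
            continue
        path = row["Path"].lower()
        if not path.startswith(prefix) or path[len(prefix):] not in WATCHED:
            continue
        match = re.search(r"Data:\s*(\d+)", row["Detail"])
        if match is None:
            continue
        hits.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "value": row["Path"].rsplit("\\", 1)[1],
            "data": int(match.group(1)),
        })
    return hits


def writers_lowering_uac(hits):
    """Group the writes that set a watched value to 0 by (process, PID)."""
    summary = {}
    for hit in hits:
        if hit["data"] != 0:
            continue
        entry = summary.setdefault((hit["process"], hit["pid"]),
                                   {"first_seen": hit["time"], "values": set()})
        entry["values"].add(hit["value"])
    return summary


if __name__ == "__main__":
    found = writers_lowering_uac(find_uac_writes(SAMPLE_CSV))
    for (proc, pid), info in found.items():
        print(f"{info['first_seen']}  {proc} (PID {pid}) set to 0: "
              f"{', '.join(sorted(info['values']))}")
```

When the writer turns out to be svchost.exe, the PID is the useful part: svchost.exe only hosts services, and `tasklist /svc /fi "PID eq <pid>"` lists the services running inside that instance.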
5

In my case it was domain policy that was being applied once per day. Same problem. Diagnosis was easier because UAC turning off occurred only when logging in to the domain, or connecting over VPN. Thus it was discovered that the domain policy included some script to turn UAC off. I contacted my system admins and they confirmed that. So you better consult with your administrators of domain or validate profile local policies and scripts if you are not in domain.

2

Option 1: Disable all programs in Startup. (Start >Run > Msconfig. Disable everything under startup).

Option 2: Install AVAST home edition and schedule a boot time scan. Better yet, disconnect the hard disk from your machine and connect it to another one and scan it from there using AVAST.

Option 3. Another option is to run HijackThis. Generate the report and share it here for analysis. http://free.antivirus.com/hijackthis/

3
  • 1
    Your startup items look fine. All the same, disable the startup items and check again. I would strongly suggest you install Avast and schedule a boot time scan, preferably after connecting the hard disk to another machine.
    – bobbyalex
    Commented Jan 17, 2011 at 11:14
  • There is another thing you can try: create a non administrative user and login as that user. If a program is trying to run then you should get a UAC prompt.
    – bobbyalex
    Commented Jan 17, 2011 at 11:16
  • This is a work PC on a company domain, so I'm not authorized to create new users. BTW, I tried Avast boot time scan as well, but it didn't find any viruses. Commented Jan 18, 2011 at 12:00
1

Please install Microsoft Security Essentials and do a full system scan. Since MSE makes use of OS APIs and hooks, it might be able to locate the malware, if it is actually some sort of malware. Also, if MSE is unable to actually install or run, then we know for sure system is compromised.

Since you've run so many AV and Anti-Malware programs to check your system, I highly doubt that your computer has been compromised. Instead of installing the AV and Anti-Malware programs and then doing a boot scan, use another computer to scan the drive. Attach the drive to another system as a slave and then run the scans. You should do the boot scan by booting off of a CD or DVD and not from the hard drive itself since that truly prevents the OS from ever starting up and the root-kit from running during the actual scan.

Honestly though, if you are sure your system has been compromised by a root-kit, then nuke the hard drive and start from scratch. Ask your IT department to do this. This is the only foolproof way to be sure that your system is clean.

3
  • First, thanks for your suggestions. Removing the HDD is not an option (see the question as to why). I think MSE is worth a try. Tomorrow I'll check and share the result. A boot scan by booting off of an optical disk seems quite reasonable to me. Can you recommend me a link to some image file to burn to disc? Again, nuking the HDD is the last resort for me. I need to solve the case without doing it. I know it is an absolute solution, but let's see what we can do. Commented Feb 6, 2011 at 12:06
  • I did a quick search. Here's a link that has information about bootable virus scans from different vendors. techmixer.com/free-bootable-antivirus-rescue-cds-download-list Try them out.
    – Metril
    Commented Feb 6, 2011 at 19:04
  • MSE did not find anything. Now I'll try a bootable rescue CD. Commented Feb 8, 2011 at 15:00
0

I recommend that you create another user account on your computer. Don't make this account an administrator; keep it as a standard user. Use this new account instead of your administrator account. If you do need admin rights, UAC will always prompt you for your admin credentials. That way, malware won't be able to disable UAC and run evil stuff...

Try to Disable UAC without Admin Rights

This won't get rid of the virus, but it will at least stop it from getting worse. Then, when your anti-virus gets new definitions to detect it, it will be able to remove it.

1
  • The problem is, this is a work PC on a company domain and I don't have rights to create a new user. Commented Feb 6, 2011 at 23:36
0

Before you move onto more complicated measures, please do install AVG Anti-Virus Free Edition 2011. Let it perform a whole computer scan. Recently, I've had a similar problem, and no other anti-virus programs but the aforementioned one could fix it with its Anti-Rootkit measures.

1
0

This is a rather interesting issue. I would have to say this would be caused by one or two different issues:

1) Most people have suspected a virus, and rightly so, viruses love getting into Windows and tinkering with the settings.

You have a comprehensive amount of scans already run. Any virus should be caught by the ones already run, so I believe it is a Windows foul-up.

2) Windows is fouled up. I would recommend you run a disk check on your computer. Two different methods that render similar results.

-- Open My Computer, and then right-click on the hard drive that Windows loads off of. Next, select the Tools tab and click on the button that says Disk Check [or something similar]. Now tick the two option boxes if they aren't already. Your computer should ask you to restart your computer; if it doesn't, you did not tick the option boxes. Let that scan run. It should clean up any foul-ups within your Windows installation.

Now, if that scan fails, insert your operating system installation disk. If using XP, hit R when the blue screen shows up asking what task you wish to do. Now, select what hard drive your operating system is on, and hit enter after entering the appropriate number. Afterwards, enter the password for the Administrator account [usually this is blank]. Now, enter into the command console: chkdsk /r

This should do the same scan; however, it can fix more issues because the scan is being run off the installation disk.

If running the scan for a VISTA or SEVEN machine, insert the disk and select the repair option. Afterwards, hit cancel and it should bring up a new window, in which you can do more operations. The last option should say "Console window" or something of the sort.

Enter into the command console "chkdsk /r C:"

Hope this helps.

1
  • I'm running Windows 7 (please see the question tags). I have run chkdsk /r C: at boot and it took about 1 hour. No problems were found. Commented Feb 10, 2011 at 9:30
0

I have just encountered this very msg. this morning. Java has been trying to update itself for awhile now so I changed the notification settings to "do not notify" and immediately received the msg that I had to restart my cpu to turn off control. I went in and reset the notification level and the issue was resolved. Hope that helps

-1

Win 10 using Malwarebytes. Malware apparently was turning off the UAC at startup. Stopped loading it at startup and the issue appeared to resolve. Then adjusted startup to delay in Malwarebytes setup and it appeared to work.

2
  • Wouldn't delaying the startup of malware detection software increase the chances that actual malware can hide itself?
    – Arjan
    Commented Aug 16, 2015 at 12:32
  • The question explicitly asks about Windows 7, so I'm not sure why you're addressing Windows 10. Also, it's not clear that your suggestion actually solves the problem, rather than just hiding it. Commented Aug 16, 2015 at 13:35
