UAC being turned off once a day on Windows 7
You should first check if the Security Center service can start, and if not, which one of its dependencies is to blame. Also look for error messages in the Event Viewer.
If you have the feeling that your computer is infected, possible solutions may be:
- How to Repair Windows 7 System Files with System File Checker.
- Startup Repair: How To Easily Repair Windows 7 Boot Problems Using Startup Repair.
- The last resort is to reformat the hard disk and reinstall Windows.
In your case, this might apply: Performing an HP System Recovery in Windows Vista.
Just to remark that Windows is quite capable of destroying itself without any help, which is why Windows Update is more dangerous than any virus. Startup Repair may fix the problem in this case by reinitializing Windows, without requiring the applications to be reinstalled.
If you really think the problem is rather that of a virus, and you wish to know more about what is happening on your computer, you will need to find out two things:
- What change is being done to your system,
- What program does this change.
For the first one, if it is a registry change, then the key is probably
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, item EnableLUA, whose value is 0 for Disabling and 1 for Enabling.
Once you have located the change being done to your system, you can use Process Monitor and its Enable Boot Logging option (see help) to log all accesses to the key.
I would first boot in Safe mode, and see if this is also happening. If not, then another attack-vector is to use Autoruns to disable startup items in a binary search for the product (since this might be a legitimate product causing the problem, rather than a virus).
In my case it was domain policy that was being applied once per day. Same problem. Diagnosis was easier because UAC turning off occurred only when logging in to the domain, or connecting over VPN. Thus it was discovered that the domain policy included some script to turn UAC off. I contacted my system admins and they confirmed that. So you had better consult your domain administrators, or validate local profile policies and scripts if you are not in a domain.
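The two answers above point at the EnableLUA registry value and at Group Policy as a possible cause. The following PowerShell watcher is an added example, not code from either poster: it records the time at which EnableLUA changes and the most recent Group Policy processing events, so the flip can be matched against a Process Monitor trace or a logon/VPN connection. The log file location, polling interval and function names are assumptions chosen for illustration.

```powershell
# Added example: poll EnableLUA and log a timestamp whenever its value changes.
$KeyPath         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName       = 'EnableLUA'
$LogFile         = Join-Path $env:TEMP 'EnableLUA-watch.log'  # assumed log location
$IntervalSeconds = 30                                         # assumed polling interval

function Get-EnableLua {
    # Returns the current DWORD (0 = UAC disabled, 1 = enabled), or $null if absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { return $item.$ValueName }
    return $null
}

function Write-WatchLog([string]$Message) {
    # Timestamp every line so it can be lined up with other traces.
    $line = '{0}  {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

$last = Get-EnableLua
Write-WatchLog "Start: EnableLUA = $last"

while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $now = Get-EnableLua
    if ($now -ne $last) {
        Write-WatchLog "CHANGE: EnableLUA $last -> $now"

        # Recent Group Policy processing events, to test the domain-policy explanation.
        # Reading this log may require an elevated prompt.
        $events = Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' `
                               -MaxEvents 5 -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $firstLine = ($e.Message -split "`n")[0]
            Write-WatchLog ("  GP event {0} at {1}: {2}" -f $e.Id, $e.TimeCreated, $firstLine)
        }
        $last = $now
    }
}
```

A change logged shortly after Group Policy events points toward policy or a logon script; a change with no nearby policy activity is the case to chase with Process Monitor boot logging.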
Option 1: Disable all programs in Startup. (Start > Run > Msconfig. Disable everything under Startup.)
Option 2: Install AVAST home edition and schedule a boot time scan. Better yet, disconnect the hard disk from your machine and connect it to another one and scan it from there using AVAST.
Option 3: Another option is to run HijackThis. Generate the report and share it here for analysis. http://free.antivirus.com/hijackthis/