
How to remove PUM.SecurityCenter.Disable Virus


mach0


Hello All,

A couple of days ago on booting my system, I got a blue screen saying that there were some errors and it automatically went on rectifying them. Below are the changes that seem to have occurred according to the log in Windows Event Viewer.

___________________________________________________________

Checking file system on C:

The type of the file system is NTFS.

One of your disks needs to be checked for consistency. You

may cancel the disk check, but it is strongly recommended

that you continue.

Windows will now check the disk.

The segment number 0x374000000000 in file 0x373e is incorrect.

Correcting a minor error in file 14142.

The segment number 0x374100000000 in file 0x373f is incorrect.

Correcting a minor error in file 14143.

The segment number 0x374200000000 in file 0x3740 is incorrect.

Correcting a minor error in file 14144.

The segment number 0x374300000000 in file 0x3741 is incorrect.

Correcting a minor error in file 14145.

The segment number 0x376c00000000 in file 0x3742 is incorrect.

Correcting a minor error in file 14146.

The segment number 0x376d00000000 in file 0x3743 is incorrect.

Correcting a minor error in file 14147.

The segment number 0x376e00000000 in file 0x3744 is incorrect.

Correcting a minor error in file 14148.

The segment number 0x376f00000000 in file 0x3745 is incorrect.

Correcting a minor error in file 14149.

The segment number 0x379400000000 in file 0x3746 is incorrect.

Correcting a minor error in file 14150.

The segment number 0x379500000000 in file 0x3747 is incorrect.

Correcting a minor error in file 14151.

The attribute list in file 0x3747 indicates the standard information

attribute is outside the base file record segment.

Deleted corrupt attribute list for file 14151.

The segment number 0x379a00000000 in file 0x374c is incorrect.

Correcting a minor error in file 14156.

Attribute record of type 0x80 and instance tag 0x3 is cross linked

starting at 0x171eb for possibly 0x4 clusters.

Attribute record of type 0x80 and instance tag 0x3 is cross linked

starting at 0x171eb for possibly 0x4 clusters.

Some clusters occupied by attribute of type 0x80 and instance tag 0x3

in file 0x376c is already in use.

Deleting corrupt attribute record (128, "")

from file record segment 14188.

Attribute record of type 0x80 and instance tag 0x3 is cross linked

starting at 0x3cf47a for possibly 0x1c clusters.

Attribute record of type 0x80 and instance tag 0x3 is cross linked

starting at 0x3cf47a for possibly 0x1c clusters.

Some clusters occupied by attribute of type 0x80 and instance tag 0x3

in file 0x376e is already in use.

Deleting corrupt attribute record (128, "")

from file record segment 14190.

Attribute record of type 0x80 and instance tag 0x3 is cross linked

starting at 0x3cf84a for possibly 0x1ee clusters.

Attribute record of type 0x80 and instance tag 0x3 is cross linked

starting at 0x3cf84a for possibly 0x1ee clusters.

Some clusters occupied by attribute of type 0x80 and instance tag 0x3

in file 0x376f is already in use.

Deleting corrupt attribute record (128, "")

from file record segment 14191.

Attribute record of type 0x80 and instance tag 0x3 is cross linked

starting at 0xb5f3b for possibly 0x4 clusters.

Attribute record of type 0x80 and instance tag 0x3 is cross linked

starting at 0xb5f3b for possibly 0x4 clusters.

Some clusters occupied by attribute of type 0x80 and instance tag 0x3

in file 0x3794 is already in use.

Deleting corrupt attribute record (128, "")

from file record segment 14228.

Attribute record of type 0x80 and instance tag 0x3 is cross linked

starting at 0x2a03 for possibly 0x6 clusters.

Attribute record of type 0x80 and instance tag 0x3 is cross linked

starting at 0x2a03 for possibly 0x6 clusters.

Some clusters occupied by attribute of type 0x80 and instance tag 0x3

in file 0x379a is already in use.

Deleting corrupt attribute record (128, "")

from file record segment 14234.

Cleaning up instance tags for file 0xb43c.

Deleting orphan file record segment 14157.

The object id in file 0x3745 already existed in the object

id index in file 0x19.

c8 3e 13 6c b0 1d de 11 b7 64 00 19 d1 7b ff aa .>.l.....d...{..

05 2d 00 00 bc e5 06 00 cf 98 05 01 a4 e2 06 00 .-..............

Deleting duplicate object id from file record segment 14149.

The file reference 0x100000000374c of index entry ATHPRXY.DLL of index $I30

with parent 0x1d is not the same as 0xd6400000000374c.

Deleting index entry ATHPRXY.DLL in index $I30 of file 29.

The file reference 0x12fa00000000373f of index entry _REGISTRY_USER_USRCLASS_S-1-5-20 of index $I30

with parent 0x361e is not the same as 0x100000000373f.

Deleting index entry _REGISTRY_USER_USRCLASS_S-1-5-20 in index $I30 of file 13854.

The file reference 0x12fa00000000373f of index entry _RF17F~1 of index $I30

with parent 0x361e is not the same as 0x100000000373f.

Deleting index entry _RF17F~1 in index $I30 of file 13854.

Index entry MAPPING.VER of index $I30 in file 0x371a points to unused file 0x374d.

Deleting index entry MAPPING.VER in index $I30 of file 14106.

Unable to locate the file name attribute of index entry 1033

of index $I30 with parent 0x371b in file 0x3740.

Deleting index entry 1033 in index $I30 of file 14107.

The file reference 0x1000000003742 of index entry mdm.exe of index $I30

with parent 0x371b is not the same as 0x113a000000003742.

Deleting index entry mdm.exe in index $I30 of file 14107.

The file reference 0x1000000003746 of index entry msdbg2.dll of index $I30

with parent 0x371b is not the same as 0x87f000000003746.

Deleting index entry msdbg2.dll in index $I30 of file 14107.

The file reference 0x1000000003743 of index entry pdm.dll of index $I30

with parent 0x371b is not the same as 0xea000000003743.

Deleting index entry pdm.dll in index $I30 of file 14107.

The parent 0x1000000003740 of index entry mdmui.dll of index $I30

in file 0x3741 is incorrect. The expected parent is 0x100000000373e.

Deleting index entry mdmui.dll in index $I30 of file 14142.

The parent 0xea00000000376d of index entry settings.sol of index $I30

in file 0x3775 is incorrect. The expected parent is 0xea000000003743.

Deleting index entry settings.sol in index $I30 of file 14147.

The file reference 0x2d200000000373e of index entry Dc5101.bmp of index $I30

with parent 0x5bfe is not the same as 0x100000000373e.

Deleting index entry Dc5101.bmp in index $I30 of file 23550.

The file reference 0x8db000000003747 of index entry queue.xml of index $I30

with parent 0x9d79 is not the same as 0x871000000003747.

Deleting index entry queue.xml in index $I30 of file 40313.

The file reference 0xd71000000003744 of index entry HT8579~1.LOC of index $I30

with parent 0x9f7a is not the same as 0x72000000003744.

Deleting index entry HT8579~1.LOC in index $I30 of file 40826.

The file reference 0xd71000000003744 of index entry http_www.ndtv.com_0.localstorage-journal of index $I30

with parent 0x9f7a is not the same as 0x72000000003744.

Deleting index entry http_www.ndtv.com_0.localstorage-journal in index $I30 of file 40826.

The file reference 0xe9000000003745 of index entry RT88B3~1.YML of index $I30

with parent 0x11157 is not the same as 0x7f000000003745.

Deleting index entry RT88B3~1.YML in index $I30 of file 69975.

The file reference 0xe9000000003745 of index entry rt_20090628-090315.yml of index $I30

with parent 0x11157 is not the same as 0x7f000000003745.

Deleting index entry rt_20090628-090315.yml in index $I30 of file 69975.

Cleaning up minor inconsistencies on the drive.

CHKDSK is recovering lost files.

Recovering orphaned file 1033 (14142) into directory file 14107.

Recovering orphaned file mdm.exe (14144) into directory file 14107.

Recovering orphaned file pdm.dll (14145) into directory file 14107.

Cleaning up 688 unused index entries from index $SII of file 0x9.

Cleaning up 688 unused index entries from index $SDH of file 0x9.

Cleaning up 688 unused security descriptors.

Inserting data attribute into file 14151.

Inserting data attribute into file 14188.

Inserting data attribute into file 14190.

Inserting data attribute into file 14191.

Inserting data attribute into file 14228.

Inserting data attribute into file 14234.

Correcting errors in the master file table's (MFT) BITMAP attribute.

Correcting errors in the Volume Bitmap.

Windows has made corrections to the file system.

61440560 KB total disk space.

13410732 KB in 49495 files.

25200 KB in 6469 indexes.

0 KB in bad sectors.

148716 KB in use by the system.

65536 KB occupied by the log file.

47855912 KB available on disk.

4096 bytes in each allocation unit.

15360140 total allocation units on disk.

11963978 allocation units available on disk.

Internal Info:


Windows has finished checking your disk.

Please wait while your computer restarts.

_______________________________________________________________

After the changes were finished Windows XP seemed to start normally, but my AntiVirus NOD32 4.0 did not start automatically. And every time I tried to open it manually I got the message that egui.exe is invalid.

I did an MBAM (Malwarebytes) scan and it returned three potential malwares:

Vendor: PUM.Disabled.SecurityCenterDisabled

Category: Registry Data

Item: HKLM\Software\Microsoft\Security Center|UpdatesDisableNotify

Item: HKLM\Software\Microsoft\Security Center|FirewallDisableNotify

Item: HKLM\Software\Microsoft\Security Center|AntiVirusDisableNotify

I removed all three of them using MBAM but was still unable to open NOD32.

I used the NOD32 setup file to repair NOD32 and after restarting the system, NOD32 was working again and I did a complete scan but it did not detect anything.

Now NOD32 is working fine and updating automatically. The Firewall is on and all applications seem to be working normally.

As far as Windows Updates are concerned, I am getting a Red Balloon in the System Tray showing that my Automatic Updates are OFF.

I have always kept Windows Automatic Updates OFF and never got any Red Balloon in the System Tray nor did MBAM ever show it as a potential threat. But now, if I manually keep Windows Automatic Updates OFF then MBAM is showing it as a threat (Item: HKLM\Software\Microsoft\Security Center|UpdatesDisableNotify). If I clean it using MBAM then the red balloon is coming in the system tray but MBAM isn't showing any threat.

If I remove the Red Balloon then again MBAM is showing the threat.

Can anyone please explain to me what kind of virus threat I am dealing with and how to clean it?

Thank You.
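Added example (not part of the original post, and not a Microsoft or Malwarebytes tool): a small triage script for a CHKDSK log like the one quoted above. It lists the directory entries CHKDSK deleted but did not restore, and the file records that received a new data attribute, which are the files worth verifying or reinstalling. The sample lines are a subset copied from the post; the function and variable names are made up for this illustration.

```python
import re

# Subset of the CHKDSK lines from the post above (blank lines dropped).
SAMPLE_LOG = """\
Deleting index entry ATHPRXY.DLL in index $I30 of file 29.
Deleting index entry MAPPING.VER in index $I30 of file 14106.
Deleting index entry 1033 in index $I30 of file 14107.
Deleting index entry mdm.exe in index $I30 of file 14107.
Deleting index entry msdbg2.dll in index $I30 of file 14107.
Deleting index entry pdm.dll in index $I30 of file 14107.
Deleting index entry mdmui.dll in index $I30 of file 14142.
Recovering orphaned file 1033 (14142) into directory file 14107.
Recovering orphaned file mdm.exe (14144) into directory file 14107.
Recovering orphaned file pdm.dll (14145) into directory file 14107.
Inserting data attribute into file 14151.
Inserting data attribute into file 14188.
"""

DELETED = re.compile(r"^Deleting index entry (.+) in index \$I30 of file (\d+)\.$", re.M)
RECOVERED = re.compile(r"^Recovering orphaned file (.+) \((\d+)\) into directory file (\d+)\.$", re.M)
DATA_RESET = re.compile(r"^Inserting data attribute into file (\d+)\.$", re.M)


def triage(log):
    """Summarise which directory entries CHKDSK removed and which it restored."""
    deleted = [(name, int(d)) for name, d in DELETED.findall(log)]
    # NTFS names are case-insensitive, so compare lower-cased (name, directory).
    recovered = {(name.lower(), int(d)) for name, _rec, d in RECOVERED.findall(log)}
    missing = [(n, d) for n, d in deleted if (n.lower(), d) not in recovered]
    # Records into which CHKDSK inserted a new data attribute.
    data_reset = sorted({int(r) for r in DATA_RESET.findall(log)})
    return {"deleted": deleted, "recovered": sorted(recovered),
            "missing": missing, "data_reset": data_reset}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, directory in report["missing"]:
        print(f"not restored: {name} (directory record {directory})")
    for record in report["data_reset"]:
        print(f"data attribute replaced: file record {record}")
```

The patterns expect LF line endings, so convert a log saved with CRLF before passing it in.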


There is no problem with the Firewall and Virus Protection. But if I put Automatic Updates in the Ignore List then MBAM is showing the PUM.SecurityCenter.Disable Malware. If I remove the malware from MBAM then the red balloon is coming in the System Tray.

If I remove the Red Balloon by UnTicking Updates in the Security Center then again MBAM is showing the above mentioned Malware. It is either have a red balloon or have MBAM show a malware.

So how do I deal with it? Thank you for the patience.


Uncheck all 3 boxes in the "Security Center"

Run Malwarebytes

After you run Malwarebytes and these entries are found, put a check next to them and click on "Ignore"

Don't click "Remove Selected"

Now you'll never see them again.

I have XP and this is how I deal with this situation.

MrC


I will put them on the Ignore List as suggested.

But given that on the first day that it was detected, it disabled my AntiVirus program and I had to repair it to make it run again. I don't want to put a real virus on an ignore list.

Can I be confident there is no real virus in my system? I did all scans: MBAM, SuperAntiSpyware, Nod32, TDSSKiller. But nothing is showing anything except in the first two, which are showing the PUM.SecurityCenter.Disable error.


Well, let's run some scans.....

....please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.