# PUM.Hijack.Desktop | Should we be worrying about this?



## satyasai (Dec 1, 2012)

Good Morning Guys,

I need help, please. Out of 10,000 user PCs in my company, we recently did a scan on 40-50% of the systems and found mostly some PUM programs in the Registry. We scanned mostly with MalwareBytes. I am adding one log here.

--------------------------------------------
Malwarebytes Anti-Malware (Corporate) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.03.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
ApExAdmin :: APAC000324 [administrator]

11/30/2012 1:24:35 PM
mbam-log-2012-11-30 (13-24-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 265710
Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceActiveDesktopOn (PUM.Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|NoDispBackgroundPage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|NoDispAppearancePage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

------------------------------------------------------

Could someone please tell me some information about these PUM.Hijack programs? What are these, how do they behave, what is their port information, and should we be worried about these? I am waiting for a response; please let me know if you need any more information to best describe the situation. Thank you guys.


----------



## Cookiegal (Aug 27, 2003)

PUMs are "Potentially Unwanted Modifications". These particular detections are policies that apply to the "current user" and we have no way of knowing if you have set them intentionally or not. When you see a value of "1" that means the policy is in force, for instance, this one:

NoChangingWallPaper

It was set to "1" meaning the user cannot change the wallpaper. But since it's not the default value of "0", MalwareBytes detects it as a PUM.

I hope that clears it up.


----------



## satyasai (Dec 1, 2012)

Thank you Admin. Yes, we have policies that keep our background image as the company's image. This is pushed through each and every user PC via SCCM. Now I am very clear that these are not suspicious.

I am still curious to know: if I am changing the same settings on my personal PC, will the registry entry show as PUM, kinda thing. I will give it a try on my PC.

Anyway, thank you Cookiegal. I am putting this as "Mark Solved".


----------



## Cookiegal (Aug 27, 2003)

satyasai said:


> Thank you Admin. Yes, we have policies that keep our background image as the company's image. This is pushed through each and every user PC via SCCM. Now I am very clear that these are not suspicious.
> 
> *I am still curious to know: if I am changing the same settings on my personal PC, will the registry entry show as PUM, kinda thing.* I will give it a try on my PC.
> 
> Anyway, thank you Cookiegal. I am putting this as "Mark Solved".


Yes, it will show the same detection on a personal PC.

Since MalwareBytes has "repaired" those entries, you will have to reset those policies. You can have MalwareBytes ignore these so they don't keep getting detected all the time.


----------
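An added example, not part of the original posts: one way to triage the "Registry Data Items" lines of many such logs against the policy values an organisation deploys on purpose, so that expected detections are separated from ones that need a look and from policies the scanner has reverted. The `BASELINE` table, the `triage` function and the sample log are assumptions made for this illustration.

```python
import re

# Assumed baseline: the policy values this organisation pushes on purpose (here,
# the four from the posted log). Key paths and value names are lowercased.
POLICIES = r"hkcu\software\microsoft\windows\currentversion\policies"
BASELINE = {
    (POLICIES + r"\activedesktop", "nochangingwallpaper"): "1",
    (POLICIES + r"\explorer", "forceactivedesktopon"): "1",
    (POLICIES + r"\system", "nodispbackgroundpage"): "1",
    (POLICIES + r"\system", "nodispappearancepage"): "1",
}

# One data-item line: KEY|VALUE (DETECTION) -> Bad: (x) Good: (y) -> ACTION
LINE_RE = re.compile(
    r"^(?P<key>HK[^|]+)\|(?P<value>.+?) \((?P<name>PUM\.[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)

def triage(log_text, baseline=BASELINE):
    """Split PUM detections into expected policy, reverted policy, and review."""
    result = {"expected": [], "reapply": [], "review": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, counters, "(No malicious items detected)"
        item = m.groupdict()
        wanted = baseline.get((item["key"].lower(), item["value"].lower()))
        if wanted is None or wanted != item["bad"]:
            result["review"].append(item)       # not a value we deploy
        else:
            result["expected"].append(item)
            if "repaired" in item["action"].lower():
                result["reapply"].append(item)  # scanner reset our policy
    return result

# Constructed sample: three lines as in the posted log, one with the action
# changed to "No action taken.", and one constructed DisableTaskMgr detection.
SAMPLE_LOG = r"""Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceActiveDesktopOn (PUM.Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|NoDispBackgroundPage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|NoDispAppearancePage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, [i["value"] for i in items])
```

Items in `reapply` are the machines where the deployed policy has to be pushed again; items in `review` are the only ones that need an analyst.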



## satyasai (Dec 1, 2012)

Will do for sure. Thanks for your help Admin!


----------



## Cookiegal (Aug 27, 2003)

You're welcome.


----------

