Hijack.Shell

Short bio

Hijack.Shell is Malwarebytes’ generic detection name for hijackers that replace the Windows shell. By default the Windows shell is explorer.

Symptoms

Hijack.Shell alters the registry value(s)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Shell

or

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Shell

It does this so that the value points to one of the hijacker's own files, which then runs automatically when Windows starts.
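As an added example (not Malwarebytes code), this read-only PowerShell check reports whether a Shell value is set under either of the two keys named above and whether it is anything other than explorer.exe. The function names and the rule that only explorer.exe counts as the default are assumptions of this example.

```powershell
# Added example: read-only audit of the "Shell" value under the two
# Policies\System keys named above. Nothing in the registry is modified.
$PolicyKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Test-DefaultShell {
    param([string]$Value)
    # Assumption: only explorer.exe, bare or under %SystemRoot%, is the default.
    # A value with extra arguments or another path is reported for review.
    $v = [Environment]::ExpandEnvironmentVariables($Value).Trim().Trim('"')
    $expected = @('explorer.exe', (Join-Path $env:SystemRoot 'explorer.exe'))
    return $expected -contains $v   # -contains ignores case for strings
}

function Get-ShellPolicyFinding {
    param([string[]]$KeyPath = $PolicyKeys)
    foreach ($path in $KeyPath) {
        $shell  = $null
        $status = 'KeyMissing'          # key absent: no shell override here
        if (Test-Path -LiteralPath $path) {
            $prop = Get-ItemProperty -LiteralPath $path -Name 'Shell' `
                        -ErrorAction SilentlyContinue
            if ($null -eq $prop) {
                $status = 'NotSet'      # key exists but has no Shell value
            } else {
                $shell  = [string]$prop.Shell
                $status = if (Test-DefaultShell $shell) { 'Default' } else { 'Review' }
            }
        }
        # One result object per key, so output can be filtered or exported.
        [pscustomobject]@{ Key = $path; Shell = $shell; Status = $status }
    }
}

Get-ShellPolicyFinding | Format-Table -AutoSize -Wrap
```

A Review status means the value has been changed from the default and should be inspected; it does not by itself show that the change was unauthorized.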

Remediation

Malwarebytes can detect and remove Hijack.Shell without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Add an exclusion

When Hijack.Shell is detected on your computer, Malwarebytes for Windows does not know if it was authorized. Optimization software, malware, and potentially unwanted programs (PUPs) are known to make these types of changes, hence they are regarded as potentially unwanted.

To have Malwarebytes for Windows ignore a Hijack, you must add the Hijack as an exclusion.

  1. When Hijack.Shell appears in the list of Scan results:
  2. Uncheck the entry or entries related to Hijack.Shell.
  3. Then click on Next.
  4. You will see a prompt giving you several options.
  5. Choosing Always ignore will add Hijack.Shell to the Allow List.
  6. You can remove them there when you decide they should no longer be ignored.

When a Hijack is excluded, Malwarebytes for Windows does not detect the Hijack during scans or real-time protection.
