Hijack.Shell

Short bio

Hijack.Shell is Malwarebytes’ generic detection name for hijackers that replace the Windows shell. By default the Windows shell is explorer.

Symptoms

Hijack.Shell alters the registry value(s)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Shell

or

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Shell

It does this so that the value points to one of its own files, which is then run automatically when the system starts Windows.
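To check the symptom by hand, the following added PowerShell example (not Malwarebytes code) reads the Shell value under both keys and reports the file it points to and that file's Authenticode signature status. The output property names are chosen for this example.

```powershell
# Added example: audit the "Shell" value under both Policies\System keys.
$keys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

$findings = foreach ($key in $keys) {
    # A missing key or missing value means no shell override is set here.
    $item = Get-ItemProperty -Path $key -Name 'Shell' -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }

    $raw = [string]$item.Shell
    # Take the executable part of the command line (quoted path or first token).
    if ($raw -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($raw.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Resolve full paths directly and bare names (e.g. explorer.exe) via PATH.
    $resolved = $null
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $resolved = (Resolve-Path -LiteralPath $exe).Path
    }
    elseif ($exe) {
        $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($cmd) { $resolved = $cmd.Path }
    }
    $sig = if ($resolved) { Get-AuthenticodeSignature -FilePath $resolved } else { $null }

    [pscustomobject]@{
        Key             = $key
        Shell           = $raw
        File            = $resolved
        SignatureStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
        Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

if ($findings) { $findings | Format-List }
else { 'No Shell value is set under either Policies\System key.' }
```

Any row in the output means a shell override is present; whether it is authorized still has to be judged from the file and signer shown.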

Remediation

Malwarebytes can detect and remove Hijack.Shell without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Add an exclusion

When Hijack.Shell is detected on your computer, Malwarebytes for Windows does not know if it was authorized. Optimization software, malware, and potentially unwanted programs (PUPs) are known to make these types of changes, hence they are regarded as potentially unwanted.

To have Malwarebytes for Windows ignore a Hijack, you must add the Hijack as an exclusion.

  1. Open Malwarebytes for Windows.
  2. Click Settings, then click the Protection tab.
  3. Scroll down to the bottom.
  4. Turn off Automatically quarantine detected malware. Turning this setting off prevents Malwarebytes for Windows from quarantining the Hijack automatically.
  5. Go to the Dashboard, then click Scan Now.
  6. When the Threat Scan Results appear, uncheck the box next to the detected Hijack you want to keep.
  7. Click Next.
  8. On the Remaining Items window, click Ignore Always to exclude the detected Hijack(s).
  9. Turn on Automatically quarantine detected malware. To find this setting, click Settings > Protection.

When a Hijack is excluded, Malwarebytes for Windows does not detect the Hijack during scans or real-time protection.
