PUM.Optional.CMDShell

Short Bio

This detection covers potentially unwanted modifications (PUMs) to the registry in which the default Windows shell value, explorer.exe, is replaced with cmd.exe. Malware can make this change to hinder users in cleaning up their system.

System Modifications

The following registry value data are modified:

Under
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

From:
Shell=explorer.exe

To:
Shell=cmd.exe

Under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

From:
Shell=explorer.exe

To:
Shell=cmd.exe

Remediation

Malwarebytes can modify these registry value data back to their Windows default settings without user interaction.

Also, we advise users to run a full system scan, as PUM.Optional.CMDShell could have been added to the system by malware or a PUP.
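The following audit script checks the Shell value under the two Winlogon keys listed above and can reset it to the Windows default. It is an added example, not Malwarebytes' own detection or remediation code; it assumes a Windows host with PowerShell (elevated for the HKLM key) and, going slightly beyond the page, also handles the comma-separated Shell list that Winlogon accepts, flagging any extra entry that is not explorer.exe.

```powershell
# Added example (not Malwarebytes' code): audit the Winlogon Shell value
# in HKCU and HKLM and optionally restore the default of explorer.exe.
# Assumes an elevated PowerShell session on Windows.
$Default = 'explorer.exe'
$Paths = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonShell {
    param([switch]$Restore)
    foreach ($p in $Paths) {
        $shell = (Get-ItemProperty -Path $p -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -eq $shell) {
            # HKCU normally carries no Shell value; HKLM always should.
            Write-Output "$p : no Shell value present"
            continue
        }
        # Winlogon accepts a comma-separated list; compare each entry's base
        # name case-insensitively so 'C:\Windows\explorer.exe' still passes.
        $bad = @()
        foreach ($entry in ($shell -split ',')) {
            $leaf = [System.IO.Path]::GetFileName($entry.Trim().Trim('"'))
            if ($leaf -ine $Default) { $bad += $leaf }
        }
        if ($bad.Count -eq 0) {
            Write-Output "$p : OK ($shell)"
        } else {
            Write-Warning "$p : Shell modified -> '$shell' (unexpected: $($bad -join ', '))"
            if ($Restore) {
                Set-ItemProperty -Path $p -Name Shell -Value $Default
                Write-Output "$p : Shell restored to $Default"
            }
        }
    }
}

Test-WinlogonShell            # audit only
# Test-WinlogonShell -Restore # audit and reset the value to explorer.exe
```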