Ransomware that replaces explorer.exe file. Guide to unlock

Ransomware is a serious computer threat of today. Millions of PCs all over the world have been attacked by this type of virus that locks the infected system and asks for certain ransom in order to unlock it. In addition, this malware accuses computer users of what they have never done or thought of doing. In particular, this scary program tells that users have been noticed of watching, spreading and promoting illegal information over the Internet, using pirated copies of Windows and other software. In some cases users are accused of sending spam and even supporting terrorist activities. Some serious ransomware applications modify and infect “explorer.exe” file located in C:\Windows\ folder. In such case scanning your computer with a reliable antivirus in Safe Mode with Networking is not enough. What saves your PC and unlocks it is the procedure of replacement of infected “explorer.exe” file with a clean “explorer.exe” that can be downloaded as described below. Please follow the removal guidelines we’ve elaborated specifically to unlock your system hijacked by the ransomware that modified “explorer.exe” file.

  1. Reboot your computer into Safe Mode with Command Prompt. For this purpose please select “Restart” or “Reboot” option via Start menu. Before Windows starts booting start repeatedly hitting “F8” button on your keyboard. The following window comes up:
  2. Safe Mode with Command PromptApply up / down arrow keys of your keyboard to select Safe mode with command prompt.

  3. Log into the same account you used when your computer became locked with ransomware.
  4. In the window that came up type-in “regedit” and press “Enter“.
  5. cmd regedit

  6. The above-mentioned command opens the Registry Editor. Now locate the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
  7. Modify shell

  8. In the right-side section find and choose the registry key named Shell. Right-click this registry key and choose Modify.
  9. Its value by default should be explorer.exe.
  10. explorer.exe

  11. Modify the value parameter to iexplore.exe. Click “OK” to apply your changes and now close the Registry Editor.
  12. iexplore.exe

  13. Get back to “Normal Mode“. In order to restart your computer, at the command prompt, type the combination “shutdown /r /t 0” (without quotes) and press Enter button of your keyboard.
  14. shutdown /r /t 0

  15. When your Windows operating system version boots itself you will not encounter any desktop icons / shortcuts. Do not worry, this problem will be fixed soon. Apply the key combination “Ctrl+Alt+Del” or “Ctrl+Shift+Esc” (recommended) and now launch Task Manager. Go to File → New Task (Run…)
  16. New task

  17. Type-in “iexplore” and click “OK” or press Enter keyboard button.
  18. New task iexplore

  19. This command opens Internet Explorer browser. Now you must download clean explorer.exe file and overwrite the existing (infected) one. Go to https://www.system-tips.net/ and find this very article to download the necessary version of explorer.exe file for your system. Please get convinced that you download the proper file for your version of Windows operating system. Click the relevant link to download the file. Choose Save. Then go to C:\Windows\ folder and choose available explorer.exe file. Click “Save” in order to overwrite the infected explorer.exe file. Clean “explorer.exe” download links (depending on the operating system type):
  20. Windows XP SP2
    Windows XP SP3
    Windows Vista SP2
    Windows 7 SP1
    Replace explorer

  21. While Internet Explorer window is still open please download reliable, effective and powerful anti-virus sofware.
  22. Remove all detected viruses they find, but do not yet restart your computer.
  23. Open up the Task Manager once again. For this goal click File → New Task (Run…) as described earlier.
  24. New task (Run...)

  25. Type in “regedit” and click “OK“. This will open the Registry Editor.
  26. Regedit

  27. Find the same registry entry referred to in the step 3 of this tutorial:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
  28. In the right part of the window that appeared select the registry entry with the name Shell. Right-click this registry entry and choose “Modify“. Delete iexplore.exe and type in explorer.exe, its initial value. Click “OK” to apply the changes.
  29. Explorer.exe

  30. Now shut down the Registry Editor and restart your computer. If you have carefully followed this guide the ransomware should be gone and system should be unlocked. However, if this solution didn’t help you, please consider using other guides to remove ransomware-type infections in the respective “Ransomware” category of this blog.