There are several ransomware-type applications that modify the “Shell” registry entry of your computer. The location of this “Shell” registry key is as follows – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\. The default value of this “Shell” string must be explorer.exe, however, the scam perverted it by assigning the totally different name to it. The key to ransomware successful removal is in restoring the original value of “Shell” reg key. Here is your free guide how to do it.