Due to a crypto-malware infection in the computer, after logging in to your user account, a black screen appears with a Command Prompt window open. Your desktop, taskbar, and the wallpaper (explorer shell) don’t get loaded unless you type explorer.exe in the Command Prompt window manually. This problem may continue even in the aftermath of malware or crypto-miner removal.
The malware may have changed the registry settings such that Command Prompt opens up at every login, and automatically executes a rogue program/command-line using the Command Processor’s Autorun registry value.
If you use Microsoft’s Autoruns utility to manage Windows startup, you’ll see that the Winlogon\Shell value is added (under HKEY_CURRENT_USER, as a per-user override) by malware.
Solution for Black Screen and Command Prompt at Startup Issue
To fix the problem, follow these steps:
- In the Command Prompt window, type explorer.exe and press Enter.
- Start the Registry Editor (Regedit.exe) and go to the following branch:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- In the right pane, right-click on the Shell registry value and choose Delete.
- Right-click on the Winlogon key, and click Go to HKEY_LOCAL_MACHINE to jump to the equivalent registry key under the HKEY_LOCAL_MACHINE root key. You’ll now be taken to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Make sure that the Shell value is set to explorer.exe
- Then, go to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- If the value named Autorun exists, right-click, and choose Delete.
- Exit the Registry Editor.
- Follow up with a full system scan using Malwarebytes as well as your anti-virus software with updated definitions if you haven’t done it already.
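The three registry checks from the steps above as a read-only PowerShell audit. This is an added example, not part of the original post; it changes nothing, and the $checks table and the OK/REVIEW labels are names chosen for this example.

```powershell
# Added example: read-only audit of the registry values named in the steps above.
# Expected = $null means the value should not exist at all.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';   Expected = $null },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';   Expected = 'explorer.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Command Processor'
       Name = 'Autorun'; Expected = $null }
)

$results = foreach ($c in $checks) {
    # Read the value if the key and the value both exist; otherwise leave $null.
    $actual = $null
    if (Test-Path -Path $c.Path) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($c.Name) }
    }

    # A value that should be absent passes only when it is absent (an empty
    # string still counts as present); otherwise compare case-insensitively.
    if ($null -eq $c.Expected) {
        $ok = ($null -eq $actual)
    } else {
        $ok = ($null -ne $actual) -and ("$actual".Trim() -ieq $c.Expected)
    }

    [pscustomobject]@{
        Key      = $c.Path
        Value    = $c.Name
        Expected = if ($null -eq $c.Expected) { '(not present)' } else { $c.Expected }
        Actual   = if ($null -eq $actual)     { '(not present)' } else { $actual }
        Status   = if ($ok) { 'OK' } else { 'REVIEW' }
    }
}

# Print one block per check; any REVIEW line points at a step still to be done.
$results | Format-List
```

Run it as the affected user, because two of the three values live under HKEY_CURRENT_USER. Note the Actual data of any REVIEW entry before deleting it, since it shows what was being launched at login.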
Now running the full system scan in Malwarebytes. Saw a bunch of lag happening the past week after I went into some BOINC mining so thought it was the BOINC software giving some minor trouble. But as I got the “black screen with CMD” thing I thought I’d look into this. As I ticked all the boxes (and after I found the strange CMD autorun reg entry earlier this week with a bunch of start/stop certain tasks and connecting to random addresses, didn’t take a screencap unfortunately, but might have a backup somewhere) I was pretty sure this was why I ran into some trouble running games, high rpm on my fans and laggy Windows performance. Hopefully I fixed it now :p
Bravo!!!!!!!!!
Thanks a lot.
It takes months to find an issue.
Good Job.
Thank you very much!
After months of research this fixed the problem for good.
The problem was in the first step of deleting the Shell from “HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon”.
All other sites give only the next steps.
Just use this if any PC opens only “command prompt” instead of opening desktop with “c:\WINDOWS\system32>” line shows on cmd black window.
Type the following
explorer.exe
Thank me later.
You're letting the miner, NO THANK YOU.
Thank you very much, you solved a huge problem for me here <3
I had the problem after removing the malware, searched with HijackThis but nothing showed up, Autoruns did the job, I knew it had a solution. Thanks a lot
It’s finally solved!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thank you VERY MUCH dude!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wish you have a nice day,THX!!!
This was a great help! Worked like a charm.
Wow thanks so much for the help! I didn't realize the %comspec%. Simply editing that to explorer.exe did the trick. No deleting was needed.
Thank you many times, worked like a charm!
Man, I want to thank you from the bottom of my heart. That worked out smooth! You saved my a__!
Kudos, the %comspec% had snuck in to my current user key. Thanks so much for this!
I had to thank you!!!!!!!!!!!
THANK YOU! U were the only one that could resolve my problem <3
not working for me 🙁
Thanks a lot!!! that process was very explanatory and helpful!! fixed my problem! great idea to put the screenshots of the steps! 10/10
This worked for me, thank you very much!!
Massive thank you had to work the majority of a day having to type explorer.exe.
Saved a lot of time
Thank you so much!!!
Many thanks, but any idea what the virus is? should we be worried?
Thanks, it worked
Good tip. While mine was caused by an incorrect Windows Server update rather than a virus, the advice was sound.
I haven’t done it yet but I know it’s going to work.
Thanks a lot. : D
Solved it exactly for me
Thank you, it works!