Due to a crypto-malware infection on the computer, a black screen with an open Command Prompt window appears after you log in to your user account. Your desktop, taskbar, and wallpaper (the Explorer shell) don’t load unless you manually type explorer.exe in the Command Prompt window. This problem may continue even after the malware or crypto-miner has been removed.
The malware may have changed the registry settings so that Command Prompt opens at every login and automatically executes a rogue program or command line using the Command Processor’s Autorun registry value.
If you use Microsoft’s Autoruns utility to manage Windows startup, you’ll see that the Winlogon\Shell value has been added by the malware under HKEY_CURRENT_USER, as a per-user override.
Solution for Black Screen and Command Prompt at Startup Issue
To fix the problem, follow these steps:
- In the Command Prompt window, type explorer.exe and press Enter.
- Start the Registry Editor (Regedit.exe) and go to the following branch: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- In the right pane, right-click on the Shell registry value and choose Delete.
- Right-click on the Winlogon key, and click Go to HKEY_LOCAL_MACHINE to jump to the equivalent registry key under the HKEY_LOCAL_MACHINE root key. You’ll now be taken to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Make sure that the Shell value is set to explorer.exe
- Then, go to the following key: HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- If the value named Autorun exists, right-click, and choose Delete.
- Exit the Registry Editor.
- Follow up with a full system scan using Malwarebytes as well as your anti-virus software with updated definitions if you haven’t done it already.
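To record what the malware left behind before deleting anything, the registry values from the steps above can be checked with a read-only PowerShell script. This is an added example, not part of the original article; the variable names are illustrative, and the HKEY_LOCAL_MACHINE Autorun check goes beyond the article's steps (cmd.exe reads Autorun from both hives).

```powershell
# Added example: read-only audit of the registry values named in the steps above.
# Nothing is modified; review the output before deleting anything.

$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cmdProc  = 'Software\Microsoft\Command Processor'

# Each check: registry path, value name, and the state the article treats as clean.
# Expected = $null means "the value should not exist at all".
$checks = @(
    @{ Path = "HKCU:\$winlogon"; Name = 'Shell';   Expected = $null },
    @{ Path = "HKLM:\$winlogon"; Name = 'Shell';   Expected = 'explorer.exe' },
    @{ Path = "HKCU:\$cmdProc";  Name = 'Autorun'; Expected = $null },
    # Not in the article's steps: cmd.exe also reads Autorun from HKLM.
    @{ Path = "HKLM:\$cmdProc";  Name = 'Autorun'; Expected = $null }
)

$report = foreach ($c in $checks) {
    # Get-ItemProperty returns nothing when the key or the value is missing.
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }

    $status = if ($null -eq $c.Expected) {
        if ($null -eq $value) { 'OK (absent)' } else { 'REVIEW (unexpected value)' }
    } elseif ($null -eq $value) {
        'REVIEW (missing)'
    } elseif ("$value".Trim() -ieq $c.Expected) {
        'OK'
    } else {
        'REVIEW (not explorer.exe)'
    }

    [pscustomobject]@{
        Key    = $c.Path
        Value  = $c.Name
        Data   = $value      # the command line the value currently holds, if any
        Status = $status
    }
}

$report | Format-List
```

Run it in a PowerShell session of the affected user account, because HKEY_CURRENT_USER is per-user: a session started as a different administrator reads that administrator's hive and will not show the rogue values.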