Windows Vista / Windows XP Blank Screen after Login
How to fix your Windows Vista / Windows XP after it shows a blank screen after login.
A few days ago, I was referred by a friend of a friend, who had another friend who was having some problems with her PCs (pretty far huh?). She said that she can’t use her PCs anymore as both show a blank screen after Windows boot-up. It was weird that both PCs were showing the same problem that I had to see it myself. It got even weirder as one PC had Windows Vista, and the other had Windows XP.
The problem: Windows Vista or Windows XP displays a blank screen showing only the mouse pointer after booting-up (after the login screen which is usually after clicking the username).
Solution for Windows Vista / Windows XP Blank Screen after Login
Make sure first that the Task Manager is working by pressing CTRL+ALT+DEL, and choosing Task Manager. If Task Manager doesn’t work, then this guide cannot help you.
Moreover, unless specified, the steps below are both applicable for Windows Vista and Windows XP.
1. Launch the Task Manger and Restore your Desktop
Press CTRL+ALT+DEL and then go to File->New Task
When the Run window appears, type Explorer or Explorer.exe or C:\Windows\Explorer
Important: If this does not restore your desktop, your desktop icons and windows taskbar, then you should stop reading this now as this guide would not be able to help you.
2. Check your Registry
Create a New Task again by using the Task Manager. Since you now have the Taskbar restored, you can do this also by clicking Windows Start and choosing Run. When the Create a New Task or Run window appears, type regedit.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Once you’ve clicked on WinLogon look for Shell in the right pane. Double-click on Shell and the value for Shell should only be Explorer.exe.
As can be seen above, there is an additional entry which is C:\Windows\System32\keyboard\services.exe which the Shell key refers to. Normally what we should do is just delete this additional entry and leave Explorer.exe in the field. However, if you’re seeing that value above, your computer is now infected with a Malware – specifically a Keylogger.
Important: If the value above is not just Explorer.exe but has a different additional entry (and not C:\Windows\System32\keyboard\services.exe), then you may have another kind of Malware. If the additional entry is C:\Windows\services.exe, then you should read my other article here – Windows Vista / Windows XP Blank Screen after Login – Version 2. If it’s neither of the two, then this guide would not help you.
3. Download and Install Unlocker software
We won’t be using any Malware scanner or virus scanner as I have not found any which can remove this Malware. Moreover, if there is a scanner out there which could remove this Malware, I think using Unlocker is still the most simple way where you have total control of what is going on.
As I’ve mentioned, download Unlocker from CNET as their official website is currently down. Once you’ve successfully downloaded the software, install it.
4. Delete the Malware files
Go to C:\Windows\System32\keyboard\ through Windows Explorer or by typing this in the Create New Task or Run command.
You should be able to see the services.exe file. DON’T execute or double click it. Right click on it and if you’ve successfully installed Unlocker, you should be able to select it like below:
The Unlocker program should now launch and show you the Processes that are using services.exe. Select all the processes and choose, Kill Process.
Once there is no more process using services.exe, quit Unlocker, and then delete services.exe. Make sure to delete it at the Recycle Bin as well. If we don’t use Unlocker, we won’t easily delete the Malware.
For Windows Vista
Go to the following folders and delete the files indicated. Use Unlocker as needed.
C:\ProgramData\Application Data\Fearghus\ – delete lsass.exe
C:\ProgramData\Fearghus\ – delete lsass.exe
C:\ProgramData\Application Data\microsoft\usb2.0\ – delete usb-hi.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ – delete kbdrv16.com
Important: Use the Create New Task or Run window as sometimes using Windows Explorer doesn’t work saying that the folder does not exist.
For Windows XP
Go to the following folders and delete the files indicated. Use Unlocker as needed.
C:\Documents and Settings\All Users\Application Data\Fearghus\ – delete lsass.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\ – delete usb-hi.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ – delete kbdrv16.com
5. Clean your Registry
Launch Registration editor again by making a new task through Task Manager or by using the Run command and entering regedit.
Go to HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ and then on the right pane click USB2.0 and Keyboard and then delete both.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and then double-click on Shell on the right pane to modify it (You can now modify it). Only Explorer.exe should be the value left.
Click Ok to accept the changes.
The only thing left to do now is restart Windows and test if the Windows desktop would still be blank.
That’s it! I hope I’ve helped you solve your problem on Windows Vista / Windows XP blank screen after login.
Subscribe to our 
TechieChips' RSS Feed or via Email or Newsletter. We'll only update you if there are new posts/articles. (No Spam!). Why do you want to subscribe to TechieChips?
You can leave a response, or trackback from your own site.
Email This Post
Print This Post
Hi,
Thanks for helping me. Although I don’t have any blank desktop, I was still infected by this keylogger and I worry if something is happening on my PC which I don’t know. Thank you again!
Best regards,
Willy David Jr
Business Coach
http://cashflowphilippines.blogspot.com
i have blank screen after login showing only the mouse pointer after clicking username,and my son get screen saver on his,but if he turn off the computer and restart it works. i have try to launch the task manger as above but it does not work. can you help me? thank you bino
If you can’t launch task manager try the solution of Ahmed (who posted a great comment here!):Ahmed’s comment
I love to donate but can i donate to you by post
Of course! You do know my email right? ige@techiechips.com
Hi,
My screen doesn’t blank out either, but I had all the files mentioned above, which was detected to be the generic13 trojan. I followed the instructions listed above, but when I boot up, I still get an error saying that it can’t find the system32\keyboard\service.exe file. What other stuff could possibly be trying to access it, when it’s not in the registry anymore?
Hope you can help!
Thanks,
Mara
Hi Mara,
Let me first clear one thing. Are you having an error on services.exe or service.exe? Im’ going to assume below that you are referring to services.exe.
The most likely reason that you get that error message is that there is still a registry entry accessing services.exe but the file is no longer present in the system. Have you checked on the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ? Remember it should be Explorer.exe only.
What you may also have is a different variant of the virus. You can do a search in the registry (Ctrl+F in regedit), and search for services.exe to find out.
this was absolutely helpful! thank you so much!
oh no! it went back to the blank screen again. first try it was effective, but the second time, it went back. you have any idea why?
Hi Grace,
It just means that your computer has been infected again with the virus. Have you tried doing the steps again to see if the same files are in your computer again?
If your computer has been infected again, check your USB drives if they have the virus. Usually this propagates through portable USB flash disks/drives. When you insert the USB flash disk to your computer do not use the Autoplay functionality. Go to My Computer and right click on your USB flash disk. If the highlighted or bold words ARE NOT Explore or Open, then that USB disk is infected with the virus. Usually if its infected “Install Device” or something like that is the one highlighted or in bold letters when you right click it.
you’re right! it’s my usb! i’ll try it all again after i’ve cleaned my usb.
btw, aside from windows explorer not loading on startup, does this virus have any other effects on my computer?
thanks again!
This virus/trojan/worm is actually a keylogger. It records all the keystrokes you make on your keyboard in the hopes of finding sensitive information (like credit card info, username and password, etc.) and sends them to a central server via the internet.
When I got a hold of this virus, I immediately changed my passwords as soon as I was sure that my computer was clean.
Alright! It starts normally again! You were of great help, Ige. Thanks so much!
I would like to know if there is a commercial or popular antivirus utility that could detect and clean this infection. Many non-tech guys like me cannot remove the worm at all no matter how hard we try following instructions.
Thanks a lot!
I haven’t really tested what commercial anti-virus utilities can actually remove this infection. However, I’m pretty sure these top two commercial/paid anti-virus softwares can – Kaspersky and BitDefender.
I do suggest that you try the solution above though.
I got infected with this worm about 3 months ago. Sadly, Kaspersky cannot remove it once the worm has already infected Windows. Kaspersky, can prevent it from infecting clean systems though.
Sadly, this page was not yet available when my computer was hit by this worm – so I reformatted.
That’s sad to hear. Prevention really is the key. If you’re careful on the websites you visit, the files you download, and where you insert your USB flash disk, your computer won’t be easily infected with a virus/worm/trojan.
I like you! You take time to dissect a worm and explain details. As of today, I cannot find an antivirus that could remove this worm. Many heuristic scanner can detect it but cannot remove it. With the help of this site, I am able to fix the “blue screen of death” problem my computer was experiencing.
Good luck maintaining this kind of site!!!
Thanks Donna! Great to hear I was of help!
My computer has the symptons describe above with the blank screen and cursor after login. I have Windows XP and the only way I can now work any applications is thru the task manager. The Explore.exe appears to be okay, so I am down to the step were you enter in C:\Windows\System32\keyboard\ and I get an error message. Any solutions? Thank -Jason
Why don’t you go directly from your My computer to C:\Windows\System32\Keyboard folder?
Also, what error are you encountering?
Thank you very much for the help i owe you one
Thanks for this information but the Task Manager is not popping up at all.
Then you may have another variant of the virus in your computer.
Hey…
I’ve got this same problem only when I CTRL + ALT + DELETE it doesn’t let me click on TASK MANAGER.
I’ve got windows xp sp2.
Is there anyway to get rid of this??
Thanks in advance
You may have another variant of the virus. If you can provide more details on what the virus is currently doing to your system, I might be of more help.
thanks for replying…
currently its doing the same thing as described in ur article..
when i turn on the computer it loads up the windows xp screen and then the log-in screen…
i type in the password click ok and it just goes to a blank blue screen… nothing but blue and the mouse cursor.. i tried CTRL+ALT+DELETE and a box appears with 6 buttons “lock computer” , “log off”, “shut down”, “change password”, “task manager”, and “cancel”…
i can click on all except the “task manager” button…
i tried restarting it n turning it off n on numerous times but nothing…
thanks again for help
Your computer really is infected with another variant of the virus. It would be really hard to troubleshoot your problem when I’m not seeing it personally. What I do suggest is that you reinstall your Windows XP if you can. Reinstall it without formatting your hard drive so you can back up your data later. I think you know what to do from there.
Good Luck. Sorry I wasn’t of much help.
I suggest that you login use, Kaspersky Virus Removal tool to check your system. I’ve written an article about it here: Kaspersky Virus Removal Tool. You may
Ill give that a try…
Thanks a lot for your help though… really appreciate it.
I think I was worst affected and was disappointed to read this on the blog “Important: If this does not restore your desktop, your desktop icons and windows taskbar, then you should stop reading this now as this guide would not be able to help you.”
But following instructions above I managed to recover my Vista machine. Here is what I did (my system was infected with the scvhost.exe variant)
1- Since you cannot access your desktop nor Task Manager so there is nothing much you can do while loged-in. Turn off your computer, take Hard Disk out and connect to sane computer as an external hard disk.
2- Delete following files;
(The OS drive of External Hard Disk will be reference)
WINDOWS\scvhost.exe [This is a virus file and executes as an argument to explorer.exe. This is hidden and you will need to change view settings to see it.]
WINDOWS\system32\scvhost.exe [This is a virus backup. This is hidden and you will need to change view settings to see it.]
3- Fix registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon of ‘Shell’ value is not set to “Explorer.exe” instead of “Explorer.exe C:\Windows\svchost.exe”
This can be done with any Registry Editor. I did not have Registry Editor so I used HexEdit (Searched for this binary value “45 00 78 00 70 00 6C 00 6F 00 72 00 65 00 72 00 2E 00 65 00 78 00 65 00 20 00 73 00 63 00 76 00″).
4- Install hard disk back and boot your system. This time you will get access to your desktop.
In case you can not open task manager (or regedit)
If you haved loged in and you are unable to use task manager, i.e., every time you open it, it vanishes itself. Now, you need to kill ’scvhost.exe’ process. Since you can not use Task Manager, it is good idea to use any other tool to kill this process. One such tool is ‘Process Explorer’ from microsoft. Download and run. You will clearly see the ’scvhost.exe’ running in user’s processes domain, kill this process and you will be able to run task manager/regedit again.
Note: Avoid confusion of file names. The virus file name is ’scvhost.exe’. There is a system file name that has resembling name ’svchost.exe’. So, do not spent energy fighting with system file thinking of it as virus file.
I hope this is helpful …
Ahmed,
Let me say that your post is awesome!! This is very helpful indeed as there many variants of the virus which exhibits this kind of behavior. I may have to promote your comment to a post in this site (if you permit me of course).
Many thanks again!
Hi Ige! There’s a worm/trojan that is presently infecting our computers. It hides all system folders and replace them with exe files! Worse, it appears that it could not be removed in safe mode and it deletes system restore information. How could I ever fix this dilemma!?
Hi Rocel,
It looks like what your describing is a different ind of virus. It’s very hard to diagnose a virus or trojan or worm when I’m not getting a first hand experience of it. All is not lost though so don’t panic. Have you tried installing the Kaspersky Virus Removal tool? Visit this page – Scan your computer for free – Kaspersky Virus Removal Tool. I’ve included a download link there. It should be able to detect your virus.
I hope I helped.
Hello Ige!
kbdrv16.com, usb-hi.exe and all the files related with them are now identified as the w32/smalltrojan.dwn and could now be removed with ease! Spread the news please and thanks!
Thanks Brahma!
I wanna thank you for all the steps given above.
Very helpful tip…
I am currently using the computer having this problem. I found out that i can open task manager although my screen is blank and i can only see the mouse cursor. thank God i was able to pull up google and search this issue using new task. then i found this link and tried it. It works. thanks you sooooo much….
Glad I helped sheng.
Hello Ige!
Have you encountered the w32.daprosy worm? We woud be very glad if you could publish manual removal for the said worm. It is presently feasting on our server and workstations.
Thanks in advance!
Hmmm.. I have to research that and maybe let my computer be infected just to know how to manually remove it.
Hello Ige!
We are being attacked by classified.exe files and we are in need of a solution. If you have encountered this kind of infection, please do post its cure here. It will be appreciated a lot!
Thanks and Mabuhay!
just droppin by to say thanks. it solved my problem pal!
awesome!!
thanks a lot dude
i owe u one
I got tip from a friend that a batch script is able to remove classified.exe. Will you please review the script for us? We will use (or not use) the script based on your recommendation.
The link is http://www.filefront.com/14560747/class-x.exe and the password to uncompress it is subatomica.
Thanks for helping us deal with kbdrv16.com!
I just looked at the script and it looks safe enough.
You can also opt to run “a-squared free” as it can remove malicious classified.exe even if you are already infected with it.
Hi Ige!
I have here a batch script downloaded from Filefront. I am presently experiencing symptoms of classified.exe infection but is hesitant to run the said script. I’m afraid my system gets worse if I run scripts from unknown source.
The script came from the site mentioned by PinkTeen. Please do analyze the script and classified.exe virus or maybe you could create a new page dissecting this troublesome virus.
We’ve been very thankful for your solution of the kbdrv16 worm!
Mabuhay ka Ige!
Hi Harry and Salamat!
I just looked at the script and it looks safe enough to run. You can also opt to install and run “a-squared free” as it can remove classified.exe even if your computer is already infected with it.
hi done checks and procedure for windows xp blank screen and explorer was the only thing on value data ,screen come back does this mean i got trouble somewhere else,run bt spyware several timess shows all ok thanks tony ps laptop notino 4400
hi guys
well i had the same problem like all of you,
i solved it with registry cleaning software,
it detected a errors in registry system
4 of them was a windows account problems
repair process solved mine problem
Great if it worked for you. I don’t really recommend registry cleaning softwares though as they tend to mess up your registry more than they fix it.
hey I have read all of the posts here and was following your instructions up to the point where you go to C:\Windows\System32\keyboard.
My problem is I cant seem to even find a keyboard folder.
Here is my registry under winlogon>Shell: C:\Explorer.exe rundll32.exe akhr .vfo mnbjbxt
You might be encountering a different kind of virus. If you skip the step you mentioned above is the blank screen resolved?
I’ll try to search and see what I can do. When you have a solution please do email me about it though so we help anyone who has encountered such problem.
Salamat!