Windows Vista / Windows XP Blank Screen after Login

How to fix your Windows Vista / Windows XP after it shows a blank screen after login.

A few days ago, I was referred by a friend of a friend, who had another friend who was having some problems with her PCs (pretty far huh?). She said that she can’t use her PCs anymore as both show a blank screen after Windows boot-up. It was weird that both PCs were showing the same problem that I had to see it myself. It got even weirder as one PC had Windows Vista, and the other had Windows XP.

The problem: Windows Vista or Windows XP displays a blank screen showing only the mouse pointer after booting-up (after the login screen which is usually after clicking the username).

 

Solution for Windows Vista / Windows XP Blank Screen after Login

Make sure first that the Task Manager is working by pressing CTRL+ALT+DEL, and choosing Task Manager. If Task Manager doesn’t work, then this guide cannot help you.

Moreover, unless specified, the steps below are both applicable for Windows Vista and Windows XP.

 

1. Launch the Task Manger and Restore your Desktop

Press CTRL+ALT+DEL and then go to File->New Task

Windows-Vista-Windows-XP-Blank-Screen-after-Login-graphic01

 

When the Run window appears, type Explorer or Explorer.exe or C:\Windows\Explorer

Windows-Vista-Windows-XP-Blank-Screen-after-Login-graphic02

 

Important: If this does not restore your desktop, your desktop icons and windows taskbar, then you should stop reading this now as this guide would not be able to help you.

 

2. Check your Registry

Create a New Task again by using the Task Manager. Since you now have the Taskbar restored, you can do this also by clicking Windows Start and choosing Run. When the Create a New Task or Run window appears, type regedit.

 

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Once you’ve clicked on WinLogon look for Shell in the right pane. Double-click on Shell and the value for Shell should only be Explorer.exe.

 

As can be seen above, there is an additional entry which is C:\Windows\System32\keyboard\services.exe which the Shell key refers to. Normally what we should do is just delete this additional entry and leave Explorer.exe in the field. However, if you’re seeing that value above, your computer is now infected with a Malware – specifically a Keylogger.

Important: If the value above is not just Explorer.exe but has a different additional entry (and not C:\Windows\System32\keyboard\services.exe), then you may have another kind of Malware. If the additional entry is C:\Windows\services.exe, then you should read my other article here – Windows Vista / Windows XP Blank Screen after Login – Version 2. If it’s neither of the two, then this guide would not help you.

 

3. Download and Install Unlocker software

We won’t be using any Malware scanner or virus scanner as I have not found any which can remove this Malware. Moreover, if there is a scanner out there which could remove this Malware, I think using Unlocker is still the most simple way where you have total control of what is going on.

As I’ve mentioned, download Unlocker from CNET as their official website is currently down. Once you’ve successfully downloaded the software, install it.

 

4. Delete the Malware files

Go to C:\Windows\System32\keyboard\ through Windows Explorer or by typing this in the Create New Task or Run command.

Windows-Vista-Windows-XP-Blank-Screen-after-Login-graphic05

 

You should be able to see the services.exe file. DON’T execute or double click it. Right click on it and if you’ve successfully installed Unlocker, you should be able to select it like below:

Windows-Vista-Windows-XP-Blank-Screen-after-Login-graphic06

 

The Unlocker program should now launch and show you the Processes that are using services.exe. Select all the processes and choose, Kill Process.

 

Once there is no more process using services.exe, quit Unlocker, and then delete services.exe. Make sure to delete it at the Recycle Bin as well. If we don’t use Unlocker, we won’t easily delete the Malware.

 

For Windows Vista
Go to the following folders and delete the files indicated. Use Unlocker as needed.

C:\ProgramData\Application Data\Fearghus\ – delete lsass.exe
C:\ProgramData\Fearghus\ – delete lsass.exe
C:\ProgramData\Application Data\microsoft\usb2.0\ – delete usb-hi.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ – delete kbdrv16.com

Important: Use the Create New Task or Run window as sometimes using Windows Explorer doesn’t work saying that the folder does not exist.

 

For Windows XP
Go to the following folders and delete the files indicated. Use Unlocker as needed.

C:\Documents and Settings\All Users\Application Data\Fearghus\ – delete lsass.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\ – delete usb-hi.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ – delete kbdrv16.com

 

5. Clean your Registry

Launch Registration editor again by making a new task through Task Manager or by using the Run command and entering regedit.

 

Go to HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ and then on the right pane click USB2.0 and Keyboard and then delete both.

 

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and then double-click on Shell on the right pane to modify it (You can now modify it). Only Explorer.exe should be the value left.

Windows-Vista-Windows-XP-Blank-Screen-after-Login-graphic09

 

Click Ok to accept the changes.

The only thing left to do now is restart Windows and test if the Windows desktop would still be blank.

That’s it! I hope I’ve helped you solve your problem on Windows Vista / Windows XP blank screen after login.

Be Sociable, Share!

 

 

 
Be Sociable, Share!

Subscribe to our TechieChips' RSS Feed or via Email or Newsletter. We'll only update you if there are new posts/articles. (No Spam!). Why do you want to subscribe to TechieChips?


 

 
  1. Hi,

    Thanks for helping me. Although I don’t have any blank desktop, I was still infected by this keylogger and I worry if something is happening on my PC which I don’t know. Thank you again!

    Best regards,
    Willy David Jr
    Business Coach
    http://cashflowphilippines.blogspot.com

  2. Mara says:

    Hi,

    My screen doesn’t blank out either, but I had all the files mentioned above, which was detected to be the generic13 trojan. I followed the instructions listed above, but when I boot up, I still get an error saying that it can’t find the system32\keyboard\service.exe file. What other stuff could possibly be trying to access it, when it’s not in the registry anymore?

    Hope you can help!

    Thanks,
    Mara

    • Ige says:

      Hi Mara,
      Let me first clear one thing. Are you having an error on services.exe or service.exe? Im’ going to assume below that you are referring to services.exe.

      The most likely reason that you get that error message is that there is still a registry entry accessing services.exe but the file is no longer present in the system. Have you checked on the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ? Remember it should be Explorer.exe only.

      What you may also have is a different variant of the virus. You can do a search in the registry (Ctrl+F in regedit), and search for services.exe to find out.

  3. Grace Bonifacio says:

    this was absolutely helpful! thank you so much!

  4. Grace Bonifacio says:

    oh no! it went back to the blank screen again. first try it was effective, but the second time, it went back. you have any idea why?

    • Ige says:

      Hi Grace,
      It just means that your computer has been infected again with the virus. Have you tried doing the steps again to see if the same files are in your computer again?

      If your computer has been infected again, check your USB drives if they have the virus. Usually this propagates through portable USB flash disks/drives. When you insert the USB flash disk to your computer do not use the Autoplay functionality. Go to My Computer and right click on your USB flash disk. If the highlighted or bold words ARE NOT Explore or Open, then that USB disk is infected with the virus. Usually if its infected “Install Device” or something like that is the one highlighted or in bold letters when you right click it.

      • Grace Bonifacio says:

        you’re right! it’s my usb! i’ll try it all again after i’ve cleaned my usb.

        btw, aside from windows explorer not loading on startup, does this virus have any other effects on my computer?

        thanks again!

        • Ige says:

          This virus/trojan/worm is actually a keylogger. It records all the keystrokes you make on your keyboard in the hopes of finding sensitive information (like credit card info, username and password, etc.) and sends them to a central server via the internet.

          When I got a hold of this virus, I immediately changed my passwords as soon as I was sure that my computer was clean.

      • Capri says:

        I had the same problem as Grace.
        Finally, I downloaded Malwarebytes from
        cnet.com and after scanning the computer, the results showed that 6 infections were detected,
        including the trojan virus. I simply clicked on
        the REMOVE button and, voila! I have not had that
        problem again.

  5. Spider Web says:

    I would like to know if there is a commercial or popular antivirus utility that could detect and clean this infection. Many non-tech guys like me cannot remove the worm at all no matter how hard we try following instructions.

    Thanks a lot!

    • Ige says:

      I haven’t really tested what commercial anti-virus utilities can actually remove this infection. However, I’m pretty sure these top two commercial/paid anti-virus softwares can – Kaspersky and BitDefender.

      I do suggest that you try the solution above though. :-)

      • Spider Web says:

        I got infected with this worm about 3 months ago. Sadly, Kaspersky cannot remove it once the worm has already infected Windows. Kaspersky, can prevent it from infecting clean systems though.

        Sadly, this page was not yet available when my computer was hit by this worm – so I reformatted. :(

        • Ige says:

          That’s sad to hear. Prevention really is the key. If you’re careful on the websites you visit, the files you download, and where you insert your USB flash disk, your computer won’t be easily infected with a virus/worm/trojan.

  6. Donna says:

    I like you! You take time to dissect a worm and explain details. As of today, I cannot find an antivirus that could remove this worm. Many heuristic scanner can detect it but cannot remove it. With the help of this site, I am able to fix the “blue screen of death” problem my computer was experiencing.

    Good luck maintaining this kind of site!!!

  7. Jason says:

    My computer has the symptons describe above with the blank screen and cursor after login. I have Windows XP and the only way I can now work any applications is thru the task manager. The Explore.exe appears to be okay, so I am down to the step were you enter in C:\Windows\System32\keyboard\ and I get an error message. Any solutions? Thank -Jason

    • Ige says:

      Why don’t you go directly from your My computer to C:\Windows\System32\Keyboard folder?

      Also, what error are you encountering?

  8. Thank you very much for the help i owe you one

  9. Harsh says:

    Thanks for this information but the Task Manager is not popping up at all.

  10. jose alcala says:

    Hey…

    I’ve got this same problem only when I CTRL + ALT + DELETE it doesn’t let me click on TASK MANAGER.

    I’ve got windows xp sp2.

    Is there anyway to get rid of this??

    Thanks in advance

    • Ige says:

      You may have another variant of the virus. If you can provide more details on what the virus is currently doing to your system, I might be of more help.

      • jose alcala says:

        thanks for replying…

        currently its doing the same thing as described in ur article..

        when i turn on the computer it loads up the windows xp screen and then the log-in screen…

        i type in the password click ok and it just goes to a blank blue screen… nothing but blue and the mouse cursor.. i tried CTRL+ALT+DELETE and a box appears with 6 buttons “lock computer” , “log off”, “shut down”, “change password”, “task manager”, and “cancel”…

        i can click on all except the “task manager” button…

        i tried restarting it n turning it off n on numerous times but nothing…

        thanks again for help

        • Ige says:

          Your computer really is infected with another variant of the virus. It would be really hard to troubleshoot your problem when I’m not seeing it personally. What I do suggest is that you reinstall your Windows XP if you can. Reinstall it without formatting your hard drive so you can back up your data later. I think you know what to do from there. :-) Good Luck. Sorry I wasn’t of much help.

          I suggest that you login use, Kaspersky Virus Removal tool to check your system. I’ve written an article about it here: Kaspersky Virus Removal Tool. You may

          • jose alcala says:

            Ill give that a try…

            Thanks a lot for your help though… really appreciate it.

  11. Ahmed says:

    I think I was worst affected and was disappointed to read this on the blog “Important: If this does not restore your desktop, your desktop icons and windows taskbar, then you should stop reading this now as this guide would not be able to help you.”

    But following instructions above I managed to recover my Vista machine. Here is what I did (my system was infected with the scvhost.exe variant)

    1- Since you cannot access your desktop nor Task Manager so there is nothing much you can do while loged-in. Turn off your computer, take Hard Disk out and connect to sane computer as an external hard disk.
    2- Delete following files;

    (The OS drive of External Hard Disk will be reference)
    WINDOWS\scvhost.exe [This is a virus file and executes as an argument to explorer.exe. This is hidden and you will need to change view settings to see it.]
    WINDOWS\system32\scvhost.exe [This is a virus backup. This is hidden and you will need to change view settings to see it.]

    3- Fix registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon of ‘Shell’ value is not set to “Explorer.exe” instead of “Explorer.exe C:\Windows\svchost.exe”
    This can be done with any Registry Editor. I did not have Registry Editor so I used HexEdit (Searched for this binary value “45 00 78 00 70 00 6C 00 6F 00 72 00 65 00 72 00 2E 00 65 00 78 00 65 00 20 00 73 00 63 00 76 00″).

    4- Install hard disk back and boot your system. This time you will get access to your desktop.

    In case you can not open task manager (or regedit)
    If you haved loged in and you are unable to use task manager, i.e., every time you open it, it vanishes itself. Now, you need to kill ‘scvhost.exe’ process. Since you can not use Task Manager, it is good idea to use any other tool to kill this process. One such tool is ‘Process Explorer’ from microsoft. Download and run. You will clearly see the ‘scvhost.exe’ running in user’s processes domain, kill this process and you will be able to run task manager/regedit again.

    Note: Avoid confusion of file names. The virus file name is ‘scvhost.exe’. There is a system file name that has resembling name ‘svchost.exe’. So, do not spent energy fighting with system file thinking of it as virus file.

    I hope this is helpful …

    • Ige says:

      Ahmed,

      Let me say that your post is awesome!! This is very helpful indeed as there many variants of the virus which exhibits this kind of behavior. I may have to promote your comment to a post in this site (if you permit me of course).

      Many thanks again!

      • Rocel says:

        Hi Ige! There’s a worm/trojan that is presently infecting our computers. It hides all system folders and replace them with exe files! Worse, it appears that it could not be removed in safe mode and it deletes system restore information. How could I ever fix this dilemma!?

        • Ige says:

          Hi Rocel,

          It looks like what your describing is a different ind of virus. It’s very hard to diagnose a virus or trojan or worm when I’m not getting a first hand experience of it. All is not lost though so don’t panic. Have you tried installing the Kaspersky Virus Removal tool? Visit this page – Scan your computer for free – Kaspersky Virus Removal Tool. I’ve included a download link there. It should be able to detect your virus.

          I hope I helped.

      • Brahma says:

        Hello Ige!

        kbdrv16.com, usb-hi.exe and all the files related with them are now identified as the w32/smalltrojan.dwn and could now be removed with ease! Spread the news please and thanks!

    • amy says:

      how do we take out the hard disc? and to put it back? ;o Really need help!

  12. sheng says:

    I wanna thank you for all the steps given above.
    Very helpful tip…
    I am currently using the computer having this problem. I found out that i can open task manager although my screen is blank and i can only see the mouse cursor. thank God i was able to pull up google and search this issue using new task. then i found this link and tried it. It works. thanks you sooooo much….

    • Ige says:

      Glad I helped sheng. :-)

      • Crunch says:

        Hello Ige!

        Have you encountered the w32.daprosy worm? We woud be very glad if you could publish manual removal for the said worm. It is presently feasting on our server and workstations.

        Thanks in advance!

        • Ige says:

          Hmmm.. I have to research that and maybe let my computer be infected just to know how to manually remove it.

          • Andrew says:

            Hello Ige!

            We are being attacked by classified.exe files and we are in need of a solution. If you have encountered this kind of infection, please do post its cure here. It will be appreciated a lot!

            Thanks and Mabuhay!

          • Ige says:

            I’ll try to search and see what I can do. When you have a solution please do email me about it though so we help anyone who has encountered such problem.

            Salamat!

  13. Mark Daniel says:

    just droppin by to say thanks. it solved my problem pal!

  14. traumatic says:

    awesome!!
    thanks a lot dude
    i owe u one

  15. PinkTeen says:

    I got tip from a friend that a batch script is able to remove classified.exe. Will you please review the script for us? We will use (or not use) the script based on your recommendation.

    The link is http://www.filefront.com/14560747/class-x.exe and the password to uncompress it is subatomica.

    Thanks for helping us deal with kbdrv16.com!

    • Ige says:

      I just looked at the script and it looks safe enough.

      You can also opt to run “a-squared free” as it can remove malicious classified.exe even if you are already infected with it.

  16. Harry says:

    Hi Ige!

    I have here a batch script downloaded from Filefront. I am presently experiencing symptoms of classified.exe infection but is hesitant to run the said script. I’m afraid my system gets worse if I run scripts from unknown source.

    The script came from the site mentioned by PinkTeen. Please do analyze the script and classified.exe virus or maybe you could create a new page dissecting this troublesome virus.

    We’ve been very thankful for your solution of the kbdrv16 worm!

    Mabuhay ka Ige!

    • Ige says:

      Hi Harry and Salamat!

      I just looked at the script and it looks safe enough to run. You can also opt to install and run “a-squared free” as it can remove classified.exe even if your computer is already infected with it.

  17. tony says:

    hi done checks and procedure for windows xp blank screen and explorer was the only thing on value data ,screen come back does this mean i got trouble somewhere else,run bt spyware several timess shows all ok thanks tony ps laptop notino 4400

  18. deux says:

    hi guys
    well i had the same problem like all of you,
    i solved it with registry cleaning software,

    it detected a errors in registry system
    4 of them was a windows account problems

    repair process solved mine problem

    • Ige says:

      Great if it worked for you. I don’t really recommend registry cleaning softwares though as they tend to mess up your registry more than they fix it.

  19. bobjoeATX says:

    hey I have read all of the posts here and was following your instructions up to the point where you go to C:\Windows\System32\keyboard.
    My problem is I cant seem to even find a keyboard folder.

    Here is my registry under winlogon>Shell: C:\Explorer.exe rundll32.exe akhr .vfo mnbjbxt

  20. Alvin P. says:

    Hi Mr. Ige,

    I find your solutions very helpful. Of course take it from the expert. Now I have somehow a similar technical problem after I downloaded AVG anti-virus version 8.5 for free from kickasstorrents.com. I scanned the computer using AVG and it detected the several viruses and it automaticaly healed them. Now once I restarted the computer and after logging in this particular message came out:

    Windows cannot find C:\WINDOWS\system32\keyboard\services.exe Make sure you typed the name correctly, and then try again. To search for a file click Start button then click search.

    The desktop icons are still visible and once I clicked the OK tab of the message, everything are so far normal. However if I leave the message for 10sec. without clicking the OK tab, the desktop disappears including the message! But after I clicked the OK tab where I estimated is located, the whole desktop comes right back again and everything seem normal.

    I followed your advise on downloading unlocker after seeing the “C:\WINDOWS\system32\keyboard\services.exe” on the Shell of the registry. Now when I got into the folder C:\WINDOWS\system32\keyboard using Task Manager I can’t see the “services.exe” and so I have no file to unlock.

    Kindly help me on this dilemma because I really feel uncomfortable seeing that message everytime I log in to my computer.

    Your kind accomodation would be greatly appreciated.

    Thank you Ige.

    Best regards,
    Alvin P.

  21. Randy says:

    Hello Ige!

    Please write a solution for the classified.exe trojan worm. It really affects us so badly that we have closed our shop for about a week now. The said worm is available at 4shared.com as “my naughty pix.exe”

  22. Rohit says:

    Thanks a lot this helps to get my desktop icons and task bar. Found regsvr.exe in explorer.exe so deleted regsvr.exe.

  23. Anthony says:

    Hey man, this came in really helpful up until a certain point. When I open the “Shell” file, the value mentioned is “Explorer.exe C:\WINDOWS\Config\csrss.exe”

    I understand that this probably just means I have another variant of the virus as you have explained to countless other people in this topic. However, I’m just wondering if the method to go about sorting this problem is the same as the one you’ve given, just with different files? (If that makes sense)

    Something else which might interest you is a difference in the symptoms. When I log in to Windows (I’m on Vista btw), I don’t just get a blank screen as most people here seem to have done. I get screen that’s completely black besides a “My Documents” window.
    For over a year now I’ve coped with just closing this window, pressing ctrl+alt+del and opening “explorer.exe” from a new task. But I’ve stumbled across this post and it seems the closest I’ve come to removing this problem permanently so I’d really appreciate your help!
    Also, as it seems to be a keylogger trojan virus thing, I’m pretty worried as I’m almost 18 and will soon be getting credit cards and things like that so my essential details may get exposed to the internet.

    Thanks so much for any help you can offer!

    • Ige says:

      Hi Anthony,
      You kind of remind me of myself. :)
      I’m sure you have a different variant of the virus/trojan. I’ll try to check how you can fix that but I really can’t guarantee anything.

      What I would suggest is that you copy all your important files and just format your hard drive and reinstall Windows. You can also use your restore disks if you already have one. This way you are sure that the system is really virus/trojan free. If you don’t know how to do that I suggest that you let a computer technician do it for you.

  24. Sunil says:

    Dear Ige,
    Just found your site and you are a life-saver! Is it possible to ask you questions directly at your e-mail, or do I have to post here to get an answer.
    So, I managed to get rid of the blank screen by typing “explorer” in the task manager as you suggested. But in the registry shell entry it ONLY says Explorer.Exe. So what does that mean?
    If it means I have no Malware how and why did the problem occur?

    Also I tried to check my flash drive for viruses in the way you suggested, and here “Autoplay” is highlighted in bold. Does this mean it is infected or not?
    Also – any suggestions for what virus software to use? I have had problems with many of the main ones so far – Zone Alarm for example disabled by internet completely! Others really slow your computer down or block everything to be safe. AVG seems to keep giving me error messages. Also is it possible to get good free ones or does one always have to pay.

    Thanks again.

    • Ige says:

      Hi Sunil,

      I’m glad you found the site and my articles helpful. You can also email me but I prefer that you just post comments or questions on the article so that anyone can read and learn.
      After you typed explorer, when you restart the computer does the blank screen disappear? If it doesn’t appear, I guess your antivirus software has already detected the virus and deleted it. It just wasn’t able to restore your original settings which results to the blank screen.

      If autoplay is highlighted and you didn’t put any autorun functions in it – then most likely it is infected with a virus. Another possibility is that it was previously infected but is already clean, but the autorun just wasn’t deleted.

      Paid antivirus softwares are of course still better than free ones. If your’re going to get a paid one, Kaspersky is one of the best. If you opt for a free one, I suggest that you get the free Avira. You can read my 2 articles on that one – Avira Antivir 9 and Top Pick Free Antivirus

      • Sunil says:

        Dear Ige,

        Thanks for the quick reply. When I restarted the same problem was there, but then I ran a virus program someone suggested – malwarebytes anti-Malware and now problem has gone for good. Thanks for your advice on the virus programs and will read your articles – could you tell me what you think of the one I just mentioned using – Malwarebytes anti-Malware – only using free one right now, and want to get your input before buying anything.
        Thanks

  25. Sunil says:

    PLEASE HELP!

    I think I am in real trouble now because I now get a black screen straight after the Windows splash message and then the following message:
    lsass.exe Application error:
    the application failed to initialize properly (0xc0000005) click on ok to terminate the Application

    Nothing from pressing F8 works – safe mode, last known configuration etc.

    This has happened straight after I ran the Malwarebytes anti-Malware program a few times. Don’t know if that’s connected. Ctrl alt del – does not work. Nothing does. The cursor moves that’s all.

  26. toan says:

    There are no virus or anything.
    i just found out the answer after 5 hours of headache to figure what is going with my computer. I’m not the computer expert but you can try this.

    Press F8 at boot start, on Screen got SafeMode, SafeMode with network, etc.

    Click on Last Known Good Configuration (advance).
    Be happy like me.

  27. cooldude says:

    I’m only here because my grandparents are here and their PC is stuck. We got it to run, but we can’t hook up to the internet and my grandparents don’t want to change the registry because my aunt said you cn do permanant damage. if you run Safe with Networking from the prompt, will you be able to go on the internet?