Black screen /w cursor even in safe mode

Dankiedoge

Hello, I've stumbled upon a probable virus or corruption that leaves my screen black /w cursor and in safe mode, and it occurs before I get to log in, preventing Ctrl+Alt+Del commands and stuff like that.
I have tried the following:
* Last Known Good Configuration
* Chkdsk
* SFC /Scannow
* Lower resolution
* System Repair
* System Restore
* System Image Recovery
* Memory Diagnostic

That leaves me with a low amount of options, with the top one being reformat, but I'd rather not as I believe there's another, easier, hidden way to recover my PC. My arsenal right now is composed of CMD and Regedit (the only two programs I can actually run in recovery mode). I've been able to run Regedit thanks to getting Windows Explorer in System Image Recovery (I'm supposed to install a driver but I've managed to do other stuff with this newly opened Explorer). Now this is where I found the troubling little pest: the Winlogon Shell's value is "cmd.exe /k start cmd.exe" instead of explorer.exe. Now obviously I've tried changing it back to explorer.exe but it seems it reverts back every restart. I could toy around with permissions but I'm afraid I could make it worse. That's why I'm asking here; please, any suggestions would be greatly appreciated. I have to recover this PC in a week or my dad is totally gonna ban me from using it.
 

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Acer
OS: Windows 7 Ultimate x64
Antivirus: BitDefender
Browser: Google Chrome

Based on what you said about regedit and what not, it sounds like you are in fact seeing an image on the monitor, correct?

Are you using the Windows disk to do all this?

On its face it sounds like a possible monitor issue. Just to rule that out, swap the display port for the HDMI port or vice versa, or even VGA if you can. If you have another monitor for testing, use that. I'd also monkey around with the monitor settings, or if there's a reset back to default in the monitor, use that. Something else you can do to be absolutely sure your monitor is alright is to try and boot a live CD like Damn Small Linux or Hiren's Boot CD. You should be able to write these to USB and boot the USB, but USB can be problematic sometimes. If so, you'll have to write these images to CD. I use ImgBurn portable for CD/DVD writing of ISO files.

The Winlogon shell thing sounds interesting and perhaps indicative of malware. There are live CDs from anti-virus companies like Bitdefender and Avira that you can boot and scan the computer in a non-running Windows environment to help clean up any malware. Even if it does, the damage may be done. Which ultimately means you format and reinstall Windows. In order to save your data you have a couple of options. 1) You should be able to use Hiren's Boot CD to access the hard drive. From there it's a simple copy/paste of all your data from the hard drive to an external hard drive or USB thumb drive with enough storage. 2) If this is a SATA drive you can use a SATA to USB drive adapter, pull the hard drive and connect it to another computer where you can then do a copy/paste of your data. This is relatively easy for pictures and what not. But for browser bookmarks and other stuff I have to tell you specifically how to do it, which means I need to know the name of the browser. It just involves going to the browser's profile directory where all that data is kept.

And if this truly is a malware issue, you may have better luck with some experts who do this stuff all the time at BleepingComputer. But again, and as I said, if malware messed anything up it may be irreversible, which means a format and new Windows install. But this all depends on the malware, if it is malware, and if it can be removed and any damage reversed with a system restore or repair install, etc.

This is exactly why you should do periodic clones of the computer to an external USB hard drive or even a temp hard drive connected to a SATA port in the computer. In all cases, the backup hard drive should be air gapped and kept in a safe place. I use a couple of fireproof safes for this. While the locking mechanism isn't that great, and that's not why I bought them, your data, etc. in a safe like this has the potential of staying as safe as possible. In the U.S. a fireproof safe goes for about $35 on eBay. I have not a single clue where you'd buy one where you're at, let alone if you have access to an eBay for your country. Look for a good safe that is rated for electronics. And place all thumb drives and hard drives in plastic bags inside the safe. In the U.S. these are called Ziploc bags or sandwich bags. For cloning a hard drive I have used in the past AOMEI Backupper. It's straightforward and easy to use. Choose the source (your computer's hard drive) and the destination (the USB hard drive) or whatever. If it's SSD or NVMe, choose the align option. Sector by sector is not needed unless you are cloning corrupt files. That's the only reason I can think of as to why one would use that option.

At any rate, one week is not a lot of time. It might just be faster to back up your data and format lest you're banned from the computer. You should explain how the Internet is a learning tool and that fixing the computer is a learning process in and of itself, and that a set timeline isn't very fair as it pertains to learning how to fix it and learning how to never have it happen again. LOL But all parents have their own set of rules and while some rules make sense, others may not. If this happened to one of my kids I'd make them fix it themselves as a learning experience, and if they can't, oh well. LOL

I can tell you right now that if you have a bad habit of using the pirate bay or visiting shady websites, you're gonna pick up an online STD in short order. Learn how to use Sandboxie for your browser, and run potentially shady software in a Windows 7 or 10 install in VMware Workstation Player. Both are free to use. Above all else, clone the computer at least once a month or as data is accumulated on the hard drive dictates.
 

My Computer
Computer type: PC/Desktop
OS: Windows 7 Ultimate x64

Hello, Simpilot. Sorry for the late reply, I was around other websites looking for help too. Anyways, thank you for the long and thoughtful reply, I've read it all and I appreciate your sympathy. About the getting banned thing, my mom called my dad and he said he won't ban me but advised me to just reformat the thing. Well, for me it's safe to say he'd at least be disappointed. That's why I'm still a bit determined to find another way to fix this. Also I've found similar but old posts to my problem and it might help you get a better picture - KSOD - I suspect Malware - Resolved Malware Removal Logs - Malwarebytes Forums, Malware uncertainty - cmd.exe /k start cmd.exe - Am I infected? What do I do?, How to make Windows 7 get working again (black screen with a cursor)?, Boot problems: Black screen + CMD no explorer.exe Solved - Page 6 - Windows 10 Forums. Of course I've tried their methods of how they solved it; most of them just gave up and did a fresh install. I've tried all methods I could find without format but still to no luck. I've started to believe this is just a corruption and not a virus; I've run EEK (Emsisoft Emergency Kit) and it found no threats. I've also found other people saying that they had the same problem but it was due to a service going banaynays - Forum FAQ: After Logging into Windows 7, a Black Screen Appears and the Desktop is Missing. I've done "copy *.* .." in RegBack but even the old registry which had Shell = explorer.exe and Userinit = C: drive didn't work out. Any ideas? Still willing to give this a shot and help a young lass out?
 

How are you accessing the computer with a black screen? Are you using the Windows disk?

What did you do prior to this issue happening?
 

Oh, I'm accessing through the "Repair Your Computer" place. Peeps on the other websites told me it's the recovery environment and that anything that I modify here wouldn't be saved because it's just an image. And they were right, turns out the reason why I can't change cmd.exe to explorer.exe in the Shell registry value is because I'm not modifying the real thing. Guess my last option is CMD but even chkdsk and sfc /scannow don't do a thing, like they don't even see the problem. I've come to think this is a corruption and not a virus. I'm slowly fading away on to just resorting to format the damn thing now.
 

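Added example, not part of the original thread or written by its posters: the post above notes that Regedit in the recovery environment does not modify "the real thing". One way to read the installed system's Winlogon values from the recovery command prompt is to load its offline SOFTWARE hive first; the drive-letter argument and the temporary key name `OFFLINE_SW` are assumptions of this example.

```batch
@echo off
rem Added example (not from the thread). Run from the recovery command prompt.
rem Regedit and "reg query HKLM\SOFTWARE" there show the recovery image's own
rem registry, so the installed system's SOFTWARE hive is loaded under a
rem temporary key first.
rem Assumptions: drive letter passed as the first argument (recovery often
rem remaps letters, so the Windows volume may be D: instead of C:), and
rem OFFLINE_SW is an arbitrary temporary key name chosen for this example.
setlocal
set "SYSDRIVE=%~1"
if "%SYSDRIVE%"=="" set "SYSDRIVE=C:"
set "HIVE=%SYSDRIVE%\Windows\System32\config\SOFTWARE"
set "KEY=HKLM\OFFLINE_SW\Microsoft\Windows NT\CurrentVersion\Winlogon"

if not exist "%HIVE%" (
    echo No SOFTWARE hive found at %HIVE%. Try another drive letter.
    exit /b 1
)
reg load HKLM\OFFLINE_SW "%HIVE%" >nul
if errorlevel 1 (
    echo Could not load %HIVE%.
    exit /b 1
)

rem Print the two Winlogon values discussed in the thread.
reg query "%KEY%" /v Shell
reg query "%KEY%" /v Userinit

rem Pull the Shell data out of the "Shell  REG_SZ  <data>" line and compare
rem it with the stock value, explorer.exe.
set "SHELLVAL="
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v Shell 2^>nul') do (
    if /i "%%A"=="REG_SZ" set "SHELLVAL=%%B"
)
if /i "%SHELLVAL%"=="explorer.exe" (
    echo Offline Shell is the default explorer.exe.
) else (
    echo Offline Shell is not the default: "%SHELLVAL%"
)

rem Unload so the hive file is released and changes are flushed to disk.
reg unload HKLM\OFFLINE_SW >nul
endlocal
```
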
Have you seen this thread?

Post #21 may be your answer. I'm assuming that's from CMD.
 
