Removing the cmd auto shutdown virus
A few moments ago, I fixed my friend’s computer’s problem. She was having problems accessing the command prompt (DOS) from her Windows XP operating system. Every time she attempts to execute “cmd” on her Run dialog box, her computer automatically shuts down. Here is my analysis on how the virus prevents her from using the command prompt and how to remove the virus from the system.
Problem
A virus is preventing the user from using the command prompt. When “cmd” is used, the system automatically shuts off.
Analysis
After giving attempting the “cmd” on her system, the command prompt executes a file called “pc-off.bat“. If my assumptions are correct, this file causes the system to shut down. The file injects itself before the “cmd” command starts.
The only way that this can be done is to inject a command in the Command Processor registry entry. To solve the problem, we have to trace and remove the command that was injected by the virus.
Solution
We must first gain access to our registry editor (regedit on your run prompt). In some cases, the virus disables user (admin) access to the registry. Since the virus injects itself in our command prompt, using DOS to access the registry is not possible. What I can suggest is you download and install an alternate registry editor which you can use to browse your registry editors.
One you gain access to the system registry, browse on the [HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor] and remove the “autorun“= “c:Windowspc-off.bat” entry.
Remove or delete the highlighted entry.
After removing the autorun entry, download and run this batch file.
In some reported cases, the pc-off.bat virus have other variations like bar311.exe, password_viewer.exe, and photos.zip.exe. The fix file above should remove these files as well.
After fixing the problem, update your anti-virus or buy an updated anti-virus to prevent further infection.
Tweet This
Share on Facebook
Digg This
Save to delicious
Stumble it
RSS Feed
wow! thanks for this post! It helped me solve my shutdown prob
Reply
rommel Reply:
December 7th, 2010 at 8:50 pm
papz here is my instruction how to delete this virus shutdown.
he pc-off.bat contains the syntax like this”C:/path/shutdown -s -f -t 2 -c” which automatically shutdown your computer when you run the cmd.exe. So heres the solution to this problem… just follow these simple steps that im goin to discuss….
Manual removal:
1. upon start up…. after os loading… go to task manager by pressing CTRL+ALT+DEL then kill (end process) password_viewer.exe or bar311.exe or photos.zip.exe…
2. EDIT the following registry entries thru regedit at start/run
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“Userinit”=”userinit.exe,bar311.exe” —> remove “, bar311.exe” only… leave userinit.exe because this is used by Windows when you log-in…
[HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\Advanced]
“Hidden”=dword:00000001
“HideFileExt”=dword:00000000
“ShowSuperHidden”=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
“autorun”=”c:\Windows\pc-off.bat” –> remove “c:\Windows\pc-off.bat” or delete the autorun key.
3. go to your thumb drive, please use the folders view in the explorer and use the navigation panel on the left side when accessing the drives to avoid triggering the autorun… then delete autorun.inf and password_viewer.exe or bar311.exe
4. open notepad then type what is shown below as is…
@echo off
del /a /f c:\Windows\bar311.exe
del /a /f c:\Windows\password_viewer.exe
del /a /f c:\Windows\photos.zip.exe
del /a /f c:\Windows\pc-off.bat
pause
then save this as remove.bat then click to run…. it will remove this annoying types of PC shut-off thing of virus…
Try it.. it works peepz…
Reply
sumanta Reply:
December 14th, 2010 at 9:33 pm
very useful info by you,thank for sharing
Reply
robert Reply:
September 24th, 2011 at 4:35 pm
thank you so much i will try it…
it is the best solution i ever found! i tried a lot but this is the most accurate. thanks!
Reply
ah. had the same problem a few months ago… pero ang ginamit ko noob killer.
Reply
not working
Reply
Great… my friend problem was solve.. thanks br0
Reply
Hi there! Thanks very much for this. I was able to get rid of this extremely annoying virus and can now use “CMD” anytime. Thanks again!
-BC
Reply
ei thanks…it really works…;)
Reply
Im having trouble with my PC coz every 2:30 min in using it, my internet connection is gone…how to solve this please help me..tnx
Reply
hi
got into registry editor but auto run is not there ??
Reply
WOW IT IS A GOOD WAY BUT MAK IT EASY FOR THOSE WHO DONT KNOW COMPUTER BY USEDING THE COAD ONLY BESIDE THIS PC AutoOff Fix
Reply
This is the first time I commented here and I should say that you give genuine, and quality information for other bloggers! Great job.
p.s. You have a very good template . Where have you got it from?
Reply
it’s not working for me. i followed all instructions (deleted the registry value and ran the batchfile editor) but still it went autoshut down..when i checked it again, the value was still there.. Please help me. ae there other alternatives for my problem? PLEASE MAIL ME. dhey_scarlet16@yahoo.com your tip will be highly appreciated! thanks and God bless!
Reply
i want to thank the owner of this blog for being generous in posting some solutions regarding malwares..
may God bless you more 
)
(unfortunately it didn’t work for me, but it worked for others though..
i’ve surfed the net for alternative solutions..i found something that works for my pc. so if the solution above doesn’t work on your pc,it may have other problems that should be fixed first.
you may try this:
http://www.testmy.net/forum/index.php?topic=22968.msg266502
just click the link
Thanks people.:) God Bless!
Reply
It works!!! Thanks….
Reply
Hello guys,
Thanks for the solution but you are lacking one important thing!
Pls do this first before following the instructions above:
First, stop the virus application running at the Windows background (processes)
Press CTRL-ALT-DEL and select Task Manager.
Go to the Processes tab and stop the application: (bar311.exe, password_viewer.exe, and photos.zip.exe).
Then you can proceed with the other remaining steps..
Thanks!
Reply
Thank bro!..
it’s really work..
Reply
WOWOWOWOWOWOW!!!!!!! WHAT A GENIUS!!!!!!!!!! 100 STARS FOR YOU BRO!!!!!! YOU’VE SOLVE MY PROBLEM IN A FEW SECONDS!!!!
Reply
how to make a shutdown virus??????????
Reply
thank you very much…
since i cannot go to “regedit,” i just search for the “.bat” file and alas! the “pc-off.bat” appeared…i just deleted this file and the problem with “cmd autshutoff” is corrected…
Reply
its not working for me…when i restart my computer, it appears again.. my avast anti-virus detects the pc-off.bat virus.. what should i do?? pls email me..thanx!
Reply
natzz1569@yahoo.com.. pls email me here..thanx!
Reply
Ah.. Paano download and run batch file?
you mean that i will run autoshutdown?
Reply
after i flug in my mp3 player on my computer i saw a folder named “bi mat” i tried to delete it but it returns continoustly.
so when i open the folder my computer started to shutdown again and again…
i think there is some kind of virus enter my computer…
can anyone help me plzzz.
i cant open any files because the pc shutz in the first 5 sec. of its open… plz plz plz ty so much
Reply
I would like to thank the one who has saved my computer !!
thank you very much dude, now I can run CMD.
Thank god people like you are around.
Reply
Winston Reply:
September 11th, 2009 at 8:33 am
hi james. It’s my pleasure to help.
Reply
Anik Reply:
June 19th, 2012 at 3:13 am
Hi, this is Anik
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“Userinit”=”userinit.exe,bar311.exe” —> remove “, bar311.exe”
I followed the above steps but I didnt find any file named pc-off.bat or bar311.exe but my computer still turns off automatically. Is there any other way to stop it? Can you help me James?
Reply
You saved my laptop! haha! Thank you soooooo much!
Reply
Did the alternate registry edit & deleted pc-off.bat.
Delete successful then downloaded PC AutoOff Fix bat file
I executed it but then same shutdown scenario..
I was able to see password_viewer.exe and photos.zip.exe from the cmd window while it shutdown
Please help.. i discovered that I’m infected when I’m tried to remove shoppingreport.dll.
Thank you for the post. By the time i read the initial paragraphs of this post, I know i should stick with your posts ^_^.
Reply
cant download pc off fix..=(pls help..
Reply
Hi,
It works… Thnkz and Appreciated…
Reply
this man is a big dumb genius! thanks for these Blog! u helped me a lot! Thanks, God Bless!
Reply