# Removing the cmd auto shutdown virus

A few moments ago, I fixed my friend’s computer’s problem. She was having problems accessing the command prompt (DOS) from her Windows XP operating system. Every time she attempts to execute “cmd” on her Run dialog box, her computer automatically shuts down. Here is my analysis on how the virus prevents her from using the command prompt and how to remove the virus from the system.
Problem

A virus is preventing the user from using the command prompt. When “cmd” is used, the system automatically shuts off.

Analysis

After giving attempting the “cmd” on her system, the command prompt executes a file called “pc-off.bat“. If my assumptions are correct, this file causes the system to shut down. The file injects itself before the “cmd” command starts.

The only way that this can be done is to inject a command in the Command Processor registry entry. To solve the problem, we have to trace and remove the command that was injected by the virus.

Solution

We must first gain access to our registry editor (regedit on your run prompt). In some cases, the virus disables user (admin) access to the registry. Since the virus injects itself in our command prompt, using DOS to access the registry is not possible. What I can suggest is you download and install an alternate registry editor which you can use to browse your registry editors.

One you gain access to the system registry, browse on the [HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor] and remove the “autorun“= “c:Windowspc-off.bat” entry.

Remove or delete the highlighted entry.

In some reported cases, the pc-off.bat virus have other variations like bar311.exe, password_viewer.exe, and photos.zip.exe. The fix file above should remove these files as well.

After fixing the problem, update your anti-virus or buy an updated anti-virus to prevent further infection.

### Related articles

1. wow! thanks for this post! It helped me solve my shutdown prob

papz here is my instruction how to delete this virus shutdown.

he pc-off.bat contains the syntax like this”C:/path/shutdown -s -f -t 2 -c” which automatically shutdown your computer when you run the cmd.exe. So heres the solution to this problem… just follow these simple steps that im goin to discuss….

Manual removal:

1. upon start up…. after os loading… go to task manager by pressing CTRL+ALT+DEL then kill (end process) password_viewer.exe or bar311.exe or photos.zip.exe…

2. EDIT the following registry entries thru regedit at start/run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“Userinit”=”userinit.exe,bar311.exe” —> remove “, bar311.exe” only… leave userinit.exe because this is used by Windows when you log-in…

[HKEY_CURRENT_USER\Software\Microsoft\Windows\
“Hidden”=dword:00000001
“HideFileExt”=dword:00000000
“ShowSuperHidden”=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
“autorun”=”c:\Windows\pc-off.bat” –> remove “c:\Windows\pc-off.bat” or delete the autorun key.

3. go to your thumb drive, please use the folders view in the explorer and use the navigation panel on the left side when accessing the drives to avoid triggering the autorun… then delete autorun.inf and password_viewer.exe or bar311.exe

4. open notepad then type what is shown below as is…

@echo off
del /a /f c:\Windows\bar311.exe
del /a /f c:\Windows\photos.zip.exe
del /a /f c:\Windows\pc-off.bat
pause

then save this as remove.bat then click to run…. it will remove this annoying types of PC shut-off thing of virus…

Try it.. it works peepz…

very useful info by you,thank for sharing

thank you so much i will try it…

2. engr vicencio says:

it is the best solution i ever found! i tried a lot but this is the most accurate. thanks!

3. tiara says:

ah. had the same problem a few months ago… pero ang ginamit ko noob killer.

4. andi says:

not working

5. specialist says:

Great… my friend problem was solve.. thanks br0

6. BellaCullen says:

Hi there! Thanks very much for this. I was able to get rid of this extremely annoying virus and can now use “CMD” anytime. Thanks again!

-BC

7. abby says:

ei thanks…it really works…;)

8. keepU says:

Im having trouble with my PC coz every 2:30 min in using it, my internet connection is gone…how to solve this please help me..tnx

9. anthony says:

hi
got into registry editor but auto run is not there ??

10. T J B says:

WOW IT IS A GOOD WAY BUT MAK IT EASY FOR THOSE WHO DONT KNOW COMPUTER BY USEDING THE COAD ONLY BESIDE THIS PC AutoOff Fix

11. car floor jacks says:

This is the first time I commented here and I should say that you give genuine, and quality information for other bloggers! Great job.
p.s. You have a very good template . Where have you got it from?

12. yen says:

it’s not working for me. i followed all instructions (deleted the registry value and ran the batchfile editor) but still it went autoshut down..when i checked it again, the value was still there.. Please help me. ae there other alternatives for my problem? PLEASE MAIL ME. dhey_scarlet16@yahoo.com your tip will be highly appreciated! thanks and God bless!

13. yen says:

i want to thank the owner of this blog for being generous in posting some solutions regarding malwares.. may God bless you more
(unfortunately it didn’t work for me, but it worked for others though.. )

i’ve surfed the net for alternative solutions..i found something that works for my pc. so if the solution above doesn’t work on your pc,it may have other problems that should be fixed first.
you may try this:

http://www.testmy.net/forum/index.php?topic=22968.msg266502

Thanks people.:) God Bless!

14. talens126 says:

It works!!! Thanks….

15. Cyrus says:

Hello guys,

Thanks for the solution but you are lacking one important thing!
Pls do this first before following the instructions above:

First, stop the virus application running at the Windows background (processes)
Press CTRL-ALT-DEL and select Task Manager.
Go to the Processes tab and stop the application: (bar311.exe, password_viewer.exe, and photos.zip.exe).

Then you can proceed with the other remaining steps..

Thanks!

16. ramaq says:

Thank bro!..

it’s really work..

17. kevlocky says:

WOWOWOWOWOWOW!!!!!!! WHAT A GENIUS!!!!!!!!!! 100 STARS FOR YOU BRO!!!!!! YOU’VE SOLVE MY PROBLEM IN A FEW SECONDS!!!!

18. rifai says:

how to make a shutdown virus??????????

19. mr. winner says:

thank you very much…
since i cannot go to “regedit,” i just search for the “.bat” file and alas! the “pc-off.bat” appeared…i just deleted this file and the problem with “cmd autshutoff” is corrected…

20. Natzz Reyes says:

its not working for me…when i restart my computer, it appears again.. my avast anti-virus detects the pc-off.bat virus.. what should i do?? pls email me..thanx!

21. Natzz Reyes says:

natzz1569@yahoo.com.. pls email me here..thanx!

22. sinomee says:

you mean that i will run autoshutdown?

23. daniboyu says:

after i flug in my mp3 player on my computer i saw a folder named “bi mat” i tried to delete it but it returns continoustly.
so when i open the folder my computer started to shutdown again and again…
i think there is some kind of virus enter my computer…
can anyone help me plzzz.
i cant open any files because the pc shutz in the first 5 sec. of its open… plz plz plz ty so much

24. James says:

I would like to thank the one who has saved my computer !!
thank you very much dude, now I can run CMD.
Thank god people like you are around.

hi james. It’s my pleasure to help.

Hi, this is Anik

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“Userinit”=”userinit.exe,bar311.exe” —> remove “, bar311.exe”

I followed the above steps but I didnt find any file named pc-off.bat or bar311.exe but my computer still turns off automatically. Is there any other way to stop it? Can you help me James?

25. Joena Marie says:

You saved my laptop! haha! Thank you soooooo much!

26. Wafukz says:

Did the alternate registry edit & deleted pc-off.bat.
I executed it but then same shutdown scenario..

I was able to see password_viewer.exe and photos.zip.exe from the cmd window while it shutdown

Thank you for the post. By the time i read the initial paragraphs of this post, I know i should stick with your posts ^_^.

27. Bea says:

28. WinHein says:

Hi,

It works… Thnkz and Appreciated…