Computer ShutDown / Restart When You Type cmd In Run To Launch Command Prompt fix





One of our readers reported a common virus problem that causes his computer to restart every time he tries to launch the command prompt. Below is what he sent us in his mail:
My Computer gets shutdown when I type cmd in run prompt to start command prompt, I know this is a virus problem please help me solve this problem.
This is virus activity that prevents use of the command prompt on the infected machine. The virus is called the PC-OFF.bat trojan, and it turns off or shuts down your computer whenever you try to use the command prompt by any means.
The infected computer restarts on opening command prompt.
This PC-OFF.bat virus creates the following files
  • password_viewer.exe
  • bar311.exe
  • photo.zip.exe
  • pc-off.bat
at the following locations
  • c:\windows\bar311.exe
  • c:\windows\password_viewer.exe
  • c:\windows\photo.zip.exe
  • c:\windows\pc-off.bat
Another variant of this virus is recognized as the bar311.exe virus, a.k.a. winzip123. It has almost the same symptoms, and whenever you boot your Windows XP computer in safe mode it shows the message: Thank You!!! Password:Winzip123
Here is the fix to remove this shutdown virus completely from the computer.
Fix:
1. Open Task Manager by pressing Ctrl+Shift+Esc, click the Processes tab, locate the processes named ‘password_viewer.exe’, ‘bar311.exe’ and ‘photo.zip.exe’ one by one, then right-click each one and select ‘End Process’.
2. Open Start Menu >> Run, type regedit and press Enter key or OK button
3. Navigate to the following path
HKEY_LOCAL_MACHINE \ SOFTWARE \ MICROSOFT \ WINDOWS NT \ CURRENTVERSION \ WINLOGON
4. Locate the value named Userinit in the right pane. It will look like one of the following:
"Userinit" = "C:\WINDOWS\system32\userinit.exe,bar311.exe"
Double-click it and remove the text ‘bar311.exe’ from the above
OR
"Userinit" = "C:\WINDOWS\system32\userinit.exe,photo.zip.exe"
Double-click it and remove the text ‘photo.zip.exe’ from the above
OR
"Userinit" = "C:\WINDOWS\system32\userinit.exe,password_viewer.exe"
Double-click it and remove the text ‘password_viewer.exe’ from the above
Note: Please make sure that after editing, the Userinit value is only
C:\WINDOWS\system32\userinit.exe (as shown in the image below)


5. Navigate to the following path now
HKEY_CURRENT_USER \software\microsoft\windows\currentversion\explorer\advanced
Change the data of the following registry values:
"Hidden"=dword:00000001 (1) – Change to ‘1’
"HideFileExt"=dword:00000000 (0) – Change to ‘0’
"ShowSuperHidden"=dword:00000001 (1) – Change to ‘1’

6. Navigate to the following registry path
HKEY_CURRENT_USER \software\microsoft\Command Processor
Find the registry value named autorun, right-click it and delete it. Its data would be autorun=c:\windows\pc-off.bat


7. Open Notepad and type the following commands:
@echo off
rem /a matches files whatever their attributes (hidden, system); /f forces deletion of read-only files
del /a /f c:\windows\bar311.exe
del /a /f c:\windows\password_viewer.exe
del /a /f c:\windows\photo.zip.exe
del /a /f c:\windows\pc-off.bat
pause
Save it as remove-pc-off-virus.bat and double-click it to run it.
8. Search for bar311.exe OR password_viewer.exe OR photo.zip.exe OR pc-off.bat and delete these files wherever they are found on your computer.
OR
use this script instead:
@echo off
rem clear the System and Read-only attributes on these locations first
attrib -s -r c:\windows
attrib -s -r E:\
rem /a matches files whatever their attributes; /f forces deletion of read-only files
del /a /f c:\windows\bar311.exe
del /a /f c:\windows\password_viewer.exe
del /a /f c:\windows\photo.zip.exe
del /a /f c:\windows\pc-off.bat
del /a /f c:\windows\iph.exe
del /a /f c:\windows\autorun.inf
pause
Save it as a .bat file and run it.
9. That’s it. The PC-OFF virus is now completely removed from your computer.
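To confirm the cleanup, the PowerShell script below re-checks the processes, registry values and files named in steps 1 to 8 and changes nothing; it is an added example, not part of the original post. It assumes PowerShell is installed (it is not part of a default Windows XP install) and that the step 5 value is spelled ShowSuperHidden.

```powershell
# Added example: read-only check of the items named on this page. Changes nothing.
$findings = @()

# Step 1: processes that should no longer be running
$procs = Get-Process -Name 'bar311','password_viewer','photo.zip' -ErrorAction SilentlyContinue
foreach ($p in $procs) { $findings += "Process still running: $($p.ProcessName) (PID $($p.Id))" }

# Step 4: Userinit must contain only the path to userinit.exe
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$userinit = (Get-ItemProperty -Path $winlogon).Userinit
$extra = @($userinit -split ',' | ForEach-Object { $_.Trim() } |
    Where-Object { ($_ -ne '') -and ($_ -ne $expected) })
if ($extra.Count -gt 0) { $findings += "Userinit has extra entries: $($extra -join ', ')" }

# Step 5: Explorer view settings the page says to restore
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$want = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }
$cur = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
foreach ($name in $want.Keys) {
    if ($cur.$name -ne $want[$name]) {
        $findings += "$name is '$($cur.$name)', step 5 expects $($want[$name])"
    }
}

# Step 6: cmd.exe runs this value on every start; it should be absent
$cmdKey = 'HKCU:\Software\Microsoft\Command Processor'
$autorun = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).AutoRun
if ($autorun) { $findings += "Command Processor AutoRun is set: $autorun" }

# Steps 7-8: dropped files in the Windows directory (hidden files included)
foreach ($n in 'bar311.exe','password_viewer.exe','photo.zip.exe','pc-off.bat') {
    $path = Join-Path $env:SystemRoot $n
    if (Test-Path -LiteralPath $path) { $findings += "File still present: $path" }
}

if ($findings.Count -eq 0) { 'No traces of the listed processes, values or files were found.' } else { $findings }
```

Run it from a PowerShell window rather than from cmd.exe, because the autorun value from step 6 is executed every time cmd.exe starts.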





