The PC-OFF.BAT virus loads a shutdown script when you log on to Windows XP. A few seconds after logging in, Windows shuts down. This also affects Safe Mode. The countdown timer is set to only a few seconds, which does not leave the user time to enter "shutdown -a" in the Run box; you may not even see the emergency shutdown dialog before the machine shuts down.
In order to remove the files, you'll need the Windows XP CD. Other options include putting the hard drive into another computer, or using a LiveCD (BartPE or Linux) to remove the files.

Remove the files from your hard drive using the Windows XP CD
1. Insert the Windows XP disc into the CD-ROM drive. You may need to adjust your BIOS settings to boot from the CD-ROM first.
2. When the "Welcome to Setup" screen appears, press "R."
3. Select the installation you wish to access (there should be only one option for most systems).
4. Enter the administrator password when asked.
5. Once at the Recovery Console prompt, type the following command and press ENTER: chdir c:\windows
6. Type the following command and press ENTER: del bar311.exe
7. Type the following command and press ENTER: del password_viewer.exe
8. Type the following command and press ENTER: del photo.zip.exe
9. Type the following command and press ENTER: del pc-off.bat
10. Type the following command and press ENTER: exit
11. Remove the Windows XP disc and restart your computer.
Once pc-off.bat is removed from the Windows directory, you'll be able to log on to Windows without it shutting down immediately. There are still remnants left over in the registry though; best to clean those up.
1. Go to Start -> Run, type "regedit" and press ENTER.
2. Go to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon and find the Userinit value: "Userinit=C:\WINDOWS\system32\userinit.exe,xxxxxx.exe", where xxxxxx.exe is bar311.exe, photo.zip.exe or password_viewer.exe.
3. Delete bar311.exe, photo.zip.exe or password_viewer.exe from the value, but be sure to leave userinit.exe! If you delete that, you will be unable to log on to Windows.
4. Go to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced and set the following values: "Hidden=dword:00000001 (1)", "HideFileExt=dword:00000000 (0)", "ShowSuperHidden=dword:00000001 (1)".
5. Go to HKEY_CURRENT_USER\software\microsoft\Command Processor and find the AutoRun value: "autorun=c:\windows\pc-off.bat". Remove "c:\windows\pc-off.bat".
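The registry clean-up above touches three persistence points: the Winlogon Userinit value, the Command Processor AutoRun value, and the Explorer\Advanced display settings. The script below is an added example, not code from the original post; it audits a registry export (a .reg file produced by regedit's Export command) for exactly those three points and reports what deviates from a clean state, so you can confirm the clean-up before rebooting. The .reg fragments it contains are constructed to mirror the infected and clean states the post describes; value names and the trailing comma on the default Userinit value are assumptions about a stock Windows XP install.

```python
import re

# Registry paths the post names (lower-cased for comparison).
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
CMD_PROC = r"hkey_current_user\software\microsoft\command processor"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"

# Explorer\Advanced values the post says to restore: show hidden files,
# show file extensions, show protected operating-system files.
EXPECTED_ADVANCED = {"hidden": 1, "hidefileext": 0, "showsuperhidden": 1}

# Constructed .reg fragment (not from the page) reproducing the infected state it describes.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,bar311.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="c:\\windows\\pc-off.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

# Constructed clean counterpart (assumes the stock XP Userinit value with its trailing comma).
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000000
"ShowSuperHidden"=dword:00000001
'''


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lower: {value_name_lower: value}}.
    Handles quoted strings (with \\ and \" unescaped) and dword values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            keys[current][name] = data
    return keys


def audit(keys):
    """Return a list of findings; an empty list means the three persistence points look clean."""
    findings = []
    userinit = keys.get(WINLOGON, {}).get("userinit", "")
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    # The genuine entry is userinit.exe in system32; anything else appended here runs at logon.
    if not any(e.lower().endswith("userinit.exe") for e in entries):
        findings.append("Userinit is missing userinit.exe; logon would fail if left this way")
    for e in entries:
        if not e.lower().endswith("userinit.exe"):
            findings.append("extra Userinit entry: " + e)
    autorun = keys.get(CMD_PROC, {}).get("autorun", "")
    if autorun:
        findings.append("Command Processor AutoRun is set: " + autorun)
    advanced = keys.get(ADVANCED, {})
    for name, want in EXPECTED_ADVANCED.items():
        got = advanced.get(name)
        if got != want:
            findings.append("Explorer\\Advanced %s is %r, expected %d" % (name, got, want))
    return findings


def cleaned_userinit(userinit):
    """Keep only the userinit.exe entry, as the post instructs (never drop userinit.exe itself).
    The stock XP value ends with a trailing comma, which is reproduced here."""
    keep = [e.strip() for e in userinit.split(",") if e.strip().lower().endswith("userinit.exe")]
    return ",".join(keep) + ","


if __name__ == "__main__":
    for label, text in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        print(label + ":")
        for finding in audit(parse_reg_export(text)) or ["no findings"]:
            print("  " + finding)
```

Run it against an export of the three keys taken after the regedit steps; any remaining finding points at a value that still needs attention. The Userinit check deliberately flags every entry that is not userinit.exe rather than only the three filenames the post lists, since the dropper's name can vary.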