Yesterday I got hit by “pc-off.bat” virus. It makes your PC restart whenever you open the Command Prompt. I don’t know where I got it, but I was downloading laptop drivers off Dell.com when the thing appeared. Or maybe it was from my memory card reader. Anyway, here’s what I did…

I knew it was a virus since it showed the message “Thank You!!! Password:Winzip123”, normal programs don’t do that. My anti-virus (Comodo) had detected a C:\WINDOWS\pc-off.bat, but was unable to quarantine it.

Then I checked the Processes tab under Windows Task Manager (ctrl+alt+del), and looked for odd or suspicious processes. I saw a “bar311.exe” so I immediately ended it. After this, you can now manually delete or quarantine the pc-off.bat file. Again, I used Comodo to quarantine and remove the file and this time it was able to remove it without a hitch.

But then the pc-off.bat virus has some leftovers. Because whenever I open the Command Prompt, an autorun error appears as it attempts to run the pc-off.bat file.

I suspect the virus has altered an entry in the Windows Registry. So, I popped Regedit (go to Run, type regedit then press enter) then go to: HKEY_CURRENT_USER, SOFTWARE, Microsoft and then Command Processor. On the right column you will see an entry with “autorun” and “pc-off.bat”, simply select that, right click and then delete.

To prevent the virus from running again, go to: HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, Windows NT, CurrentVersion and then Winlogon. Then select the “Userinit” field, you will see “bar311.exe”. Select it, right click, modify then remove the “, bar311.exe” beside userinit.exe. You can now delete the bar311.exe file under C:\WINDOWS\ folder.

Run another round of virus scan just to be sure. This works for Windows XP SP3.

Posted by Tofu on Tue 06/16/2009 at 07:37:51 UTC+10 under Tech & Online.

Post URL: http://www.zai3p.com/blog/how-to-remove-pc-off-bat/

Tagged: bar311.exe, Comodo, Microsoft, pc-off.bat, virus, Windows XP