
I executed a .scr file (without prior checking of the file ending, because the filename was longer than what Explorer showed) and there was a popup saying something. Instant realization that I probably f***ed up. I didn't click anything on the dialog, but switched to Task Manager and killed the process running it (in the hope that the process displaying the dialog was waiting for a response before going on), and afterwards deleted the file.

Now I Googled for quite a while, and found out it might be the so-called "Sohanad virus". Now, while BitDefender and the Emsisoft Emergency Kit are running in the background: the symptoms of this virus are denial of access to the registry and some Windows features. I still have access to all these features, I checked for any unknown processes, and the scans of BitDefender and the Emergency Kit have not returned any threats or malicious files.

I checked several system executables (svchost, csrss) on VirusTotal, without any of them being identified as malicious. I don't experience any differences with the system and I have access to regedit and so on. There is no unusually high load on CPU/HDD/RAM or anything else. I also did some research on the Sohanad thing, and it seemed to be around mainly a few years ago, so I assume that modern antivirus systems should be able to correctly identify it when checking the filesystem.

My questions now:

1. How high are the chances I got my system infected?
2. What additional efforts can I perform to check if my system is clean or infected?

In the worst-case scenario, I have Ubuntu on dual boot, from where I can back up all my stuff and reset Windows, but I really want this as a last resort. If possible I want to make sure my system is not infected in any way. I do not have any passwords stored on my PC, nor any PayPal, bank, etc. data associated with any software.

Vilican
    Unfortunately, we are not tech support or a virus removal forum. The best answer we can give is to reformat and reinstall from scratch if you believe that you are infected. – schroeder Nov 28 '15 at 16:34

1 Answer


First, an SCR file is an executable file so it could really have been any malware in existence. Failing more specific evidence you didn't share, there is no reason to believe it was the Sohanad worm. In fact, given you do not see any of the symptoms attributed to Sohanad and your virus scanner did not detect it as such, it was quite probably something else. It is most unfortunate you deleted it so now you have no way to find out what it actually was.

Second, there is no such thing as a partial execution. The executable was loaded and started, as evidenced by the fact that it popped up a message. If it was malware then there's no reason to believe it really sat idle while waiting for you to dismiss the message. It is quite possible that it had already started to compromise your system in the background.

Third, checking "several system executables" is not enough to assure your system is clean. If your system was compromised then malware may be hiding in any location. Not every malware modifies regular Windows executables.

Your safest course of action would be to reinstall the system from known good media. At the very least, perform a full scan of your system from an antivirus live CD.

Tilman Schmidt
  • Do you recommend a certain antivirus live CD, or do the regular ones do the job? – random_guy Nov 28 '15 at 15:38
  • I'm quite satisfied with the "desinfec't" antivirus disk I get once a year with my subscription to the German c't magazine, but I don't know if you can get that where you are. But the essential point is that you run the scan from a clean boot, not from inside the possibly compromised system. Any live CD will do that. – Tilman Schmidt Nov 28 '15 at 15:50
  • When the point is to run the scan from a clean boot, will the Ubuntu partition do that as well? – random_guy Nov 28 '15 at 15:51
  • Theoretically the malware may have compromised your Ubuntu installation too, either directly or by infecting the boot partition. But so far I've never encountered such a case. So booting from an actual read-only CD would be marginally more secure, but the Ubuntu partition can be considered good enough, provided it has a virus scanner. – Tilman Schmidt Nov 28 '15 at 16:05
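The answer's first point, that an SCR file is simply a PE executable under another name, can be checked from the file's bytes rather than from the name Explorer happens to display. The following is an added example (not code from the question, the answer, or any product named above); the file names and the minimal PE header it builds are constructed for illustration, and the extension sets are a hypothetical subset, not an exhaustive list of what Windows will execute.

```python
# Added example: inspect a file's content instead of trusting the displayed name.
# A .scr file is a PE executable, so the MZ/PE signatures identify it regardless
# of how long the filename is or what Explorer truncates away.
import os
import struct

# Hypothetical subset of extensions Windows runs directly (illustration only).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".vbs", ".js"}
# Extensions often used as the harmless-looking inner part of a double extension.
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def assess(filename: str, data: bytes) -> dict:
    """Combine the real (last) extension with the content check into one verdict."""
    stem, ext = os.path.splitext(filename.lower())
    inner = os.path.splitext(stem)[1]            # e.g. ".jpg" in "photo.jpg.scr"
    is_pe = looks_like_pe(data)
    return {
        "real_extension": ext,
        "executable_extension": ext in EXECUTABLE_EXTS,
        "pe_content": is_pe,
        "double_extension": inner in DOCUMENT_EXTS,
        # A PE body under a document-like extension is the strongest red flag.
        "content_name_mismatch": is_pe and ext not in EXECUTABLE_EXTS,
        "treat_as_executable": is_pe or ext in EXECUTABLE_EXTS,
    }

def make_sample_pe() -> bytes:
    """Constructed minimal header: MZ stub, e_lfanew = 0x40, then the PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20

if __name__ == "__main__":
    # Constructed names: a long double extension like the one in the question, and a real JPEG.
    print(assess("holiday_pictures_from_our_trip_2015.jpg.scr", make_sample_pe()))
    print(assess("cat.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 100))
```

On a real file, read it in binary mode and pass the bytes to `assess`; a `treat_as_executable` verdict means the name should not be trusted no matter what Explorer displays.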