[Solved] Suspecting harmful files on laptop

[xMyuuchanx]

While I was looking at msconfig > startup list, there was two items on the list that seems suspicious to me.

(Startup Item > Manufacturer > Command> Location)

1. KOO9RV9K4Z > Unknown > C:\User\User\AppData\Local\Temp\Djd.exe > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

2. Metropolis > Unknown > rundll32.exeC:\Windows\system32\sschnas21.dll,GetH andle > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Among the two, I'm very suspicious of the second because there was a time I caught a virus accidentally (fake anti-virus alert pop up on start ups, apparently) that I scanned and put the sschnas21.dll in sandbox and deleted, ever since then whenever I start up my laptop, I would get an error prompt about sschnas21.dll couldn't be found.

I'm wondering what are those, and if they're harmful.
If so, how would you suggest I remove them?
(I have disabled them from starting up automatically for the time being.)

[profilerscot]

Have you tried running Malwarebytes?

[xMyuuchanx]

No I haven't because I thought I couldn't tell if it's a false positive or not.
Now that you mention it, I'll give it a go and maybe post the result here.

EDIT:
Here's the result I got from performing a quick scan:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6835

Windows 6.0.6000
Internet Explorer 7.0.6000.16916

6/11/2011 11:57:23 PM
mbam-log-2011-06-11 (23-57-15).txt

Scan type: Quick scan
Objects scanned: 161600
Time elapsed: 14 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\KOO9RV9K4Z (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Users\User\favorites\常用 (Malware.Trace) -> No action taken.
c:\Users\User\favorites\常用\360游戏 (Malware.Trace) -> No action taken.

Files Infected:
c:\Users\User\AppData\Local\Temp\wl0729184.exe (Trojan.Dropper) -> No action taken.
c:\Users\User\favorites\常用\ 手机充值.url (Malware.Trace) -> No action taken.
c:\Users\User\favorites\常用\ 网址大全.url (Malware.Trace) -> No action taken.
c:\Users\User\favorites\常用\ 谷歌.url (Malware.Trace) -> No action taken.
c:\Users\User\favorites\常用\360游戏\ 360游戏中心.url (Malware.Trace) -> No action taken.
c:\Users\User\favorites\常用\360游戏\ 商业大亨.url (Malware.Trace) -> No action taken.
c:\Users\User\favorites\常用\360游戏\ 弹弹堂.url (Malware.Trace) -> No action taken.
c:\Users\User\favorites\常用\360游戏\ 明朝时代.url (Malware.Trace) -> No action taken.
c:\Users\User\favorites\常用\360游戏\ 武侠风云.url (Malware.Trace) -> No action taken.
c:\Users\User\favorites\常用\360游戏\ 盘龙神墓.url (Malware.Trace) -> No action taken.
c:\Users\Us

[profilerscot]

ok now you know there is a problem, do a full scan and instruct malwarebytes to deal with the problems.

[xMyuuchanx]

Actually I'm quite worried about the "infected registry keys". Are they really infected or just false positives?
Instruct it to deal with the problems? As in let it remove all of those?
*will do a full scan now*

[KarumA]

You can have them moved the quarentine if you want to be carefull.
Do you still have that error .dll cannot be found when you boot up your laptop?
That simply means the virus file is gone but in the registry the command to run it on boot is still there.
Before you do anything in the registry though, do make an export.

The lower list listed as favourites etc. can be removed without a problem. The Troyan.FakeAlert as well, they do nothing but exploit your internet browser with unneeded thing or send out data liek sites you visit.

my advice: move them to quarentine which disables them, see if it causes any troubles.. if not remove them.

[xMyuuchanx]

Thank you for your input.
My laptop is running the full scan right now, I will post up the result again if it found out more stuff than the ones mentioned above.
Yes, I still have the .dll error now. I'm aware that the command is still running (and I have only just disabled it through startup, haven't restarted my laptop so I don't know if it will show up again), is there a way for me to remove the command?

With the list above, I assume the only thing that I should be cautious with is "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace)" then? Okay, I will take your advice and quarantine that one while I delete the other 3 Trojan.FakeAlert.
One thing though, if I quarantine that one, is there a need for me to export the registry beforehand?

[fataltea]

If you only quarantine it, you should not need to export/backup your registry beforehand. The quarantine will not delete the file - and if you experience issues afterward, you can instruct malwarebytes to restore this item.

(also, as far as I know, this /Handle registry value is indeed a bit of malware)

[xMyuuchanx]

I understand, thanks for the info, Tea-san!
I thought something huge might happen if I quarantined/disabled the wrong registry item <-is ignorant.

[KarumA]

I looked up some information about the .dll warning you keep on having. Apperantly it is part of an infection, so far read people who had this had afterward scanned with Malwarebytes and the messaged stopped displaying afterward.
It might do the same for you.

Steps to take afterward:
- if you still are unsure of being infected or not do a scan with Combofix. Shut down all internet browsers, make sure firewall is down as well as your own active anti virus before you scan with it so it doesn't clash. A guide and tutorial on using ComboFix

If you're sure youre no longer infected, time to clear out all temps etc. TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums in case anything is still hidding in there. Save to desktop, run. It will shut down all other programs so save any thing you have open. Let it run, when it is done reboot which either happens automatically or manually.