Solved

Computer attacked by malware now this message upon reboot

Posted on 2008-10-26
43
581 Views
Last Modified: 2013-11-30
Got hit with Antispyware2009 malware this morning. Used Spy Sweeper to get rid of it. After rebooting some of my programs did not function properly, rebooted again and then I got the error message "Unable to load sqlboot.dll, server has been tampered with etc." Used regedit to repair, programs are still not functioning and the same error message occurs. PC running XP and Internet Explorer.
43 Comments
 
LVL 12

Expert Comment

by:jazzIIIlove
ID: 22808518
Hi there;

Please follow the instructions below link...But first close sys. restore and send us a hijackthis log...Don't fix yet...

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_23656472.html?sfQueryTermInfo=1+2009+antiviru

best regards...
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22809132
This thread may provide additional help>
"SQL Server installation is either corrupt or has been tampered with":
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_21327743.html

<Quote> You may need to reinstall SQL Server - at the very least reinstall the latest service pack. If both of these don't work, call MS PSS. It looks like the installation directory has been damaged or changed, or the registry has been edited <unquote>
0
 

Author Comment

by:Sebor98
ID: 22809212
Here is the HijackThis file.

thanks for the help
hijackthis1.txt
0
 

Author Comment

by:Sebor98
ID: 22809395
How do I reinstall SQL server?
0
 
LVL 22

Assisted Solution

by:orangutang
orangutang earned 50 total points
ID: 22809426
Try Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22809433
Then send another updated HijackThis log.
0
 

Author Comment

by:Sebor98
ID: 22809459
I thought I got rid of the virus, can you tell from the log? Now the problem is some of my program files are missing ie. word, palm, quicken, as well as the error message upon reboot.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22809491
No, you're still infected. These are suspicious:
O4 - HKLM\..\Run: [brastk] brastk.exe
O20 - AppInit_DLLs: karna.dat

You probably have a rootkit that's hiding other items in your HijackThis log.
0
 

Author Comment

by:Sebor98
ID: 22809576
Attached hijack log as well as malware log.

Thanks
mbam-log-2008-10-26--18-07-50-.txt
hijackthis2.txt
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22809600
Your log seems clean. Remove this to clean up:
O20 - AppInit_DLLs: karna.dat

There are also a lot of missing files in your HijackThis. I guess the virus deleted a lot of startup programs. You also might want to scan with one more virus scanner such as SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE). Maybe someone else can help you with reinstalling SQL.
0
 

Author Comment

by:Sebor98
ID: 22809637
Thanks for the help on the virus, the startup programs are still a problem.
0
 

Author Comment

by:Sebor98
ID: 22809716
Still have the SQL server error message when I rebooted after malware scan.
0
 

Author Comment

by:Sebor98
ID: 22809726
Would it be safe to reinstall word, quicken etc.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22809772
I think so since your computer seems clean. But I would still check with at least one more scanner such as Anti-Malware.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22810485
As stated above let's try at least one more scanner, as no one scanner can guarantee removing all viruses & Malware>
Kaspersky free online virus scanner:
http://www.kaspersky.co.uk/virusscanner

Also try running RootkitRevealer v1.71
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

This link is for information only  .. looks like you were not alone!
http://www.castlecops.com/t227519-Karna_dat_is_it_gone.html

If your machine still looks good after scanning, i agree with orangutang, go ahead and try to reinstall Word, & quicken etc.   If one of the last two scanners picks up something we can always use a more powerful Tool such as ComboFix.


>How do I reinstall SQL server? <
Let's see if this article helps>
"SQL Server Installation Tutorial":
http://www.databasedesign-resource.com/sql-server-installation.html

Also>  "Free SQL Server Training Videos":
http://weblogs.asp.net/scottgu/archive/2007/03/01/free-sql-server-training-videos-and-other-good-data-tutorial-pointers.aspx
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22810951
What's your antivirus?
Do you still have Symantec installed there? There are Symantec references with files missing as well. It's likely that a file infector was present there at some stage and your scanner deleted the infected files, which caused programs not to function as their files are missing.
If in fact a file infector was at work, then you would need to reinstall those programs, or start fresh, whichever you prefer.
0
 

Author Comment

by:Sebor98
ID: 22815155
Ran another scan with webroot virus came up clean, tried to use the one you suggested but it kept saying I didn't have the right version of Java installed even after I downloaded the current version. Also ran rootkit reveal, it came up with 3 things, but now I can't find where I put the log file. How do I get the sql server program, do I have to download it?
By reinstalling this program is there a chance I can recover some missing data files that don't seem to be there any longer?
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22817553
You could try running RootkitRevealer again.  It's great at detecting a problem, but will not necessarily remove it, apparently.  

Did you originally download your SQL Server, and which version was it, please?

Hopefully you can use the ideas from this article>
"Recover the master database in SQL Server":
http://articles.techrepublic.com.com/5100-10878_11-5025441.html
0
 

Author Comment

by:Sebor98
ID: 22817968
I have never downloaded SQL server, it is just the error message I get when I boot.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22818002
>>>I have never downloaded SQL server, it is just the error message I get when I boot.<<

So you don't use it?
Then fix the relevant entries in HijackThis:
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: SQLAgent$VAIO_VEDB - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE (file missing)


or alternatively just stop and delete the services.

Delete these services --> MSSQLServerADHelper, SQLAgent$VAIO_VEDB
Go to Start Menu > Run > type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop MSSQLServerADHelper
sc delete MSSQLServerADHelper
sc stop SQLAgent$VAIO_VEDB
sc delete SQLAgent$VAIO_VEDB

exit
0
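The two HijackThis checks the experts do by eye above (O4/O20 entries that look out of place, and O23 services whose binary is gone) as an added Python example that is not from the thread or from HijackThis itself; it works on a constructed log modelled on the lines quoted in this thread, and the "bare filename in a Run entry" rule is a heuristic of this example, not a HijackThis feature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log, not one of the logs attached to the thread; the lines are modelled on
# the O4/O20/O23 entries quoted in the comments above, plus one healthy O4 and O23 for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
O20 - AppInit_DLLs: karna.dat
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: SQLAgent$VAIO_VEDB - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Webroot Software, Inc. (www.webroot.com) - (no file)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe -k netsvcs
""".strip()

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
# "Display Name (ShortName)"; the parenthesised short name is absent when both are the same.
SERVICE_NAME_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<name>[^()]+)\))?$")


@dataclass
class Findings:
    appinit_dlls: List[str] = field(default_factory=list)     # O20 values: rarely legitimate on XP
    bare_run_entries: List[str] = field(default_factory=list)  # O4 names whose command has no path
    missing_services: List[str] = field(default_factory=list)  # O23 short names with no binary


def parse_o23(rest: str) -> Optional[tuple]:
    """Return (short_service_name, path_field) from the text after 'O23 - Service: '."""
    parts = rest.split(" - ", 2)                   # display [(name)] - owner - path
    if len(parts) != 3:
        return None
    m = SERVICE_NAME_RE.match(parts[0])
    name = m.group("name") or m.group("display")   # no parentheses: short name == display name
    return name, parts[2].strip()


def analyze(log_text: str) -> Findings:
    f = Findings()
    for line in log_text.splitlines():
        line = line.strip()
        if m := O20_RE.match(line):
            f.appinit_dlls.append(m.group("value").strip())
        elif m := O4_RE.match(line):
            cmd = m.group("cmd").strip().strip('"')
            if "\\" not in cmd:                    # heuristic: bare filename, no install directory
                f.bare_run_entries.append(m.group("name"))
        elif m := O23_RE.match(line):
            parsed = parse_o23(m.group("rest"))
            if parsed and (parsed[1] == "(no file)" or parsed[1].endswith("(file missing)")):
                f.missing_services.append(parsed[0])
    return f


def sc_commands(service_names: List[str]) -> List[str]:
    """The stop/delete sequence given in the thread, one pair per orphaned service."""
    return [c for n in service_names for c in (f"sc stop {n}", f"sc delete {n}")]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("AppInit_DLLs:", result.appinit_dlls)
    print("Run entries without a path:", result.bare_run_entries)
    print("Services with no binary:", result.missing_services)
    print("\n".join(sc_commands(result.missing_services)))
```

As rpggamergirl notes later in the thread, "file missing" does not always mean the file is really gone, so the generated commands are a review list, not something to run blindly.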
 

Author Comment

by:Sebor98
ID: 22818645
I ran HijackThis again and those services were already gone.
I also ran msconfig and checked the services there. Why would a bunch of these show as being stopped?
Would that have something to do with why I can't uninstall or install any of my programs?
The SQL error still shows up when I reboot.

Thanks for the help
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22820028
> SQL server express is using 8% cpu usage about 90% off the time <
That's your reason for the delays!
Recommend therefore that you delay that repair install, it may not be necessary, and try HijackThis>

Trend HijackThis 2.02:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Create a folder where you would like the HijackThis file to reside and run it from there, not from the Desktop or a temporary folder.
Run the scan & save the logfile.  Then click the "Attach Code Snippet" box, paste the logfile into the "Code Snippet" page & there i can get it analysed.  

Also, you may like to take a look at this ongoing EE question, in particular the comments by rpggamergirl who is brilliant at Malware removal >
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_23848905.html?cid=238#a22818645
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22820042
@ Sebor98 .. my apologies, those last words should have been posted in another thread.  
0
 

Author Comment

by:Sebor98
ID: 22821035
Can't install or un-install programs, receive error messages like problem with Office source engine, file missing. Tried turning on related services that were stopped, some would not allow me to turn on. Do I need to re-install XP or what?
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22822188
First i would try running Combofix, and then consider a repair/install if Combo did not resolve the issue.  
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins.  Just let it run.

ComboFix does present a slight risk to your system, but it's worth considering when our next move may be the repair/install.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22822221
Then, only if we need this later>
How to Perform a Windows XP Repair Install:
http://www.michaelstevenstech.com/XPrepairinstall.htm
0
 

Author Comment

by:Sebor98
ID: 22837948
Ran Combofix and hijack, logs attached
Combofix-log.txt
hijackthis.log
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22838675
Result of HijackThis analysis.  These five entries can be Fixed, as all have missing files>

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Webroot Software, Inc. (www.webroot.com) - (no file)
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - (no file)
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - (no file)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - (no file)
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - (no file)


Still checking three other entries.   Results of ComboFix are yet to be studied.
Presume there has been no improvement since running ComboFix?

0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22838823
Your HijackThis log 'appears' clean.

Initial ComboFix results:  A study shows approx 11 infected "Other Deletions" which have been successfully removed.  


> "C:\\Program Files\\Palm\\HOTSYNC.EXE"= <

Fairly certain that this entry is ok.  It's listed here, but you may wish to comment >
hotsync.exe
http://www.processlibrary.com/directory/files/hotsync


Could you confirm the present status of your machine please?  How much improvement?   ..  i need a little more time to re-scrutinise Combo log.

Conceivably we'll need to write a short script for a ComboFix re-run, but hopefully that will not be necessary.  
Perhaps rpggamergirl the Malware removal specialist would like to comment on the 'script writing'   :)

0
 

Author Comment

by:Sebor98
ID: 22840275
Computer seems to run fine, however the only program that functions properly is Iexplorer.
When I try to install or un-install a program it either just stops or I get an error message of a file missing so it can't complete installation.
I tried to do a fix with Hijack but it doesn't seem to do anything, they are still there when I run it again.
Hotsync is part of my Palm pilot program that syncs the handheld DB with the computer's DB.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22840452
Ok, thanks.  Well, under those circumstances, i would be inclined to do one more ComboFix scan, post the results here where we can take a look, then if reasonable go for an XP repair install.
You may wish to first backup any valuable documents you have, as an added security precaution.

Then if, in the (unlikely) event a repair is unsuccessful due to earlier virus 'damage', your best bet would then be to re-format and reinstall XP.

  "Clean Install Windows XP":
http://www.michaelstevenstech.com/cleanxpinstall.html
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
ID: 22846538

There are still some bad files that can be deleted using CF script function.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------
File::
C:\WINDOWS\aqim.dat
C:\WINDOWS\qijot.sys
C:\WINDOWS\lihim.inf
C:\WINDOWS\yjacifi.bin
C:\Documents and Settings\All Users\Application Data\ixesyzyqe.exe
C:\WINDOWS\ocyqepo.exe
C:\Program Files\Common Files\jiwakajo.dll
C:\Documents and Settings\All Users\Application Data\onadic.pif
C:\Documents and Settings\Owner\Application Data\hetopadyk.dat
C:\WINDOWS\ydohyreva.bat
C:\Documents and Settings\All Users\Application Data\vivaseb.exe
C:\WINDOWS\byqeced._dl
C:\Program Files\Common Files\ykibun.com
C:\Documents and Settings\All Users\Application Data\yzuciqimyf.pif
C:\Program Files\Common Files\kovumodaz.reg
C:\WINDOWS\system32\apusypi.com
C:\Program Files\Common Files\aquwyzuby.bin
C:\Documents and Settings\Owner\Application Data\osisu.scr
C:\Documents and Settings\Owner\Application Data\ewegozaxuj.scr
C:\WINDOWS\roduby.pif
C:\WINDOWS\baxepo.bat
C:\WINDOWS\tujisebore.com
C:\WINDOWS\system32\ciqosu.scr
C:\WINDOWS\system32\jevevoc.bat
C:\WINDOWS\dulyn.dat
C:\WINDOWS\icerebequ.dll
C:\WINDOWS\system32\symebovam.sys
C:\WINDOWS\system32\fomuhike.dll
C:\Documents and Settings\Owner\Application Data\ewodugo.com
C:\Documents and Settings\Owner\Application Data\xybevopywe.scr
C:\WINDOWS\umob.db
C:\WINDOWS\system32\etiwojiwyc.dat
C:\WINDOWS\system32\TDSSrwyu.dat

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


Do you still have Perfect Optimizer installed there? I'd uninstall it if I were you, sounds dodgy, similar to the rogue Performance Optimizer.

The "file missing" or "no file" in the O23 lines in HijackThis doesn't always mean that files are really missing.
0
 

Author Comment

by:Sebor98
ID: 22846896
Got rid of Perfect Optimizer.
Ran your script with combofix and attached log file.
Combofix-log3.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22848106

Hi Jonvee, I just read your comment there, what a nice description :), so nice of you, thanks, :)

Sebor98,
We just need to kill the task belonging to Perfect Optimizer and its folder.
Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\Tasks\At1.job
Folder::
C:\Program Files\Perfect Optimizer
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

How's the pc running?
0
 

Author Comment

by:Sebor98
ID: 22849153
Ran Script, see attached log.
Computer is still running fine, but still cannot load any programs.

What's next?

Thanks for your help
Combofix-log4.txt
0
 

Author Comment

by:Sebor98
ID: 22849815
I took a look at the services running in msconfig, why are so many of the Microsoft services stopped even though they are checked, like Application Management etc.? Does this have anything to do with not being able to load or install programs?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22850130
It's not recommended to disable services via msconfig, so most of the time disabled or stopped services will show a checkmark in msconfig.
My Application Management service is also checked but stopped (but that service is not needed/supported in my OS (XP Home)).

Try starting those stopped services and see if it will resolve the issue:
Start > Run > type

services.msc
and start those services.
Also try doing an online scan with Kaspersky to check for file infectors.

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22850167
Description of Application management Service: (from BlackViper's page).
*Provides software installation services such as Assign, Publish, and Remove
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22854238
Presume you are not getting any error messages when trying to load/install programs ?

Basic question, but how much free space is available on C: drive?

Try renaming the Catroot2 folder, NOT the Catroot folder >
Start > Run          then type cmd           click OK.
At the command prompt type the following commands, and then press ENTER after each line:
net stop cryptsvc
ren %systemroot%\System32\Catroot2 oldcatroot2
net start cryptsvc
exit

Further suggestions >
You cannot install some updates or programs:
http://support.microsoft.com/kb/822798

Conceivably you still have an infected file(s).  Another idea therefore is to try the 'Stinger' which is a utility that cleans the system of viruses that block anti virus software.
http://vil.nai.com/vil/stinger/

@ rpggamergirl ... thanks for correcting/adjusting my comment about the "file missing" or "no file" in the O23 lines in the HijackThis log  ;)
0
 
LVL 27

Assisted Solution

by:Jonvee
Jonvee earned 300 total points
ID: 22856301
You could also try running >

regsvr32 /i shell32.dll

Details>
"Fix Windows Glitches by Re-registering Your DLLs":
http://www.pcworld.com/article/126116/windows_tips_fix_windows_glitches_by_reregistering_your_dlls.html
0
 

Accepted Solution

by:
Sebor98 earned 0 total points
ID: 22863698
Ran what you suggested Jonvee and it seemed to allow me to load ms office. So I continued to install my other programs and everything seems to be working ok. I still lost some drawing and estimating files that I hadn't backed up, but so far so good. Are there any file recovery programs you can suggest or do you think the files have been written over.

Thanks all for the help.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22863903
That's good!

You may well be able to recover most or even all of the files but the procedures do not usually come free!  Much therefore depends upon just how valuable your drawing & estimating files are, to you.

"GetDataBack Data" is very popular, it's not free, but you can download a free demo version first.
http://runtime.org/

Step by Step:  Doing a Data Recovery with GetDataBack
http://runtime.org/howto_datarecovery.pdf


Alternatively there is this option, also highly recommended by E_E Experts.
Their claim is that you'll not be charged for the service unless they're successful!

Leading Data File Recovery and Disk Disaster Recovery Service:
http://www.gillware.com/

Whichever method you decide upon, good luck.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 22863946
"FreeUndelete" is another possibility but even if it's suitable, i have no experience of it's use.  Although it does appear free, if you decide to try it please read the "Proper Usage" information to avoid further damage to your lost files.
FreeUndelete:
http://www.officerecovery.com/freeundelete/
0