Computer attacked by malware now this message upon reboot

Got hit with Antispyware2009 malware this morning. Used Spy Sweeper to get rid of it. After rebooting some of my programs did not function properly, rebooted again and then I got the error message "Unable to load sqlboot.dll, server has been tampered with etc." Used regedit to repair, programs are still not functioning and the same error message occurs. PC running XP and Internet Explorer.
Sebor98Asked:

jazzIIIloveCommented:
Hi there;

Please follow the instructions in the link below... But first close System Restore and send us a HijackThis log... Don't fix anything yet...

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_23656472.html?sfQueryTermInfo=1+2009+antiviru

best regards...
0
JonveeCommented:
This thread may provide additional help>
"SQL Server installation is either corrupt or has been tampered with":
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_21327743.html

<Quote> You may need to reinstall SQL Server - at the very least reinstall the latest service pack. If both of these don't work, call MS PSS. It looks like the installation directory has been damaged or changed, or the registry has been edited <unquote>
0
Sebor98Author Commented:
Here is the HijackThis file.

thanks for the help
hijackthis1.txt
0
Sebor98Author Commented:
How do I reinstall SQL server?
0
orangutangCommented:
Try Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)
0
orangutangCommented:
Then send another updated HijackThis log.
0
Sebor98Author Commented:
I thought I got rid of the virus, can you tell from the log? Now the problem is some of my program files are missing, i.e. Word, Palm, Quicken, as well as the error message upon reboot.
0
orangutangCommented:
No, you're still infected. These are suspicious:
O4 - HKLM\..\Run: [brastk] brastk.exe
O20 - AppInit_DLLs: karna.dat

You probably have a rootkit that's hiding other items in your HijackThis log.
0
Sebor98Author Commented:
Attached hijack log as well as malware log.

Thanks
mbam-log-2008-10-26--18-07-50-.txt
hijackthis2.txt
0
orangutangCommented:
Your log seems clean. Remove this to clean up:
O20 - AppInit_DLLs: karna.dat

There are also a lot of missing files in your HijackThis. I guess the virus deleted a lot of startup programs. You also might want to scan with one more virus scanner such as SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE). Maybe someone else can help you with reinstalling SQL.
0
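The triage orangutang is doing by eye above (flagging the O4 Run entry that launches a bare file name, the O20 AppInit_DLLs value, and the O23 services reported with missing files) can be scripted. The following Python is an added example, not code from this thread or from HijackThis; the log lines are constructed to resemble the entries quoted in the thread, and the severity labels are this example's own convention. It also carries the caveat raised later in the thread: an O23 "file missing" report is only a prompt to verify on disk, not proof of deletion.

```python
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the HijackThis entries quoted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [brastk] brastk.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
O20 - AppInit_DLLs: karna.dat
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\\Program Files\\Microsoft SQL Server\\80\\Tools\\Binn\\sqladhlp.exe (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Webroot Software, Inc. (www.webroot.com) - (no file)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\\WINDOWS\\System32\\svchost.exe
"""

@dataclass
class Finding:
    section: str    # HijackThis section tag, e.g. "O4", "O20", "O23"
    severity: str   # "high", "medium" or "info" (this example's own scale)
    reason: str
    line: str

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# HijackThis appends "(file missing)" or "(no file)" to O23 entries whose binary it could not find.
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
RUN_RE = re.compile(r"\[([^\]]*)\]\s*(.*)$")

def parse_entry(line):
    """Split 'O4 - ...' into (section, body); None for lines that are not HijackThis entries."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage_line(line):
    """Return a Finding for an entry worth a second look, else None."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, body = parsed
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body[len("AppInit_DLLs:"):].strip()
        if value:
            # Any DLL named here is loaded into every process that loads user32.dll.
            return Finding(section, "high", f"AppInit_DLLs loads {value} into most processes", line)
        return None
    if section == "O4":
        m = RUN_RE.search(body)
        if m:
            cmd = m.group(2).strip().strip('"')
            if "\\" not in cmd:
                # A Run entry with no directory component resolves through PATH rather than a
                # known install location; legitimate installers almost always write a full path.
                return Finding(section, "medium",
                               f"Run entry '{m.group(1)}' launches unqualified name {cmd}", line)
        return None
    if section == "O23" and MISSING_RE.search(body):
        return Finding(section, "info",
                       "service binary reported missing; confirm on disk before fixing the entry", line)
    return None

def triage_log(text):
    """Run triage_line over a whole log and return the findings in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Paste a real log into `SAMPLE_LOG` (or read it from a file) and the "high" finding is the one to act on first; the "info" findings are a list of services to check with `sc query` rather than entries to delete blindly.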
Sebor98Author Commented:
Thanks for the help on the virus, the startup programs are still a problem.
0
Sebor98Author Commented:
Still have the SQL server error message when I rebooted after malware scan.
0
Sebor98Author Commented:
Would it be safe to reinstall word, quicken etc.
0
orangutangCommented:
I think so since your computer seems clean. But I would still check with at least one more scanner such as Anti-Malware.
0
JonveeCommented:
As stated above let's try at least one more scanner, as no one scanner can guarantee removing all viruses & Malware>
Kaspersky free online virus scanner:
http://www.kaspersky.co.uk/virusscanner

Also try running RootkitRevealer v1.71
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

This link is for information only  .. looks like you were not alone!
http://www.castlecops.com/t227519-Karna_dat_is_it_gone.html

If your machine still looks good after scanning, I agree with orangutang, go ahead and try to reinstall Word & Quicken etc.   If one of the last two scanners picks up something we can always use a more powerful tool such as ComboFix.


>How do I reinstall SQL server? <
Let's see if this article helps>
"SQL Server Installation Tutorial":
http://www.databasedesign-resource.com/sql-server-installation.html

Also>  "Free SQL Server Training Videos":
http://weblogs.asp.net/scottgu/archive/2007/03/01/free-sql-server-training-videos-and-other-good-data-tutorial-pointers.aspx
0
rpggamergirlCommented:
What's your antivirus?
Do you still have Symantec installed there? There are Symantec references, also with files missing. It's likely that a file infector was present there at some stage and your scanner deleted the infected files, which caused programs not to function as their files are missing.
If in fact a file infector was at work, then you would need to reinstall those programs, or start fresh, whichever you prefer.
0
Sebor98Author Commented:
Ran another scan with Webroot, virus came up clean, tried to use the one you suggested but it kept saying I didn't have the right version of Java installed even after I downloaded the current version. Also ran RootkitRevealer, it came up with 3 things, but now I can't find where I put the log file. How do I get the SQL Server program, do I have to download it?
By reinstalling this program is there a chance I can recover some missing data files that don't seem to be there any longer?
0
JonveeCommented:
You could try running RootkitRevealer again.  It's great at detecting a problem, but will not necessarily remove it, apparently.  

Did you originally download your SQL Server, and which version was it, please?

Hopefully you can use the ideas from this article>
"Recover the master database in SQL Server":
http://articles.techrepublic.com.com/5100-10878_11-5025441.html
0
Sebor98Author Commented:
I have never downloaded SQL server, it is just the error message I get when I boot.
0
rpggamergirlCommented:
>>>I have never downloaded SQL server, it is just the error message I get when I boot.<<

So you don't use it?
Then fix those relevant entries in HijackThis.
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: SQLAgent$VAIO_VEDB - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE (file missing)


or alternatively just stop and delete the services.

Delete these services --> MSSQLServerADHelper, SQLAgent$VAIO_VEDB
Go to Start Menu > Run > type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop MSSQLServerADHelper
sc delete MSSQLServerADHelper
sc stop SQLAgent$VAIO_VEDB
sc delete SQLAgent$VAIO_VEDB

exit
0
Sebor98Author Commented:
I ran HijackThis again and those services were already gone.
I also ran msconfig and checked the services there. Why would a bunch of these show as being stopped?
Would that have something to do with why I can't uninstall or install any of my programs?
The SQL error still shows up when I reboot.

Thanks for the help
0
JonveeCommented:
> SQL server express is using 8% cpu usage about 90% off the time <
That's your reason for the delays!
Recommend therefore that you delay that repair install, it may not be necessary, and try HijackThis>

Trend HijackThis 2.02:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Create a folder where you would like the HijackThis file to reside and run it from there, not from the Desktop or a temporary folder.
Run the scan & save the logfile.  Then click the "Attach Code Snippet" box, paste the logfile into the "Code Snippet" page & there I can get it analysed.  

Also, you may like to take a look at this ongoing EE question, in particular the comments by rpggamergirl who is brilliant at Malware removal >
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_23848905.html?cid=238#a22818645
0
JonveeCommented:
@ Sebor98 .. my apologies, those last words should have been posted in another thread.  
0
Sebor98Author Commented:
Can't install or uninstall programs, receive error messages like problem with Office Source Engine, file missing. Tried turning on related services that were stopped, some would not allow me to turn them on. Do I need to reinstall XP or what?
0
JonveeCommented:
First i would try running Combofix, and then consider a repair/install if Combo did not resolve the issue.  
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins.  Just let it run.

ComboFix does present a slight risk to your system, but it's worth considering when our next move may be the repair/install.
0
JonveeCommented:
Then, only if we need this later>
How to Perform a Windows XP Repair Install:
http://www.michaelstevenstech.com/XPrepairinstall.htm
0
Sebor98Author Commented:
Ran Combofix and hijack, logs attached
Combofix-log.txt
hijackthis.log
0
JonveeCommented:
Result of HijackThis analysis.  These five entries can be Fixed, as all have missing files>

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Webroot Software, Inc. (www.webroot.com) - (no file)
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - (no file)
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - (no file)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - (no file)
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - (no file)


Still checking three other entries.   Results of ComboFix are yet to be studied.
Presume there has been no improvement since running ComboFix?

0
JonveeCommented:
Your HijackThis log 'appears' clean.

Initial ComboFix results:  A study shows approx 11 infected "Other Deletions" which have been successfully removed.  


> "C:\\Program Files\\Palm\\HOTSYNC.EXE"= <

Fairly certain that this entry is ok.  It's listed here, but you may wish to comment >
hotsync.exe
http://www.processlibrary.com/directory/files/hotsync


Could you confirm the present status of your machine please?  How much improvement?   ..  I need a little more time to re-scrutinise the Combo log.

Conceivably we'll need to write a short script for a ComboFix re-run, but hopefully that will not be necessary.  
Perhaps rpggamergirl the Malware removal specialist would like to comment on the 'script writing'   :)

0
Sebor98Author Commented:
Computer seems to run fine, however the only program that functions properly is Iexplorer.
When I try to install or un-install a program it either just stops or I get an error message of a file missing so it can't complete installation.
I tried to do a fix with Hijack but it doesn't seem to do anything, they are still there when I run it again.
Hotsync is part of my Palm pilot program that syncs the handheld DB with the computer's DB.
0
JonveeCommented:
Ok, thanks.  Well, under those circumstances, I would be inclined to do one more ComboFix scan, post the results here where we can take a look, then if reasonable go for an XP repair install.
You may wish to first backup any valuable documents you have, as an added security precaution.

Then if, in the (unlikely) event a repair is unsuccessful due to earlier virus 'damage', your best bet would then be to re-format and reinstall XP.

  "Clean Install Windows XP":
http://www.michaelstevenstech.com/cleanxpinstall.html
0
rpggamergirlCommented:

There are still some bad files that can be deleted using CF script function.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------
File::
C:\WINDOWS\aqim.dat
C:\WINDOWS\qijot.sys
C:\WINDOWS\lihim.inf
C:\WINDOWS\yjacifi.bin
C:\Documents and Settings\All Users\Application Data\ixesyzyqe.exe
C:\WINDOWS\ocyqepo.exe
C:\Program Files\Common Files\jiwakajo.dll
C:\Documents and Settings\All Users\Application Data\onadic.pif
C:\Documents and Settings\Owner\Application Data\hetopadyk.dat
C:\WINDOWS\ydohyreva.bat
C:\Documents and Settings\All Users\Application Data\vivaseb.exe
C:\WINDOWS\byqeced._dl
C:\Program Files\Common Files\ykibun.com
C:\Documents and Settings\All Users\Application Data\yzuciqimyf.pif
C:\Program Files\Common Files\kovumodaz.reg
C:\WINDOWS\system32\apusypi.com
C:\Program Files\Common Files\aquwyzuby.bin
C:\Documents and Settings\Owner\Application Data\osisu.scr
C:\Documents and Settings\Owner\Application Data\ewegozaxuj.scr
C:\WINDOWS\roduby.pif
C:\WINDOWS\baxepo.bat
C:\WINDOWS\tujisebore.com
C:\WINDOWS\system32\ciqosu.scr
C:\WINDOWS\system32\jevevoc.bat
C:\WINDOWS\dulyn.dat
C:\WINDOWS\icerebequ.dll
C:\WINDOWS\system32\symebovam.sys
C:\WINDOWS\system32\fomuhike.dll
C:\Documents and Settings\Owner\Application Data\ewodugo.com
C:\Documents and Settings\Owner\Application Data\xybevopywe.scr
C:\WINDOWS\umob.db
C:\WINDOWS\system32\etiwojiwyc.dat
C:\WINDOWS\system32\TDSSrwyu.dat

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


Do you still have Perfect Optimizer installed there? I'd uninstall it if I were you, it sounds dodgy, similar to the rogue Performance Optimizer.

The "file missing" or "no file" in the O23 lines in HijackThis doesn't always mean that files are really missing.
0
Sebor98Author Commented:
Got rid of Perfect Optimizer.
Ran your script with combofix and attached log file.
Combofix-log3.txt
0
rpggamergirlCommented:

Hi Jonvee, I just read your comment there, what a nice description :), so nice of you, thanks, :)

Sebor98,
We just need to kill the task belonging to Perfect Optimizer and its folder.
Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\Tasks\At1.job
Folder::
C:\Program Files\Perfect Optimizer
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

How's the pc running?
0
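Both of rpggamergirl's scripts above use only the File:: and Folder:: directives of ComboFix's CFScript.txt format: a directive line ending in "::" followed by one absolute path per line. The following Python is an added example, not code from this thread or from ComboFix. It assembles such a script from path lists, refuses relative paths and core system locations (an easy way to lose a Windows install with a typo), de-duplicates case-insensitively, and parses a script back so it can be reviewed before being dragged onto ComboFix.exe. The paths are constructed placeholders, and the two directives shown in the thread are the only ones this example knows about.

```python
import ntpath   # Windows path semantics, so the checks also work when run on another host

# Constructed placeholder entries for this example; not the thread's real file list.
SUSPECT_FILES = [
    r"C:\WINDOWS\Tasks\At1.job",
    r"C:\WINDOWS\system32\EXAMPLE_bad.dat",
    r"c:\windows\tasks\at1.job",          # same file in different case: must be dropped
]
SUSPECT_FOLDERS = [r"C:\Program Files\Perfect Optimizer"]

# Locations (relative to the drive root) that must never appear in a deletion script.
PROTECTED = {"", "\\windows", "\\windows\\system32", "\\program files", "\\documents and settings"}

def _clean(paths):
    """Validate and de-duplicate absolute Windows paths, preserving first-seen order."""
    seen, out = set(), []
    for p in paths:
        p = p.strip()
        drive, rest = ntpath.splitdrive(p)
        if not drive or not rest.startswith("\\"):
            raise ValueError(f"not an absolute Windows path: {p!r}")
        if ntpath.normpath(rest).lower().rstrip("\\") in PROTECTED:
            raise ValueError(f"refusing to list a system location: {p!r}")
        key = ntpath.normpath(p).lower()      # NTFS paths compare case-insensitively
        if key not in seen:
            seen.add(key)
            out.append(p)
    return out

def build_cfscript(files=(), folders=()):
    """Return CFScript.txt text with a File:: section, then a Folder:: section (each only if non-empty)."""
    lines = []
    files, folders = _clean(files), _clean(folders)
    if files:
        lines.append("File::")
        lines.extend(files)
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
    return "\n".join(lines) + "\n"

def parse_cfscript(text):
    """Inverse of build_cfscript: map directive name -> list of paths, ignoring blank and ---- separator lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"path before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections

if __name__ == "__main__":
    script = build_cfscript(SUSPECT_FILES, SUSPECT_FOLDERS)
    print(script)
    print(parse_cfscript(script))
```

Writing the result to CFScript.txt with `open("CFScript.txt", "w", newline="\r\n")` gives the CRLF line endings a Windows tool expects; the parser is also handy for reading back a script someone else prepared before running it.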
Sebor98Author Commented:
Ran Script, see attached log.
Computer is still running fine, but still cannot load any programs.

What's next?

Thanks for your help
Combofix-log4.txt
0
Sebor98Author Commented:
I took a look at the services running in msconfig, why are so many of the Microsoft services stopped even though they are checked, like Application Management etc.? Does this have anything to do with not being able to load or install programs?
0
rpggamergirlCommented:
It's not recommended to disable services via msconfig, so most of the time disabled or stopped services will show a checkmark in msconfig.
My Application Management service is also checked but stopped (but that service is not needed/supported in my OS, XP Home).

Try starting those stopped services and see if it will resolve the issue:
Start > Run > type

services.msc
and start those services.
Also try doing an online scan with Kaspersky to check for file infectors.

0
rpggamergirlCommented:
Description of Application management Service: (from BlackViper's page).
*Provides software installation services such as Assign, Publish, and Remove
0
JonveeCommented:
Presume you are not getting any error messages when trying to load/install programs ?

Basic question, but how much free space is available on C: drive?

Try renaming the Catroot2 folder, NOT the Catroot folder >
Start > Run, then type cmd, click OK.
At the command prompt type the following commands, and then press ENTER after each line:
net stop cryptsvc
ren %systemroot%\System32\Catroot2 oldcatroot2
net start cryptsvc
exit

Further suggestions >
You cannot install some updates or programs:
http://support.microsoft.com/kb/822798

Conceivably you still have an infected file(s).  Another idea therefore is to try the 'Stinger' which is a utility that cleans the system of viruses that block anti virus software.
http://vil.nai.com/vil/stinger/

@ rpggamergirl ... thanks for correcting/adjusting my comment about the "file missing" or "no file" in the O23 lines in the HijackThis log  ;)
0
JonveeCommented:
You could also try running >

regsvr32 /i shell32.dll

Details>
"Fix Windows Glitches by Re-registering Your DLLs":
http://www.pcworld.com/article/126116/windows_tips_fix_windows_glitches_by_reregistering_your_dlls.html
0
Sebor98Author Commented:
Ran what you suggested Jonvee and it seemed to allow me to load ms office. So I continued to install my other programs and everything seems to be working ok. I still lost some drawing and estimating files that I hadn't backed up, but so far so good. Are there any file recovery programs you can suggest or do you think the files have been written over.

Thanks all for the help.
0
JonveeCommented:
That's good!

You may well be able to recover most or even all of the files but the procedures do not usually come free!  Much therefore depends upon just how valuable your drawing & estimating files are, to you.

"GetDataBack Data" is very popular, it's not free, but you can download a free demo version first.
http://runtime.org/

Step by Step:  Doing a Data Recovery with GetDataBack
http://runtime.org/howto_datarecovery.pdf


Alternatively there is this option, also highly recommended by E_E Experts.
Their claim is that you'll not be charged for the service unless they're successful!

Leading Data File Recovery and Disk Disaster Recovery Service:
http://www.gillware.com/

Whichever method you decide upon, good luck.
0
JonveeCommented:
"FreeUndelete" is another possibility but even if it's suitable, I have no experience of its use.  Although it does appear free, if you decide to try it please read the "Proper Usage" information to avoid further damage to your lost files.
FreeUndelete:
http://www.officerecovery.com/freeundelete/
0