All processes killed
========== OTL ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\Admin\antispy\ewido_micro.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Doylechiro
File delete failed. C:\Documents and Settings\Doylechiro\Local Settings\Temp\~DF8D03.tmp scheduled to be deleted on reboot.
->Temp folder emptied: 86850359 bytes
File delete failed. C:\Documents and Settings\Doylechiro\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 15524515 bytes
->Java cache emptied: 25684707 bytes
->FireFox cache emptied: 0 bytes
File delete failed. C:\Documents and Settings\Doylechiro\Local Settings\Application Data\Apple Computer\Safari\Cache.db scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Doylechiro\Local Settings\Application Data\Apple Computer\Safari\WebpageIcons.db scheduled to be deleted on reboot.
->Apple Safari cache emptied: 22059123 bytes

User: DRB777~1~COD

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes
->Apple Safari cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 6928 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Phyllis
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bd4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\spnserv.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\spserv.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 34215 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 143.27 mb


OTL by OldTimer - Version 3.0.21.0 log created on 10282009_053741

Files\Folders moved on Reboot...
C:\Documents and Settings\Doylechiro\Local Settings\Temp\~DF8D03.tmp moved successfully.
C:\Documents and Settings\Doylechiro\Local Settings\Application Data\Apple Computer\Safari\Cache.db moved successfully.
C:\Documents and Settings\Doylechiro\Local Settings\Application Data\Apple Computer\Safari\WebpageIcons.db moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_bd4.dat not found!
File move failed. C:\WINDOWS\temp\spnserv.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\spserv.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Hello bitterbuck

congratulations, your logs are clean and another fix is in the can

i cant see a quick fix and given i am at work at the moment i would advise you go through Steps 1 and 2 below and then post your issue about the SQL in this part of the forums. say that your machine has been cleaned of malware. i will keep an eye on the thread, but someone else of better knowledge in this area will be able to help you faster.


the malwarebytes scan found and cleared some infected files, as did the super antispyware scan. the kaspersky scan only found items in the system restore which we will clear now as well as some uninfected files.

in this post we will clear away the fix tools (this is so that should you ever be re-infected, you will download updated versions and it will also remove the quarantined Malware from your computer), reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
Follow these steps to uninstall Combofix, some of the tools used in the removal of malware and to flush your system restore points

• Click START then RUN
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between ComboFix and the /Uninstall, it needs to be there.

====STEP 2====
Double-click OTL to run it. (Vista users, please right click on OTListIt.exe and select "Run as an Administrator")

• Click the Clean up button and let the program run
• when prompted, click Yes to the reboot.

you can also clear away any other tools we used.


====IDEAS TO SPEED UP YOUR MACHINE====
this page http://users.telenet.be/bluepatchy/miekiem...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help you further.


====AND FINALLY====
The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. MBAM - Malware Bytes Anti Malware is an excellent tool for anyone's antimalware arsenal. This program should be updated and run often.
   
2. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
   
3. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
   
4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
   
5. ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
   
6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
   
7. Digsby or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
   
8. Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
   
9. FireFox - Alternate web browser. Open source and quick, Firefox is usually the first thing I install on a new system.
   
10. NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

best wishes

andrewuk

If I were to do a system restore to before we cleaned the system, would the malware be back?

yes, it would.

that is one of the problems with malware.

uninstalling the combofix will clear the system restore points, which is your best bet here.

i am pretty sure that the SQL issue can be resolved without a system restore.

So if I have already uninstalled combofix I can not restore it??? Oh no!!!!

I am being told that we somehow damaged windows? Does this sound possible?

very unlikely that we damaged any critical part of windows. i dont see anything that we did that damaged any other part of windows - but removing malware does come with some risks, though rarely are those risks unrecoverable.

i will consult others on this and see what the view is on how to recover it.

andrewuk

Thanks!

lets check a few settings:

• Copy the entire contents of the Quote Box below to Notepad.
• Name the file as Query.bat
• Change the Save as Type to All Files
• and Save it on the desktop
• Once saved, double click on the Query.bat file and post the resulting report.

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServer
Type REG_DWORD 0x10
Start REG_DWORD 0x2
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER
DisplayName REG_SZ MSSQLSERVER
ObjectName REG_SZ LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServer\Linkage
Export REG_MULTI_SZ MSSQLSERVER\0\0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServer\Performance
Library REG_SZ C:\PROGRA~1\MI6841~1\MSSQL\Binn\sqlctr80.dll
Open REG_SZ OpenSQLPerformanceData
Close REG_SZ CloseSQLPerformanceData
Collect REG_SZ CollectSQLPerformanceData
Last Counter REG_DWORD 0xdae
Last Help REG_DWORD 0xdaf
First Counter REG_DWORD 0xc9a
First Help REG_DWORD 0xc9b
WbemAdapFileSignature REG_BINARY D170DCF8A7755EE49EE6DD919ECD0665
WbemAdapFileTime REG_BINARY 0096398E23A6C201
WbemAdapFileSize REG_DWORD 0x8238
WbemAdapStatus REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServer\Security
Security REG_BINARY 01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400
FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B0000000
0001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServer\Enum
0 REG_SZ Root\LEGACY_MSSQLSERVER\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1

i cant see anything wrong there.

try these links for ideas - where other people have had similar problems:

http://www.sqlmonster.com/Uwe/Forum.aspx/s...r-error-on-boot

http://www.microsoft.com/communities/newsg...p;sloc=&p=1

http://www.sqlteam.com/FORUMS/topic.asp?TOPIC_ID=38692

http://help.wugnet.com/office/SQL-server-e...pict675465.html

keep in mind that this is outside my knowledge, so, for example, i dont know what information you would lose, if any, if you reinstalled it.

also, can you give me some idea as to what program you are trying to run?

andrewuk

andrewuk,

I am trying to run my office mgmt soft ware Chiro8000. It needs SQL Server to run.

When we tried to uninstall the SQL server using add/remove programs we got an error. We can't uninstall.

Basically, if i can unstall the sql server I can reinstall and should be ok.

what version of SGL Server is it? 2005?

2000

this link here takes you through a step by step proceedure to uninstall it.

there are two parts:

1. backing up data <<< need to do first, obviously
2. the uninstallation

its not as long as it looks.

if you need help in deleting files / folders / registry items, then let me know and i can help.

before you start entering the registry, i would back it up first with the instructions below:

Backing Up Your Registry

1. Download ERUNT
   (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
   (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
   (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
   (the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

andrewuk