First thing I recommend doing is disabling xp_cmdshell on your SQL Server. You can do that with the following SQL:
EXEC sp_configure 'show advanced options', '1';
EXEC sp_configure 'xp_cmdshell', '0';
reconfigure;Next you should kill any cmd.exe process on the server, which you can do from the command line with:
taskkill /IM cmd.exeNote that will also kill the command window you run it in. You should recheck task manager to ensure all CMD.EXEs have terminated. If they spring up again, you've got a virus and you'll probably need to wipe the server and reinstall everything if your antivirus can't remove it.
This still doesn't protect you from SQL injection.
BTW you can also use http://imgur.com as an image host.