Capt_Lee
asked on
Infected Windows 98 system.... etqueze.exe ???
I am working on a client machine, Windows 98. I have disinfected the hard drive on a test system as a slave hard drive.
Primary symptoms are:
Windows screen appears to be at lowest resolution, but not booting to safe mode.
No problems with boot up observed.
ANY attempt to do anything responds with a windows error box.
Title: Program Not Found
Message:
Windows cannot find etquez.exe
This program is needed to open files of type 'Application'
Location of etquez.exe
"here is a dialog box to browse for a file"
Booted to DOS and looked at the Autoexec.bat file and do not see anything out of the ordinary there.
Attempted safe mode and same symptoms.
Searched all over the internet for etquez.exe
Any ideas?
Hi Capt_Lee,
Don't know about the low resolution, but try this to solve the program not found error: make sure the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command contains the following value - "%1" %*
Cheers!
Raj
ASKER
First comment will not work, because any attempt to do anything comes up with this error. So I cannot run the adware hunting software without getting the error, or even bring up a browser.
The Registry idea is interesting, I am attempting to reboot to windows to see if I can run regedit.
regedit will not run also.
Is there a way to edit a registry file when this drive is a slave on another system?
You might want to try to do a Windows installation on top of the existing one: just boot from your Win98 CD-ROM and let it install (in c:\windows, not c:\windows.000 as it might suggest to you). Afterwards, you should be able to run the ad-ware scanners and virus scanners again.
LucF
Rename regedit.exe to regedit.com; that should work.
Boot the system to msdos and run a virus software for dos like www.f-prot.com.
You could also try PEBuilder at http://www.nu2.nu/pebuilder/ This program will start the computer with a Windows interface; however, it will not start the actual Windows. You can run the registry editor from there and edit whatever you want.
ASKER
Thanks for the idea about PEBuilder, and I will most likely use this tool someday in the future, however it will not run in a windows 98 environment.
From the help file:
PE Builder (pebuilder.exe) runs on Windows 2000/XP/2003. It does not run on Windows NT4/ME/9x.
This tool would allow you to inspect the 2 .dat files that comprised the old registry on the drive that is now the slave, or from any source if you can copy those files out into another functional machine:
MiTeC Windows Registry File Viewer Version 1.8:
21.10.2003
http://www.mitec.cz/
http://www.mitec.cz/regtools.htm#RFV
Fixed Unicode character decoding
Values of type REG_MULTI_SZ are now displayed as strings
Searching now processes all value types including REG_BINARY
Possibility of save binary data to file
Description
Viewer for standalone files containing Windows registry hives (e.g. NTUSER.DAT, SYSTEM.1ST, SAM, etc.).
It features extended registry searching, registry dumping and exporting to REGEDIT4 format and detailed key information including security (NT) and hash values.
For NT registry value of type REG_RESOURCE_LIST here's Resource information in Data View.
Target platforms
MS Windows 9x, MS Windows ME, MS Windows NT 4.x, MS Windows 2000, MS Windows XP, MS Windows Server 2003
Status
Freeware
http://www.mitec.cz/Data/Screenshots/RFV.gif
http://www.mitec.cz/downloads.htm
MiTeC Windows Registry File Viewer 1.8 http://www.mitec.cz/Downloads/RFV.zip
-------------------------- ---------- -------
Registry Viewer 2.0 http://www.mitec.cz/Downloads/RegView.zip
Description
Viewer for REGEDIT4 and REGEDIT5 files and local or remote registry.
It supports bookmarks, searching and registry exporting.
Target platforms
MS Windows 9x, MS Windows ME, MS Windows NT 4.x, MS Windows 2000, MS Windows XP, MS Windows Server 2003
Status
Freeware
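As an added example that is not part of any poster's comment: a Python check that reads a REGEDIT4 export of the offline registry and reports any shell\open\command default that differs from the "%1" %* value given earlier in the thread. Applying that default to comfile, batfile and piffile as well goes beyond the thread, which names only exefile; the sample export and its root key path are constructed.

```python
import re

# Default command the thread gives for exefile; assumed here to apply to the
# other directly executable classes too (comfile, batfile, piffile).
EXPECTED = '"%1" %*'
CLASSES = ("exefile", "comfile", "batfile", "piffile")

def unescape(s):
    # REGEDIT4 escapes backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_regedit4(text):
    """Return {key_path: {value_name: string_data}} for string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def audit_open_commands(text):
    """List (class, found_command) pairs whose default differs from EXPECTED."""
    findings = []
    for path, values in parse_regedit4(text).items():
        parts = path.lower().split("\\")
        # Match on the key suffix: an offline viewer may export the hive under
        # a different root than HKEY_CLASSES_ROOT.
        if (len(parts) >= 4 and parts[-4] in CLASSES
                and parts[-3:] == ["shell", "open", "command"]):
            cmd = values.get("@")  # "@" is the key's default value
            if cmd is None or cmd.strip() != EXPECTED:
                findings.append((parts[-4], cmd))
    return findings

# Constructed sample export (not taken from the asker's machine).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="etquez.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
'''

if __name__ == "__main__":
    for cls, cmd in audit_open_commands(SAMPLE):
        print(f"{cls}: open command is {cmd!r}, expected {EXPECTED!r}")
```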
There is also one tool that would allow you to obtain a report of your system from DOS.
The well known AIDA32 Windows Diagnostics reporting utility:
http://www.aida32.hu/aida-features.php?bit=32
http://www.aida32.hu/aida-download.php?bit=32
has an equivalent 16-bit "sysinfo" tool that will run from a floppy.
http://www.aida32.hu/aida-download.php?bit=16
http://www.aida32.hu/download/aida16en_211.zip
Swap the slave drive back to Master without rebooting, boot to a win98 boot floppy, and then swap it for the floppy with the 16-bit AIDA program on it.
Just call it with the command:
a:\AIDA.EXE
Usage: AIDA [/S]
AIDA [/R [filename]] [/S] [/D]
AIDA [/RC [filename]] [/S] [/D]
AIDA [/RS [filename]] [/S] [/D]
AIDA [/F5 filename] [/S] [/D]
/R Make text report to <filename>
/RC Make CSV report to <filename>
/RS Make report summary to <filename>
/F5 Append to <filename> if F5 key pressed
/S Activate safe mode
/D Disable debug information
or to create a report, run the batch file
a:\A.bat
which equates to:
aida /r %1 %2 %3 %4 %5
It might help to obtain some details of those system files.
You might also want to force it to boot in "LOGGED" mode (F8 during boot > select "Logged" option) to create C:\bootlog.txt.
Boot to a win98 boot floppy, swap it for a blank, and issue the commands:
attrib -h c:\bootlog.txt
copy c:\bootlog.txt a:\bootlog.txt
attrib +h c:\bootlog.txt
On an operational computer, download the Bootlog Text Analyser (BLA.EXE)
Extract from web page and readme:
http://www.vision4.dial.pipex.com/
Boot Log Analyzer for Windows 95/98 from Gemini Affinitas Ltd (v1.22)
FREE Boot Log Analyzer utility to help in identifying Windows95/98 boot-up problems.
Looks at your Windows95 BOOTLOG.TXT file and calculates the time taken to load each driver etc, in order to help in locating any cause of lengthy boot-up times. The displayed result can be sorted by loading duration, filtered to show only those items with long durations or which reported failure, and saved to a text file.
Please note: This utility is intended for use by PC Support Personnel and Advanced Users only - interpreting the results requires in-depth technical knowledge.
Download latest BOOT LOG ANALYZER
http://www.vision4.dial.pipex.com/files/bla.zip
BLA Screenshot
http://www.vision4.dial.pipex.com/screen.htm
http://www.vision4.dial.pipex.com/images/bla.jpg
Home Page (Gemini Affinitas Ltd)
http://www.geminisoftware.co.uk/
It will sit happily on a floppy, and just ensure that you direct it to inspect a:\bootlog.txt or it will analyse the default on the C:\ drive.
It has a checkbox "Show failures" to filter out only load failures, and then export to a text file.
ASKER
THANKS - THANKS
All suggestions and tool ideas have been helpful, however, I have not been able to resolve my problem.
1) Review of the Windows directory indicates the problem was introduced on 11/7/03 at 5 AM
2) Discovered file in Windows directory called COMPUTER.BAT. In Computer.BAT the lines were
@Echo off
IF NOT "%1" == "" etquez.exe %1
3) Reference from R_Rajesh
don't know about the low resolution but try this to solve the program not found error: make sure the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command contains the following value - "%1" %*. Helped me with the hint... So I rem'ed the line and some functions came back but not all.
4) Noticed a very large file called NULL was created on the date and time that this file was created.
Since this is an old system and there is not much user data, which I can capture anyway, I am going to declare this problem closed. I appreciate ALL the feedback, especially R_Rajesh & BillDL
ASKER
Final Note, I just discovered that this problem appears to have been propagated by a virus infection by the name of W32.Swen.A@mm. Please reference this url..... http://www.sarc.com/avcenter/venc/data/w32.swen.a@mm.html.
Pay particular attention to how it installs itself.... Masquerades as an Internet Security update from Microsoft, including a pretty good mock up of Microsoft's install screens and messages.
Symantec advice indicates that if the install actually gets to run on the system, a quarantine and deletion is not sufficient.... I think that is where I am now.... MANY registry changes done by this virus.....
Thanks again team.... It is great to not feel so alone out here..... ;-)
ASKER
Final word on fix --- working through Symantec instructions, and all going fine so far.
Earlier note on Regedit4 also was on target. A repair file is created to repair the registry in DOS to allow programs to run from shell again as first step; refer to Symantec link above to see how this is done.
Type sfc in the Run box; you may be prompted for the Windows CD. This repairs Windows files.
That would account for the randomly generated filename that didn't come up with anything in a google search.
My advice?
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html
F8 at boot - Command Line Option
a:\FIXSWEN.EXE /S /LOG /START
POWER OFF and leave it for a few minutes.
Reboot to windows 98 boot floppy with CD Rom support and reinstall Windows.
Run a full virus scan as soon as possible afterwards.
Personally, I would format the drive and reinstall, but then again I have full backups of all my essential stuff on a partition.
BillDL, isn't that the same link I've posted? I assume you did this accidentally, but still, please read previous posts before you submit.
You're quite right, LucF, and my apologies. I typed my comment offline after reading the question and failed to reload it before I posted. Ironically, I posted the wrong url anyway, it was supposed to be the direct download url:
http://www.symantec.com/avcenter/FixSwen.exe
What I was merely indicating was my personal view that you can spend an immense amount of time messing around fixing registry values and restoring files after running the fix, whereas a dirty install after the infection is cleared SHOULD work and save some time.
I notice now that this process is well under way, so perhaps a bit of time might save a reinstall or Format and Reinstall.
I also meant to add details of the actual vulnerability that can cause such Worms to be activated by merely reading an email containing one:
w32.swen.a@mm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. See:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
This update is already included in Internet Explorer 5.01 Service Pack 2, but the downloadable patch has been superseded by that discussed on:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
Similar updates apply to later versions of Outlook and Outlook Express.
;-)
Capt_Lee:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
Have you got any success out of that
Spyware/Adware removal tools:
--------------------------
What is spyware : http://www.spychecker.com/spyware.html
SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml
Ad-aware : http://www.webattack.com/download/dladaware.shtml
Trojan Remover :http://www.simplysup.com/
HijackThis : http://www.webattack.com/download/dlhijackthis.shtml
KL-Detector :http://www.webattack.com/download/dlkldetector.shtml
X-Cleaner Free :http://www.webattack.com/download/dlxcleaner.shtml
SpywareBlaster :http://www.webattack.com/download/dlspywareblaster.shtml
SpywareGuard :http://www.webattack.com/download/dlspywareguard.shtml
SpySites :http://www.webattack.com/download/dlspysites.shtml
Keylogger Hunter :http://www.webattack.com/download/dlklhunter.shtml
Spycop: http://www.spycop.com/
Goodbye Spy http://www.topshareware.com/GoodBye-Spy-download-2012.htm
Other spyware removal instructions: http://www.pchell.com/support/click2findnow.shtml
online virus scanner:
---------------------
http://housecall.trendmicro.com/
http://security.symantec.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.pcpitstop.com/antivirus/default.asp
Sunray