Capt_Lee

Infected Windows 98 system.... etqueze.exe ???

I am working on a client machine, Windows 98.  I have disinfected the hard drive on a test system as a slave hard drive.  

Primary symptoms are:

Windows screen appears to be at lowest resolution, but not booting to safe mode.
No problems with boot up observed.
ANY attempt to do anything responds with a windows error box.  

Title: Program Not Found

Message:

Windows cannot find etquez.exe
This program is needed to open files of type 'Application'

Location of etquez.exe
"here is a dialog box to browse for a file"

Booted to DOS and looked at the Autoexec.bat file and do not see anything out of the ordinary there.

Attempted safe mode and same symptoms.

Searched all over the internet for etquez.exe

Any ideas?
sunray_2003

R_Rajesh

Hi Capt_Lee,

Don't know about the low resolution, but try this to solve the program not found error: make sure the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command contains the following value -  "%1" %*

Cheers!

Raj
Capt_Lee

ASKER

First comment will not work, because any attempt to do anything comes up with this error.  So I cannot run the adware hunting software without getting the error, or even bring up a browser.

The Registry idea is interesting, I am attempting to reboot to windows to see if I can run regedit.

regedit will not run also.

Is there a way to edit a registry file when this drive is a slave on another system?
Luc Franken

You might want to try to do a Windows installation on top of the existing one: just boot from your Win98 CD-ROM and let it install (in c:\windows, not c:\windows.000 as it might suggest to you). Afterwards, you should be able to run the adware scanners and virus scanners again.

LucF
Rename regedit.exe to regedit.com; that should work.
Boot the system to MS-DOS and run virus software for DOS, like www.f-prot.com.
You could also try PEBuilder at http://www.nu2.nu/pebuilder/. This program will start the computer with a Windows interface; however, it will not start actual Windows. You can run the registry editor from there and edit whatever you want.
Thanks for the idea about PEBuilder, and I will most likely use this tool someday in the future, however it will not run in a windows 98 environment.

From the help file:

PE Builder (pebuilder.exe) runs on Windows 2000/XP/2003. It does not run on Windows NT4/ME/9x.

This tool would allow you to inspect the 2 .dat files that comprised the old registry on the drive that is now the slave, or from any source if you can copy those files out into another functional machine:

MiTeC Windows Registry File Viewer Version 1.8:
21.10.2003

http://www.mitec.cz/
http://www.mitec.cz/regtools.htm#RFV

Fixed Unicode character decoding
Values of type REG_MULTI_SZ are now displayed as strings
Searching now processes all value types including REG_BINARY
Possibility of save binary data to file

Description

Viewer for standalone files containing Windows registry hives (e.g. NTUSER.DAT, SYSTEM.1ST, SAM, etc.).

It features extended registry searching, registry dumping and exporting to REGEDIT4 format and detailed key information including security (NT) and hash values.
For NT registry value of type REG_RESOURCE_LIST here's Resource information in Data View.
 
Target platforms
MS Windows 9x, MS Windows ME, MS Windows NT 4.x, MS Windows 2000, MS Windows XP, MS Windows Server 2003

Status
Freeware

http://www.mitec.cz/Data/Screenshots/RFV.gif
http://www.mitec.cz/downloads.htm

MiTeC Windows Registry File Viewer 1.8  http://www.mitec.cz/Downloads/RFV.zip

-------------------------------------------

Registry Viewer 2.0  http://www.mitec.cz/Downloads/RegView.zip

Description
Viewer for REGEDIT4 and REGEDIT5 files and local or remote registry.
It supports bookmarks, searching and registry exporting.
 
Target platforms
MS Windows 9x, MS Windows ME, MS Windows NT 4.x, MS Windows 2000, MS Windows XP, MS Windows Server 2003

Status
Freeware
There is also one tool that would allow you to obtain a report of your system from DOS.

The well known AIDA32 Windows Diagnostics reporting utility:

http://www.aida32.hu/aida-features.php?bit=32

http://www.aida32.hu/aida-download.php?bit=32

has an equivalent 16-bit "sysinfo" tool that will run from a floppy.

http://www.aida32.hu/aida-download.php?bit=16

http://www.aida32.hu/download/aida16en_211.zip

Swap the slave drive back to Master without rebooting, boot to a win98 boot floppy, and then swap it for the floppy with the 16-bit AIDA program on it.

Just call it with the command:

a:\AIDA.EXE

Usage:  AIDA  [/S]
             AIDA  [/R [filename]]  [/S]  [/D]
             AIDA  [/RC [filename]]  [/S]  [/D]
             AIDA  [/RS [filename]]  [/S]  [/D]
             AIDA  [/F5 filename]  [/S]  [/D]

  /R    Make text report to <filename>
  /RC   Make CSV report to <filename>
  /RS   Make report summary to <filename>
  /F5   Append to <filename> if F5 key pressed
  /S    Activate safe mode
  /D    Disable debug information


or to create a report, run the batch file

a:\A.bat

which equates to:

aida /r %1 %2 %3 %4 %5

It might help to obtain some details of those system files.

You might also want to force it to boot in "LOGGED" mode (F8 during boot > select "Logged" option) to create C:\bootlog.txt.

Boot to a win98 boot floppy, swap it for a blank, and issue the commands:

attrib -h  c:\bootlog.txt
copy c:\bootlog.txt  a:\bootlog.txt
attrib  +h  c:\bootlog.txt

On an operational computer, download the Bootlog Text Analyser (BLA.EXE)

Extract from web page and readme:

http://www.vision4.dial.pipex.com/

Boot Log Analyzer for Windows 95/98 from Gemini Affinitas Ltd    (v1.22)

FREE Boot Log Analyzer utility to help in identifying Windows95/98 boot-up problems.
Looks at your Windows95 BOOTLOG.TXT file and calculates the time taken to load each driver etc, in order to help in locating any cause of lengthy boot-up times. The displayed result can be sorted by loading duration, filtered to show only those items with long durations or which reported failure, and saved to a text file.

Please note: This utility is intended for use by PC Support Personnel and Advanced Users only - interpreting the results requires in-depth technical knowledge.

Download latest BOOT LOG ANALYZER
http://www.vision4.dial.pipex.com/files/bla.zip
 
BLA Screenshot
http://www.vision4.dial.pipex.com/screen.htm
http://www.vision4.dial.pipex.com/images/bla.jpg
 
Home Page (Gemini Affinitas Ltd)
http://www.geminisoftware.co.uk/

It will sit happily on a floppy, and just ensure that you direct it to inspect a:\bootlog.txt or it will analyse the default on the C:\ drive.

It has a checkbox  "Show failures" to filter out only load failures, and then export to a text file.
THANKS - THANKS

All suggestions and tool ideas have been helpful, however, I have not been able to resolve my problem.

1)  Review of the Windows directory indicates the problem was introduced on 11/7/03 at 5 AM
2)  Discovered file in Windows directory called COMPUTER.BAT.  In Computer.BAT the lines were
     @Echo off
      IF NOT "%1" == ""  etquez.exe %1
3)  Reference from R_Rajesh
      don't know about the low resolution but try this to solve the program not found error: make sure the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command contains the following value -  "%1" %*.  Helped me with the hint...  So I rem'ed the line and some functions came back but not all.
4)   Noticed a very large file called NULL was created on the date and time that this file was created.

Since this is an old system and there is not much user data, which I can capture anyway, I am going to declare this problem closed.  I appreciate ALL the feedback, especially R_Rajesh & BillDL
Final Note, I just discovered that this problem appears to have been propagated by a virus infection by the name of  W32.Swen.A@mm.  Please reference this url..... http://www.sarc.com/avcenter/venc/data/w32.swen.a@mm.html.

Pay particular attention to how it installs itself....  Masquerades as an Internet Security update from Microsoft, including a pretty good mock up of Microsoft's install screens and messages.

Symantec advice indicates that if the install actually gets to run on the system, a quarantine and deletion is not sufficient.... I think that is where I am now....  MANY registry changes done by this virus.....

Thanks again team....  It is great to not feel so alone out here.....  ;-)
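
A way to check an exported registry for the hijacked association discussed in this thread, as an added example that is not part of the original posts: it reads a REGEDIT4 export (the format the registry file viewer mentioned above can produce from the slave drive's registry files) and reports executable file classes whose open command differs from "%1" %*. The sample export is constructed, the function names are hypothetical, and checking comfile, batfile and piffile in addition to exefile goes beyond what the thread states.

```python
import re

# Expected default value per file class (the thread gives exefile;
# the other classes are an added generalization).
EXPECTED = {cls: '"%1" %*' for cls in ("exefile", "comfile", "batfile", "piffile")}
ROOTS = ("hkey_classes_root\\", "hkey_local_machine\\software\\classes\\")

def unescape(s):
    """Undo REGEDIT4 string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)

def default_values(reg_text):
    """Yield (key_path, default_value) for every key that sets '@' to a string."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            yield key, unescape(line[3:-1])

def check_associations(reg_text):
    """Return (class, found_value) pairs whose open command is not the expected one."""
    findings = []
    for key, value in default_values(reg_text):
        low = key.lower()
        for root in ROOTS:
            if low.startswith(root):
                parts = low[len(root):].split("\\")
                if parts[1:] == ["shell", "open", "command"] and parts[0] in EXPECTED:
                    if value != EXPECTED[parts[0]]:
                        findings.append((parts[0], value))
    return findings

# Constructed sample export (not taken from the infected machine).
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="etquez.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    for cls, value in check_associations(SAMPLE):
        print(f"{cls}: unexpected open command: {value}")
```
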
ASKER CERTIFIED SOLUTION
Luc Franken
Final word on fix ---  working through Symantec instructions, and all going fine so far.  

Earlier notes on Regedit4 were also on target.  A repair file is created to repair the registry in DOS to allow programs to run from shell again as first step,  refer to Symantec link above to see how this is done.
Type sfc in the Run box; you may be prompted for the Windows CD. This repairs Windows files.
That would account for the randomly generated filename that didn't come up with anything in a google search.

My advice?

http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html

F8 at boot - Command Line Option
a:\FIXSWEN.EXE  /S /LOG /START

POWER OFF and leave it for a few minutes.

Reboot to windows 98 boot floppy with CD Rom support and reinstall Windows.

Run a full virus scan as soon as possible afterwards.

Personally, I would format the drive and reinstall, but then again I have full backups of all my essential stuff on a partition.

BillDL, isn't that the same link I've posted? I assume you did this accidentally, but still, please read previous posts before you submit.
You're quite right, LucF, and my apologies.  I typed my comment offline after reading the question and failed to reload it before I posted.  Ironically, I posted the wrong url anyway, it was supposed to be the direct download url:

http://www.symantec.com/avcenter/FixSwen.exe

What I was merely indicating was my personal view that you can spend an immense amount of time messing around fixing registry values and restoring files after running the fix, whereas a dirty install after the infection is cleared SHOULD work and save some time.

I notice now that this process is well under way, so perhaps a bit of time might save a reinstall or Format and Reinstall.

I also meant to add details of the actual vulnerability that can cause such Worms to be activated by merely reading an email containing one:

w32.swen.a@mm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message.  See:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

This update is already included in Internet Explorer 5.01 Service Pack 2, but the downloadable patch has been superseded by that discussed on:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

Similar updates apply to later versions of Outlook and Outlook Express.
Capt_Lee:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.