Solved

Infected Windows 98 system....  etqueze.exe ???

Posted on 2003-11-13
21
366 Views
Last Modified: 2013-12-28
I am working on a client machine, Windows 98.  I have disinfected the hard drive on a test system as a slave hard drive.  

Primary symptoms are:

Windows screen appears to be at lowest resolution, but not booting to safe mode.
No problems with boot up observed.
ANY attempt to do anything responds with a windows error box.  

Title: Program Not Found

Message:

Windows cannot find etquez.exe
This program is needed to open files of type 'Application'

Location of etquez.exe
"here is a dialog box to browse for a file"

booted to DOS and looked at the Autoexec.bat file and do not see anything out of the ordinary there

Attempted safe mode and same symptoms.

Searched all over the internet for etquez.exe

Any ideas?
0
Comment
Question by:Capt_Lee
21 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9739635
0
 
LVL 24

Expert Comment

by:R_Rajesh
ID: 9739655
Hi Capt_Lee,

don't know about the low resolution but try this to solve the program not found error: make sure the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command contains the following value -  "%1" %*

Cheers!

Raj
0
 

Author Comment

by:Capt_Lee
ID: 9739771
First comment will not work, because any attempt to do anything comes up with this error.  So I cannot run the adware hunting software without getting the error, or even bring up a browser.

The Registry idea is interesting, I am attempting to reboot to windows to see if I can run regedit.

regedit will not run also.

Is there a way to edit a registry file when this drive is a slave on another system?
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9740081
You might want to try to do a Windows installation on top of the existing one, just boot from your Win98 CD-ROM and let it install (in c:\windows, not c:\windows.000 as it might suggest to you). Afterwards, you should be able to run the ad-ware scanners and virus scanners again.

LucF
0
 
LVL 24

Expert Comment

by:R_Rajesh
ID: 9740111
rename regedit.exe to regedit.com that should work
0
 
 
LVL 4

Expert Comment

by:kabix
ID: 9744403
Boot the system to MS-DOS and run virus software for DOS, like www.f-prot.com.
You could also try PEBuilder at http://www.nu2.nu/pebuilder/ This program will start the computer with a Windows interface, however it will not start actual Windows. You can run the registry editor from there and edit whatever you want.
0
 

Author Comment

by:Capt_Lee
ID: 9745250
Thanks for the idea about PEBuilder, and I will most likely use this tool someday in the future, however it will not run in a windows 98 environment.

From the help file:

PE Builder (pebuilder.exe) runs on Windows 2000/XP/2003. It does not run on Windows NT4/ME/9x.

0
 
LVL 38

Expert Comment

by:BillDL
ID: 9745750
This tool would allow you to inspect the 2 .dat files that comprised the old registry on the drive that is now the slave, or from any source if you can copy those files out into another functional machine:

MiTeC Windows Registry File Viewer Version 1.8:
21.10.2003

http://www.mitec.cz/
http://www.mitec.cz/regtools.htm#RFV

Fixed Unicode character decoding
Values of type REG_MULTI_SZ are now displayed as strings
Searching now processes all value types including REG_BINARY
Possibility to save binary data to file

Description

Viewer for standalone files containing Windows registry hives (e.g. NTUSER.DAT, SYSTEM.1ST, SAM, etc.).

It features extended registry searching, registry dumping and exporting to REGEDIT4 format and detailed key information including security (NT) and hash values.
For NT registry values of type REG_RESOURCE_LIST, Resource information is shown in Data View.
 
Target platforms
MS Windows 9x, MS Windows ME, MS Windows NT 4.x, MS Windows 2000, MS Windows XP, MS Windows Server 2003

Status
Freeware

http://www.mitec.cz/Data/Screenshots/RFV.gif
http://www.mitec.cz/downloads.htm

MiTeC Windows Registry File Viewer 1.8  http://www.mitec.cz/Downloads/RFV.zip

-------------------------------------------

Registry Viewer 2.0  http://www.mitec.cz/Downloads/RegView.zip

Description
Viewer for REGEDIT4 and REGEDIT5 files and local or remote registry.
It supports bookmarks, searching and registry exporting.
 
Target platforms
MS Windows 9x, MS Windows ME, MS Windows NT 4.x, MS Windows 2000, MS Windows XP, MS Windows Server 2003

Status
Freeware
0
 
LVL 38

Expert Comment

by:BillDL
ID: 9745800
There is also one tool that would allow you to obtain a report of your system from DOS.

The well known AIDA32 Windows Diagnostics reporting utility:

http://www.aida32.hu/aida-features.php?bit=32

http://www.aida32.hu/aida-download.php?bit=32

has an equivalent 16-bit "sysinfo" tool that will run from a floppy.

http://www.aida32.hu/aida-download.php?bit=16

http://www.aida32.hu/download/aida16en_211.zip

Swap the slave drive back to Master without rebooting, boot to a win98 boot floppy, and then swap it for the floppy with the 16-bit AIDA program on it.

Just call it with the command:

a:\AIDA.EXE

Usage:  AIDA  [/S]
             AIDA  [/R [filename]]  [/S]  [/D]
             AIDA  [/RC [filename]]  [/S]  [/D]
             AIDA  [/RS [filename]]  [/S]  [/D]
             AIDA  [/F5 filename]  [/S]  [/D]

  /R    Make text report to <filename>
  /RC   Make CSV report to <filename>
  /RS   Make report summary to <filename>
  /F5   Append to <filename> if F5 key pressed
  /S    Activate safe mode
  /D    Disable debug information


or to create a report, run the batch file

a:\A.bat

which equates to:

aida /r %1 %2 %3 %4 %5

It might help to obtain some details of those system files.

0

 
LVL 38

Expert Comment

by:BillDL
ID: 9745818
You might also want to force it to boot in "LOGGED" mode (F8 during boot > select "Logged" option) to create C:\bootlog.txt.

Boot to a win98 boot floppy, swap it for a blank, and issue the commands:

attrib -h  c:\bootlog.txt
copy c:\bootlog.txt  a:\bootlog.txt
attrib  +h  c:\bootlog.txt

On an operational computer, download the Bootlog Text Analyser (BLA.EXE)

Extract from web page and readme:

http://www.vision4.dial.pipex.com/

Boot Log Analyzer for Windows 95/98 from Gemini Affinitas Ltd    (v1.22)

FREE Boot Log Analyzer utility to help in identifying Windows95/98 boot-up problems.
Looks at your Windows95 BOOTLOG.TXT file and calculates the time taken to load each driver etc, in order to help in locating any cause of lengthy boot-up times. The displayed result can be sorted by loading duration, filtered to show only those items with long durations or which reported failure, and saved to a text file.

Please note: This utility is intended for use by PC Support Personnel and Advanced Users only - interpreting the results requires in-depth technical knowledge.

Download latest BOOT LOG ANALYZER
http://www.vision4.dial.pipex.com/files/bla.zip
 
BLA Screenshot
http://www.vision4.dial.pipex.com/screen.htm
http://www.vision4.dial.pipex.com/images/bla.jpg
 
Home Page (Gemini Affinitas Ltd)
http://www.geminisoftware.co.uk/

It will sit happily on a floppy, and just ensure that you direct it to inspect a:\bootlog.txt or it will analyse the default on the C:\ drive.

It has a checkbox  "Show failures" to filter out only load failures, and then export to a text file.
0
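As an added example (not code from the thread, and not Boot Log Analyzer's own code), here is a small Python script that does what BillDL describes BLA doing: it times each step recorded in a Windows 98 BOOTLOG.TXT and lists the load failures, so a copy pulled off the floppy as above can be checked on any working machine. It assumes the line shape "[hex tick] Keyword = Target" with the tick as a millisecond counter, that a "Loading Vxd" line is closed by "LoadSuccess" or "LoadFailed", and that other start keywords are closed by the same keyword with SUCCESS or FAILED appended; the sample log is constructed.

```python
"""Time the steps in a Windows 98 BOOTLOG.TXT and list the load failures.

Added example, not code from Boot Log Analyzer or anyone in the thread.
Assumptions: each line looks like "[hex tick] Keyword = Target", the tick
is a millisecond counter, a "Loading Vxd" line is closed by "LoadSuccess"
or "LoadFailed", and other start keywords (DEVICEINIT, SYSCRITINIT, ...)
are closed by the same keyword with SUCCESS or FAILED appended.  The
sample log below is constructed.
"""
import re

LINE_RE = re.compile(r"^\[([0-9A-Fa-f]{8})\]\s*(.+?)\s*=\s*(.+?)\s*$")

# Constructed sample; ticks chosen so the durations are easy to check.
SAMPLE_BOOTLOG = """\
[000BE7A4] Loading Vxd = VMM
[000BE7A4] LoadSuccess = VMM
[000BE7A5] Loading Vxd = CONFIGMG
[000BE7B9] LoadSuccess = CONFIGMG
[000BE7C0] Loading Vxd = ndis2sup.vxd
[000BE7C1] LoadFailed = ndis2sup.vxd
[000BE800] DEVICEINIT = VMM
[000BE802] DEVICEINITSUCCESS = VMM
[000BE803] DEVICEINIT = IOS
[000BEBEB] DEVICEINITSUCCESS = IOS
"""


def classify(keyword):
    """Map a result keyword to (start keyword, succeeded); None for start lines."""
    if keyword == "LoadSuccess":
        return "Loading Vxd", True
    if keyword == "LoadFailed":
        return "Loading Vxd", False
    for suffix, ok in (("SUCCESS", True), ("FAILED", False)):
        if keyword.upper().endswith(suffix) and len(keyword) > len(suffix):
            return keyword[:-len(suffix)], ok
    return None


def parse_bootlog(text):
    """Pair start/result lines; return one record per completed or failed step."""
    pending, records = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                    # untimed or free-form line, ignored
        tick, keyword, target = int(m.group(1), 16), m.group(2), m.group(3)
        outcome = classify(keyword)
        if outcome is None:
            pending[(keyword, target)] = tick   # remember when the step began
            continue
        step, ok = outcome
        start = pending.pop((step, target), None)
        records.append({
            "step": step, "target": target, "ok": ok,
            "ms": None if start is None else tick - start,
        })
    return records


def failures(records):
    """Only the steps that reported failure (BLA's "Show failures" box)."""
    return [r for r in records if not r["ok"]]


def slowest(records, n=10):
    """Steps sorted by load duration, longest first; untimed steps go last."""
    return sorted(records, key=lambda r: -1 if r["ms"] is None else r["ms"],
                  reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_bootlog(SAMPLE_BOOTLOG)
    print("failures:", [r["target"] for r in failures(recs)])
    for r in slowest(recs, 3):
        print(f'{str(r["ms"]):>6} ms  {r["step"]} {r["target"]}')
```

Point it at the copied a:\bootlog.txt rather than the constructed sample; a driver that takes seconds to load, or one that fails outright, shows up at the top of the two lists.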
 

Author Comment

by:Capt_Lee
ID: 9749499
THANKS - THANKS

All suggestions and tool ideas have been helpful, however, I have not been able to resolve my problem.

1)  Review of the Windows directory indicates the problem was introduced on 11/7/03 at 5 AM
2)  Discovered file in Windows directory called COMPUTER.BAT.  In Computer.BAT the lines were
     @Echo off
      IF NOT "%1" == ""  etquez.exe %1
3)  Reference from R_Rajesh
      don't know about the low resolution but try this to solve the program not found error: make sure the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command contains the following value -  "%1" %*.  Helped me with the hint...  So I rem'ed the line and some functions came back but not all.
4)   Noticed a very large file called NULL was created on the date and time that this file was created.

Since this is an old system and there is not much user data, which I can capture anyway, I am going to declare this problem closed.  I appreciate ALL the feedback, especially R_Rajesh & BillDL
0
 

Author Comment

by:Capt_Lee
ID: 9749703
Final Note, I just discovered that this problem appears to have been propagated by a virus infection by the name of  W32.Swen.A@mm.  Please reference this url..... http://www.sarc.com/avcenter/venc/data/w32.swen.a@mm.html.

Pay particular attention on how it installs itself....  Masquerades as an Internet Security update from Microsoft, including a pretty good mock up of Microsoft's install screens and messages.

Symantec advice indicates that if the install actually gets to run on the system, a quarantine and deletion is not sufficient.... I think that is where I am now....  MANY registry changes done by this virus.....

Thanks again team....  It is great to not feel so alone out here.....  ;-)
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 500 total points
ID: 9749756
0
 

Author Comment

by:Capt_Lee
ID: 9749926
Final word on fix ---  working through Symantec instructions, and all going fine so far.  

Earlier note on Regedit4 was also on target.  A repair file is created to repair the registry in DOS to allow programs to run from the shell again as a first step; refer to the Symantec link above to see how this is done.
0
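As an added example (not code from the thread, from Symantec, or from any tool linked above), the following Python script ties together R_Rajesh's registry hint and the REGEDIT4 repair file Capt_Lee mentions: it parses a REGEDIT4 export, reports whether the default value under HKEY_CLASSES_ROOT\exefile\shell\open\command is still "%1" %* or has been pointed at something else (the "Windows cannot find etquez.exe ... files of type 'Application'" symptom), and emits a REGEDIT4 file that restores the default. The sample export is constructed; the hijacked value in it is an assumption of what such an entry looks like, not a dump from the infected machine.

```python
"""Check a REGEDIT4 export for a hijacked EXE file association.

Added example, not code from the thread or from any tool mentioned in it.
The "Windows cannot find etquez.exe ... needed to open files of type
'Application'" error matches an altered default value under
HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command, which R_Rajesh said should
be "%1" %*.  The sample export below is constructed for illustration.
"""
import re

TARGET_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_COMMAND = '"%1" %*'   # default .exe association on Windows 9x

# Constructed sample export (not a real dump from the infected machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="etquez.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

# name="data" or @="data"; REGEDIT4 escapes backslash and quote with a backslash
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s):
    """Undo REGEDIT4 string escaping: a backslash escapes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_regedit4(text):
    """Return {key: {value_name: data}} for the string values in an export.
    Only REG_SZ lines are handled; hex:/dword: values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def check_exefile_command(export_text):
    """Return ('ok' | 'hijacked' | 'missing', current default value)."""
    value = parse_regedit4(export_text).get(TARGET_KEY, {}).get("@")
    if value is None:
        return "missing", None
    return ("ok" if value == EXPECTED_COMMAND else "hijacked"), value


def repair_reg_text():
    """REGEDIT4 file that restores the default .exe association: the shape of
    repair file the thread refers to, to be imported with regedit."""
    return 'REGEDIT4\n\n[' + TARGET_KEY + ']\n@="\\"%1\\" %*"\n'


if __name__ == "__main__":
    status, value = check_exefile_command(SAMPLE_EXPORT)
    print("exefile open command:", status, repr(value))
    if status != "ok":
        print("repair file to import:\n" + repair_reg_text())
```

The parser only understands REG_SZ lines, which is all this check needs; the repair text it produces parses back to the expected value, so the same check can be re-run after the import to confirm the association is back to normal.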
 
LVL 16

Expert Comment

by:joinaunion
ID: 9750259
Type sfc in the Run box; you may be prompted for the Windows CD. This repairs Windows files.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 9750997
That would account for the randomly generated filename that didn't come up with anything in a google search.

My advice?

http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html

F8 at boot - Command Line Option
a:\FIXSWEN.EXE  /S /LOG /START

POWER OFF and leave it for a few minutes.

Reboot to windows 98 boot floppy with CD Rom support and reinstall Windows.

Run a full virus scan as soon as possible afterwards.

Personally, I would format the drive and reinstall, but then again I have full backups of all my essential stuff on a partition.

0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9751139
BillDL, isn't that the same link I've posted? I assume you did this accidentally, but still, please read previous posts before you submit.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 9752032
You're quite right, LucF, and my apologies.  I typed my comment offline after reading the question and failed to reload it before I posted.  Ironically, I posted the wrong url anyway, it was supposed to be the direct download url:

http://www.symantec.com/avcenter/FixSwen.exe

What I was merely indicating was my personal view that you can spend an immense amount of time messing around fixing registry values and restoring files after running the fix, whereas a dirty install after the infection is cleared SHOULD work and save some time.

I notice now that this process is well under way, so perhaps a bit of time might save a reinstall or Format and Reinstall.

I also meant to add details of the actual vulnerability that can cause such Worms to be activated by merely reading an email containing one:

w32.swen.a@mm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message.  See:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

This update is already included in Internet Explorer 5.01 Service Pack 2, but the downloadable patch has been superseded by that discussed on:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

Similar updates apply to later versions of Outlook and Outlook Express.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9753312
;-)
0
 

Expert Comment

by:CleanupPing
ID: 9977514
Capt_Lee:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
