
qazwsx.hsq Notepad


Name: David V.
Date: December 4, 2000 at 18:20:32 Pacific
Comment:

When I start my computer I get Notepad with the file name qazwsx.hsq. I simply close it, but I don't want it to open on start-up. It is not in my start-up file, so I can't get rid of it there. The file exists in the windows directory, and when I delete it it just returns on start-up. I had this problem in Windows 98 and still have it in WIN ME. Any ideas? Thanks.




Response Number 1
Name: Eric
Date: December 4, 2000 at 18:26:53 Pacific
Reply:

Have you done a virus check?



Response Number 2
Name: Kevin The Tech Dude
Date: December 4, 2000 at 20:00:35 Pacific
Reply:

Howdy, well I would scan for a virus first with an updated virus scanner but it may be something else. Things can be loaded at startup from all kinds of places most people would never think to look. But the key thing you said is you delete the file and it comes back. That normally points to a virus even though I searched at McAfee for the file you named; it did not find anything, but that means nothing.

Laters,

Kevin The Tech Dude



Response Number 3
Name: peaterj1
Date: December 4, 2000 at 21:00:25 Pacific
Reply:

You have got a virus that attaches itself to note.exe. I had the same virus approx 2 months ago. It changes note.exe to note.com in your windows directory. It is called the QAZ worm or Trojan. Go to this link for more info: http://vil.mcafee.com/alphar.asp?



Response Number 4
Name: Glen
Date: December 5, 2000 at 16:43:24 Pacific
Reply:

I have the same problem but I also have the wininit.exe file opened up in DOS screen editor. My virus software reports a worm called I-worm\RCA5. My software cleans this problem and it does not show each time the scan is run. I also have the file show up in the _restore\temp directory.



Response Number 5
Name: newgrl
Date: December 5, 2000 at 18:29:49 Pacific
Reply:

in order to remove the infected files from your restore folder (this is the folder where system restore stores its information):

right click 'my computer'
choose properties
go to the performance tab
choose file system
go to the troubleshooting tab
put a check in 'disable system restore'
click all of the ok's until it asks you to reboot
reboot

you have just cleared out the system restore folder and disabled system restore.

now do the above again only take the check out of 'disable system restore'.
reboot.

your system restore folder should be cleared out entirely now... including the virus.

for more info see:
Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder





Response Number 6
Name: Cindy Hogg
Date: January 28, 2001 at 09:27:15 Pacific
Reply:

Here is more info about this virus:
What is the W32.HLLW.Qaz.A virus?

Situation:
You want information about the W32.HLLW.Qaz.A virus, and you want to know how to remove it.

Solution:
The following is currently known about the W32.HLLW.Qaz.A virus:


Detected as: W32.HLLW.Qaz.A
Also known as: Qaz.Trojan, Qaz.Worm
Infection Length (varies): 120320, 119296, 120297, 122880
Trigger: Each time the virus is executed.
Payload: Creates a "backdoor" on the computer.

W32.HLLW.Qaz.A was first discovered in China in July of 2000. It is a companion virus that can spread over the network. It also has a "backdoor" that will enable a remote user to connect to and control the computer. Because the virus cannot spread to computers outside of the network, it may have originally been sent out by email.

W32.HLLW.Qaz.A was originally known as Qaz.Trojan. It was renamed to W32.HLLW.Qaz.A on August 10, 2000. As of August 10th, there are 3 variants of the original virus.

This virus renames the Notepad.exe file to Note.com. It also emails the infected computer's IP address to a remote user, and it creates a backdoor to the computer. This could enable the remote user to connect to and control the computer.


How to protect your computer from the W32.HLLW.Qaz.A virus


Update virus definitions
Configure NAV for maximum protection
Configure Windows for maximum protection

To update virus definitions
Norton AntiVirus (NAV) has protected against the virus since July 18, 2000. The Symantec AntiVirus Research Center (SARC) continually updates the virus definitions to protect against new threats and variations of existing ones. You should run LiveUpdate at least once per week. You can also download the Virus Definition Update Installer from the following Internet address:

http://www.symantec.com/avcenter/download.html

To configure NAV for maximum protection
1. Start NAV, and then click Options.
2. Click Manual Scans (NAV 2000) or the Scanner tab (NAV 5.0).
3. Click All files.
4. Click Auto-Protect.
5. Click All files.
6. Click OK, and then exit NAV.

To configure Windows for maximum protection
Because this virus spreads by using shared folders on networked computers, to ensure that the virus does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.


How to remove the W32.HLLW.Qaz.A virus

1. Delete the virus's program files
2. Remove the startIE and bymer.scanner registry entries
3. Restore the original Notepad.exe file

If you are on a network, then you must perform these steps for each computer connected to the network.

NOTES:
A tool that will help remove this virus has been developed by the Symantec AntiVirus Research Center (SARC). To download the tool, go to:

http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.fix.html

Some components of this virus are distributed, at least in part, using an illegally altered version of a legitimate program. For additional information on distributed.net, the legitimate program that has been illegally altered to do this, see the document What is Distributed.net?

To delete the virus's program files
Run a full system scan and delete any infected files. Boot to MS-DOS mode, and then delete the virus infected Notepad.exe and Note.com files, and in some cases, an infected copy of the Wininit.exe file. Follow these steps to do this:

NOTE: These instructions tell you to delete the files in MS-DOS mode. This is done because you must be disconnected from the network when deleting these files. If you are sure that you can restart the computer without connecting to the network, then the files can be deleted in Windows using Windows Explorer.

1. After running LiveUpdate to make sure that you have the most recent virus definitions, run a full system scan, making sure that NAV is set to scan all files as previously described.
2. Delete any files that NAV finds that are infected with this virus.
3. Click Start, and then click Shut Down.
4. Click Restart in MS-DOS mode, and then click OK. The computer restarts to DOS mode, at the C:\Windows prompt.

NOTE: This feature has been removed from Windows Me. If you are using Windows Me, you will have to use a Windows Me startup disk to boot to DOS. See your Windows Me documentation for information on how to do this.

5. Type the following, pressing Enter after each line:

del notepad.exe
del note.com

6. Type the following, and then press Enter:

cd system

The prompt should now look similar to the following:

C:\Windows\System>

CAUTION: The next step will have you delete a file. This file may not be found on all systems infected with this virus. It is extremely important that you make sure that you are at the \Windows\System prompt and not at the \Windows prompt. A core Windows file with this file name is in the \Windows folder. If you delete the wrong copy, then you may not be able to restart Windows.

7. Type the following, and then press Enter:

del wininit.exe

8. Restart the computer. Click OK if you see any error messages.

To remove the startIE and bymer.scanner registry entries
There is one, and in some cases, two registry entries that must be removed. Follow these steps to do this:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or damaged files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows 95/98/NT registry before proceeding.

1. Click Start, and then click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, look for the following Name and Data:

startIE "notepad qazwsx.hsq"

NOTES:
In most cases, the text in the Data column points to Notepad. A few cases have been reported in which it pointed to a different file. In either case, this entry points to the virus and must be deleted.
In some cases, this entry does not exist. If it does not exist, then skip to step 6.

5. Delete the startIE value. Click Yes to confirm.
6. In the right pane, look for the following value:

bymer.scanner

7. If it exists, then select it, press Delete, and then click Yes to confirm.
8. Exit the Registry Editor.

To restore the original Notepad.exe file
Notepad is not an essential Windows program. It is useful for viewing and editing text-only files, such as readme files containing last-minute program information. Otherwise, you can use Wordpad or Microsoft Word to open text files when necessary.

If you want to restore this file, the easiest method is to copy it from the C:\Windows folder of an uninfected computer that is running the same version of Windows.

Perform another full system scan when finished.


Technical description

W32.HLLW.Qaz.A is a Win32 companion virus that can spread over a network. W32.HLLW.Qaz.A also has a backdoor that enables a remote user to connect to and control the computer. Because W32.HLLW.Qaz.A does not have the ability to spread to computers outside of a network, it may have originally been sent out by email. When W32.HLLW.Qaz.A is launched, it will search for and rename Notepad.exe to Note.com. W32.HLLW.Qaz.A will then copy itself to the computer as Notepad.exe. Each time Notepad.exe is executed, it will run the virus code and the original Notepad, which was renamed to Note.com, to avoid being noticed. The virus adds the following string value:

startIE "notepad qazwsx.hsq"

to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

W32.HLLW.Qaz.A will enumerate through the network neighborhood and attempt to find a computer to infect. When it finds a computer, it will infect it by searching for Notepad.exe and making the same modifications as previously described. It does not require any mapped drives to infect other computers. Once the computer is infected, its IP address will be emailed to a remote user. The backdoor payload in the virus will utilize WinSock and await connection. This enables a hacker to connect to and then gain access to the infected computer.


--------------------------------------------------------------------------------
Product(s): General, SARC, Virus Information
Operating System(s): Windows 95, Windows 98
Document ID: 2000082422364106
Date Created: 08/24/2000
Last Modified: 12/21/2000
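
A triage sketch for the indicators named in this thread, added here as an example (it is not code from Symantec or from any poster): it parses a REGEDIT4 registry export and a file listing for the startIE and bymer.scanner Run values and the dropped files. The function names, the sample data, and the use of the listed infection lengths as a size check on Notepad.exe are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"startie", "bymer.scanner"}             # value names from the removal steps
DROPPED = {("note.com",), ("qazwsx.hsq",), ("system", "wininit.exe")}
INFECTION_LENGTHS = {120320, 119296, 120297, 122880}  # lengths listed in the write-up
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def run_values(reg_text):
    """Return {name: data} for string values under the Run key of a REGEDIT4 export."""
    values, in_run = {}, False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()  # exact key, not RunOnce etc.
        elif in_run and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            values[name] = data
    return values

def relative_parts(path, windir):
    """Lower-cased path components below windir, or None if the path is elsewhere."""
    parts = PureWindowsPath(path.lower()).parts
    root = PureWindowsPath(windir.lower()).parts
    return parts[len(root):] if parts[:len(root)] == root else None

def find_indicators(reg_text, files, windir=r"C:\Windows"):
    """files: iterable of (path, size). Returns a list of (kind, item, detail) hits."""
    hits = [("registry", n, d) for n, d in run_values(reg_text).items()
            if n.lower() in RUN_VALUES]   # any startIE data counts, per the NOTES
    for path, size in files:
        rel = relative_parts(path, windir)
        if rel in DROPPED:                # \Windows\Wininit.exe is the real one: no hit
            hits.append(("file", path, "name and location match"))
        elif rel == ("notepad.exe",) and size in INFECTION_LENGTHS:  # assumed heuristic
            hits.append(("file", path, f"size {size} matches a listed infection length"))
    return hits

# Constructed sample input (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"startIE"="notepad qazwsx.hsq"
'''
SAMPLE_FILES = [(r"C:\WINDOWS\NOTEPAD.EXE", 120320), (r"C:\WINDOWS\NOTE.COM", 53248),
                (r"C:\WINDOWS\WININIT.EXE", 40960), (r"C:\WINDOWS\SYSTEM\WININIT.EXE", 120320)]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(hit)
```

A size match on Notepad.exe is only a hint that warrants a scan, since the write-up says the length varies between variants.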

