Discovered: October 18, 2000
Updated: August 24, 2005 12:00:00 AM
Type: Removal Information

This tool repairs the damage done by the W32.HLLW.QAZ.A virus.

How to obtain and use the W32.HLLW.QAZ.A Fix Tool

Download the fixqaz.exe file to the root of drive C.
Close all programs.
Click Start -> Programs -> MS-DOS Prompt. An MS-DOS window will open.
Change to the following location where you saved the fixqaz.exe tool by typing the following and pressing Enter:

At the C:\> prompt, type

fixqaz c:\

and then press Enter. This will scan all files on the infected system.

This completes the process.

Because this virus spreads through shared folders on networked computers, Symantec suggests sharing with read-only access or using password protection to ensure that the virus does not reinfect the computer after it has been removed. For instructions on how to do this, see your Windows documentation or the document:

Title: How to configure shared Windows folders for maximum network protection
Document ID: 2000091415173339

Also, to ensure your system is not infected with any other viruses, the Symantec AntiVirus Research Center recommends you do a full scan with your anti-virus software.

What the tool does

The W32.HLLW.QAZ.A Fix Tool performs the following tasks:
Removes the following registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "StartIE"="C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq"

Scans for all QAZ files, and deletes them if possible. If not possible, the tool creates a Wininit.ini file that will delete the QAZ files when the machine is restarted. A message notifying the user of this action will be displayed prior to restarting., if it exists, is renamed to Notepad.exe.
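
To confirm that the Run entry listed above is gone after the tool has run, a registry export can be checked offline. The following is an added example, not part of the Symantec tool or the original page; it assumes a REGEDIT4-style text export already decoded to a string, and the function names and sample export are constructed for illustration.

```python
import re

# Indicators taken from the Run entry listed on this page.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
QAZ_VALUE_NAME = "startie"
QAZ_DATA_MARKER = "qazwsx.hsq"

# A "name"="data" line of a .reg export; escaped characters may appear inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(text):
    """Undo .reg string escaping: a backslash followed by a character yields that character."""
    return re.sub(r"\\(.)", r"\1", text)


def find_qaz_run_entries(reg_text):
    """Return (name, data) pairs under the HKLM Run key that match the QAZ entry."""
    hits = []
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: only values under the exact Run key are inspected.
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line) if in_run_key else None
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if name.lower() == QAZ_VALUE_NAME or QAZ_DATA_MARKER in data.lower():
            hits.append((name, data))
    return hits


# Constructed sample export (not captured from a real machine).
SAMPLE_INFECTED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"StartIE"="C:\\WINDOWS\\NOTEPAD.EXE qazwsx.hsq"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"StartIE"="unrelated"
'''

# The same export with the QAZ line removed, as it should look after cleanup.
SAMPLE_CLEAN = "\n".join(l for l in SAMPLE_INFECTED.splitlines() if "qazwsx" not in l)
```

An empty result from find_qaz_run_entries means the Run entry is no longer present in the export; it says nothing about QAZ files still on disk, which the full scan recommended above covers.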

To verify the digital signature of fixqaz.exe

Go here
Download and save chktrust.exe into the same directory as fixqaz.exe.

Click Start -> Programs -> MS-DOS prompt.

Change to the directory where fixqaz.exe and chktrust.exe are stored. If the files were saved to the desktop folder, enter the following command at the MS-DOS prompt:

cd \windows\desktop

Type the following command to check the digital signature of fixqaz.exe:

chktrust -i fixqaz.exe

If the digital signature is valid, you will see a dialog asking the following question:

"Do you want to install and run "FixQAZ.exe" signed on 10/18/2000 5:37PM and distributed by Symantec Corporation."

The date and time displayed in this dialog will be adjusted to your time zone if your computer is not set to the Pacific time zone. For example, if you live in the Eastern time zone, the date and time you will see will be 10/18/2000 8:37PM.

You might also see the text message "Result:0" displayed following the command line. If you do, then the test is positive and the file is confirmed as being from Symantec.

If this dialog or text message does not appear, or the date and time are not properly adjusted for your time zone, do not use your copy of fixqaz.exe. It is not from Symantec.

If this dialog appears and the text is correct for your time zone, this copy of fixqaz.exe is from Symantec.

Click the "Yes" button to dismiss the chktrust dialog.

Type exit and then press the Enter key. This will close the MS-DOS window.