Millikin University
Removing the Downloader-CIW virus

The Downloader-CIW virus recently appeared on campus. It spreads through a Windows flaw discovered a couple of months ago. The Windows update that fixes this flaw has been available for a while, and only machines that do not have this update are vulnerable to the virus.

Symptoms of infection: when you log in to your machine, you will see your background picture, but your Start menu will not display and no icons will appear on your desktop.

This procedure should remove the new virus from your computer. Please note that editing the registry is VERY DANGEROUS and can render your system UNUSABLE. Please also note that Information Technology cannot be responsible for any damages you incur when doing this, and that we cannot help you if such damages do occur.

This process will take between one and three hours, and must be done in one sitting. If you leave your machine for any length of time, there is a good possibility that you will become reinfected with this virus, so you must do every step in order in one sitting.

1. Restart your computer in SAFE mode:
    a. As soon as your computer makes the “beep” noise, start pressing the F8 key very frequently.
    b. This will bring up a boot menu. Select Safe Mode from the list.
    c. If you have Windows XP, it will then probably make you pick your operating system – just select the one that is in the list.
    d. When you get all the way into Windows, it should let you know that your computer is running in Safe mode. If this is not the case, restart your computer and try again (sometimes it can take a couple of tries to get into Safe mode.)
    e. IT MAY SEEM LIKE YOUR COMPUTER IS LOCKED UP AT SEVERAL TIMES DURING THE BOOT PROCESS – this is normal. It should log in after about 5-10 minutes.

2. Go to Start, Run and type in regedit then hit OK.
3. Go to the Edit menu, then select Find.
4. In the Find What: box, type in csrs.exe
5. Click Find next
6. On the right-hand side, it will list csrs.exe in the list. Click on the name to the left of this entry (probably Com+ Sys), then click on the Delete button.
7. Press F3 to find the next occurrence, then repeat step 6 and this step until it says Finished searching through the registry.
8. Repeat steps 3 through 7, but this time searching for norton32.exe in step 4. When you get to step 6, instead of saying Com+ Sys, it would say norton32.
9. Repeat steps 3 through 7, but this time searching for winusb32.exe in step 4. When you get to step 6, instead of saying Com+ Sys, it would say Windows USB Driver.
10. Exit out of the Registry Editor.
11. Go to the Start menu, click on Search, (then click on For files or folders if given the option.)
12. On the left side, tell it to search for All files and folders.
13. In the box labeled All or part of the file name: type in csrs.exe, then click on the Search button. On the right-hand side, it will display each place it finds this program. Click on the program, then press the Delete key on the keyboard. Make sure that it says csrs.exe, because there are other important Windows programs that are named similarly.
14. When the search is done, on the left hand side, click on the option that says Change file name or keywords.
15. In the box that says What word or words do you remember in the name or contents of the file? Type in norton32.exe, then click on Search.
16. On the right-hand side, it will display each place it finds this program. Click on the program, then press the Delete key on the keyboard.
17. When the search is done, on the left hand side, click on the option that says Change file name or keywords.
18. In the box that says What word or words do you remember in the name or contents of the file? Type in winusb32.exe, then click on Search.
19. On the right-hand side, it will display each place it finds this program. Click on the program, then press the Delete key on the keyboard.
20. Empty your recycle bin.
21. Restart your computer in normal mode, and log into your computer. If you are able to get into your machine fully, you have successfully removed the virus. If not, either you missed part of one of the steps, or you have an extra copy of the virus on your system. If you are absolutely sure that you successfully completed the steps, please call the IT office at x6488 and ask for Shane or Chris – we will walk you through determining if you do indeed have an extra copy of the virus, then will update our documentation for the newly-found copy.
22. Run Windows Updates. This is essential, because the virus propagates through a Windows flaw that was discovered several months ago.
23. Run Windows Updates.
24. It is imperative that you run Windows Updates.
    a. If you need help doing this, go to the IT website page on this at /it/techservices/pcmaintenance/default.asp and follow the instructions there.
25. Install the Millikin Virus software. Instructions for this are available at: /it/techservices/studentpcs/ePolicy.asp
26. Restart your computer in Safe mode again (see step 1) and run a virus scan. To do this, go to Start, Programs, Network Associates, On Demand Scan, and then click on Scan Now.
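
A way to double-check the registry part of this procedure (steps 2 through 10), added here as an example and not part of the Millikin IT instructions: export the registry from the Registry Editor (File, Export) and scan the text for string values that still name one of the three files. The file names and value names come from the steps above; the sample export, its key paths and the function names are constructed for illustration.

```python
import re

# File names the removal steps search for (taken from the page).
TARGETS = {"csrs.exe", "norton32.exe", "winusb32.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" string values; \" and \\ are escaped inside .reg files.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# File-name tokens ending in .exe inside the value data.
EXE_RE = re.compile(r'[^\\/\s"]+\.exe', re.IGNORECASE)


def unescape(text):
    """Undo .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", text)


def find_leftovers(reg_text):
    """Return (key, value name, data) for string values naming a target file."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # dword and hex-encoded values are skipped
        name, data = unescape(m.group(1)), unescape(m.group(2))
        # Compare whole file names so csrss.exe (a real Windows file) is not flagged.
        if {t.lower() for t in EXE_RE.findall(data)} & TARGETS:
            hits.append((key, name, data))
    return hits


# Constructed sample export; the key paths are placeholders, not from the page.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Constructed\Autostart]
"Com+ Sys"="csrs.exe"
"Windows USB Driver"="C:\\WINDOWS\\system32\\winusb32.exe"
"Subsystem"="C:\\WINDOWS\\system32\\csrss.exe"
"Counter"=dword:00000001

[HKEY_CURRENT_USER\Software\Constructed\Autostart]
"norton32"="norton32.exe"
'''
```

On a real machine, read the exported file with `open(path, encoding="utf-16")`, since the Registry Editor's default export format is UTF-16, and pass its contents to `find_leftovers`; an empty result means no string value still points at the three files.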
