Tuesday, July 28, 2009

The Best Freeware Tools to Detect and Remove the Conficker/Downadup/Kido worm

In my previous post I talked about how to manually clean and remove the Downadup worm. I wrote that article back in March 2009, when new variants of Downadup were appearing for which antivirus vendors had not yet developed definitions. Since mid-April, however, I have not personally encountered any new or unique variants of Downadup, so I did a quick evaluation of almost all the Conficker removal tools listed here:
http://isc.sans.org/diary.html?storyid=5860
The tests were run on live infected machines and networks. What I found:

The best downadup detection tool:

McAfee Conficker Detection Tool: http://www.mcafee.com/us/enterprise/confickertest.html
This program ROCKS! It is one of only two McAfee products I would recommend every enterprise to have, the other being Secureweb.
The detection tool requires no installation, is very easy to use and is extremely fast. I have been using it since April, after McAfee fixed a bug in it. Every business I have recommended it to has praised it highly.

The best downadup removal tool:

I have found that the Kaspersky Kido Killer (KK.exe) is the best so far. It requires no installation and no reboot, and it is fast and effective. It has worked on the different variants I have come across offline. Sadly, when I tested the BitDefender Conficker removal tool (which I had expected to be good) on some machines, it detected one of the variants but did not successfully remove it.

KK.exe has some useful command-line switches: besides removing the infection it can restore the Windows services the worm disabled (it does not restore Windows Defender or the Security Center, though), restore the display of hidden system files, disable autorun, restore the SafeBoot registry keys, and more.

I commonly use the following command line (-j restores the SafeBoot keys, -a disables autorun, -x restores the display of hidden system files, and -l writes the report to the named file):
kk.exe -j -a -x -l report.txt

Windows Defender and the Windows Security Center can then be restored with the following commands, run from an administrator command prompt (note that sc.exe requires the space after "start="):
sc config wscsvc start= auto
sc config WinDefend start= auto
sc start wscsvc
sc start WinDefend
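To run the whole cleanup unattended on a batch of machines, I wrap the KK.exe command line and the sc commands above in one script that also verifies the result. This is an added example written for this post, not code from Kaspersky or from the KK.exe distribution. It assumes kk.exe sits in the same folder as the script and that the script runs from an administrator prompt. The two service names on the page (wscsvc, WinDefend) are the ones it restores; the longer list it checks (wuauserv, BITS, ERSvc as well) is the set of services Conficker is known to disable, and the SHOWALL registry value it prints is the one the worm changes to hide system files.

```batch
@echo off
rem clean-kido.cmd : added example, not from the original post or from Kaspersky.
rem Runs KK.exe, restores the two services KK.exe leaves disabled, then verifies.
rem Assumptions: kk.exe is next to this script; run from an administrator prompt.
setlocal enabledelayedexpansion

set KK=%~dp0kk.exe
set REPORT=%~dp0kk-report-%COMPUTERNAME%.txt

if not exist "%KK%" (
    echo kk.exe not found next to this script: %KK%
    exit /b 1
)

rem 1. Remove the infection, restore SafeBoot keys, disable autorun,
rem    restore hidden-file display, and write a per-machine report.
rem    (Same switches as the command line in the post.)
"%KK%" -j -a -x -l "%REPORT%"

if not exist "%REPORT%" (
    echo kk.exe did not write a report; check the console output.
    exit /b 1
)

rem 2. Bring back Security Center and Windows Defender, which KK.exe
rem    does not restore. sc.exe needs the space after "start=".
for %%S in (wscsvc WinDefend) do (
    sc config %%S start= auto >nul
    sc start %%S >nul 2>&1
)

rem 3. Verify: every service the worm is known to disable should be RUNNING.
rem    A service that is not installed at all (e.g. Windows Defender on a bare
rem    XP box) is reported as info, not as a failure.
set FAILED=0
for %%S in (wscsvc WinDefend wuauserv BITS ERSvc) do (
    sc query %%S 2>nul | find "RUNNING" >nul
    if errorlevel 1 (
        sc query %%S >nul 2>&1
        if errorlevel 1 (
            echo [info] %%S is not installed on this machine
        ) else (
            echo [FAIL] %%S is not running
            set FAILED=1
        )
    ) else (
        echo [ ok ] %%S is running
    )
)

rem 4. Show the KK.exe report and the registry value the worm sets to 0 to
rem    hide system files; after -x it should read 0x1. Left for the operator
rem    to eyeball rather than auto-fixed here.
echo ---- %REPORT% ----
type "%REPORT%"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue

exit /b %FAILED%
```

The script exits non-zero when any installed service is still stopped, so it can be pushed out with psexec or a logon script and the exit code collected per machine; the per-machine report file name makes it easy to gather the KK.exe logs from a share afterwards.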


The worst tool I came across was the Symantec Downadup removal tool. It had been scanning for over 6 hours, and since I am impatient I gave up and aborted it, so I cannot say whether it actually detects or removes the worm.

1 comment:

  1. Nice information, AbuIbrahim.

    Keep it up.

    Your bro, Amir