Saturday, October 17, 2009

Removing Conficker/Downadup from Your Network Using Active Directory

A couple of security companies have provided some neat freeware tools for network administrators to clean up the Downadup worm within their business networks. Some examples of these tools are:
1. Kaspersky Administration kit
2. Bitdefender Network Removal Tool
3. Sophos Conficker Network Cleanup Tool

These tools provide an automated deployment and disinfection for multiple computers at once.

However, I was called to an enterprise client who was suffering from a Downadup outbreak last May. The client had approximately 4000 computers across 6-8 domains. There was one problem though: since the network tools were not provided by the antivirus vendor they had installed, the client was not comfortable installing any third-party software on their servers. Luckily, they were OK with using the tiny, fast and silent Kaspersky kk.exe program. Now I had to figure out how to run this tool across all the infected machines in each domain. This is how I did it:

First, in each domain I copied kk.exe into a shared folder. The shared folder could be on any server, such as a file server, and it was shared so that everyone could read it.

Second, I created a batch script that can be deployed via Active Directory:
@ECHO OFF
:: batch file made by AbuIbrahim12, Microsoft MVP
:: downadup/kido/conficker/conflicker removal tool
:: restores windows services, removes added policies
color 1F
:: pull the Kaspersky removal tool from the shared folder onto the local disk
copy \\{serverName}\{sharedFolder}\kk.exe c:\kk.exe
cd \
:: run it silently (-s) and write its log to C:\VirusReport.txt (-l)
start kk.exe -s -x -l C:\VirusReport.txt
:: the worm sets these services to disabled; put them back to automatic start
:: (Security Center, Windows Defender, Windows Update, BITS, Error Reporting on XP/2003 and Vista+)
sc config wscsvc start= auto
sc config WinDefend start= auto
sc config wuauserv start= auto
sc config BITS start= auto
sc config ERSvc start= auto
sc config WerSvc start= auto
:: start them now rather than waiting for the next reboot
sc start wscsvc
sc start WinDefend
sc start wuauserv
sc start BITS
sc start ERSvc
sc start WerSvc
Third, I went to the domain controller of every domain and did the following:
Active Directory Users and Computers -> right-click the domain name (or 'Users') in the left pane and select Properties -> Group Policy tab -> New -> name the new policy 'Downadup Script' -> Edit -> you can now create either a startup script or a logon script. I prefer the logon script, as not everyone would reboot their computer and there could be some computers that the business would not like to have rebooted.
The logon script can be created as follows:
User Configuration -> Windows Settings -> Scripts -> double-click Logon in the right pane -> Show Files -> note the location of the logon folder -> copy and paste the batch file into the logon folder -> close the logon folder -> Add -> browse to the logon folder and add the batch file -> OK -> OK -> close the Group Policy editor -> Apply
Then open a command prompt and type: gpupdate /force
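Once the logon script has had a day to run, the question is which machines it actually reached and whether the services it restores stayed restored. The following Windows PowerShell script is an added example written for this post, not code from the original or from Kaspersky: from an admin workstation it checks each listed computer for the C:\VirusReport.txt log that kk.exe -l writes, and queries the start mode and state of the six services the batch file re-enables. The computer list path, the CSV output path, reachability of the C$ admin share and remote WMI access are all assumptions.

```powershell
# Added example, not part of the original post.
# Assumptions (hypothetical): one hostname per line in C:\Temp\computers.txt,
# the C$ admin share is reachable, and remote WMI (DCOM) is allowed from this workstation.

# The services the logon script sets back to automatic; the worm disables them.
$ExpectedServices = 'wscsvc','WinDefend','wuauserv','BITS','ERSvc','WerSvc'

function Test-CleanupStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{
        Computer        = $ComputerName
        Reachable       = $false
        ReportPresent   = $false   # C:\VirusReport.txt is written by kk.exe -l in the logon script
        ServicesNotAuto = @()      # services whose start mode is not Automatic
        ServicesStopped = @()      # services that are not currently running
    }

    if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {
        return [pscustomobject]$result
    }
    $result.Reachable = $true

    # Presence of the log shows that the logon script ran at least once on this machine.
    $result.ReportPresent = Test-Path "\\$ComputerName\C$\VirusReport.txt"

    # Only the services that exist on this OS are returned: ERSvc on XP/2003, WerSvc on Vista+,
    # so an absent service is not reported as a problem.
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $ExpectedServices -contains $_.Name }

    foreach ($svc in $services) {
        if ($svc.StartMode -ne 'Auto')    { $result.ServicesNotAuto += $svc.Name }
        if ($svc.State     -ne 'Running') { $result.ServicesStopped += $svc.Name }
    }
    return [pscustomobject]$result
}

$computers = Get-Content 'C:\Temp\computers.txt'   # hypothetical path
$report = foreach ($c in $computers) { Test-CleanupStatus -ComputerName $c }

# Machines that still need attention: offline, never ran the script, or services still disabled/stopped.
$report |
    Where-Object { -not $_.Reachable -or -not $_.ReportPresent -or $_.ServicesNotAuto -or $_.ServicesStopped } |
    Format-Table -AutoSize

# Keep the full picture for the next day's comparison.
$report | Export-Csv -NoTypeInformation -Path 'C:\Temp\downadup-status.csv'
```

A machine that is reachable but has no report file is one whose user has not logged on since the policy was applied; a machine where the report exists but a service has gone back to disabled is the one to look at by hand, since something on it is still undoing the script's changes.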

Now, depending on the severity of the issue, you may want to ask the employees to log off and back on immediately, or at some later time. My client decided to wait until the next morning, when employees logged on to their machines. The script ran kk.exe unnoticed in the background, with no disruption to employee activities, as it disinfected the worm-ridden machines.
After 3 days, the 4000 machines were Downadup-free and the logon script was removed from Active Directory.

1 comment:

  1. All of us just want to use a network with a good quality, but when the network has some failures it is necessary to know about the appropriate tools and fix the problem as soon as possible. Actually this blog is very useful. This is similar to a website that I saw recently, called costa rica investment opportunities