I caught it at my school, so I am sharing the experience and making sure I don't lose these tools.

Step 1: Are you spreading the virus publicly?
- Here is an online check that can quickly let you know if you are publicly spreading the virus:
-- http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/
-- If you are spreading the virus, I suggest signing up for an OpenDNS account and pointing your network DNS to it (hint: use forwarders).
- If you have Untangle, take a look at this post:
-- http://forums.untangle.com/networking/7393-you-infected-how-check-confic...
-- curl -q http://untangle.com/download/patches/6.0/conficker_query_detail.sh | sh
-- (Note that this fetches the script over plain HTTP and runs it straight away; download it first and read it before running it on an infected network.)

Step 2: Check your internal network.
- This tool will scan a range of IPs and tell you very clearly which IPs are infected and which are clean:
-- https://www.honeynet.org/node/388
-- You want to download scs.zip, extract it, and run it from a command prompt (or create a .bat file with a pause statement at the end so the window stays open).

Step 3: Prevent it from spreading internally.
- Try this, but be careful with step 4 (removing the local administrator account):
-- http://support.microsoft.com/kb/962007
- Instead of disabling the administrator account, I chose to rename it instead:
-- http://support.microsoft.com/kb/816109

Step 4: Clean up.
- See attached files. They are made up of the apps below.
- The best removal tool I found is Kaspersky's:
-- http://support.kaspersky.com/faq/?qid=208279973
- Also make sure to apply the 3 Microsoft patches:
-- http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
-- http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
-- http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
- I also found the network removal tool from BDTools quite helpful for remotely removing the virus.
-- http://www.bdtools.net/?s_kwcid=conflicker|2740543616
- To clean temporary internet files, CCleaner seems to work best.
-- http://www.ccleaner.com/
- Below are some arguments for an unattended cleaning. This is already built into fix.zip.
-- kk.exe /s /y
-- ccleaner /AUTO
-- cleanmgr /sagerun:50 (this runs the Windows Disk Cleanup wizard with the settings saved under profile 50; those settings must first have been chosen with cleanmgr /sageset:50, otherwise nothing is selected)
- Microsoft's removal tool: http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4...

Notes:
- The Microsoft prevention GPO restricts access to the SVCHOST registry key. While this is important to prevent the virus from spreading, it will also prevent Windows XP SP3 from installing. If you disconnect the computer from the network and manually reinstate the permissions on the svchost key in the registry, SP3 will install.

ATTACHED:
- fix.zip will fix a single computer.
- Remote check and clean.zip will allow for remote cleaning (you will still need to apply the Windows patch, or else the computer will reinfect itself).
| Attachment | Size |
|---|---|
| fix.zip | 2.68 MB |
| Remote check and clean.zip | 15.66 MB |
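As an added example (not part of the original post and not code from any of the tools linked above): a small Python script that takes the hotfix listing gathered from each machine and reports which of the three bulletins are still missing, flagging separately any host that lacks MS08-067, since a cleaned machine without that fix reinfects itself as soon as it is back on the network. The KB numbers for the three bulletins (KB958644, KB957097, KB958687) are not given on the page and are supplied here; the host names and hotfix listings are constructed sample data in the shape `wmic qfe get HotFixID` prints.

```python
import re

# KB numbers for the three bulletins the post says to apply.
# The post lists only bulletin IDs; these mappings are supplied by this example.
REQUIRED_PATCHES = {
    "MS08-067": "KB958644",   # Server service RPC fix: the hole Conficker spreads through
    "MS08-068": "KB957097",   # SMB credential reflection fix
    "MS09-001": "KB958687",   # SMB packet handling fix
}

KB_RE = re.compile(r"\bKB\d{5,7}\b")


def installed_kbs(qfe_output: str) -> set:
    """Extract KB identifiers from the text of `wmic qfe get HotFixID`
    (or any hotfix listing that contains KB numbers)."""
    return set(KB_RE.findall(qfe_output))


def missing_bulletins(qfe_output: str) -> list:
    """Return the required bulletins whose KB is absent, in the order listed above."""
    present = installed_kbs(qfe_output)
    return [b for b, kb in REQUIRED_PATCHES.items() if kb not in present]


def triage(hosts: dict) -> dict:
    """Classify each host by patch state.

    'no data'      - empty listing (host unreachable or command failed); do not
                     mistake this for a patched machine
    'reinfectable' - MS08-067 missing: cleaning alone will not hold
    'partial'      - MS08-067 present but one of the SMB fixes missing
    'patched'      - all three present
    """
    result = {}
    for name, output in hosts.items():
        if not output.strip():
            result[name] = ("no data", [])
            continue
        missing = missing_bulletins(output)
        if not missing:
            status = "patched"
        elif "MS08-067" in missing:
            status = "reinfectable"
        else:
            status = "partial"
        result[name] = (status, missing)
    return result


# Constructed sample output (header line, one HotFixID per line; XP also
# prints non-KB entries such as "File 1" or Q-numbered fixes).
SAMPLE_HOSTS = {
    "lab-pc-01": "HotFixID  \nKB958644  \nKB957097  \nKB958687  \nFile 1  \n",
    "lab-pc-02": "HotFixID  \nKB957097  \nKB958687  \n",     # cleaned, but MS08-067 never applied
    "lab-pc-03": "HotFixID  \nKB958644  \nQ147222  \n",      # spread vector closed, SMB fixes missing
    "lab-pc-04": "",                                         # unreachable: no listing collected
}


def main():
    for host, (status, missing) in sorted(triage(SAMPLE_HOSTS).items()):
        detail = ", ".join(missing) if missing else "-"
        print(f"{host:12} {status:13} missing: {detail}")


if __name__ == "__main__":
    main()
```

To feed it real data, collect each machine's listing with `wmic /node:"HOSTNAME" qfe get HotFixID` from an admin workstation and store the text per host; that collection step is outside the example. Treat "no data" hosts as unverified rather than clean, since an unreachable box is exactly the one most likely to have been skipped.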
