How to remove the virus CONFICKER / DOWNADUP / KIDO?

October 2016

It is important to know how to remove the conficker or the downadup or the kido from an infected computer. Viruses and worms such as the conficker, also known as the downadup, or the kido, pose a grave security risk to all computers. A computer infected with the conficker is vulnerable to attack and all data including personal information is compromised. Disinfect the conficker affected computer by removing it from the network and running FlashDiskinfector software. Install the Windows patch to plug the entry point of the virus in the Windows operating system. It is a time consuming job to remove the conficker and it is best to take precautions to avoid infection by the conficker in the future.

What is the Conficker?

Conficker (also known under the names of Downup, Downandup and Kido) is a worm that first appeared in October 2008. It has infected millions of computers, especially in companies or institutions such as the French Navy, hospitals or the British Royal Navy. This threat is taken seriously, Microsoft has even promised a reward of $250,000 to anyone who gives information to stop the author of this worm.

When it is installed in a computer, Conficker disables the Windows updates and some security software. It then connects to a server, allowing an attacker to gain complete control to retrieve personal information, install other malicious software or conduct illegal acts.

How to avoid being infected by Conficker

This infection uses a Windows vulnerability to propagate. A patch correcting this vulnerability was published on October 15 by Microsoft, but many users have not installed it. If you have disabled automatic updates and have not yet installed this patch, you can download it here:

Conficker can also spread through removable drives (USB keys, external hard drives etc.) and within an open network or one protected by weak passwords. Use FlashDisinfector to vaccinate your removable disks, and secure your networks using strong passwords.

Disinfect a computer affected by Conficker


Take precautions to prevent the virus from spreading and to prevent reinfecting the computer again after disinfection.
  • Temporarily disconnect your computer from the network.
  • Stop the server temporarily:
    • In the Start Menu click Run and type "services.msc"
    • Click OK
    • Right-click on the "Server" and select Properties
    • Click "Stop", set Startup type to "Disabled" and click OK.
  • Disinfect and vaccinate all removable drives (USB keys, external hard drives, mp3 players etc.) with FlashDisinfector.

- Download the Microsoft patch to fix the vulnerability exploited by Conficker:

It is likely that you will not be able to do it from your computer. If this is the case, take it from another and upload the patch on a vaccinated removable disk (see above).

Remove infection

You can now start disinfecting the computer.
  • First try to scan the computer with your antivirus, or MalwareBytes Anti-Malware for example
  • Microsoft also provides a tool for removing malicious software (MSRT), which can help with the disinfection process. More information is available on Microsoft's website.
  • F-Secure (which works with Microsoft on Conficker) offers a removal tool targeting this infection:
  • However, Conficker is quite difficult to remove, because it creates files that are associated with legitimate Windows process, such as Svchost. It is therefore possible that all previous recommendations are not enough. In this case, feel free to post a message on the forum Viruses / security.

Related :

This document entitled « How to remove the virus CONFICKER / DOWNADUP / KIDO? » from CCM ( is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.