Conficker Eye Chart

Explanation

Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.

If you are blocked from loading the remote images in the first row of the top table below (AV/security sites) but not blocked from loading the remote images in the second row (well-known search engines) then your Windows PC may be infected by Conficker (or some other malicious software).

If you can see all six images in both rows of the table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.

See the “How to Interpret” table below for a visual comparison.

See the “Removal Instructions”, “Removal Tools”, and “Conficker Remote Scanners” tables at the bottom of this page for help removing Conficker.

AV/Security Sites
Well-known Search Engines

 

How to Interpret

If you see this above:It probably means this:
All images displayed= Normal/Not Infected by Conficker (or using proxy)
Security/AV logos not displayed= Possibly Infected by Conficker (C variant or greater)
See instructions below
Some security/AV logos not displayed= Possibly Infected by Conficker A/B variant
See instructions below
No images displayed= Image loading turned off in browser?
Any other combination= Poor Internet connection?

 

Removal Instructions

Microsoft: http://support.microsoft.com/kb/962007
Kaspersky: http://support.kaspersky.com/faq/
BitDefender: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html
TrendMicro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp

To be able to access Anti-Virus vendors and SANS, Microsoft and others, from an infected Conficker.C machine, TrendMicro suggests to use "net stop dnscache" from the command line.
Sophos: http://www.sophos.com/support/knowledgebase/article/51416.html

Removal Tools

Microsoft MSRT: http://www.microsoft.com/security/malwareremove/default.mspx
F-Secure: ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
AhnLab: http://global.ahnlab.com/global/file_removeal_down.jsp?filename=12371830475821&down_filename=v3conficker.zip
Symantec: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99
McAfee: http://vil.nai.com/vil/stinger/
ESET: http://download.eset.com/special/EConfickerRemover.exe
BitDefender: http://www.bdtools.net/
Kaspersky: http://data2.kaspersky-labs.com:8080/special/KidoKiller_v3.3.3.zip
TrendMicro: http://esupport.trendmicro.com/solution/en-us/1037133.aspx
Sophos: https://secure.sophos.com/products/free-tools/conficker-removal-tool-network/download (registration required)
Sunbelt: http://www.sunbeltsecurity.com/DownLoads.aspx

Conficker Remote Scanners

nmap nmap 4.85BETA5 now includes Conficker detection http://insecure.org/
nessus http://www.nessus.org/plugins/index.php?view=single&id=36036
McAfee http://www.mcafee.com/us/enterprise/confickertest.html
eEye http://www.eeye.com/html/downloads/other/ConfickerScanner.html

F-Secure and the F-Secure Logo are trademarks of F-Secure Corporation.
SecureWorks and the SecureWorks Logo are registered trademarks of SecureWorks Inc.
Trend Micro and the T-Ball logo are trademarks or registered trademarks of Trend Micro Inc.