CF27FE.EXE Removal

Quickheal: TrojanDropper.Flystud.ko
Avira: TR/Dropper.Gen
McAfee: W32/Autorun.worm.ev

Discovered very recently, this worm behaves much like the well-known "New Folder.exe" worm. The difference is that this one doesn't damage the system as much as the "new folder" worm. It enters your system through removable drives. An infected drive usually contains the file "CF27FE.EXE" (the main malware) and an "autorun.inf" that executes the worm as soon as the drive is opened directly. The file drops a set of files with the .fne and .fnr extensions and also adds a shortcut to the "C:\Documents and Settings\Userprofile\Start Menu\Programs\Startup\" directory so that it runs at every start-up. The dropped files inject themselves into crucial system processes that run at every boot-up of the system. While its process is running, the worm hides the original directories (folders) and creates .exe files with the same name as the drive. The actual drives are supposed to look like this:

Actual look

Instead, the drives are hidden by the worm and a {foldername.exe} file is shown in their place.

The Worm creates files that resemble the folders

Whenever these files are double-clicked, the worm is activated and starts multiplying itself. It should therefore be removed as soon as possible, before it creates copies of itself in every drive and directory. Here are the removal instructions for this worm.

Manual instructions to remove CF27FE.EXE:

  1. First, reboot your system in Safe Mode. Once you're done, go to Start --> Run and type "regedit" to open the Registry Editor. You'll have to stop the virus from multiplying and injecting itself into other services. To do this, open the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    Delete the entry under it with this name and value:

    "Fly" = "%System%\58BB34\CF27FE.EXE"

    Once you've deleted that, press "Ctrl+F" in the registry window and search for the name "CF27FE.EXE". If you find any entry, don't delete it. Just remove the path of the virus, i.e. open the value and remove "%System%\58BB34\CF27FE.EXE" from it. This way, the path of the worm is removed entirely from the registry.

  2. Restart your computer once again in Safe Mode for the changes to take effect. Now delete the following files using Windows Explorer or the Command Prompt:
    %System%\D38B91\krnln.fnr
    C:\WINDOWS\System32\D38B91\HtmlView.fne
    C:\WINDOWS\System32\D38B91\internet.fne
    C:\WINDOWS\System32\D38B91\eAPI.fne
    C:\WINDOWS\System32\D38B91\dp1.fne
    C:\WINDOWS\System32\D38B91\shell.fne
    C:\WINDOWS\System32\D38B91\spec.fne
    C:\WINDOWS\System32\D38B91\cnvpe.fne
    C:\WINDOWS\System32\D38B91\RegEx.fnr
    C:\Documents and Settings\Userprofile\Start Menu\Programs\Startup\CF27FE.lnk


  3. It is now time to delete the original worm that is causing all this trouble. Go to the "C:\WINDOWS\System32\58BB34\" folder and delete the file "CF27FE.EXE".

  4. After you finish deleting the worm, you'll have to manually delete all the folders created by the worm. Be careful while opening every folder.
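
To confirm that the steps above removed everything, the following read-only PowerShell check looks for the registry value, the dropped files, and the hidden-folder decoys described in this post. It is an added example, not part of the original instructions; it assumes that %System% means %SystemRoot%\System32 and that "Userprofile" is the profile of the user running the script.

```powershell
# Added example: read-only check for the leftovers listed in the removal steps.
# Assumptions: %System% = %SystemRoot%\System32; "Userprofile" = current user's profile.
$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = @()

# Step 1: any Run value that still points at the worm binary
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ("$($p.Value)" -like '*CF27FE.EXE*') {
            $findings += "Run value '{0}' = {1}" -f $p.Name, $p.Value
        }
    }
}

# Steps 2 and 3: dropped components, startup shortcut, and the worm itself
$dropped = 'krnln.fnr','HtmlView.fne','internet.fne','eAPI.fne','dp1.fne',
           'shell.fne','spec.fne','cnvpe.fne','RegEx.fnr'
$paths  = @($dropped | ForEach-Object { Join-Path $sys32 "D38B91\$_" })
$paths += Join-Path $sys32 '58BB34\CF27FE.EXE'
$paths += Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\CF27FE.lnk'
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Step 4: on removable drives, look for the worm, an autorun.inf to review,
# and hidden folders that have a same-named .exe sitting next to them
$drives = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady }
foreach ($d in $drives) {
    $root = $d.RootDirectory.FullName
    foreach ($n in 'CF27FE.EXE','autorun.inf') {
        $candidate = Join-Path $root $n
        if (Test-Path -LiteralPath $candidate) { $findings += "Review: $candidate" }
    }
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
        ForEach-Object {
            $decoy = Join-Path $root ($_.Name + '.exe')
            if (Test-Path -LiteralPath $decoy) {
                $findings += "Hidden folder '{0}' has decoy {1}" -f $_.FullName, $decoy
            }
        }
}

if ($findings.Count -eq 0) { 'No leftovers from the list above were found.' }
else { $findings }
```

An autorun.inf on a removable drive is not malicious by itself, so the script only flags it for review; nothing is deleted or changed.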
