Best way to remove Worm:Win32/Phorpiex.B

Posted on 2011-10-20
Last Modified: 2012-06-27
We are using Microsoft Forefront in our organisation, but one site is badly infected with Worm:Win32/Phorpiex.B and Forefront is not helping much. This is what a colleague sent me:

1.      Last night, I left my machine scanning with FEP in Safe Mode – unfortunately I couldn’t see the results as the machine was rebooted overnight
2.      Upon rebooting the machine in Standard mode, FEP identifies a virus known as ‘Worm:Win32/Phorpiex.B’, which I removed instead of disinfecting or quarantining
3.      I then scanned the USB with FEP but it neither identified nor removed the virus from it
4.      I then used the tool ‘Virus Shortcut Remover’ to remove the malicious application from the USB. Contrary to the previous behavior of this variant of the virus, it has stopped repeating/coming back to the USB. This result indicates that my computer is cleaned from the virus or at least we can say that it is not affecting the USB disk drives any more.

A machine infected with ‘Worm:Win32/Phorpiex.B’ gets slow, but as such this virus doesn’t affect the data (files and folders). However, it infects USBs by changing the file type to Shortcut (.lnk) as well as hiding files and folders inside them.

FEP doesn’t identify or remove the virus from USBs. This worm can be removed and the files and folders restored by using the tool ‘Virus Shortcut Remover’.
FEP doesn’t identify or catch the virus on Full Scan in ladmin mode.  It also doesn’t catch the virus in Safe Mode either.  
However, it is recommended to run a Full scan in Safe Mode. On the next reboot in standard mode, it is very likely that FEP would catch ‘Worm:Win32/Phorpiex.B’. It is recommended to remove the worm instead of disinfecting or quarantining it.

The main problem is that Forefront is not removing the virus from the USB drives.

The other problem is that I'm not sure if I trust the ‘Virus Shortcut Remover’ tool completely since there are few references to it in forums that I trust.

The Microsoft website refers to this virus and it has been in the Forefront definitions for months - but it's still not cleaning it off USB drives.

What is the best thing to do next, please?
Question by:concern_support
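
A read-only check for the USB symptom described in the question (shortcuts standing in for files and folders that have been hidden), as an added example that is not part of the original thread. The function name `Find-ShortcutSwap` and the drive letter `E:\` are assumptions; the script changes nothing on the drive.

```powershell
# Added example: audit the root of a removable drive for .lnk files that
# shadow a hidden file or folder of the same name. Read-only.
# Find-ShortcutSwap and -Root are hypothetical names for this sketch.
function Find-ShortcutSwap {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root   # root of the USB drive, e.g. 'E:\' (assumed letter)
    )

    if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
        throw "Path not found: $Root"
    }

    # -Force is required; without it hidden/system items are not listed.
    $items = Get-ChildItem -LiteralPath $Root -Force -ErrorAction Stop

    # Index hidden items under both 'report.docx' and 'report', so that
    # 'report.docx.lnk' and 'report.lnk' are both recognised as look-alikes.
    $hidden = @{}
    foreach ($i in $items) {
        if ($i.Attributes -band [IO.FileAttributes]::Hidden) {
            foreach ($key in @($i.Name, $i.BaseName)) {
                $hidden[$key.ToLowerInvariant()] = $i
            }
        }
    }

    $links = $items | Where-Object { -not $_.PSIsContainer -and $_.Extension -ieq '.lnk' }
    $shell = New-Object -ComObject WScript.Shell

    foreach ($lnk in $links) {
        # CreateShortcut on an existing .lnk only loads it; Save() is never called.
        $sc    = $shell.CreateShortcut($lnk.FullName)
        $match = $hidden[$lnk.BaseName.ToLowerInvariant()]
        [pscustomobject]@{
            Shortcut       = $lnk.Name
            Target         = $sc.TargetPath
            Arguments      = $sc.Arguments
            HiddenOriginal = if ($match) { $match.FullName } else { $null }
            Suspicious     = [bool]$match
        }
    }
}

# Usage (run from a PowerShell prompt, with the drive letter adjusted):
#   Find-ShortcutSwap -Root 'E:\' | Where-Object { $_.Suspicious } | Format-List
```

The `Target` and `Arguments` columns show what each shortcut would launch, which is worth recording before any cleanup tool deletes the shortcuts.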

    Author Comment

    Anyone?  I'll be back online tomorrow morning, hopefully we'll have found something else out by then.
    LVL 38

    Accepted Solution

    I had to Google for ‘Virus Shortcut Remover’ - having never heard of it.
    I don't see it on any sites that I would trust, but maybe didn't look hard enough.

    Please use the basic programs described in my EE Articles here:

    The tools recommended have been used many millions of times by IT techs all over the world.

    Note - in almost all situations, you need to boot your system to "Normal Mode" for the actual scans.
    LVL 26

    Assisted Solution

    by:Thomas Zucker-Scharff
    I highly recommend inoculating all USB drives using USB-Set.  To remove viruses from USB drives try Flash Disinfector by sUBS.

    Flash Disinfector:
    LVL 26

    Expert Comment

    by:Thomas Zucker-Scharff
    @younghv I would love to be of some help, but the OP has not posted any information on the results of suggestions here.  If there is no follow up on the OP's part, I'm not sure what the policy at EE is.  I heartily believe in my solution, but I do not know if it worked for him/her.  On the other hand I personally have found the articles you wrote extremely helpful and think the OP would as well.
    LVL 38

    Expert Comment

    TZ -
    Sorry for not responding earlier. I've set the "CV Tool" we use to NOT notify me of responses. Too often they are not nearly so cordial as yours and I figure it's best to let the Mods handle objections.

    This is one of those questions in the Clean Up Queue that could go either way. Unless we're fairly confident that the suggestions posted will be useful to future readers, they tend to get deleted.

    Plus - as one of the "Expert" participants in the question, I tend to not award myself points.

    I'm going to recommend a point split on this one and let the Asker object - if he is still monitoring.
    LVL 38

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
