Help with Phorpiex.


Go to solution Solved by Maurice Naggar,


So when I got back from Summer Camp I hop back onto my PC to start playing video games, but when I get on I do a scan just in case. It says 4 threats detected so I have them quarantined and removed, next day when I restart and scan it says 4 threats detected. What it is detecting is Phorpiex, every time I restart or sleep the computer the file named "MMAHHPWYFN" comes back. That file is what is being detected, is there any way to stop it from coming back every time I sleep or restart? It gets really annoying.

 

Phorpiex.txt

Thank you, Alec

Link to post

Hello @Wenenu :welcome: My name is Maurice.

Please just always attach report(s) as we go along.

[   1    ]

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

[     2      ]

I would request that you do one run today with the Malwarebytes  for Windows.

This should only take something less than 15 minutes.

Now a fresh new scan with Malwarebytes for Windows.

  • In Malwarebytes for Windows program, we want to do a special scan.
  • Click Settings (gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.
  • Then click the Security tab.
  • Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈
  • Click it to get it ON if it does not show a blue color.
  • Next, click the small x on the Settings line to go to the main Malwarebytes window.
  • Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢


 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.


 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

  • To save attachments please click the link as shown below. Then browse to where your file is located and select it and click the Open button.


Edited by Maurice Naggar
Link to post

There are still 3 elements of this trojan that are reported & show as "NO action by user"

Trojan.Phorpiex.E, C:\PROGRAMDATA\MMAHHPWYFN, No Action By User 

File: 2
Trojan.Phorpiex.E, C:\PROGRAMDATA\MMAHHPWYFN\CFGI, No Action By User
Trojan.Phorpiex.E, C:\ProgramData\MMAHhpWyFn\cfg, No Action By User

 

I need to be very frank here.  Did you look real close and Review & TICK each line that was tagged ?   so that they are indeed marked for removal ?

Do you remember reading this section of my prior guidance

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢


 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.


Link to post
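An added example, not part of the original posts and not Malwarebytes code: a small Python triage of the report lines quoted in the post above, assuming the exported text report uses the `threat, path, action` layout shown in the thread. It lists detections still marked "No Action By User" and groups them under their top-most flagged folder; the last sample line is constructed for contrast.

```python
import re
from collections import defaultdict

# Sample input: the three detection lines quoted in the thread, plus one
# constructed line (PUP.Optional.Example) showing a remediated item.
SAMPLE_REPORT = r"""
Trojan.Phorpiex.E, C:\PROGRAMDATA\MMAHHPWYFN, No Action By User
File: 2
Trojan.Phorpiex.E, C:\PROGRAMDATA\MMAHHPWYFN\CFGI, No Action By User
Trojan.Phorpiex.E, C:\ProgramData\MMAHhpWyFn\cfg, No Action By User
PUP.Optional.Example, C:\Users\user\Downloads\example-setup.exe, Quarantined
"""

# Assumed layout: "<threat>, <drive path>, <action>[, more fields]".
LINE = re.compile(
    r"^(?P<threat>[^,]+),\s*(?P<path>[A-Za-z]:\\[^,]*),\s*(?P<action>[^,]+)"
)

def parse_detections(report):
    """Return one dict per detection line; counters such as 'File: 2' are skipped."""
    found = []
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:
            found.append({k: v.strip() for k, v in m.groupdict().items()})
    return found

def unremediated(detections):
    """Detections that were reported but never selected for quarantine."""
    return [d for d in detections if d["action"].lower() == "no action by user"]

def group_by_root(detections):
    """Group paths under the shortest flagged folder that contains them.

    Windows paths are case-insensitive, so PROGRAMDATA and ProgramData
    are treated as the same folder.
    """
    keys = {d["path"].lower().rstrip("\\") for d in detections}
    groups = defaultdict(list)
    for d in detections:
        p = d["path"].lower().rstrip("\\")
        root = min((q for q in keys if p == q or p.startswith(q + "\\")), key=len)
        groups[root].append(d["path"])
    return dict(groups)

if __name__ == "__main__":
    pending = unremediated(parse_detections(SAMPLE_REPORT))
    for root, paths in group_by_root(pending).items():
        print(f"{len(paths)} item(s) still present under {root}")
```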

6 hours ago, Maurice Naggar said:

There are still 3 elements of this trojan that are reported & show as "NO action by user"

Trojan.Phorpiex.E, C:\PROGRAMDATA\MMAHHPWYFN, No Action By User 

File: 2
Trojan.Phorpiex.E, C:\PROGRAMDATA\MMAHHPWYFN\CFGI, No Action By User
Trojan.Phorpiex.E, C:\ProgramData\MMAHhpWyFn\cfg, No Action By User

 

I need to be very frank here.  Did you look real close and Review & TICK each line that was tagged ?   so that they are indeed marked for removal ?

Do you remember reading this section of my prior guidance

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢


 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.


Whenever a scan has any threats detected I immediately quarantine and remove, I have also been doing it this whole time. My friend said that the Trojan can redownload itself.

Link to post

This is a special one time run to do a different check of this system.   This ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.

get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.

Disregard the title subject of the topic.

 

Run the MBAR tool as listed here 

 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

 

when done, I need the MBAR logs.

Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.

 

Both files can be found in the extracted MBAR folder on your Desktop.

Please attach both files in your next reply.

Link to post

I need a report set for review.   This is a report only.

Please download MBST Support Tool

 

Once you start it click Advanced > Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply , like displayed here.
  • To send  ( upload)   attachments please click the link as shown below. Then browse to where your file is located and select it and click the Open button.
Link to post

Thank you.  The main goal on this next part is to get the Malwarebytes for Windows program updated to the very latest version update.

Now to ensure the Malwarebytes program is all up to date.

Start Malwarebytes for Windows. Click on the Settings ( gear icon)

Now click on the tab "General". 

Then scroll up a bit, and then click on the "Check for Updates" button.

 

Watch & follow all prompts.

 

That ought to do a check with the update server, and hopefully offer the newest component update.

Then click once more the Settings ( gear icon)  so that it goes back to main window.

Click the blue "Scan" button to do a new scan. Kindly let me know the results. Have faith. Don't fret. We can do other things later, as needed.

Link to post

  • Solution

Thank you.  The result is perfect.  The Malwarebytes program has the latest program components.   Bravo !

There is more cleanup work to be done here.  Please do not be using other apps or web browsers during these next procedures. Only use web browser for purpose to get to this forum.

[    1    ]

As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2    ]

We will use FRSTEnglish.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for  WENENU  only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  It will attempt to do a Quick scan with Microsoft Defender antivirus.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  C drive user Download  folder   

 

Fixlist.txt


Start Windows Explorer and then go to the Download folder.


RIGHT click on FRSTENGLISH.exe and select RUN as Administrator to run the tool, and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool,
click the More info line on that screen
and click the Run anyway button on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.    We will do more after this.  Persistence & patience are called for here.

Cheers.

 

Link to post

Yes, it is a very good thing that no more "phorpiex" messages !

Thanks for the Fixlog report.

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click The blue Save scan log to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

Please make sure you attach the log report.

Link to post

Alright.  The ESET Online scanner found & removed 1 P U P.

I would suggest getting a readout report as to update status of some key apps.

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

 

and save the tool on the desktop.

  • If Windows SmartScreen blocks that with a message window, then

Click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe.   Smartscreen is overly sensitive.

  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Link to post

This topic is now closed to further replies.