Unknown process: fxiegwfr.exe

Does anyone know what this process is?

Thank you.

 

Doesn't look too good.

In this thread, the poster had the same executable.

http://forums.majorgeeks.com/showthread.php?t=58063

I'm not saying act on what was suggested in that thread because your situation might be different. Just a little heads up on what it could be.

 

Seconal and Chaslang, thanks for responding to the quote.

Seconal: The problem described is most likely the same one experienced by me.

Chaslang: No one has provided an answer for the other poor soul. I only post information I believe is pertinent in assisting problem resolution. My question still stands. What does fxiegwfr.exe do?

 

The attatched mini log identifies the questionable processes and DLL filenames I'm uncertain about. I removed portions of the log I can readily identify and know have no part in the problem.

My antivirus definitions are current.
My SpySweeper definitions are current.
My ZoneAlarmPro is current.

An antivirus scan and spysweeper scan were run prior to this current event. No viruses or threats were identified.

Any ideas??

 

Symantec findings on the file fxiegwfr.exe. This is why virus scans do not detect the file.

 

Chaslang,

I do appreciate your effort to help. Regarding the log post I made, you only need to see what is called into question. I doubt you need to know what printer services or printer software is running. Also, I did read the posting guidelines and other thread mentioning the same problem prior to submitting my post. My post demonstrates the same pattern and nothing more. The file systr.dll present on the other user's machine does no t exist on mine -- niether does the prefetch folder. I know to delete those files. As a matter of fact, I have been constantly deleting those files. I want to know the vulnerablity being exploited.

Here are a few question regarding the problem. Why am I unable to switch to the applications running in the second explorer.exe shell? How is it possible to execute a second explorer.exe shell? I have attempted executing explorer.exe locally -- only a windows explorer appears. I do not see a second explorer.exe in the task manager process list.

 

Momentarily, I believed the root of my problem stemmed from the Microsoft java virtual machine. It was still installed on my machine. I removed it. I installed the Sun JRE. I have done everything. I know to delete the files. That is not a good enough answer. This thing -- this intrusion upon my system -- has reappeared. It happened around 8:45PM CST. I don't think it has to do with a "time-bomb". Something else is going on.

 

Chaslang,

Please quit repeating yourself and treating me like a "true" amatuer.

Done this. Been there. Still annoyed.

What you seemingly fail to recognize is I have done all of the below/above. Once removed, it comes back. This time I sent a report to Webroot (SpySweeper's report tool) with some of the HJT log information as well. I am not lacking in capability of identifying files to remove or which tools to use. My problem is strictly related to the "how" the attack occurs. Another thing, it has been a while since I posted in this thread. Like mentioned below, I believed removal of the microsoft java VM and installation of the Sun java JRE fixed things. I was wrong.

 

I have the answer to your problem, I think.

Steve

 

Some people just can't be helped, unless one of us has a medical degree?

SGC_Geek, if you are so "professional" and skilled, then why is it that you are the one with the problem and can't fix it?

Your last three words summed it up perfectly!

 

Insomniac,

If your best answer is an insult, then I'm GLAD and THRILLED I was dealing with Chaslang.

Chaslang,

What I am saying is after performing all the steps in the sticky, the problem still exists. It happened again this morning at 2:15 am CST. As pointed out below,

systr.dll -- Not on my system.
prefetch folder -- Not on my system.

So, your previous solution does not apply. I'll post the HJT log from lastnight with all the junk you don't need to see. But, please don't insult me and tell me to delete the DAT files and fxiewgfr.exe file.

 

Chaslang,

I use a dial-up connection.

Yes.

Yes

Going online and not immediatley after connection.

No.

It's a result of what happens. The second instance of the file explorer.exe is a result too.

CCleaner.exe

Basically, I used HJT 1.99.1 to capture everything happening when the attack occured.

 

Currently, the file does not exist on my machine. It is rather small. I don't have those specs. Next time it comes around -- I'll get it. It's wierd. It doesn't happen all the time.

CCleaner does clean out the temp folder. Plus, I do various other things to earase history and traces.

 

Spoke too soon. It just happened. And I had just run the TrendMicro scan.

File Size: 50kB

No, those values don't appear in the registry.

 

I'm not a software programmer. I see no logic in this action. Once the system has no power (except for the clock) the phone line is dead. If I understood how this helps, I'd do it. Are you suggesting a dialer may be active and I won't know it? How does a program check to see if a telephone wire is connected or not? The program would need to communicate with the modem hardware and read voltage.

I thought about that a long time ago. Fxiegwfr.exe was the only one.

In the past, yes. It didn't help. For fun, I've added it again. I have also blocked all ports except (80, 110, 143, 443).

Yes, It was monitoring my system when things went bad last night. It's 38MB long. I let it run in the background.

I do know this now. I noticed a winlogon event captured prior to Internet Explorer creating the DAT file. The DAT file creates the fxiegwfr.exe file.

The Zip file includes the cookies created when IE goes off visiting websites without my knowledge, the executable, and the ProcViewer file.

 

MajorGeeks2.zip contains the DAT file.

And yes, I am hard headed.

 

I thought that might be your answer. I was actually looking forward to learning something new .

Keep this in mind. The IE Browser is opened to the teen porn sites on the second explorer.exe space. I am unable to switch to that instance. I am able to kill the application.

As of now, I have deleted the files I zipped and posted. I'm "clean" for the moment.

 

Anyone figure out how to beat this thing?

 

I long for the days I had a cable modem. Dial-up sucks.

c:\windows\system32\systr.dll
c:\windows\system\systr.dll
c:\windows\systr.dll

Check to see if you have param32.dll in any of those three locations. I believe that param32.dll may be a new version of systr.dll.

Not found.

 

No virus was found.

 

Did you want to look at the long even if no virus was found.?

 

I have avoided downloading a new browser due to my connection. Maybe, I'll make a trip to the local library and grab some stuff today -- including firefox.

Internet Explorer is the only browser I have on my system. I can't remeber when it occured, but I switched from Netscape and never looked back.

Given:
The cookies, Dat file, and fxiegwfr.exe have been removed.
The system has been scanned with various Virus detection tools.
Security tools are actively running: ZoneAlarmPro, SpySweeper, NAV
I have reconnected to the internet.
I have opened Internet Explorer and X amount of time passes.
Attack does not always occur during every connection to the internet.

Steps of attack
==============

1. Take advantage of "vulnerability"
2. Deliver malware file xxx.dat variation
3. Create the file fxiegwfr.exe
4. Create second instance of explorer.exe
5. Open New Internet Explorer instances to teen porn websites.

And, I'm not positive on when 4 occurs.

 

I'll do it for both explorer instances.

 

Here they are. I haven't had the chance to go through them. Thanks for the second pair of eyes and advanced knowledge.

 

Chaslang,

You were right about IE creating the xxx.DAT variant. I went through my FileMonitor log and tracked that information down.

 

Hello! im new in this forum. I have read all your thread because i have or i had exactly the same problem. Always when i connect in a game server, there is an ad during the loading (it is normal) but the probleme is this ad is open with IE, and so there is the fxiegwfr, ****.dat, and the second explorer (sometimes) wich are open. I want to add i have Mozilla browser and there is never this problem, it is only with IE.

And i think i know what is the .dll wich do it: I have avast antivirus, and after an update, when i was connecting on the server with add, avast said "intlmain.dll" is infected by trojan.gen, or something like that. This file is in system32/intlmain.dll, and so i deleted it, and now i tried to join many time some servers, and it is ok.

So try to found this intlmain.dll and examine it with antivirus or others, and make sure its not important file (i ve deleted it and there is no problem so...), and see if it's ok!!

sylvainb

 

ok. iegfxfrw.dll and fxiegwfr.exe are look like. And now i have tried a lot of time and the problem is not here again, so im sure it was the intlmain.dll *. But maybe you it is different!

I am happy to help you because this virus is very anoying!

 

I haven't read the post suggested, yet. I had something else to share. Today, I downloaded TDS-3. It "positively identified" several files to be malicious.

protector28.exe
intlmain.dll
killapps.exe

1 related to Trojan.Win32.StartPage.nk2
1 related to Trojan.Win32.StartPage.iv
1 related to Riskware.Tool.KillApp.b

I renamed protector28.exe > protector28.xxx
I renamed intlmain.dll > intlmain.xxx

I question the validity of the killapps.exe warning.

 

New behavior witnessed after installing recent Microsoft security updates and upgrading to Norton SystemWorks 2005 Premium (It becomes free with rebates).

The file fxiegwfr.exe was created in two locations.

\%windir%\
\%windir%\system32