What in the world is expiis.exe??

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shnek81, Nov 15, 2004.

  1. shnek81

    shnek81 Private E-2

    Does anyone know what expiis.exe is? I think it is a bad process because it appears to be slowing my cpu down and I can't get rid of it. I have done all the recommendations for removing spyware, malware, adware, etc. Still no results.

    Any help would be fabulous.

    -shnek81
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Shnek81,

    I'm going to take a shot in the dark and guess that it may be StopGuard-Related.

    Please look at the threads in this link and see if anything rings a bell:

    StopGuard or WinFirewall Problems?

    Let us know if you have a similar issue.

    Then, if you are sure that you have exhausted the options here:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Send us a HijackThis Log, as per the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I'll try to check back when I get a chance.

    Best luck :)
    PP
     
  3. shnek81

    shnek81 Private E-2

    Sorry for the slow response PP. Here is my HJT log. Let me know what you think.

    Thanks,
    Shnek :)
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Shnek81,

    Looks like you've got a little StopGuard-related problem as I suspected. I thought I recognized that .exe ;)

    Do you want to keep this the way it is? Little odd to me.
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe

    Let me know. I'll try to check back when I can.

    Best,
    PP
     
  5. PhilliePhan

    PhilliePhan Guest

    I had a little free time, so I threw something together for you. If you want to keep the above entry, then don't fix it with HijackThis.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED. Note that you need to be familiar with the Cleanup Tutorial that I previously linked and that you will need some of the tools from that tutorial – CCleaner & SpybotSD.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and END them, if possible. Skip the ones that don’t allow this and continue on with the rest of the instructions:
    expiis.exe
    libbas.exe
    bkinst.exe


    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete libbas.exe ( or any libbas or sabbil entries). If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    NOW:
    Run HijackThis and Check the Boxes for the Following:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe

    O1 - Hosts: com
    O1 - Hosts: com
    O1 - Hosts: .com
    O1 - Hosts: .com
    O1 - Hosts: .com
    O1 - Hosts: .com
    O1 - Hosts: d.com
    O1 - Hosts: d.com
    O1 - Hosts: nd.com
    O1 - Hosts: nd.com
    O1 - Hosts: ind.com
    O1 - Hosts: ind.com
    O1 - Hosts: find.com
    O1 - Hosts: nu.com

    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\JOEY&M~1\LOCALS~1\Temp\sabbil.dat

    O4 - HKLM\..\Run: [*expiis] C:\WINDOWS\Registration\expiis.exe

    O4 - HKLM\..\RunOnce: [*libbas] C:\WINDOWS\inf\libbas.exe rerun

    O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\system32\bkinst.exe ren time:1100733917


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\inf\libbas.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they remain:

    C:\WINDOWS\system32\bkinst.exe
    C:\WINDOWS\inf\libbas.exe
    C:\WINDOWS\Registration\expiis.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:
    Bkinst
    expiis
    libbas
    sabbil


    and DELETE the related files. (We especially want to get rid of libbas.ini & libbas.dat & libbas.bak AND sabbil.ini & sabbil.dat & sabbil.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let us know of any problems that you may have encountered with the above instructions.

    ALSO: Use Notepad to open your Hosts file and tell me what it says. Hosts is located here: C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

    Best luck :)
    PP
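The HijackThis entries PP lists above share a few traits a defender can check mechanically: O1 hosts redirects, a BHO loaded from a Temp folder, and O4 autoruns whose executables sit in C:\WINDOWS\inf and C:\WINDOWS\Registration, two of them under RunOnce with a '*'-prefixed value name (Windows runs such RunOnce entries even in Safe Mode, which is relevant to the Safe Mode steps later in this thread). The script below is an added example, not HijackThis's own code and not from anyone posting here; the directory list and heuristics are assumptions of the example meant to prioritise review, and the sample log is constructed from the entries quoted above plus one made-up benign autorun (ExampleUpdater).

```python
"""Triage of HijackThis-style log lines.

Added example: not HijackThis code and not from anyone in this thread. The
directory list and the heuristics are assumptions of this example, meant to
prioritise review, not to prove a file is malicious.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Directories that normally hold no autorun executables (lower-case, with
# surrounding backslashes so "\inf\" does not match a longer folder name).
ODD_EXE_DIRS = ("\\windows\\inf\\", "\\windows\\registration\\",
                "\\windows\\prefetch\\", "\\temp\\")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (.*)$")
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def exe_path(command: str) -> str:
    """Executable part of an autorun command (drops trailing arguments such as 'rerun')."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def in_odd_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in ODD_EXE_DIRS)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when nothing looks off."""
    reasons: List[str] = []
    m = O4_RE.match(line)
    if m:
        _hive, key, name, command = m.groups()
        if key.lower() == "runonce" and name.startswith("*"):
            # Windows ignores RunOnce entries in Safe Mode unless the value
            # name starts with '*', so these entries survive a Safe Mode boot.
            reasons.append("RunOnce value name starts with '*': runs even in Safe Mode")
        if in_odd_dir(exe_path(command)):
            reasons.append("autorun executable in a directory that normally holds none")
    m = O2_RE.match(line)
    if m and in_odd_dir(m.group(3)):
        reasons.append("BHO loaded from a Temp directory")
    if O1_RE.match(line):
        reasons.append("hosts file redirect present; compare against the real hosts file")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l.strip()) for l in log_text.splitlines()) if f]


# Constructed sample: the entries quoted in this thread plus one made-up benign autorun.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O1 - Hosts: find.com
O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\JOEY&M~1\LOCALS~1\Temp\sabbil.dat
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [*expiis] C:\WINDOWS\Registration\expiis.exe
O4 - HKLM\..\RunOnce: [*libbas] C:\WINDOWS\inf\libbas.exe rerun
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\system32\bkinst.exe ren time:1100733917
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, the benign ExampleUpdater line produces nothing, the libbas RunOnce line gets two reasons (Safe Mode persistence and the odd directory), and the bkinst line is flagged only for its '*' RunOnce name because system32 is a normal location; the heuristics order the review, they do not replace it.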
     
  6. shnek81

    shnek81 Private E-2

    Yo PP,

    Here is my fresh HJT log and two host files for you to look at. Couple of things when I was doing what you told me to. The only process running of the ones you told me to end was libbas.exe and I couldn't end it. It kept restarting.

    In safe mode, I couldn't find \inf\libbas.exe or \registration\expiis.exe

    When I did an explorer search for bkinst, expiis, libbas, and sabbil, I only found one file: sabbil.tmp, but I could not delete it because it was in use by another program or user...

    Once I rebooted back into normal mode, it rebooted noticeably slower and it ran a lot slower in Windows, for example, it took 4 seconds to close any explorer window.

    I still think I am infected. What should I do next?

    Once again, I can't thank you enough for all of your help.

    Cheers,
    Shnek :)
     


  7. PhilliePhan

    PhilliePhan Guest

    Hi Shnek,

    The instructions are pretty much the same - Lucky I can copy & paste!!

    Let me know if you have any trouble deleting the file on reboot.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete libbas.exe ( or any libbas or sabbil entries). If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\JOEY&M~1\LOCALS~1\Temp\sabbil.dat

    O4 - HKLM\..\Run: [*libbas] C:\WINDOWS\inf\libbas.exe

    O4 - HKLM\..\RunOnce: [*libbas] C:\WINDOWS\inf\libbas.exe rerun


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\inf\libbas.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if it remains:

    C:\WINDOWS\inf\libbas.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:
    Libbas
    sabbil

    and DELETE the related files. (We especially want to get rid of libbas.ini & libbas.dat & libbas.bak AND sabbil.ini & sabbil.dat & sabbil.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. Again, fill me in as to any problems with the above instructions.

    Best :)
    PP
     
  8. shnek81

    shnek81 Private E-2

    Hello again PP,

    Once again thanks, but I think I am still infected.

    I received no error on reboot about deleting libbas.exe. I don't think it got it.

    Also, during searches in safe mode I found ...inf\sabbil.tmp, but could not delete it because it is in use by another program etc...

    Anyway, here is my new HJT log. Hopefully it looks better.


    Let me know if you think it is still possible to get this thing or if I should consider an HD reformat.


    Cheers,
    Shnek :)
     


  9. PhilliePhan

    PhilliePhan Guest

    We should be able to get this. Plus, even if you reformat, you could be surfing and get reinfected. Funny thing is, I've had success with the Delete on Reboot before because the process never gets a chance to start running.

    Please download this tool: Pocket KillBox - Perhaps it will be able to kill the baddies.

    Run it and try both the regular kill process and the delete on reboot option for C:\WINDOWS\inf\libbas.exe Then try to hunt down and delete the remnants.

    Let me know the results and attach a fresh log. I'll try to check back tomorrow.

    Best luck,
    PP
     
  10. shnek81

    shnek81 Private E-2

    Hey Phillie,

    Here is the next installment of the ongoing saga of libbas.exe.

    I downloaded killbox, and tried to kill the process the normal way and on reboot.

    Every time I try to delete it the normal way it says the file cannot be deleted and when I try to kill it on reboot, it gives me an error that says: "PendingFileRenameOperations Registry Data has been removed by External Process!"

    I get the same results in safe mode. Also, I seemed to have just pissed this thing off more, because it is now using a lot more cpu resources than before and windows is running super slow.

    Anyway, here is a fresh HJT log. I think it looks the same, let me know what you think.

    Thank you for all your time and help, it really means a lot.

    Cheers,
    Shnek :)
     

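The KillBox error above names PendingFileRenameOperations, the REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager in which delete-on-reboot and replace-on-reboot requests are queued for the session manager to carry out before any user-mode program starts. Its layout is a list of (source, target) string pairs: an empty target means "delete source", and a target beginning with "!" means the existing file is replaced. The decoder below is an added example, not KillBox's or HijackThis's code; the blob it reads is constructed with the companion encoder rather than read from a live registry, using the libbas.exe path from this thread plus a made-up DLL replacement of the kind a legitimate updater would queue. Being able to dump this value lets a defender confirm that a queued deletion is still present right before rebooting, which is what the "removed by External Process" message says was not the case here.

```python
"""Decode the PendingFileRenameOperations value used by delete-on-reboot tools.

Added example, not KillBox's or HijackThis's code. The blob below is constructed
with encode_pending_ops(); on a live system the data would be read from
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations.
"""
from dataclasses import dataclass
from typing import List, Tuple

NT_PREFIX = "\\??\\"          # the session manager expects NT-style "\??\C:\..." paths


@dataclass
class PendingOp:
    source: str
    target: str               # "" means: delete source at next boot
    replace_existing: bool    # a "!" prefix on the target = MOVEFILE_REPLACE_EXISTING


def strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending_ops(pairs: List[Tuple[str, str]]) -> bytes:
    """Build the REG_MULTI_SZ blob: each string NUL-terminated, list ends with an extra NUL."""
    flat = [s for pair in pairs for s in pair]
    return ("".join(s + "\x00" for s in flat) + "\x00").encode("utf-16-le")


def decode_pending_ops(blob: bytes) -> List[PendingOp]:
    """Walk the blob as (source, target) pairs; an empty *source* ends the list.

    A generic REG_MULTI_SZ splitter would treat the empty target of a delete
    request as the list terminator, so the pairs are walked explicitly.
    """
    text = blob.decode("utf-16-le")
    pos = 0

    def next_string() -> str:
        nonlocal pos
        end = text.find("\x00", pos)
        if end < 0:
            end = len(text)
        s = text[pos:end]
        pos = end + 1
        return s

    ops: List[PendingOp] = []
    while pos < len(text):
        src = next_string()
        if src == "":
            break
        dst = next_string()
        replace = dst.startswith("!")
        ops.append(PendingOp(strip_nt_prefix(src),
                             strip_nt_prefix(dst[1:] if replace else dst),
                             replace))
    return ops


def deletes_pending(ops: List[PendingOp], path: str) -> bool:
    """True if 'path' is scheduled for deletion (Windows paths compare case-insensitively)."""
    return any(op.target == "" and op.source.lower() == path.lower() for op in ops)


# Constructed sample: the libbas.exe delete from this thread plus a made-up
# replace-on-reboot of a DLL, which is what a software updater would queue.
SAMPLE_BLOB = encode_pending_ops([
    (NT_PREFIX + r"C:\WINDOWS\inf\libbas.exe", ""),
    (NT_PREFIX + r"C:\WINDOWS\Temp\new.dll", "!" + NT_PREFIX + r"C:\WINDOWS\system32\old.dll"),
])

if __name__ == "__main__":
    for op in decode_pending_ops(SAMPLE_BLOB):
        if op.target == "":
            print(f"DELETE  {op.source}")
        else:
            print(f"RENAME  {op.source} -> {op.target}"
                  + ("  (replace existing)" if op.replace_existing else ""))
```

The pair-walking loop matters: a naive split on NUL characters followed by trimming of trailing empty strings would silently drop the empty target that marks a deletion, which is exactly the entry a cleanup tool needs to see.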

  11. PhilliePhan

    PhilliePhan Guest

    Hi Shnek81,

    As I told another guy who is in the same boat (and there seem to be a lot these days), I do not know why my steps work like a charm in some cases and fail miserably in others. It is all a matter of finding a way to kill that troublesome file and running process!

    Try this:
    Disconnect from the internet and boot to Safe Mode and then use Killbox's delete on reboot option and try to delete the inf folder.

    Navigate to C:\WINDOWS\inf and try to kill the folder. Then, run HJT and fix the related entries. Also, flush prefetch and Temp files.

    I think this baddie phones home to reinstall itself if you don't get it all in one fell swoop!

    Best luck,
    PP
     
  12. shnek81

    shnek81 Private E-2

    Yo PP!!

    Success!!! I think we got 'er! I tried what you told me to and attempted to delete the INF folder with killbox and through explorer, but neither worked. So, while still in safe mode I thought I would try to delete the INF folder with the delete on reboot in Hijack This! But, HJT doesn't let you delete an entire folder, just files. So I thought I would try to delete libbas.exe on reboot in HJT. When it booted back up the process was still there, but for some reason I was able to kill the process in task manager and then go into the INF folder and delete libbas.exe. I then did a search for all the other related crap and got rid of it and then I ran all the anti spyware tools just to be safe.

    Take a look at my log and let me know if you think I'm clean.

    Thanks PP

    I couldn't have done it without you.

    Cheers,
    Shnek :)
     
  13. PhilliePhan

    PhilliePhan Guest

    That's Great news!!

    I think in your excitement, you forgot to attach the log :)

    Go ahead and do that & I'll take a look when I check back later.

    Also, take a look at this similar success: Another Virtumundo Problem

    PP
     
  14. shnek81

    shnek81 Private E-2

    Sorry....

    Here is the log.

    -Shnek
     


  15. PhilliePhan

    PhilliePhan Guest

    Hi Shnek81,

    Your HJT Log is clean :) Congratulations!

    While you're here, you should also take a look at Chaslang's recommendations HERE: How to protect yourself from malware!

    Best regards,
    PP
     
