HELP - Got infected by Win32:Tibs-Gen1

Hi,

I got it today, I began to see my system slowing down, my e-mail starting with Send/Receive for hours, my CPU is taken 100%.

I have AVAST Home and ZA Free, my OS is WXP PRO, I ran a boot schedule with Avast and have seen that it was deleting Win32:Tibs-Gen1 from C\System Volume Information_restore

I ran HijackThis.exe and nothing relevant seems to be there.

What shall I do now?

It’s really very strange because this morning I was asked by ZA if I wanted to allow an application called cli.exe to go, after having checked on the internet I saw it is an ATI application, so I allowed it.

I ran also in SafeMode Spybot and AdAware and they did not find anything this morning.

What can I do now?

Thanks
Alex ???

Hi metallo,

To be absolutely sure you have removed the trojan downloader you mentioned, run this special removal tool for this malware from here: http://wirusy.antivirenkit.pl/en/szczepionki/Tibs.html

cli.exe is known to be a real cpu eater, so that could be responsible for the slowing down of your system as well,

polonus

I’m going to download it right now, shall I run the application in Safe Mode or normal?

CLI.EXE, it can be a CPU eater, but 100%… I can remove it if I do not need it, strange indeed it came out yesterday for the first time.

Thanks man
Alex

Hi,

I ran the application you suggested, found a couple of things (enclosed), I clicked to “change name”, but nothing changed.
I ran in SafeMode, Adaware, Spybot and HiJackThis, found nothing.

I de-activated cli.exe from my startup programs.

What shall I do? :cry:

Thank you
Alex

PS: I have no clue how I got this virus, I can only say that yesterday I changed my mail protocol and switched from POP3 to IMAP. I am usually very careful >:(

I went in TaskManager and found out that the process sucking my CPU was spoolsv.exe.

I went into Microsoft Office Document Image Writer and found a printing job that was on stand by, I deleted it and now the CPU went down to normal levels.

Let’s see if this was the reason, I hope.

I’ll come back with a confirmation.

Cheers
Alex

:slight_smile: Hi Metallo ;

Should NOT run "HijackThis" in "Safe Mode" unless the "normal" mode will not work.

Hi Metallo,

That is why you should always work under “guidance”, and before doing a thing, check; for instance, one of the things you found is perfectly normal:
Twist.dll

Component Name: Twist.dll

Description of Twist.dll
This is a component of MemoriesOnTV. MemoriesOnTV, from CodeJam, is a media management tool designed to make it easy for users to create slideshows from digital images, and burn them onto CDs or DVDs.

Recommendation for Twist.dll
NA

Trusted: Yes
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No

Company Name: CodeJam
Platforms Affected:
Methods of Distribution: This program is available for download on shareware websites.
Variants/Versions:
Release Date: 2005

polonus,