Malware Removal - tsupdate.ini

I have Temporary Internet Files which has been identified as malware, but won't delete: "TSUPDATE.ini". It also had a reference location of targetsaver.com. I could not find any instructions on removal, just links to purchase something that would get rid of it.

I tried using both Ad-Aware, and Spy Bot Seek and Destroy.  Neither was able to get rid of the issue.

Can anyone help me out with this one? Thanks
Tommy
tburickAsked:

IndiGenusCommented:
Definitely sounds like some Adware/Spyware...

It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
0
tburickAuthor Commented:
IndiGenus,

I will post this on Monday (computer is at work) but thanks for the tip... I will be sure to attach and not post the log.
0
tburickAuthor Commented:
Here is the HiJackthis Log, thanks again for any assistance!!
Tom
hijackthis.log
0
IndiGenusCommented:
Run HijackThis. Click on None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

---------------------------------

O4 - HKCU\..\Run: [irkq] C:\PROGRA~1\COMMON~1\irkq\irkqm.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

---------------------------------

Then close all windows except this one and press Fix checked.

Then delete the following folders:

C:\PROGRAM FILES\COMMON FILES\irkq
C:\PROGRAM FILES\Web Offer

Reboot and upload a new HijackThis log. Let me know how it's running too.
0
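As an added illustration (not part of the original thread, and not HijackThis code), the sketch below reads O4 autorun lines like the two flagged above and resolves each to its executable and parent folder, which is how the folders to delete follow from the log entries. The function names, the sample log and the 8.3 short-name mapping are assumptions made for this example.

```python
import re
from ntpath import dirname  # Windows path semantics on any OS

# Constructed sample log: the two O4 lines from the post, plus a quoted-path
# entry and a non-O4 line made up for this example.
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKCU\..\Run: [irkq] C:\PROGRA~1\COMMON~1\irkq\irkqm.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
'''

O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): '
                    r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Quoted path, or an unquoted path (spaces allowed) ending in an executable extension.
EXE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|dll))(?=\s|$)', re.I)
# Assumption: default 8.3 aliases, matching the short/long pair shown in the post.
SHORT_NAMES = {"PROGRA~1": "Program Files", "COMMON~1": "Common Files"}

def expand_short(path):
    """Replace known 8.3 components with their long names."""
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in path.split("\\"))

def parse_o4(log_text):
    """Return one dict per O4 registry autorun line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        exe_m = EXE.match(m["cmd"])
        exe = expand_short(exe_m.group(1) or exe_m.group(2)) if exe_m else None
        entries.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                        "exe": exe, "folder": dirname(exe) if exe else None})
    return entries

if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        print(f'{e["hive"]}\\{e["key"]} [{e["name"]}] -> {e["exe"]}')
```

Short names are assigned per volume, so on a real system the long path should be confirmed on disk before anything is deleted.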

tburickAuthor Commented:
I was able to delete the above; however, the ini file tsupdate.ini located at C:\Documents and Settings\jsharmon\Local Settings\Temporary Internet Files\ still cannot be deleted. It has an internet address of http://dl.targetsaver.com/2k/tsupdate.ini in the description. Delete is an option if I right click, but it does not go away.
Here is the latest HiJackfile.
hijackthis.log
0
tburickAuthor Commented:
I had the user test IE, and he is NOT getting redirected to the Targetsaver web sites.... So...... is there any harm in having that INI file sitting in his Temporary Internet files folder???  Or will it re-install the program?
0
IndiGenusCommented:
I don't think it will "re-install" anything but not sure...

What happens when you try to delete the file? Does it give you an access error of some kind? What happens? You could also try one of the cleaner programs to clean up your temp files. Either ATFCleaner or CCleaner. Both are good. We could also try Killbox on the file.

0
tburickAuthor Commented:
I have not tried CCleaner, and it is usually the FIRST thing I go for. I did use File Unlocker which allowed me to get rid of one of the directories, but so far so good, no re-infestation. I will go ahead and try those utilities and see if we can get rid of that file.
0
tburickAuthor Commented:
Oh.... I forgot to answer the first part of your question... Nothing happens when I try to delete.  I right click, it shows the delete option, but the file never goes away.. Same thing if I go in via safe mode or another user..  But I am going to try one of the utilities you mentioned now.
0
tburickAuthor Commented:
Well, none of those would delete the file. Killbox went as far as to say "The file you want to delete does not seem to exist". So, his computer is fine, and that's all that matters to me. Thanks for your help.
0
tburickAuthor Commented:
Thanks again for helping me out... How do you gain the knowledge to read the HiJack logs? I would love to be able to understand those. Any books you recommend?
0
IndiGenusCommented:
OK sounds good! Don't think that file is what was causing problem any way. Think it was entries we fixed with HJT.

You're welcome,
Dave
0
IndiGenusCommented:
Thank you for the grade and points.

No, no good books but there are outstanding online resources for learning this. Check out my blog for forums that teach this. Hope this helps.

http://www.anti-malwareoutlook.com/
0