Can't remove Trojan installer and Spyware

Lacustrine

I'm having a recurring appearance of Travelling Salesman
spyware and TargetSaver Trojan downloader after I deep
scan my computer. Can someone out there please advise me
how to eliminate these programs completely from my
hard drive?
Any help would be appreciated.
Thanks
 
Andre Da Costa

Try running that deep scan again at least two times in Safe Mode. Remember
to enable hidden files and empty your temp directory.
 
JohnF.

Hey - I hadn't thought about that - enable hidden files - a lot of people
don't have that enabled. So that can cause a problem for MSAS heh? Have to
add another line to the down and dirty fix it list.

JohnF.
 
AndyManchesta

-----Original Message-----
I'm having a recurring appearance of Travelling Salesman
spyware and TargetSaver Trojan downloader after I deep
scan my computer. Can someone out there please advise me
how to eliminate these programs completely from my
hard drive?
Any help would be appreciated.
Thanks

Hi there, hope this helps you get rid of this:

Adware.TargetSaver monitors open windows and displays ads.

File names: ts2.exe; tsl2.exe; tsm2.exe; tsp2.exe

Creates the following files in C:\Program Files\Common Files\tsa:

inst.dat
ts2.exel
ts2lock
tsl2.exe
tsm2.exe
tsm2lock
tsm2.exe
tsm2lock
tsp2.exe
tsuninst.exe
wu


Creates the following files in C:\Program Files\Common Files\tsa\rainbow:

class-barrel
classify.dll
vocabulary

Adds the value:

"Tsa2"="C:\PROGRA~1\COMMON~1\tsa\tsm2.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the adware runs every time Windows starts.

Creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\TSA
HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\TSA
HKEY_CURRENT_USER\SOFTWARE\TSA

Downloads updates from a remote site.

Removal Method:

If you have just got this trojan then use System Restore
to go back to an earlier date to remove it, but if it's been
there a long time then carry on with these steps:

Before you begin: This adware may include an uninstaller.
The uninstaller file is usually
C:\Program Files\Common Files\tsuninst.exe.
Using Windows Explorer, see if this file exists.

If the file does exist, double-click it and follow any
prompts.

If this file is not present or you are having problems,
then move on to manual removal below:


First: Turn off Windows XP System Restore (Start, right-click
My Computer, Properties, then System Restore, disable
and apply).

Next: Enable viewing of hidden files, folders and
extensions. Some programs can hide this way by not being
visible in Windows. Start Windows Explorer and click on
your main hard drive, usually c:\. Then select Tools from
the top of Windows Explorer and then Folder Options. Go
to the View tab. Scroll down to the folder icon that says
Hidden files and folders and check Show hidden files and
folders. Also, right below it, uncheck Hide file
extensions for known types. Not doing this could allow
file extensions commonly used by trojans and spyware to
be hidden, for example a file ending in .exe or .dll,
making manually finding it, if needed, very difficult.


Next: Boot into Safe Mode.
Reboot the system and tap F8, then choose Safe Mode.


Next: Delete Temp Internet files:
Open an Internet browser window, click Tools then Internet
Options.
Click on the Delete Cookies and the Delete Files buttons,
then click OK and close the browser window.


Next: Delete Windows Temporary Files (Start, Run, then
type %temp% and delete all files you can in this folder).
The Windows temporary directory (usually located at
C:\windows\temp) should not be confused with the Internet
Explorer "Temporary Internet Files Directory".
The Windows temporary directory stores temporary files
that are used during installation of programs and at
other various times.
Cleaning this directory regularly is generally a good
idea.

Manual removal in Safe Mode:

Click Start > Run.
Type regedit

Then click OK.

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"Tsa2"="C:\PROGRA~1\COMMON~1\tsa\tsm2.exe"

Navigate to and delete the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\TSA
HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\TSA
HKEY_CURRENT_USER\SOFTWARE\TSA

Exit the Registry Editor.


Next: Open your C: drive and go to these folders and delete
them. You can also use the search function for this, but
taking out the whole folder will be easier:

Delete the following files in C:\Program Files\Common Files\tsa
(and the folder itself):


inst.dat
ts2.exel
ts2lock
tsl2.exe
tsm2.exe
tsm2lock
tsm2.exe
tsm2lock
tsp2.exe
tsuninst.exe
wu

Delete the following files in C:\Program Files\Common Files\tsa\rainbow
(and the folder):

class-barrel
classify.dll
vocabulary


Then reboot into normal mode and that should be gone. To
make sure, I'd also advise running an online virus scan at
the address:

http://housecall.trendmicro.com/housecall/start_corp.asp


You will notice the files above called tsm. This is the
Travelling Salesman part of the adware, so this should
remove that too. If you have any problems then repost and
I will provide some more removal instructions, but I wanted
to keep it as easy as possible. Be careful with the
regedit page, as any mistakes could seriously damage your
PC; only remove the exact matches for the registry values
I posted. If you are not sure about anything just repost
and I will be glad to help.

Regards Andy
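
A read-only check for the traces listed in the post above, useful for confirming after the reboot that nothing has come back. This is an added example, not part of the original post; it assumes Windows PowerShell 3.0 or later and the default paths exactly as the post gives them, and the function name Get-TargetSaverTrace is hypothetical.

```powershell
# Added example: reports the TargetSaver traces named in the post.
# Read-only: nothing is deleted or changed.
function Get-TargetSaverTrace {
    # Locations taken from the post; default install paths are assumed.
    $runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $regKeys = @(
        'HKLM:\SOFTWARE\TSA',
        'HKLM:\SOFTWARE\Uninstall\TSA',
        'HKCU:\SOFTWARE\TSA'
    )
    $folder      = 'C:\Program Files\Common Files\tsa'
    $uninstaller = 'C:\Program Files\Common Files\tsuninst.exe'
    $found = @()

    # Autostart value "Tsa2" under the Run key.
    $run = Get-ItemProperty -Path $runKey -Name 'Tsa2' -ErrorAction SilentlyContinue
    if ($run) {
        $found += [pscustomobject]@{ Type = 'RunValue'; Item = "$runKey\Tsa2"; Detail = $run.Tsa2 }
    }

    # Registry keys created by the adware.
    foreach ($key in $regKeys) {
        if (Test-Path -Path $key) {
            $found += [pscustomobject]@{ Type = 'RegistryKey'; Item = $key; Detail = '' }
        }
    }

    # Files in the tsa folder and its rainbow subfolder.
    # -Force includes hidden and system files, so Explorer settings do not matter.
    if (Test-Path -LiteralPath $folder) {
        $found += [pscustomobject]@{ Type = 'Folder'; Item = $folder; Detail = '' }
        foreach ($f in Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue) {
            $found += [pscustomobject]@{ Type = 'File'; Item = $f.FullName; Detail = $f.LastWriteTime }
        }
    }
    if (Test-Path -LiteralPath $uninstaller) {
        $found += [pscustomobject]@{ Type = 'File'; Item = $uninstaller; Detail = 'uninstaller' }
    }
    $found
}

$traces = Get-TargetSaverTrace
if ($traces) { $traces | Format-Table -AutoSize }
else { 'None of the listed TargetSaver traces were found.' }
```

Running it once before cleanup and again after rebooting into normal mode shows whether a Run value or file has been re-created, which would match the recurring detections described in the first post.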
 
JohnF.

Yes, I did - I even kicked myself when I posted and thought I should have
said SHOW hidden files.

JohnF.
 
