Ads by browsershop (a/k/a Browser Shop)

Found the item at the top of the forum list; but as I started to reply, the forum s/w suggested I start a new topic as no one had replied to that particular topic in more than 120 days (it’s been about two years, really; so I guess that’s more than 120d). So here’s a psc-exam.txt file that I got since I seem to have contracted Browser Shop, which keeps plastering very unwanted ads all over my web pages. I found a 27-page guide to getting rid of Browser Shop on malwaretips.com; but after doing everything on that list, I still open CD and find this annoyance has reappeared in my extensions. I can’t figure out how it got there in the first place, nor can I figure out why it’s still here like a cockroach after dropping both Little Boy and Fat Man on it. If anyone out there has an idea, I’m all ears. As it is, I now have to open the extensions list when I first start the program and kill Browser Shop (under whatever guise it’s using; lately it’s been “broewseaindshop”) before I do anything else. Exceedingly annoying that it’s gotten past all my incoming defenses, and successfully evades all my post-infection defenses.

[attachment deleted by admin]

I see that a few folks have read this post; but no one has replied. Does no one have an idea about either psc-exam or the Browser Shop invasion? It’s gotten to the point where it doesn’t matter that I kill the extensions when I open CD: Browser Shop shows up anyway. I’ve downloaded a raft of supposed deep-scanning programs; none of them have neutralized it. Here’s another psc-exam.txt file if anyone out there can read it. It’s over my head. And since I’m having problems with Geekbuddy (that’s in another forum section), I have no answers for this. Any help greatly appreciated. Thank you.

[attachment deleted by admin]

> Browser Shop invasion?

I used to fix other people's adware issues, so let's do this.

Uninstall the Browser Shop program from your computer AND the other adware ■■■■ from the “control panel”. Also uninstall any other adware that's there too. If you can show me a picture or 2 and upload it here (like just do a print screen or snapshot) of the installed programs, I can point out to you which is which for adware.

For all the browsers you have start here

Open Internet Explorer, click on the “gear icon” in the upper right part of your browser,
then click “Internet Options” then click on “Advanced” tab
then click on the “Reset” button
In the “Reset Internet Explorer settings” section make sure there's a check mark on “Delete personal settings”
Now click reset

For Chrome and its variants

Click on the “Chrome menu button” on the browser toolbar
select “Tools”
click on “Extensions”
Remove extensions that should not be there
and change the homepage if needed

Run these tools one at a time. When your computer is clean, just uninstall it :slight_smile: Done

http://thisisudax.org/downloads/JRT.exe
http://dl.surfright.nl/HitmanPro_x64.exe
http://downloads.malwarebytes.org/file/mbam/

Thanks for getting back to me. I’ve tried some of these things before; I’ll try them again.

FWIW, here are five pages of programs going back almost four years (although the infestation didn’t start to rear its ugly head until about the time I first posted this). I have never seen anything so obvious as “Browser Shop” or anything remotely resembling the same in my list of installed programs; and the one program I did uninstall (OfficeTabEnterprise) because it had been flagged on line as PUP or worse has only ■■■■■■■ up my installation of Office (running the repair on Office didn’t resolve that; but I digress).

Looks like I’ll have to close down so adwcleaner can try its thing; see you in a few.

[attachment deleted by admin]

The company Spigot: I would uninstall it because it's an adware program. There's 2 of them.

Some of the software you have may have been bundled with adware, like
http://download.cnet.com/MP3MyMP3/3000-2170_4-10369269.html?#userReviews

When the adware is getting removed, it may cripple some of the free software, so when reinstalling something pay attention to the accept and decline options and always choose “customize” as a rule of thumb.

Thanks for the suggestions. I usually do custom installs on webware and cut out everything but the item I really wanted. I tried to uninstall the two Spigot items in the list I sent you; the temp files upon which the uninstalls depend have been deleted and the uninstalls won’t run. So I don’t know if the items are even still installed, or how to uninstall them if they are still installed.

I’ve attached a log file from AdwCleaner and from JRT as well as something I saw on the screen while JRT was running. Hitman Pro and Malwarebytes found virtually nothing (HMP found a few cookies). As I said before, I’ve never seen anything remotely approaching “Browser Shop” in my program list that would make it easy to uninstall. And after running all these programs, when I opened Comodo Dragon (a Chromium browser, if you’re unfamiliar), the file “it keeps coming back” shows what I’ve gotten used to pulling up when I start a browser session. I have to disable and delete this extension every time I start a session; makes it impossible to reopen a previous session because pages will be infected with Browser Shop.

So I’d appreciate your take on this stuff.

[attachment deleted by admin]

Wow, that's crazy.

Browser Shop
Since it keeps coming back, can you go to the run command and type in "services.msc" and see if you can find something that's obviously not supposed to be there? If you see something that's not supposed to be there, then right click on it and click "stop"; also go to the properties and under startup click "disable".

If your Windows doesn't have the run feature on the start menu, follow this
http://www.howtogeek.com/howto/windows-vista/enable-run-command-on-windows-vista-start-menu/

When you're done with the services, do not reboot.
Go back to the run command and type in “msconfig”
click on the “startup” tab and also do the same with “services” too when finished with startup
remove the check marks if you see anything undesirable
Then reboot (hopefully this should stop the parent process from starting and reinstalling adware every startup)

Now remove the extension again in Chrome.
Please run this online scanner,
http://download.eset.com/special/eos/esetsmartinstaller_enu.exe
This is extremely good at dealing with adware, but it is slow. When done you can uninstall that.
Click on “enable detection of potentially unwanted applications” and then click on “advanced settings”
Make sure the first 4 options have a check mark on them. Don't worry about the last setting.

This will take a while, let it clean and then restart computer

OK, sounds like this will take quite some time. In the meantime, what do you make of 1AB14RN500.exe, which I found in my Startup folder? I ran a search for it, got one hit (a site called processchecker.com) that said it “is windows process,” a turn of phrase that makes me a little concerned about going to that particular web site. I also found 1AB14RN500 under Startup when I ran msconfig, as well as a file called conime. Now, there are web pages that say conime is a MS product (Console IME, whatever that means) and others that say it’s a trojan. I found my copy located in %windir%\system32\conime.exe. These are the only two files under Startup that look even remotely questionable to me. Opinion, please? Equally curious: Of all the services listed by msconfig, there are dozens from Microsoft Corporation — and one from “Microsoft Corp.”, which seems strange in context. The item is called “Windows Live ID Sign-In Assistant” and is currently stopped as I write this.

That is highly suspicious. When it is running close it and disable the related start entry.

> as well as a file called conime. Now, there are web pages that say conime is a MS product (Console IME, whatever that means) and others that say it's a trojan. I found my copy located in %windir%\system32\conime.exe. These are the only two files under Startup that look even remotely questionable to me. Opinion, please?

That could be a legit file: http://answers.microsoft.com/en-us/windows/forum/windows_vista-files/conimeexe-what-is/1c6eaa96-479b-4026-83d6-a2bced9d5dcd . Can you see if the file has a digital signature and if the signature is valid? Or could you upload it to Virus Total and post the link to the report?

> Equally curious: Of all the services listed by msconfig, there are dozens from Microsoft Corporation — and one from "Microsoft Corp.", which seems strange in context. The item is called "Windows Live ID Sign-In Assistant" and is currently stopped as I write this.

Microsoft entries in msconfig are normal. Windows Live ID Sign-In Assistant is more than likely the legitimate file it says it is.

Microsoft signs all its executables but the Properties screen of the files won’t show that. To know for sure that a system file is the original file you can use Sigcheck to see if it is digitally signed by Microsoft.

Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\ . When done run sigcheck.reg to add it to the registry.

When this is done navigate to the system32 or other folder, look up and select the file you want to check, right-click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.

> what do you make of 1AB14RN500.exe, which I found in my Startup folder?

This site

hxxp://processchecker.com/file/1AB14RN500.exe.html
says

1AB14RN500.exe is known as Super Optimizer v3.2 and it is developed by Super PC Tools Ltd
At malwaretips.com they say it's spyware: http://malwaretips.com/blogs/super-optimizer-removal/

So it's probably safe to say it's OK to remove. Also delete, if it's there:

C:\Users\Gateway\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 1AB14RN500
and
C:\PROGRAMDATA\{69AF748B-9A32-E012-69AF-F748B9A3D22E}\1AB14RN500.EXE

Go to the registry (by going to the run command and typing in regedit), right click on HKEY_CURRENT_USER and select "find", search for "1AB14RN500", and delete all you can find using the find feature.

As for conime.exe, the legit version of conime.exe is:

> "conime.exe" is Microsoft Console IME (Input Method Editor). It executes whenever a command prompt is opened. Used for Asian language input support in the command prompt. There could be number of reasons you didn't see it until now, including, recently installing a program that supports Asian Languages, installing a patch from MS that included support for Asian languages, etc.

My reference point below https://answers.microsoft.com/en-us/windows/forum/windows_vista-files/conimeexe-what-is/1c6eaa96-479b-4026-83d6-a2bced9d5dcd

> Of all the services listed by msconfig, there are dozens from Microsoft Corporation — and one from "Microsoft Corp.", which seems strange in context. The item is called "Windows Live ID Sign-In Assistant" and is currently stopped as I write this.

There should be an option that says "hide all Microsoft stuff" (something like that); that's to simplify it.

We'll help you get rid of this problem one way or another :slight_smile: If it comes down to it, I can pull up something like "team viewer" and I can connect to you by remote and I'll do it. But that’ll have to wait a week or so if it comes down to that. I’m only a volunteer and do this in my spare time FYI

I should have mentioned, perhaps, that conime.exe is showing as “Unknown” when I check services in msconfig. I suppose that should be considered suspicious (“Ya think!?”).

Does it have a valid Microsoft signature? Can you upload it to Virus Total and post the url to the report here?

Here’s the really strange part: I can’t find it. Msconfig shows it residing in %windir%/system32; but I can’t find it in System32 (and if it matters, yes, I have noticed the case inconsistency). Plus I tried to get rid of a few other things (especially after my HitmanPro, which Control Panel showed as having been installed 3/27, notified me I’d burned my 30-day trial and it won’t remove threats any more); and even though I kill the processes, I can’t remove the files because I’m told the files are in use. How does that happen? But let’s figure out this conime.exe thing first.

Follow this link to show hidden files, so Windows won't hide anything from you
http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Check your PM :slight_smile:

Showing hidden files/folders is usually one of the first changes I make on a new computer; I checked: It was already set to “Show Hidden…”

FINALLY!!! Something over which I tripped a few nights ago in yet another attempt to find out how to lift the curse of Browser Shop gave me the needed clue. I wish I could remember the article so I could post the link; but what the article said (about another but similar insidious infestation) was to check C:\ProgramData for any strange entries. Well, whaddya know: There I found a folder with a gobbledygook name (a long string of random letters) that had a bunch of .json files in it; and the folder was dated from about the time the malevolence first reared its ugly head. I deleted the folder; the Browser Shop menace stopped regurgitating itself into my CD extensions. Problem (apparently) solved!

Now, this begs the question of how this folder kept escaping the notice of Malwarebytes, Hitman Pro, etc., etc., etc. But it’s gone, and so (it seems) is the problem.

It is likely that the adware changed its form. I have seen an adware or similar menace being resurrected by a task in Task Scheduler that kept an eye on the existence of the menace and would revert if it got removed. When resurrection happens there is often some kind of helper process.
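The locations this thread ended up pointing at (a random-named folder under C:\ProgramData holding .json files, the Startup folders, and a scheduled task that restores the extension) can be listed in one read-only PowerShell pass. This is an added example, not part of the original posts; the `manifest.json` check (the file name Chromium uses for an extension manifest) and the English `schtasks` column names are assumptions.

```powershell
# Added example: read-only triage, nothing is deleted or changed.

# 1) Top-level ProgramData folders that contain .json files, oldest first,
#    so a folder created around the time the ads started stands out.
Get-ChildItem -LiteralPath $env:ProgramData -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $json = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -Force `
                    -Filter *.json -ErrorAction SilentlyContinue)
        if ($json.Count -gt 0) {
            New-Object PSObject -Property @{
                Folder      = $_.Name
                Created     = $_.CreationTime
                JsonFiles   = $json.Count
                # Assumption: an unpacked Chromium extension ships a manifest.json
                HasManifest = [bool]($json | Where-Object { $_.Name -eq 'manifest.json' })
            }
        }
    } |
    Sort-Object Created |
    Format-Table Folder, Created, JsonFiles, HasManifest -AutoSize

# 2) Per-user and all-users Startup folders, with Authenticode status,
#    to separate signed vendor files from unsigned droppers.
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        New-Object PSObject -Property @{
            File      = $_.FullName
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    } |
    Format-List File, Signature, Signer

# 3) Scheduled tasks whose command line runs out of ProgramData or AppData.
#    Assumption: English column names ("TaskName", "Task To Run").
schtasks.exe /query /fo csv /v |
    ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'ProgramData|AppData' } |
    Select-Object TaskName, 'Task To Run' -Unique |
    Format-List
```

Many legitimate products also keep .json files under ProgramData, so treat the first table as a shortlist to review by creation date rather than a verdict.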

Hello,

please download FRST and save it to your desktop.

Run tool as Administrator, and on UAC popup click Yes.

Accept the disclaimer by clicking on Yes, and wait while the tool is making a registry backup, which takes a few seconds.

When you get the message in the header “The tool is ready to use”, click on the Scan button, but make sure that Addition is checked before doing it.

The program will generate two logs: FRST.txt and Addition.txt.

Attach logs to your reply.

I was busy so I wasn’t on forums for 5 days.

Hello! Silwncer – I believe this browsershop! is my problem, however, I am a novice and do not want to make a mess of things. I did a Comodo scan that said my computer was “safe”; however, ads kept popping up whenever I click on anything, on any page. (Right now, I feel pretty safe clicking on here.) I think I am in the right place to proceed but I have had trouble on Firefox, Chrome and Chrome etc. “browsing”. I am a senior lady, but I am fairly computer savvy... well, not a complete dunderhead. I am good at following steps, if I am sure they are right for what I need. I have a Windows 7 right now. Please help. Many, many thanks.

Follow the preparation guide on top of the forum please :slight_smile: This way I will know what to remove from your system without scanner usage. Thanks :wink: