• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

This forum thread needs a solution.
Kudos0

Help fixing aftermath of invasion

This occurred about three hours ago. My Norton Anti-Virus and Internet Security were showing as up to date and running. I also had Ad Muncher (registered) running.

Steps of what happened:

1. I was on Yahoo! Answers, looking at the question on this URL (http://answers.yahoo.c_m/question/index;_ylt=AmZzt6y9cidlEEVTFnZeZu7sy6IX;_ylv=3?qid=20080814042844AAFAcYC), about web proxies. I clicked on several of the answerers' links to see what a web proxy site was, and I believe that's when the invasion happened, but I'm not sure which of the links it came from.

2. The first alert I had was a pop-up saying rnAV was trying to access a DNS server. It never tells you why, you know? I clicked " Block this instance" before I realized it was talking about the anti-virus program. (Question 1. Why does the AV try to access a server when an attack is happening?)

3. Right after that, I got another pop-up from Norton saying it had successfully blocked Trojan.Blusod. I realized at that point, I should get offline and run a virus check, but I stupidly read a couple of emails first, then logged off.

4. When I closed my browser (IE 6.0.2900.5512.xpsp.080413-2111), my desktop wallpaper had disappeared and the background was white. I think it was at this point that I disconnected my cable modem so nothing more could get to the web.

5. I ran a quick scan, and it turned up Adware.CWSIEFeats. I clicked Fix. (I got this even though I had Ad Muncher running.

(Question 2. How did it get past Ad Muncher?

Question 3. Was Fix the right thing to choose? My only other option was Exclude, which sounded like it would exclude it from being mentioned in future virus scans.) I turned off Ad Muncher around this time.

6. I aborted the scan, reopened my browser, and erased the cookies, history and temporary Internet files, including the offline ones.

7. I re-ran the quick scan, and nothing else showed up.

8. Then I realized I should run a full system scan. About 1.4 of the way through that, it suddenly stopped and went to the Welcome screen, which I have set up as password protected.

9. I clicked shut down instead, fearing something would record my password and hoping the cold reboot would wipe that. I got a message saying, "Other people are logged on to this computer" (I was logged on as HP_Administrator, it wasn't connected to the Internet, and it's not networked to anything but my printer) and that shutting down would close that. !!!! I continued the shutdown, then rebooted.

10. The screen before the Welcome screen was the normal shade of blue for my XP Home OS. The Welcome screen was normal. The desktop loaded with a royal blue background, but that didn't stay. It turned white by the time the boot finished.

11. I ran the full system scan again, and the same thing happened, only this time when I went to shut down, the message said there were two user accounts running for HP_Administrator.

12. I continued the shutdown, waited 2 minutes, then rebooted. This time, the desktop stayed that royal blue color, no white. I wentto My Computer/Control Panel/User Accounts. The only ones showing were HP_Administrator, Guest (offline) and a SQLDebugger account. These all seem valid. (Question 4. What do you think?)

13. I decided to uncheck the Fast Switching check box, which had been checked. I'm the only user of this computer, and I don't know if this was a default setting or something the invading program did. (Question 5. Anyone know?)

14. I reran the full system scan, and this time, it ran completely. It didn't find anything more.

15. I shut down, to see what would happen with the change in fast switching. Some program shutter window flashed by, then it shut down. On reboot, everything looked normal except for my desktop.

16. I right-clicked on the desktop and selected Properties to put back my wallpaper. Three tabs are still there (Themes, Appearance and Settings), but the ones for my wallpaper and screensaver are missing. (Question 6. How do I get them baaaaaack?)

17. I went back to My Computer/Control Panel/ User Accounts to test whether adding back Fast Switch would cause the "other user account" to show again. A message came up saying, "Fast switching cannot be used because Offline Files is currently enabled." I clicked OK and the Offline Files tab appeared. I check My Computer and My Network Files for any shared offline files, but there weren't any. I de-selected the offline files box. (Question 7. If there's no virus or trojan, why are these changes happening? )

18. Then I re-selected Fast Switching, re-ran the Full System Scan, got the same interruption and move to the Welcome screen, and the same message about 2 HP_Administrator accounts running. I did the cold boot, unchecked Fast Switching, and came here hoping for help.

The big questions:
a. Could I still have some kind of infection, even those NAV says no?

b. If so, what is going on here? What to do? Could this be progressive? I do not want to wipe my system and reinstall everything if I can avoid it.

c. How do I get the 2 user accounts thing to go away? I assume there's some code doing this.

d. How do I get my two desktop Properties tabs to come back?

e. Anything else I should know?

Please help - I'm really freaked out. Thanks.

[edit: broke link, to prevent accidental clicking.]

Message Edited by Allen_K on 09-24-2008 12:24 AM

Replies

Kudos0

Re: Help fixing aftermath of invasion

Have you tried doing a System Restore. BTW do not use IE. Always use Firefox which can block attacks like this. No need for Ad Muncher if you use Firefox.
Real Time Protection = NIS 2009 + NATBehavior Analysis = ThreatfireOn Demand = MBAM
Kudos0

Re: Help fixing aftermath of invasion

Here is a reg fix for the screensaver tab missing.

Start > Run > Regedit



Navigate to



HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\System



If there is a DWoRD Value called "NoDispScrSavPage" with a data value of 1

this will disable the screen saver tab. Change the value to 0 to

see the tab again.
Real Time Protection = NIS 2009 + NATBehavior Analysis = ThreatfireOn Demand = MBAM
Kudos0

Re: Help fixing aftermath of invasion

Hi LisaB.

I am typing the rest out, and will post later on.

A quick addition, "Trojan.Blusod"  disables the stem restore.

Full meesage soon.

Quads 

Kudos0

Re: Help fixing aftermath of invasion

opps.

"Trojan.Blusod"  disables the system restore. 

Kudos0

Re: Help fixing aftermath of invasion

Now Hi

"Trojan.Blusod"  attempts (or suceeds) to download files to your PC. It disables Sysyem Restore, and changes some of your user settings like the wallpaper and screensaver.

Your Desktop went white due to probably the files that Trojan.Blusod" downloaded on to your PC having been removed (hopefully). So now on start-up windows can't find the image file. This is because the registry entries have not been fixed. The reason that your screesaver and wallpaper tabs are missing (or greyed out) are they have been disabled.

The 2 files the Trojan set for the wallpaper and screensaver are:-

C:\WINDOWS\\system32\blph***************.scr      (***....  = random characters)

C:\WINDOWS\\system32\blph***************.bmp      (***....  = random characters) 

Now download and install Malwarebytes Antimalware and do a database update. Do a "Full Scan"

After that is finished and any files removed that registry has to be fixed.

Delete these entries,

HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\”EULAAccepted” = “1″

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"lph[RANDOM CHARACTERS]" = "%System%\lph[RANDOM CHARACTERS].exe"

And chage these entries back to these previous settings if needed,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”lph[RANDOM CHARACTERS]” = “%System%\lph[RANDOM CHARACTERS].exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier\”InstallationID” = “906b1f2d-66b5-439e-8c02-9d08858fe527″
HKEY_CURRENT_USER\Control Panel\Desktop\”ConvertedWallpaper” = “%System%\ph[RANDOM CHARACTERS].bmp”
HKEY_CURRENT_USER\Control Panel\Desktop\”SCRNSAVE.EXE” = “%System%\blph[RANDOM CHARACTERS].scr”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”NoDispBackgroundPage” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”NoDispScrSavPage” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\”DisableSR” = “0″
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\”Start” = “0″
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\”ImagePath” = “*system32\DRIVERS\sr.sys*”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters\”FirstRun” = “0″
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\”Start” = “0″
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\”ImagePath” = “*system32\DRIVERS\sr.sys*”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\”FirstRun” = “0″
HKEY_CURRENT_USER\Control Panel\Colors\”Background” = “0 0 255″
HKEY_CURRENT_USER\Control Panel\Desktop\”ScreenSaveActive” = “1″

HKEY_CURRENT_USER\Control Panel\Desktop\”TileWallpaper” = “0″ 

Try that

Cheers

Quads 

Kudos0

Re: Help fixing aftermath of invasion

Good find Quads. But in addition before all that try running a full scan with SuperAntiSpyware and Malware Bytes Anti Malware.

Real Time Protection = NIS 2009 + NATBehavior Analysis = ThreatfireOn Demand = MBAM
Kudos0

Re: Help fixing aftermath of invasion

Thanks hugely, all, for your answers!

I will print out the info, read it, and try the suggestions.

A couple questions about Trojan.Blusod disabling System Restore:

1. How can I tell if it did? When I go to System Restore, the box is unchecked.

2. So I guess this means that even if Norton AV gets trojans and viruses, it doesn't keep them from doing damage?

By the way, I don't mind the editor breaking my link to the web page I gave, but it wasn't where the problem was. One of the links on that page was the problem. Guess it's not really necessary info, though.

Message Edited by LisaB on 09-24-2008 01:22 PM
Kudos0

Re: Help fixing aftermath of invasion


LisaB wrote:

Thanks hugely, all, for your answers!

I will print out the info, read it, and try the suggestions.

A couple questions about Trojan.Blusod disabling System Restore:

1. How can I tell if it did? When I go to System Restore, the box is unchecked.

2. So I guess this means that even if Norton AV gets trojans and viruses, it doesn't keep them from doing damage?

By the way, I don't mind the editor breaking my link to the web page I gave, but it wasn't where the problem was. One of the links on that page was the problem. Guess it's not really necessary info, though.

Message Edited by LisaB on 09-24-2008 01:22 PM

1. If the box is unchecked than it is off. Mayeb you did this or maybe some trojan did.

2. If Norton catches malware it should disinfect them. What version are you running?

The best thing to start is to download Norton Antibot. You can download it from here

Let's see if that catches something. 

If that doesn't do the trick for you, please download Malwarebytes and rusn a scan. You can download that from here

"All that we are is the result of what we have thought"
Kudos0

Re: Help fixing aftermath of invasion


Dieselman743 wrote:

Good find Quads. But in addition before all that try running a full scan with SuperAntiSpyware and Malware Bytes Anti Malware.


I did say "Now download and install Malwarebytes Antimalware and do a database update. Do a "Full Scan" After that is finished and any files removed that registry has to be fixed." LOL
Tried to type everything out simply as possible to understand, I just copied and pasted the reg entries.
Thanks 
Quads 
Kudos0

Re: Help fixing aftermath of invasion

Hi LisaB

Basically the system restore is turned off, or even sometimes you can't even get to the settings box.  Like you had with your screensaver and wallpaper tabs.

Sometimes, any security program may not stop the infection, 1. that's whay the definition database needs to be keeps up to date.  Some nasties are even created to try and disable the security software (including firewall).

One thing you could do afterwards is to run a registry cleaner.  To remove and not needed reg entries related to your infection as the files are now gone. 

Thanks

Quads 

Kudos0

Re: Help fixing aftermath of invasion

First, make absolutely sure this virus is gone (I think it is one of the nastiest ones out there -- a new mutation appears every so often and AV is only as good as the signatures that have already been recognized).  Follow the above advice about a variety of virus testers just to be sure.

I have seen desktops so ravaged I have not been comfortable restoring them.

Instead, I ...

a.  create a new user with administrator rights

b.  transfer over settings of things that have not been harmed (outlook, etc) using system migration wizard (if possible) or export/import, etc.

c.  if the desktop for the new user is clean and stays that way, then I delete (using the complete option) the other user.

(d.)  if I am happy with the name of this new user, I leave things as they are; otherwise, I create a new user under the old name and transfer all settings back to that user, then delete the current one.

mijN360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
Kudos0

Re: Help fixing aftermath of invasion

Hi LisaB

Just another thing you could  do, is place these enteries inside your "hosts" file using Notepad.
127.0.0.1       antivirusxp2008.com127.0.0.1     youpornztube.com
Exactly like written.Antivirusxp2008 is a rogue security program and the trojan could accessing these sites to download files, even if the trojan is gone, these can be typed into the host file stopping the sites being accessed in future 
Windows checks the HOSTS file BEFORE it looks to your ISP to find the site. Editing the HOSTS file prevents access to the outside sites by redirecting traffic back to your own computer. It can block applications (viruses, trojans,downloaders) from accessing specific sites, by redirecting any (would be) outgoing communication back to your own computer, preventing it from accessing whatever material it was trying to get.

127.0.0.1 is the IP address of your PC usually. 

Now as for "Adware.CWSIEFeats", this is the lesser of 2 evils, It should be easier for the scanners to remove, although afterwards you may have to reset (enter) your browser settings, Homepage, search etc.

As to creating a new user account and transfering the settings across,  Sometimes this won't works as transfering the settings from the affected account ( with the previosly stated registry entries not fixed) can cause the new account to have the same problem once the settings for the sceensaver and wallpaer are transfered.

LisaB, well done on your first detailed post, the more details and symptoms the better for us to work out the fix.

Cheers

Quads 

Kudos0

Re: Help fixing aftermath of invasion

As Quads pointed out, you need to be careful about transferring settings over.  I would transfer nothing except what can't be brought any other way.  I certainly wouldn't bother with trivial items like screensaver or wallpaper -- the idea is to start afresh.  If you use outlook express, you can grab your inbox and outbox et al, and copy them over.  If you use Office Outlook, it has a great export tool right in the Files drop-down menu.  Bring over as little as possible!
mijN360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
Kudos0

Re: Help fixing aftermath of invasion

First, thanks for all the tips and answers, everyone!

Quads, also thanks for the good words about my initial writeup. I'm a software tester, so I should know how to write these things up. Had I not been so upset, I could have written a cleaner, more concise, better organized post. However, I've never learned about the Registry and am not all that technically knowledgeable.

I also want to correct what I said about System Restore. The check box is unchecked, but what the check box says is, "Turn off System Restore on all drives." So that would mean it's on and was never affected, wouldn't it? Not that it's disabled (unless the trojan changed the wording on the check box?) But when I backed up the registry, I wasn't prompted to enable it, so I think it's okay. Just want confirmation.

I didn't have the heart to tackle the repairs yesterday, so I've been working on them today, starting with Quads' posts.

1. I backed up the (invaded) registry before doing anything, just in case.

2. I looked for the two files you mentioned, Quads, the blph* files in Windows\System32, but they weren't there. I gather this is not a problem?

3. Downloaded Malwarebytes AntiMalware, updated it and ran the full scan. I'm pasting the relevant parts here:

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

 

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc134j0e125 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\.tt1.tmp.vbs (Trojan.FakeAlert) -> No action taken.

This was before I clicked the Remove Selected button. I didn't realize I had to log the results - thought that would be automatic. Anyway, the removal was successful, according to the software.

4. Then I right-clicked on my desktop and selected Properties. Lo and behold, my Desktop and Screensaver tabs were back, so I restored my wallpaper and temporarily added a screensaver just to make sure it worked (I don't usually use one). I did this via the GUI.

5. Next, I went to your list, Quads, found the first entry, HKEY_CURRENT_USER..."EULAAccepted"="1" and deleted the entire key, not just the value. Was that what I was supposed to do?

6. The second entry you said to delete was not there, no key like this. Is this okay?

7. Then you have a list of keys to be changed back to original values. Are the values in your post the correct ones or the bad ones? I have no idea what my original values were, and I don't even have the first two files (or whatever they're called) in your list. Do I need to add them????? For the others, the values I have are the ones in your list.

8. Again, I restored my wallpaper using the GUI, but the last HKEY in your list still shows the 0 value in the Registry. Is this correct or a problem?

I have all the other suggestions and will look at every one, but I want to do this carefully, to fix things before adding more security, for example. So let me get these questions answered first, then I'll work on the rest.

Thanks again for all the help!

Message Edited by LisaB on 09-25-2008 06:56 PM
Kudos0

Re: Help fixing aftermath of invasion

Hi LisaB
 
1. Backed up registry, GOOD
2. No the fact the files are not there is also good and no problem.
 
Looks as though Malwarebytes fixed a lot of entries, The entry I posted vs the Malwarebytes entry in log. 
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”lph[RANDOM CHARACTERS]” = “%System%\lph[RANDOM CHARACTERS].exe” is the same as
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc134j0e125 (Trojan.FakeAlert) -> No action taken."

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier\”InstallationID” = “906b1f2d-66b5-439e-8c02-9d08858fe527″ is the same as 
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken". in the Malwarebytes log 
 
 HKEY_CURRENT_USER\Control Panel\Desktop\”ConvertedWallpaper” = “%System%\ph[RANDOM CHARACTERS].bmp”
"HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken." in Malwarebytes log
 
HKEY_CURRENT_USER\Control Panel\Desktop\”SCRNSAVE.EXE” = “%System%\blph[RANDOM CHARACTERS].scr”
"HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken." in Malwarebytes log
 
7. The Values posted were the correct ones, Actually Malwarebytes stated this in the below entries " Bad: (1) Good: (0)" that's cool.
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”NoDispBackgroundPage” = “0″
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken." 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”NoDispScrSavPage” = “0″
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\”DisableSR” = “0″  As written shouldd say "0"
 
You can check these entries also to just make sure the values are correct,if you like, the values written are the values should be shown .  opps, may have already done that.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\”Start” = “0″
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\”ImagePath” = “*system32\DRIVERS\sr.sys*”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters\”FirstRun” = “0″
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\”Start” = “0″
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\”ImagePath” = “*system32\DRIVERS\sr.sys*”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\”FirstRun” = “0″
HKEY_CURRENT_USER\Control Panel\Colors\”Background” = “0 0 255″
HKEY_CURRENT_USER\Control Panel\Desktop\”ScreenSaveActive” = “1″
HKEY_CURRENT_USER\Control Panel\Desktop\”TileWallpaper” = “0″  
 
8.  the last entry value of "0 is correct.   
 
Looks as though Malwarebytes may have done it's job., any more Questions??
 
Cheers
 
Quads 

Kudos0

Re: Help fixing aftermath of invasion

I just wrote a wrap-up post and got blown out of the system and asked to log in again. Don't have the patience to rewrite it, so I'll just say that I've done all the checks I wanted to do, and everything seems back to normal.

I'm leery of adding things to files and downloading software that essentially does the same thing as what I have, in case an incompatibility screws things up, so I'll hold off on most of your suggestions.

mijcar's point about AV software only being able to fight what it can recognize and Quads' about some malware disabling AV software are two things I'm concerned about, so I may still take Dieselman's suggestion about running SuperAntiSpyware.

Thanks again, everyone!

Kudos0

Re: Help fixing aftermath of invasion

Hi LisaB

Having Norton and an on demand product for scanning like Spyot S&D, Ad-Aware, MalwareBytes and SuperAntispyware free there is no problem.

It's when you have 2 or more realtime products installed like.  Norton NIS + ZoneAlarm.   Norton + AVG or Avast  etc.   that is where the conflict arises.  Also Norton and Webroot Spysweeper 5.8

bye

Quads 

Kudos0

Re: Help fixing aftermath of invasion

Okay, Quads, I understand about not having two AV programs installed. And I see that it's okay to have Norton and MalwareBytes together. But is it okay to have these and also SuperAntiSpyware?
Kudos0

Re: Help fixing aftermath of invasion

Hi LisaB

It's OK to have SuperAntiSpyware free installed on your PC as well, as the free edition is also not realtime. It's like MalwareBytes, you have to st art the program, you can run a scan then close it after. It doesn't "start-up" when Windows does.   Like Norton.

Quads 

This thread is closed from further comment. Please visit the forum to start a new thread.