Win32 Virus - Boot-time Scan Failure

Greetings, I’ve acquired a rather nasty virus, and I humbly come to you for help.

OS : Windows Vista

Symptoms:

  • Internet explorer popup advertisements (I currently use Firefox.)

  • Security Center automatically disables. I have run services, and set it back to automatic, and it simply turns back to disabled immediately.

  • Failure of Spy bot Search & Destroy and other anti spy-ware software. The program crashed, and when I try to run it again, it fails. The following message is given, “(program name) has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available”. This occurs with Spy bot S&D, Superantispyware, and Malwarebytes.

  • When I run avast scan, it pops up 4-5 different warnings that a virus / trojan has infected my computer. Delete / Move to Virus Chest do nothing. Move to virus chest tells me that the file cannot be accessed due to current use.

Here is a somewhat large copy and paste of a log of these 4-5 warnings that pop up over and over again. (Deleted repetitive middle portion to save some space.)


8/12/2009 10:20:30 PM 1250133630 SYSTEM 1840 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Windows\System32\UACrhttajeqxc.dll” file.
8/12/2009 10:20:30 PM 1250133630 SYSTEM 1840 Sign of “Win32:Fasec [Trj]” has been found in “C:\Windows\System32\UAChhfeuusppy.dll” file.
8/12/2009 10:20:37 PM 1250133637 SYSTEM 1840 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Windows\System32\UACrhttajeqxc.dll” file.
8/12/2009 10:20:37 PM 1250133637 SYSTEM 1840 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Windows\System32\UACrhttajeqxc.dll” file.
8/12/2009 10:20:37 PM 1250133637 SYSTEM 1840 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Windows\System32\UACrhttajeqxc.dll” file.
8/12/2009 10:24:31 PM 1250133871 SYSTEM 1840 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Windows\System32\UACrhttajeqxc.dll” file.
8/12/2009 10:25:11 PM 1250133911 SYSTEM 1840 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Windows\System32\UACrhttajeqxc.dll” file.
8/12/2009 10:25:23 PM 1250133923 SYSTEM 1840 Sign of “Win32:Fasec [Trj]” has been found in “C:\Windows\System32\UAChhfeuusppy.dll” file.
8/12/2009 10:25:32 PM 1250133932 SYSTEM 1840 Sign of “Win32:Fasec [Trj]” has been found in “C:\Windows\System32\UAChhfeuusppy.dll” file.
8/12/2009 10:25:41 PM 1250133941 SYSTEM 1840 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Windows\System32\UACrhttajeqxc.dll” file.
8/12/2009 10:25:47 PM 1250133947 SYSTEM 1840 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Windows\System32\UACrhttajeqxc.dll” file.
8/12/2009 10:25:54 PM 1250133954 SYSTEM 1840 Sign of “Win32:Fasec [Trj]” has been found in “C:\Windows\System32\UAChhfeuusppy.dll” file.
8/12/2009 10:26:04 PM 1250133964 SYSTEM 1840 Sign of “Win32:Fasec [Trj]” has been found in “C:\Windows\System32\UAChhfeuusppy.dll” file.
\UACrhttajeqxc.dll" file.
8/12/2009 10:45:04 PM 1250135104 SYSTEM 1840 Sign of “Win32:Fasec [Trj]” has been found in “C:\Windows\System32\UAChhfeuusppy.dll” file.
8/12/2009 10:45:13 PM 1250135113 SYSTEM 1840 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Windows\System32\UACrhttajeqxc.dll” file.
8/12/2009 11:31:43 PM 1250137903 SYSTEM 1928 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Windows\System32\UACrhttajeqxc.dll” file.
8/12/2009 11:31:44 PM 1250137904 SYSTEM 1928 Sign of “Win32:Fasec [Trj]” has been found in “C:\Windows\System32\UAChhfeuusppy.dll” file.
8/13/2009 12:01:13 AM 1250139673 SYSTEM 1928 Sign of “JS:Pdfka-MQ [Trj]” has been found in “C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3K322BZ4\README[1].pdf” file.


  • Failure of Boot-time scan. I’ve tried to run the boot-time scan multiple times to avoid the currently running issue. The scan freezes on the same file each time I run it. “D:\windows…TMContainer00000000000000000002.regtrans-ms”

I have tried other anti-virus software including AVG Free and OneCare, with no success. I disabled both of these before running Avast. I’m currently running the free demo version, and I plan to pay for the upgrade if it can repair my system.

Below is a copy / paste of my HijackThis logfile, if it is of any use.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:51 PM, on 8/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\msa.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Windows\system32\rundll32.exe
C:\Users\John\AppData\Local\Temp\b.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [Monopod] C:\Users\John\AppData\Local\Temp\b.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User ‘Default user’)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe


End of file - 2078 bytes


I will check back regularly, and if more information is required to help, I’ll provide it ASAP.

I’m grateful for any help with this issue.

-BlackRoseBaron

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Download Malwarebytes’ Anti-Malware (MBAM) then install it then update it and run a Quick scan:
http://www.malwarebytes.org/mbam.php

Post its log here.

Even though you use Firefox Windows still uses IE8 for Windows and it should be updated:
http://www.microsoft.com/windows/internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Internet Explorer 8.0 has now been installed, and all available windows updates are installed.

I’m unable to complete the MalwareBytes step, the program encounters a problem and is forced to close the second I try to install.

The Secunia Online Software Inspector couldn’t complete its scan.

Here is a screenshot of the result: I let it run for over 30 minutes on that same file after this was taken.

http://i31.tinypic.com/8zqxpc.jpg

I apparently have something nasty in my D recovery drive, something that causes scans to come to a screeching halt.

Something else noteworthy: After updates were installed, and computer was rebooted, I got a message telling me that something called “b.exe” failed to run and is being shut down.

Another note: I had AVCare on this machine before this latest problem started, I closed processes, uninstalled, deleted its files in registry, and deleted its program files directory. This had cleared up all issues until recently.

Your help is much appreciated,
-BlackRoseBaron

Can you boot into safe mode with networking and try installing malwarebytes again? After you have it installed, update it and run a full scan. Then post back a log.

If you don’t know how to boot into safe mode with networking, here is a tutorial:
http://www.vista4beginners.com/Boot-in-safe-mode

you could try

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en

Dr.Web CurIt http://www.freedrweb.com/

I’ve now uninstalled and reinstalled malwarebytes in safe mode with networking. The program installed, but will not run. When I try to run it under normal boot, I get a message telling me that the program is closing. In safe mode, when I try to run, it just does absolutely nothing.

-BlackRoseBaron

Try renaming it to something like fun.exe or bad.exe and try again in safe mode.

I tried Norman Malware, it doesn’t appear to have fixed my problem, but I gained information. I’ll likely try Dr. Web later if I am still infected.

FakeAlert.AANY (marked for deferred cleaning)
W32/FakeAlert.AANZ (marked for deferred cleaning)
W32/DNSChanger.FDCM (marked for deferred cleaning)
W32/DLoader.TGAO (4 deleted)
W32/FakeAlert.ZQI (1 deleted)
HTML/Iframe.J (many deleted)

The items marked for deferred cleaning don’t appear to have been fixed.

Edit: The items marked for deferred cleaning were on the same files that Avast picked up over and over again but could not fix.

Try renaming it to something like fun.exe or bad.exe and try again in safe mode.

I tried renaming, and it worked. I’m currently running malwarebytes scan and will post back with results later.

-BlackRoseBaron

you may need to run Norman more than once and restart between

Unfortunately, Malwarebytes scan was not successful. The program froze while scanning the D Recovery drive in the same fashion as the other scans.

Here is a screenshot of the result (frozen screen):

http://i27.tinypic.com/2it2aoj.jpg

I’m now going to try rescanning with Norman a couple times, as per suggestion.

Thank you for the continued support,
-BlackRoseBaron

Edit: I’m also going to try running Spybot S&D and Superantispyware after renaming.

Edit: Another symptom I have noticed, fake / redirected google search bar on firefox start page, redirected google / yahoo image search. It redirects to a blank page, what I assume was supposed to be advertisements.

The redirection is caused by the dns changer trojan. Usually malwarebytes can get rid of it.

Edit: You could run a quick scan as pondus suggested if the full scan doesn’t work.

I see Malwarebytes did 26 minutes in full scan before it froze…what if you try quick scan, will it finish the scan?

Following is copy / paste of MBytes quick scan, which completed successfully.


Malwarebytes’ Anti-Malware 1.40
Database version: 2616
Windows 6.0.6002 Service Pack 2 (Safe Mode)

8/13/2009 5:16:24 PM
mbam-log-2009-08-13 (17-16-24).txt

Scan type: Quick Scan
Objects scanned: 76498
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 30
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\?\globalroot\systemroot\System32\UAChhfeuusppy.dll (Trojan.TDSS) → Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\monopod (Trojan.Downloader) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\?\globalroot\systemroot\System32\UAChhfeuusppy.dll (Trojan.TDSS) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\b.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:$Recycle.Bin\S-1-5-21-3708478136-1392408501-2315465819-1000$RD040QY\Uninstall.exe (Rogue.AVCare) → Quarantined and deleted successfully.
C:$Recycle.Bin\S-1-5-21-3708478136-1392408501-2315465819-1000$RK0FBTH\AVCare.exe (Rogue.AVCare) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\d.exe (Trojan.Dropper) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\e.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\g.exe (Trojan.Dropper) → Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\h.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Windows\system32\uacinit.dll (Trojan.Agent) → Delete on reboot.
C:\Windows\Tasks{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Windows\Tasks{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) → Quarantined and deleted successfully.


I’ll now test for symptoms, and see if full scans on Malwarebytes and other software will run.

-BlackRoseBaron

Just one question before you start scanning again. Have you restarted your computer yet?

Edit: Please proceed to page 2 as I have posted instructions on how to remove these.

Yes, I’ve been restarting computer between each scan.

Malwarebytes said that there was one infection which would require a reboot. I rebooted the computer, and symptoms persist. I’m now running another quickscan to see what remained.

Copy / Paste of this scan follows:

Malwarebytes’ Anti-Malware 1.40
Database version: 2616
Windows 6.0.6002 Service Pack 2 (Safe Mode)

8/13/2009 5:27:11 PM
mbam-log-2009-08-13 (17-27-11).txt

Scan type: Quick Scan
Objects scanned: 76095
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\uacinit.dll (Trojan.Agent) → Delete on reboot.


I’ll now reboot again.

-BlackRoseBaron

Edit: C:\Windows\system32\uacinit.dll – Whatever this is, it persists through quick-scan, repair, reboot, re quick-scan process and restores the following:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace)

It’s the same deal with Norman’s unfortunately, it picks up the same infections after scan, repair, reboot, rescan.

Currently trying Spybot, Superantispyware with new names.
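An added example, not part of any post in this thread: a small Python comparison of two Malwarebytes logs that lists every object the first scan acted on and the next scan found again, which is the scan, repair, reboot, rescan pattern described above. The log excerpts are copied from the two quick-scan logs posted earlier; the function names are assumptions of this example.

```python
import re

# One item line in a Malwarebytes log: <object> (<detection>) → <action>.
# Some copies of the log use "->" instead of the arrow character.
ITEM = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) (?:→|->) (?P<action>.+?)\.?$")

# Excerpts of the two quick-scan logs posted above (5:16 PM and 5:27 PM).
SCAN_1 = r"""
Memory Modules Infected:
\?\globalroot\systemroot\System32\UAChhfeuusppy.dll (Trojan.TDSS) → Delete on reboot.
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) → Quarantined and deleted successfully.
Files Infected:
C:\Users\John\AppData\Local\Temp\b.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Windows\system32\uacinit.dll (Trojan.Agent) → Delete on reboot.
"""
SCAN_2 = r"""
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) → Quarantined and deleted successfully.
Files Infected:
C:\Windows\system32\uacinit.dll (Trojan.Agent) → Delete on reboot.
"""


def parse_items(log_text):
    """Map lowercased object path -> (object, detection, action) per item line.

    Section headers, scan statistics and "(No malicious items detected)"
    lines do not match the item pattern and are skipped.
    """
    items = {}
    for line in log_text.splitlines():
        m = ITEM.match(line.strip())
        if m:
            # Windows paths and registry keys are case-insensitive.
            items[m["obj"].lower()] = (m["obj"], m["det"], m["action"])
    return items


def reappeared(first_log, second_log):
    """Objects handled in the first scan that the second scan detected again.

    Returns (object, detection, action taken in the first scan) tuples,
    sorted by object name.
    """
    first, second = parse_items(first_log), parse_items(second_log)
    return [
        (second[key][0], second[key][1], first[key][2])
        for key in sorted(first.keys() & second.keys())
    ]


if __name__ == "__main__":
    for obj, detection, earlier_action in reappeared(SCAN_1, SCAN_2):
        print(f"{obj} ({detection}) came back after: {earlier_action}")
```

An object that shows up in this list after "Quarantined and deleted successfully" was recreated between the two scans, so the component recreating it was not among the items removed.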

looks like you get the bugs piece by piece :wink:

C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

This one usually has some friends along to the party (file names also beginning UAC and commonly in the windows\system32\drivers folder) and is pretty persistent. It is these other files that are restoring it I believe.

RootRepeal, http://rootrepeal.googlepages.com/ RootRepeal is a new rootkit detector currently in public beta. Scroll down the page for the download link. Also see, http://www.malwarebytes.org/forums/index.php?showtopic=12709 for general information on running it. Also see, http://forum.avast.com/index.php?topic=47511.msg401133#msg401133.

Can you boot into normal mode and download combofix by subs from the following link:
http://subs.geekstogo.com/ComboFix.exe

Save the file to your desktop.

Before you run it, make sure you have disabled all your antivirus and anti-spyware software as it might interfere with combofix.
Open the program and let it run the scan.
During this process, please don’t move your mouse or touch your keyboard as it might stall the program.
Combofix might restart your computer a few times during this process.
After combofix is done, it shall produce a log.
Please include the C:\ComboFix.txt in your next reply.

I read the pages you linked, downloaded and am trying to run RootRepeal.

I get a popup telling me “Could not read the boot sector. Try adjusting Disk Access Level in the Options dialog”. If I close this window several times, the program comes up and appears normal. Is there something I need to do / fix before proceeding?

Update: Before I read your post, I was trying to reinstall spybot S&D, and the machine spontaneously reboots during the process, naturally causing installation to fail.

I’m not too familiar with RootRepeal but presumably it has the settings, see image, about tab, Settings, General, Disk Access Level. Try taking the slider down one notch.

I wouldn’t worry too much about Spybot S&D at this time as it really isn’t as good as either MBAM or SAS, but the major problem is the rootkit protection stopping other applications.