| | #1 (permalink) |
| Guest | New Vista installation - rootkit found! |

I've been running Vista RC1/RC2 for several months without problems so decided to upgrade to the new release. I installed Vista Ultimate OEM on a new hard drive and everything proceeded smoothly. Before doing anything else I went to Grisoft's site and downloaded and installed AVG free.

I then ran AVG and it found the trojans c:/windows/system32/agony.sys and c:/windows/system32/winsecurity/mswinup.exe, which I understand are some sort of rootkit.

Obviously I wasn't happy about this on a new installation, so I reformatted and installed the whole thing again. This time everything was fine.

My questions are: How did this rootkit get itself onto a new system and why didn't UAC and Windows Defender prevent this or, at least, warn me about it?

--
Walter.
| | #2 (permalink) |
| Guest | Re: New Vista installation - rootkit found! |

Hi Walter, can you provide a little more information on the way the installations were performed?

When you installed Vista RC1, did you "upgrade" something like XP?

Where did you get your Vista Disk, was it downloaded from the Microsoft site?

Did you find the rootkit on the new hard drive?

There is plenty of anti-rootkit info at http://www.antirootkit.com

Zoned :-)
| | #3 (permalink) |
| Guest | Re: New Vista installation - rootkit found! |

Walter Docherty wrote:

> I've been running Vista RC1/RC2 for several months without problems so
> decided to upgrade to the new release. I installed Vista Ultimate OEM
> on a new hard drive and everything proceeded smoothly. Before doing
> anything else I went to Grisoft's site and downloaded and installed AVG
> free.
>
> I then ran AVG and it found the trojans c:/windows/system32/agony.sys
> and c:/windows/system32/winsecurity/mswinup.exe, which I understand are
> some sort of rootkit.
>
> Obviously I wasn't happy about this on a new installation, so I
> reformatted and installed the whole thing again. This time everything
> was fine.
>
> My questions are: How did this rootkit get itself onto a new system and
> why didn't UAC and Windows Defender prevent this or, at least, warn me
> about it?
>

Dude... it's designed that way. Windows Vista has emerged from a long line of Windows source code and Windows is insecure by design. Yes, Vista is, at the moment, more secure than previous versions of Windows. But give it a few months, weeks, days or hours and it'll prove itself as insecure as every version before it.

--
Jerry McBride
| | #4 (permalink) |
| Guest | Re: New Vista installation - rootkit found! |

On 1 Feb 2007 14:50:27 -0800, Zoned wrote:

> When you installed Vista RC1, did you "upgrade" something like XP?

No, it was a clean install. I triple-boot this machine but prefer to do this via the BIOS. So when I installed Vista I followed my usual procedure of unplugging the existing three drives and installing onto the new, clean, hard drive.

> Where did you get your Vista Disk, was it downloaded from the
> Microsoft site?

Nope. It was purchased, together with the new hard drive, from a large retailer here in the UK and was in the usual sealed MS package. Anyway, the infection couldn't have been on the DVD as the second re-installation was clean.

> Did you find the rootkit on the new hard drive?

Yes. It was the only drive installed at the time so the infection couldn't have come from any of the existing drives.

> There is plenty of anti-rootkit info at http://www.antirootkit.com

Thanks. I've had a quick look and bookmarked the site for a more in-depth look when I have more time. I've a lot to learn about this problem - this is the first time I've ever had any kind of infection after running Win95/ME/XP for many years so it's not something I've paid much attention to, beyond running the usual AV/Anti-Spyware software.

Thanks for your reply.

--
Walter.
| | #5 (permalink) |
| Guest | RE: New Vista installation - rootkit found! |

"Walter Docherty" wrote:

> I've been running Vista RC1/RC2 for several months without problems so
> decided to upgrade to the new release. I installed Vista Ultimate OEM

> I then ran AVG and it found the trojans c:/windows/system32/agony.sys
> and c:/windows/system32/winsecurity/mswinup.exe, which I understand are
> some sort of rootkit.

> My questions are: How did this rootkit get itself onto a new system

because it was in your pirated copy of Vista