by   January 12 2010   
Redirect Virus Vundo.JD csrss.exe infected When you find a Trojan like the Vundo or any that change your atapi.sys file and csrss.exe files you know a logging program is waiting for you at your keyboard.

Redirect Virus Vundo.JD csrss.exe infected

VIRUS: (Note: This post has been updated with semifinal results. )

This is an Adware issue.

csrss.exe memory_00280000 Vundo.JD

Testing the AVG fix: http://forums.avg.com/us-en/avg-free-forum?sec=thread&act=show&id=55097

I found the atapi.sys file was backed up as atapi.sys.tmp on 1/2/2010 which was the time coupons.com was installed.

My first guess is that it's not directly related to the coupons.com application but from one of it's advertisers.

I have seen viruses distributed via framed ads before.
In 2005 I found one advertisement that used IFRAMES:
http://www.digitalspy.co.uk/forums/showthread.php?t=237547

The uninstall application from coupons.com did remove the CPNPRT2.CID (DLL) file.
This is to update part of the article Benjamin Edelman wrote.
Benjamin Edelman

But the question is still not answered.
Does Coupons.com screen advertisements before they allow them to be targeted to it's members?

The adware application install track was not found and will need to be reproduced to actually answer the question of "Was it from a sponsored advertisement?"

The AVG fix didn't do anything for the popups.
But there is more information.
The popups would leave specific cookies in the SYSTEM32/CONFIG/ folder. This narrows the tracking down to 3 to 4 ad servers.

First Notes:
The active application found in memory was detected by AVG as a
csrss.exe in memory as well.
Vundo.JD
Virus installed 1/3/2010
Turn off System Restore:
Run AVG or your Antivirus
Once it is found in active memory and in your WINDOWS/SYSTEM folder have it healed or removed.

You'll need to restart to clear out the virus from memory.

This is classical Blackhat SEO work using virus style infections to promote websites or products.
The design is to show their customers page hit increases.
The redirect does this just fine.

Typically you will see different advertisements.
Years ago this was the primary method of a single company.
But today there are many.

Product Marketing sometimes doesn't go well when they are marketed like this.
I for one will list the domain names of the redirects and ask people not to download or purchase the software or products due to the type of marketing methods used.

The companies might not be aware of this but maybe they will read posts like this and fire the marketing company with a good number of legal actions.

Like a class action for the service time to clean out these viruses.

iconicon

Advertisement: Setting up Regisitry Defender for Windows.
URL: registrydefender .com / l/ indexsz.asp?utm_ medium = ctx&utm_campaign

Would I recommend that you purchase this product from the above website? No! I will be sending them the bill cleaning out the computer their marketing company infected.


Hi,

this infection is related with infected system driver "atapi.sys", please read this thread about solution - http://forums.avg.com/cz-en/avg-free-forum?sec=thread&act=show&id=51637#post_51637

Thanks


AVG Team

Perfect solution for
"C:\WINDOWS\system32\CSRSS.EXE (1080):\memory_00280000";"Trojan horse Vundo.JD";"Moved to Virus Vault"
"C:\WINDOWS\system32\CSRSS.EXE (1080)";"Trojan horse Vundo.JD";"Reboot is required to finish the action"

The instructions are easy to follow.
I found on 1/3/2010 the atapi.sys file was changed and the application that changed it (Coupons.com install) saved a temp file: atapi.sys.tmp

 

 

 

Redirect Virus Vundo.JD csrss.exe infected When you find a Trojan like the Vundo or any that change your atapi.sys file and csrss.exe files you know a logging program is waiting for you at your keyboard.