bcastner (MVM, Chevy Chase, MD):
MonaRonaDona "virus"?

What is up with this new one that seems to have hit many in the last week: »groups.google.com/groups ··· =d&hl=en

It looks like you could use HijackThis to stop this one:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - Global Startup: SRVSPOOL.exe


It appears to be linked somehow with "UniGray Antivirus", but in what way is unclear. It is clearly extortion-ware, offering on the user's screen: "Welcome to MonaRonaDona; hi, my name is Mona RonaDona. i am a virus& i am here to Wreck Your PC."

HVredeling (Anon, @myvzw.com):

Despite the lack of information on the Internet, I was able to pinpoint the culprit that was causing my machine to start acting up due to the MonaRonaDona virus.

I was able to fix the problem and here is how.

The virus installs an executable SRVSPOOL.EXE in the Startup folder of the All Users account. Click Start/Programs/Startup, right-click the SRVSPOOL.EXE entry and delete it. How to fix the header of your Internet Explorer and how to re-enable Task Manager is posted in numerous postings online.

Re-enable Task Manager: Troubleshooting Windows XP, Tweaks and Fixes for Windows XP
Go to this page and try #51 from the right column. Click on "enable the task manager."

Modify header of Internet Explorer: How do i get rid of monaronadona on top bar of my homepage? - Yahoo! Answers
(Optionally, you can manually type "Microsoft Internet Explorer" to replace the string "MonaRonaDona".)

After that, reboot your machine.

The virus puts a message on the screen. Aside from that, Task Manager is disabled, the header of Internet Explorer is modified and when trying to open programs, those programs are shut down immediately.

Whatever you do, do NOT download and install the virus scanner named UniGray. That "scanner" is a scam, a non-working piece of software. The website tries to get you to register and pay for something that does nothing.

Hope this info helps those who come across this virus. It seems to be a brand new occurrence given the lack of solutions found on the Internet.

jimschoe (Anon, @ameritech.net):

I just tried to delete the Srvspool and it says access denied. Anyone else have any new news??
MysteryFCM (Member, England):

You really should post in the infection help forums

»Security Cleanup

But to get rid of this specific file:

1. Either log into Safe Mode and delete it there or
2. Download the following, right click the file you want to delete and select "Who Lock Me", then kill the process locking it (will then allow you to delete it)

»freeware.it-mate.co.uk/? ··· &pid=170

or ...

3. Use MoveOnBoot

»www.snapfiles.com/get/mo ··· oot.html

Or ....

4. See the following:

»www.aumha.org/a/stubborn.php

NanDog (Premium Member, Bremerton, WA):

said by MysteryFCM:

You really should post in the infection help forums

»Security Cleanup
If your suggestion was to the OP it's a bit misguided.

bcastner is one of the accredited helpers on the Security Cleanup forum: »Security Cleanup FAQ

He knows what he's doing.
MysteryFCM (Member, England):

hehe nope, my reply was to jimschoe (I'm already familiar with BC)

Name Game (Premium Member, Grand Rapids, MI) to bcastner:
How to Change the Internet Explorer Window Title
»support.microsoft.com/kb/176497
Yup Bill,
Seems to be pretty well orchestrated.
Besides the UniGray Antivirus scam going on with it and the YouTube video,
Others are now posting special (untested and unknown) tools to remove it.

J Hilton postings:

»www.howtofixcomputers.co ··· 9-4.html

»forums.microsoft.com/Win ··· SiteID=2

bcastner (MVM, Chevy Chase, MD) to MysteryFCM:
Steve and I are known to each other.
Here and elsewhere.

What I was hoping is that someone victimized by this would tell us if you get messages from "UniGray Antivirus". That is the part that bothers me at the moment.

(If you have this infection, I would be happy to remove it in the Cleanup subForum. It should go pretty easily.)
MysteryFCM (Member, England) to bcastner:
hiya dude

Been trying to find a sample of this that I can analyse but haven't been successful thus far.

bcastner (MVM, Chevy Chase, MD):

If I get a live one I will do a capture and post at MR.

Just read this "review" of Unigray Antivirus.
quote:
Re: unigray antivirus
by Kees Bakker - 2/27/08 5:20 AM
In reply to: monadonarona by Kees Bakker
I downloaded their program and installed it (after Norton found it was virus-free). I must say it's amazing.

All it installs:
- the program itself, some 6 Mb
- an uninstall dat and exe
- an icon
- some shortcuts and pifs
- NO virus definitions

Then I ran it. It said:
Virus definition version: 02.73.88 (Februari 15, 2008)
DB version: 4.34/2008
Protecting against 679871 threads
That's fairly impressive for a company that's only on the web for 6 days.

Then (after disabling the real-time protection it offers, which is amazing on its own given the components it installed) I used it to scan my clean (according to Norton) system. It found:
- 240 viruses
- 48 malware
- 43 adware
Most of them were in Microsoft programs (like Visual Studio). And I'm sure they don't contain those viruses and malware. So these are false positives. I preferred not to run the Repair, for obvious reasons.

Then I checked for updated definitions. Couldn't harm, as I had none. So the program contacted their website (or so it said) and reported I already had the latest version (those of Februari 15, remember). Then I went to their (rather unimpressive) website and found out that they added detection for monaronadona on Februari 22.
Which leaves me wondering why so many of our new members report it cleaned it off their systems if it's a version one week older.

I'm uninstalling the program now, and still feel rather safe behind my firewall.

Somehow, I keep thinking this is a scam.

Kees

»forums.cnet.com/5208-613 ··· =2715970

NanDog (Premium Member, Bremerton, WA) to MysteryFCM:
MysteryFCM said: "hehe nope, my reply was to jimschoe (I'm already familiar with BC )"

Sorry! My bad!
jrmarto (Member, Norwich, CT) to MysteryFCM:

This is fascinating to me as a co-worker of my husband's called me this morning complaining of this very infection, on a laptop I just helped her buy last week. She was using the Verizon subscription antivirus product. She told me she had "cured" it by creating another administrator account, moving her files over, and deleting her one week old account - but asked me if I had any suggestions. Never having heard of MonaRonaDona I advised her to run an online scan at Trend Micro, download Spybot and Ad-Aware, and keep an eye on what was going on with her computer. I would be happy to (on Monday) walk her through creating a HJT log if anybody is interested in seeing what is on her computer.

bcastner (MVM, Chevy Chase, MD):

MonaRonaDona Removal Tool

~~~ EDIT: You would be better doing the more comprehensive fix posted further below for Vista, XP, Windows 2003 and Windows 2008. If you have any issues, run the steps in Safe Mode.

Important Note: This fix version is likely best done in Safe Mode after creating the actual script below. The second "fix" (below): http://www.dslreports.com/forum/r20088377- does not have this requirement, and is likely the best overall choice.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Quote box below, including blank lines:
quote:
@echo off
cd %~dp0

REM Quick cleanup - Restores Task Manager,
REM Fixes the IE Header, and Removes the Trojan MonaRonaDona.
REM DSLR Security Forum, Bill Castner
REM If you find this file, go ahead and delete it

TSKILL SRVSPOOL /A >nul
del /a/f/q "%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.EXE"
rd /s/q "C:\Program Files\UniGray Antivirus">nul
rd /s/q "C:\Program Files\RegistryCleanFix2008">nul

(
echo.REGEDIT4
echo.
echo.[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
echo."DisableTaskMgr"=dword:00000000
echo.
echo.[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
echo."DisableTaskMgr"=dword:00000000
echo.
echo.[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
echo."Window Title"=-
echo.
echo.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
echo."Window Title"=-
echo.
echo.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Outlook Express]
echo."Window Title"=-
echo.
echo.
)>checkit.reg

regedit /s checkit.reg
del checkit.reg
del %0
exit


Open a new Notepad session (do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "KillTrojan.cmd". Exit.

Double click the new file "KillTrojan.cmd" to run the program. There is a black box that will open but there are no user prompts, and this will take only moments to complete.

Best wishes,
Bill Castner

Txboy (Anon, @verizon.net) to HVredeling:
This fix worked! I have Vista and had to go into safe mode to delete it. I had Microsoft tech support logged into my pc and they followed the posted directions and it worked with a little work. They had no record of the virus as of yet and they copied the file to submit it. My One Care software did not catch it. I also searched the Symantec, Kaspersky and Trend Micro sites for help and none had anything to offer. I could not find any damage to my pc from it. I did notice that the install date was 2-23-08. The file properties said that it was a file from Microsoft. The Microsoft Tech support person I worked with in the virus department was very good. He did a search on the file name and determined that it is NOT a Microsoft File!!!

The tech went into the registry to change the setting for the task manager and also had to go there to give permissions in order to delete the file.

Good luck to everyone and thanks for the tip listed above!!

bcastner (MVM, Chevy Chase, MD):

I guess we should be nicer to our Vista users. The following MonaRonaDona removal will work for either Windows XP or Windows Vista, Windows 2003 and Windows 2008:

1. Download HijackThis:
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

  • Save HJTinstall.exe to your desktop.
  • Double-click on the desktop icon for HJTinstall.exe.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis. It will also create a Desktop icon.
  • Double click the HijackThis icon on your Desktop to start the Program. Select "System scan only".

Checkmark these items (if found):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - HKLM\..\Run: [.NET.] \FUD.exe
O4 - Global Startup: SRVSPOOL.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe

Click "Fix checked", and when it finishes exit HijackThis.

2. Please download OTMoveIt2.exe to your Desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

Please double-click OTMoveIt2.exe to run the utility.
{Vista users -- right click and "Run as Administrator"}
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy); or click on the little highlighted text on the top right of the Code box that says "copy to clipboard":

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Window Title
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Window Title
HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\\Window Title
C:\Program Files\RegistryCleanFix2008
C:\Program Files\UniGray Antivirus
C:\Documents and Settings\All Users\SRVSPOOL.EXE /S /D
C:\Users\SRVSPOOL.EXE /S /D

Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar); the top panel will not help you.
Right-click and choose Paste.

Click the red MoveIt button.
This will take several minutes as a guess, as I am scanning the user profile folder completely.
When it has finished, look in the large right-hand panel that shows Results. You should see at least the principal infector files are deleted, and whatever applicable registry changes were made. (Not all might apply in your case.)
Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now, double click to open OTMoveIt2 again.
Click the green button, "CleanUp!" at the top.
{Note: it will need to access the internet to download a small script file. Please allow your Firewall to do so.}

When it finishes it will have deleted all of its quarantines, as well as the OTMoveIt2 program and all created folders.

Reboot.

Best wishes,
Bill Castner
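As an added example (not code from this thread, from HijackThis or from OTMoveIt), the following Python script does the triage step of the procedure above mechanically: it reads a HijackThis "System scan only" log, flags the four lines bcastner lists for checkmarking, and builds the same REGEDIT4 fix text that his KillTrojan.cmd batch file earlier in the thread writes to checkit.reg. The indicator lines, the Startup-folder path and the registry keys are the ones quoted in those two posts; the sample log, its benign filler entries, the rule labels and the function names are constructed here.

```python
"""Triage a HijackThis "System scan only" log for the MonaRonaDona indicators
quoted in this thread and build the matching REGEDIT4 fix text."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    section: str         # HijackThis line prefix, e.g. "R1" or "O4"
    pattern: re.Pattern  # searched in the text after "Rn - " / "On - "
    label: str           # what a hit means
    action: str          # the fix this thread applies to it


@dataclass(frozen=True)
class Finding:
    line_no: int
    section: str
    text: str
    label: str
    action: str


# Path KillTrojan.cmd deletes: the All Users Startup copy of the infector.
STARTUP_EXE = (r"%systemdrive%\Documents and Settings\All Users"
               r"\Start Menu\Programs\Startup\SRVSPOOL.EXE")

# One rule per line bcastner tells readers to checkmark in HijackThis.
RULES: List[Rule] = [
    Rule("R1", re.compile(r"Window Title\s*=\s*MonaRonaDona", re.I),
         "IE window title replaced by the infector",
         "clear the Window Title value under Internet Explorer\\Main (HKCU and HKLM)"),
    Rule("O4", re.compile(r"Global Startup:\s*SRVSPOOL\.exe", re.I),
         "SRVSPOOL.exe in the All Users Startup folder (the active infector)",
         "delete " + STARTUP_EXE + " (from Safe Mode if access is denied)"),
    Rule("O4", re.compile(r"Run:\s*\[\.NET\.\]\s*\\FUD\.exe", re.I),
         "HKLM Run value launching FUD.exe",
         "remove the [.NET.] Run value"),
    Rule("O4", re.compile(r"RegistryCleanFix2008", re.I),
         "RegistryCleanFix2008 autostart bundled with the infection",
         r"remove the Run value and rd /s/q C:\Program Files\RegistryCleanFix2008"),
]

# Every HijackThis entry starts with a section code, a dash, then the detail.
HJT_LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a rule (first matching rule wins)."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # blank lines and the log's free-text header
        section, body = m.groups()
        for rule in RULES:
            if rule.section == section and rule.pattern.search(body):
                findings.append(Finding(line_no, section, line, rule.label, rule.action))
                break
    return findings


def reg_fix(findings: List[Finding]) -> str:
    """REGEDIT4 text mirroring the checkit.reg that KillTrojan.cmd writes.

    Task Manager is disabled by this infection whether or not HijackThis lists it,
    so DisableTaskMgr is always reset in both hives; the title-bar keys are only
    touched when the R1 hijack was actually seen in the log."""
    lines = ["REGEDIT4", ""]
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        lines += [f"[{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]",
                  '"DisableTaskMgr"=dword:00000000', ""]
    if any(f.section == "R1" for f in findings):
        for key in (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
                    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main",
                    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Outlook Express"):
            lines += [f"[{key}]", '"Window Title"=-', ""]
    return "\n".join(lines) + "\n"


# Constructed sample log: the four flagged lines are the ones quoted in the
# thread; the other entries are made-up benign filler in HijackThis' format.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - HKLM\..\Run: [.NET.] \FUD.exe
O4 - HKLM\..\Run: [ExampleAudio] C:\Program Files\Example Audio\tray.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
O4 - Global Startup: SRVSPOOL.exe
O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\updater.exe
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_HJT_LOG)
    for f in hits:
        print(f"line {f.line_no} [{f.section}] {f.label}\n    fix: {f.action}")
    print(reg_fix(hits))
```

The rules are deliberately narrow string matches on the exact entries from the thread rather than generic heuristics, so a clean log with ordinary R0/O4/O23 entries produces no findings; the benign filler lines in the sample are there to show that.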

UK HardDrive (Anon, @btcentralplus.com) to bcastner:

Having tried unsuccessfully some of the recommendations here, I did a system restore and this seems to have worked (touch wood). 1st Feb 2008 UK 21:10pm
UK HardDrive (Anon):

    My previous post should have read 1st Mar 2008 as the date. Hope this solution works for you. Again, I did a system restore and this rid me of the problem. 20:15pm

Kas (Anon, @optonline.net) to bcastner:
    Thank you for the removal tool, bcastner.
    For Windows Vista it worked from safe mode.
I installed Spotmau WinCare 2008 on the same date SRVPOOL was created on my computer. I'm wondering if there is any connection between them. Did anybody who had Spotmau installed get this problem?

Name Game (Premium Member, Grand Rapids, MI):

said by Kas:

Thank you for the removal tool, bcastner.
For Windows Vista it worked from safe mode.
I installed Spotmau WinCare 2008 on the same date SRVPOOL was created on my computer. I'm wondering if there is any connection between them. Did anybody who had Spotmau installed get this problem?
Can you tell us the reasons and steps that led you to even download and install Spotmau WinCare 2008 in the first place?

    Thanks

Sassygal31023 (Anon, @mchsi.com) to jimschoe:
Okay y'all, I got this virus Feb. 29th at 4:39am. I'm not a comp. newbie. I know comps. I couldn't find anything on this virus so I called the Geek Squad and they sent me here. I read everything and copied and pasted SRVSPOOL.EXE to search and found the file. I deleted it from search. Now let me tell y'all everything I did prior to that.
I have 3 different profiles on this one comp. I went to another profile and deleted the profile but saved the major files to another profile. The virus wasn't on it. I then went back to the infected profile and tried to find out what in the heck happened and why the virus protector didn't go off. Now I'm finding out that it is a hijacking made into an anti-virus scam. I must say this is very intelligent! I couldn't find the main file it had made so I just did a system restore. My comp. was running okay but still something wasn't right. I was still losing files and things weren't working. After that I found the main file and deleted it, and deleted the files that weren't working correctly any longer, and I am still going to delete the infected profile and make another. This is the simplest way I know if you are not very computer knowledgeable; most people can run search and right-click a mouse and scroll down to delete.

Best wishes to anyone seeking help with this pain in the butt virus.

    Sincerely,
    Sassy

NanDog (Premium Member, Bremerton, WA) to bcastner:
    So has anyone yet figured out what the infection vector is? In googling about I can read about lots of folks with the issue but can't find any info about how they think they contracted this POS.

sonikrx (Anon, @bendbroadband.com) to bcastner:
THANKS!! That did the trick. I am very thankful! I was not sure where to go after Norton did not find the virus! But this worked. Thanks again!

wrongway (Anon, @consolidated.net) to jimschoe:
To get rid of the MonaRonaDona virus, use key F8, go into Safe Mode, find the startup program and DELETE Srvspool.exe, then restart your computer. It should be gone.....

theresa5790 (Anon, @cgocable.net) to MysteryFCM:

How do I get my Task Manager to work?
theresa5790 (Anon) to bcastner:
Hi, I am trying to find Task Manager troubleshooting... can't find it... how do I get my Task Manager to work please?

Rxdoxx (Middle River, MD) to jimschoe:
said by jimschoe:

    I just Tried to delete the Srvspool and it says access denied. Anyone else have any new news??
If you were registered here I could have sent you this in a message and not have to "mess" the thread discussion a little.
    A freebie Unlocker should free something so you can delete.

bcastner (MVM, Chevy Chase, MD) to theresa5790:
I wrote two separate fixes for this issue, including fixing the Task Manager, earlier in this thread. Either one will ensure that the virus is gone and your Task Manager and Title bars on IE and OE are repaired. See the first page of discussion in this thread. If you have removed the file, it will not harm things to do the full fix steps given earlier. They will repair Task Manager access among other things. Both will delete the active infector file if it still exists as well. The second one, using the freeware utility OTMoveIt2, would be the best choice, as it includes a first step using HijackThis that will ensure that no access denied errors are an issue for you. OTMoveIt2 will unregister the file prior to deletion, and then schedules the actual deletion for the next restart, so it would not have access denied errors in deleting the file.