Forums » Up and Running » Security » Security » MonaRonaDona "virus"?


HVredeling

@myvzw.com

reply to bcastner
Re: MonaRonaDona "virus"?

Despite lack of information on the Internet, I was able to pinpoint the culprit that was causing my machine to start acting up due to the MonaRonaDona virus.

I was able to fix the problem and here is how.

The virus installs an executable SRVSPOOL.EXE in the Startup folder of the All Users account. Click Start/Programs/Startup, right-click the SRVSPOOL.EXE entry and delete it. How to fix the header of your Internet Explorer and how to re-enable Task Manager is posted in numerous postings online.

Re-enable Task Manager: Troubleshooting Windows XP, Tweaks and Fixes for Windows XP
Go to this page and try #51 from the right column. Click on "enable the task manager."

Modify header of Internet Explorer: How do i get rid of monaronadona on top bar of my homepage? - Yahoo! Answers
(Optionally, you can manually type "Microsoft Internet Explorer" to replace the string "MonaRonaDona".)

After that, reboot your machine.

The virus puts a message on the screen. Aside from that, the task manager is disabled, the header of Internet Explorer is modified and when trying to open programs, those programs are shut down immediately.

Whatever you do, do NOT download and install the virus scanner named UniGray. That "scanner" is a scam, a non-working piece of software. The website tries to get you to register and pay for something that does nothing.

Hope this info helps those who come across this virus. It seems to be a brand new occurrence given the lack of solutions found on the Internet.


jimschoe

@ameritech.net
I just Tried to delete the Srvspool and it says access denied. Anyone else have any new news??

MysteryFCM

join:2006-10-01
England

You really should post in the infection help forums

»Security Cleanup

But to get rid of this specific file;

1. Either log into Safe Mode and delete it there or
2. Download the following, right click the file you want to delete and select "Who Lock Me", then kill the process locking it (will then allow you to delete it)

»freeware.it-mate.co.uk/?Editors_···&pid=170

or ...

3. Use MoveOnBoot

»www.snapfiles.com/get/moveonboot.html

Or ....

4. See the following;

»www.aumha.org/a/stubborn.php
--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!


NanDog
The Pup Was Female, I'M Not
Premium
join:2003-12-28
Tacoma, WA
·Rainier Connect fr..

said by MysteryFCM:

You really should post in the infection help forums

»Security Cleanup
If your suggestion was to the OP it's a bit misguided.

bcastner is one of the accredited helpers on the Security Cleanup forum: »Security Cleanup FAQ

He knows what he's doing.
--
See ya across the Rainbow Bridge, my good and faithful friend!

MysteryFCM

join:2006-10-01
England
hehe nope, my reply was to jimschoe (I'm already familiar with BC )


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

Steve and I are known to each other.
Here and elsewhere.

What I was hoping is that someone victimized by this would tell us if you get messages from "UniGray Antivirus". That is the part that bothers me at the moment.

(If you have this infection, I would be happy to remove it in the Cleanup subForum. It should go pretty easily.)
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users



NanDog
The Pup Was Female, I'M Not
Premium
join:2003-12-28
Tacoma, WA

reply to MysteryFCM
MysteryFCM said: "hehe nope, my reply was to jimschoe (I'm already familiar with BC )"

Sorry! My bad!


Txboy

@verizon.net

reply to HVredeling
This fix worked! I have Vista and had to go into safe mode to delete it. I had Microsoft tech support logged into my PC and they followed the posted directions and it worked with a little work. They had no record of the virus as of yet and they copied the file to submit it. My One Care software did not catch it. I also searched Symantec, Kaspersky and Trend Micro sites for help and none had anything to offer. I could not find any damage to my PC from it. I did notice that the install date was 2-23-08. The file properties said that it was a file from Microsoft. The Microsoft Tech support person I worked with in the virus department was very good. He did a search on the file name and determined that it is NOT a Microsoft file!!!

The tech went into the registry to change the setting for the task manager and also had to go there to give permissions in order to delete the file.

Good luck to everyone and thanks for the tip listed above!!
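
An added example, not part of any post in this thread: a read-only PowerShell check for the symptoms HVredeling and Txboy describe (an executable in the Startup folder, a disabled Task Manager, a changed Internet Explorer title, and a file whose properties claim Microsoft). The registry locations are the standard Windows settings for those features and are an assumption here; the thread does not name them.

```powershell
# Added example: read-only triage; it changes nothing on the system.
$findings = New-Object System.Collections.Generic.List[object]

# 1. Startup folders (All Users and current user). Legitimate entries are
#    usually .lnk shortcuts, so a raw .exe here deserves a closer look.
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup')
    [Environment]::GetFolderPath('Startup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Force -File |
        Where-Object { $_.Extension -ieq '.exe' } |
        ForEach-Object {
            # Version-info text is written by whoever built the file; only a
            # valid Authenticode signature backs up a "Microsoft" claim.
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $note = if ($_.Name -ieq 'SRVSPOOL.EXE') { ' (file name from this thread)' } else { '' }
            $findings.Add([pscustomobject]@{
                Check  = 'Executable in Startup folder' + $note
                Item   = $_.FullName
                Detail = "claims '$($_.VersionInfo.CompanyName)', signature: $($sig.Status)"
            })
        }
}

# 2. Task Manager policy. Assumed location: the standard DisableTaskMgr value.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $p = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($p -and $p.DisableTaskMgr -eq 1) {
        $findings.Add([pscustomobject]@{
            Check = 'Task Manager disabled by policy'; Item = $key; Detail = 'DisableTaskMgr = 1'
        })
    }
}

# 3. Internet Explorer title bar. Assumed location: the 'Window Title' value,
#    which is absent on a default installation.
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$p = Get-ItemProperty -Path $ieKey -Name 'Window Title' -ErrorAction SilentlyContinue
if ($p -and $p.'Window Title') {
    $findings.Add([pscustomobject]@{
        Check = 'Custom IE window title'; Item = $ieKey; Detail = $p.'Window Title'
    })
}

if ($findings.Count) { $findings | Format-List } else { 'No indicators found.' }
```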


Sassygal31023

@mchsi.com

reply to jimschoe
Re: MonaRonaDona "virus"?

Okay y'all, I got this virus Feb. 29th at 4:39am. I'm not a comp. newbie. I know comps. I couldn't find anything on this virus so I called the Geek Squad and they sent me here. I read everything and copied and pasted SRVSPOOL.EXE to search and found the file. I deleted it from search. Now let me tell y'all everything I did prior to that.
I have 3 different profiles on this one comp. I went to another profile and deleted the profile but saved the major files to another profile. The virus wasn't on it. I then went back to the infected profile and tried to find out what in the heck happened and why virus protector didn't go off. Now finding out that it is a hijacking and made into an anti-virus scam. I must say this is very intelligent! I couldn't find the main file it had made so I just did a system restore. My comp. was running okay but still something wasn't right. I was still losing files and things weren't working. After I found the main file and deleted it and deleted the files that weren't working correctly any longer and I am still going to delete the infected profile and make another. This is the simplest way I know if you are not very computer knowledgeable; most people can run search and right click a mouse and scroll down to delete.

Best wishes to anyone seeking help with this pain in the butt virus.

Sincerely,
Sassy


wrongway

@consolidated.net
reply to jimschoe
To get rid of the MonaRonaDona virus, use key F8, go into Safe Mode, find the startup program and DELETE Srvspool.exe, then restart your computer. It should be gone.....


theresa5790

@cgocable.net
reply to MysteryFCM
How do I get my Task Manager to work?


Rxdoxx
Premium,Mod
join:2000-11-03
Middle River, MD
clubs:
·Verizon FIOS
·Comcast

Host:
Software
Washington & Balti..
reply to jimschoe
said by jimschoe :

I just Tried to delete the Srvspool and it says access denied. Anyone else have any new news??
If you were registered here I could have sent you this in a message and not have to "mess" the thread discussion a little
A freebie Unlocker should free something so you can delete.
--
Was a Cruise Fanatic, one cruise on Princess cured me. Bleah


DMCC

@co.uk
reply to HVredeling
Removed srvspool.exe as suggested. Nice one !! Disappeared completely.


Fred Dag

@net.au
reply to HVredeling
I did this in XP by selecting safe mode /dos prompt & it allowed the necessary deletions that Windows won't allow.


anndy

@aol.com

reply to HVredeling
I couldn't do it following your directions but my grandson told me how. It does require an external hard drive.
Create a shortcut to the hard drive on your desktop.
Do an advanced search for SYSPRO including hidden files.
Drag the files found on the search to the shortcut.
Open the external hard drive and delete.

Worked great!


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
There is a simple fix already posted in this thread that requires no external hard drive, no Safe Mode, and no tricks. See: »Re: MonaRonaDona "virus"?


Kim C

@as9105.com
reply to jimschoe
Try starting in safe mode (F8); you should then be able to delete it.
Don't know how to re-start the task manager though.
Best of luck.


Whateve

@charter.com

reply to HVredeling
This worked great : ) I was able to do it in safe mode but if I tried otherwise it had disabled my administration rights. My virus scan still didn't pick it up but it seems to be gone : ) Thanks so much for the information, I was at the end of my rope with this thing!


windfire55

@telus.net

 reply to Sassygal31023
Be really careful, as UniGray says that they have the answer to this malware, but it's a ruse. First, no authenticity cert. Second, the product does not completely remove the MRD virus until UniGray sends you a patch (monadonarona.exe) to remove the virus, and again... no authenticity certificate. It seems that I got the virus right after I had downloaded the Google toolbar. As with everyone else, I seem to have received it through the browser; it all started happening on February 29/2008.