dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
73
share rss forum feed


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
kudos:7

4 edits

2 recommendations

reply to bcastner

Re: MonaRonaDona "virus"?

MonaRonaDona Removal Tool

~~~ EDIT: You would be better doing the more comprehensive fix posted further below for Vista, XP, Windows 2003 and Windows 2008. If you have any issues, run the steps in Safe Mode.

Important Note: This fix version is likely best done in Safe Mode after creating the actual script below. The second "fix" (below): http://www.dslreports.com/forum/r20088377- does not have this requirement, and is likely the best overall choice.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Quote box below, including blank lines:
quote:
@echo off
cd %~dp0

REM Quick cleanup - Restores Task Manager,
REM Fixes the IE Header, and Removes the Trojan MonaRonaDona.
REM DSLR Security Forum, Bill Castner
REM If you find this file, go ahead and delete it

TSKILL SRVSPOOL /A >nul
del /a/f/q "%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.EXE"
rd /s/q "C:\Program Files\UniGray Antivirus">nul
rd /s/q "C:\Program Files\RegistryCleanFix2008">nul

(
echo.REGEDIT4
echo.
echo.[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
echo."DisableTaskMgr"=dword:00000000
echo.
echo.[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
echo."DisableTaskMgr"=dword:00000000
echo.
echo.[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
echo."Window Title"=-
echo.
echo.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
echo."Window Title"=-
echo.
echo.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Outlook Express]
echo."Window Title"=-
echo.
echo.
)>checkit.reg

regedit /s checkit.reg
del checkit.reg
del %0
exit


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "KillTrojan.cmd" . Exit.

Double click the new file "KillTrojan.cmd" to run the program. There is a black box that will open but there are no user prompts, and this will take only moments to complete.

Best wishes,
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users



Kas

@optonline.net
Thank you for the removal tool, bcastner.
For Windows Vista it worked from safe mode.
I installed Spotmau WinCare 2008 on the same date SRVPOOL was created on my computer. I'm wondering if there is any connection between them. Did anybody who had Spotmau installed got this problem?


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
said by Kas :

Thank you for the removal tool, bcastner.
For Windows Vista it worked from safe mode.
I installed Spotmau WinCare 2008 on the same date SRVPOOL was created on my computer. I'm wondering if there is any connection between them. Did anybody who had Spotmau installed got this problem?
Can you tell us the reasons and steps that led you to even download and install Spotmau WinCare 2008 in the first place ?

Thanks
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


sonikrx

@bendbroadband.com
reply to bcastner
THANK!! That did the trick. I am very thankful! I was not sure there to go after Nortons did not find the virus! But this worked. Thanks again!


SherriStiller

@pacbell.net
reply to bcastner
Help Me IM new. I just bought a Dell Computer one month Two days ago I have the MonaRonaDona Virus. I had been accually installing MSN and their version of messenger. I have been reading your message forum but don't know what I should do. PLEASE HELP,

new
Expand your moderator at work


Mato

@blueyonder.co.uk
reply to bcastner

Re: MonaRonaDona "virus"?

Thanks for your info, I have been able to delete this MonaRonaDona virus from my system and enable task manager but to kill all Trojan in my system, what is the code should i type in notepad before saving as "KillTrojan.cmd"


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
kudos:7

1 edit
All the text in the Quote box.
There are horizontal lines to mark the beginning and end of the Quote box.

The easier fix is a few posts below it. It uses HijackThis and a free utility called OTMOVEIT2 by Old Timer.

MonaRonaDona Remover
»Re: MonaRonaDona "virus"?


MDReferee
Federal Flack
Premium
join:2001-10-21
Germantown, MD
said by bcastner:

All the text in the Quote box.
I think he's looking for something a little more in depth... you might not have caught this little statement...

said by Mato :

...but to kill all Trojan in my system...
That seems a bit more complicated, doesn't it.
--
If I didn't see it... it didn't happen!


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
kudos:7

1 edit

2 recommendations

said by MDReferee :
That seems a bit more complicated, doesn' it.
Dunno.
Certainly the OP came here for MonaRonaDona.
Other issues are not suitable for handling in the Security subForum, and the post would get killed if I attempted to do so.

Anything that appears to be a one-to-one malware removal must be done only in the Security Cleanup Forum. The fixes I posted earlier raised some objections by some already; the fact that they were generic and not directed to a specific individual allowed them to stay.

One-on-one removal, or any other Trojan issue, would start with this: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance


Not a Comp Nerd

@montclair.edu
reply to bcastner
This worked great! I tried the "Who Lock Me" program and that was unsuccessful. I also had difficulty figuring out how to start my computer in safe mode. However, what you posted above worked perfectly and was so easy to follow!

THANK YOU SO MUCH!!!

reply to bcastner
Thank you soooooo much! I was completely panicked!!! Your instructions were easy to follow and I VERY MUCH appreciate your help!!! (XP User)

lordstarfyre

join:2008-03-03
91g02
reply to bcastner
Hi, I ran the KillTrojan.CMD, and now my Task Manager is disabled.

How do I turn it back on?

It appears the Trojan is gone, thanks for that, BTW!!!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
said by lordstarfyre:

Hi, I ran the KillTrojan.CMD, and now my Task Manager is disabled.

How do I turn it back on?

It appears the Trojan is gone, thanks for that, BTW!!!
You could try the .reg file here if the OS is XP.

»www.kellys-korner-xp.com/xp_tweaks.htm

download it at #51 called Enable the Task Manager

put it on the desktop..double click on it to install..then you might have to reboot.

Also if by chance there are other reasons your's does not work then see this link and scroll down to Task Manager and see all the situations and fixes since there are three ways to bring it up.

»www.kellys-korner-xp.com/xp_t.htm

--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/


terry_nyorks_uk

@btcentralplus.com
reply to bcastner
Thanks too to B Castner. Your batch file "killtrojan.cmd" worked well. WinXP environment.

How come Norton asleep?


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
On norton..did you try to force a manual update or try to get their daily >

»Re: Security Software Updates - 03 Mar 2008
Daily Updates Learn More

»www.symantec.com/business/securi···ions.jsp
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


Worried Novice

@btcentralplus.com
reply to bcastner
Want to say thak you very much for the advice!


ME user

@charter.com
reply to bcastner
I have tried the fixes suggested. When I open the notepad named "KillTrojan.cmd" it does not do anything. I have gone thru the whole sequence 3 times.


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
kudos:7

1 edit
Once you create the file in notepad, save it.
Rename the file "KillTrojan.bat" (instead of CMD as the file extension.

Then double click the saved and renamed file.

You may well have to manually remove the entry made to the IE Title Bar when finished: »support.microsoft.com/kb/176497


Glen M Borror

@seovec.org
reply to Name Game
Yes, I also downloaded that very program, and that's how MY MonaRonaDona appeared, and I can't deleat the SRVPOOL, because my access is denied, but I am the Administrator on my PC, and I don't know what to do. I would say try to do a disk de-fragment, and do a disk clean-up, and then do a virus scan. That should help a little bit. Try it, and if it doesn't help, then IO don't know.


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
Take it from a fellow Appalachian-American - the folks in the cleanup forum are top-notch people, many of whom are industry-recognized experts. Take the issue over there, follow the bouncing ball and you'll get rid of MRD and any other malware that may be infesting your system

Of course you could pay some big box store tech a couple hundred smackers to borrow your files to their USB dongles, wipe your drive and reinstall Windows
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre


vredeling

@65.202.40.x
reply to Name Game

MonaRonaDona revealed

I almost fell victim to the "space issue". Here is my revised post.

Registryfix is the culprit in this social engineering scheme. The "testimonial" of Jim Brown on the website, is from the same (no doubt) alias that is in the postings pointing to the bogus virusscanner.

The program is featured on a sponsored link on Google »pc-tools-review.com/

It now becomes very tricky to distinguish legit reviews from illegit reviews. Also, on »pc-tools-review.com/ more products get reviewed. I am now not sure that the registry scanner is the only dowload that will infect the computer with the MonaRonaDona problem.

You have to hand it to these guys: they did come up with a pretty elaborate, clever scam.

Type in "registryfix.com" in the google search box and you'll understand how elaborate and potentially widespread and dangerous this scam is.

The trick is in the space between registry and fix. "Registry fix 2008" is a legitimate scanner by Registryfixer Inc. "Registryfix" is the scam (ww.registryfix.com) and gets featured on numerous "comparison" sites, some may be legit (editor error by leaving out the space) and some may be part of the scam (like the link »pc-tools-review.com/)

Hans Vredeling
New York, NY


jimster

@comcast.net
reply to bcastner

Re: MonaRonaDona "virus"?

just wanted to say thanks to bcaster. worked like a charm and easy to execute.


a78monte

@clearwire-dns.net
reply to bcastner
bcastner, I am sur eyou have heard it a million times already, but YOU ROCK!!! Thank you for the little removal program. It kicked A$$!!!!