  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
MonaRonaDona "virus"?
What is up with this new one that seems to have hit many in the last week: »groups.google.com/groups/search?···=d&hl=en
It looks like you could use HijackThis to stop this one:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - Global Startup: SRVSPOOL.exe
It appears to be linked somehow with "UniGray Antivirus", but in what way is unclear. It is clearly extortion-ware, offering on the user's screen: "Welcome to MonaRonaDona; hi, my name is Mona RonaDona. i am a virus& i am here to Wreck Your PC."
-- MS-MVP 2004-2008, ASAP Member, Users Helping Users
  HVredeling
@myvzw.com
| Despite lack of information on the Internet, I was able to pinpoint the culprit that was causing my machine to start acting up due to the MonaRonaDona virus.
I was able to fix the problem and here is how.
The virus installs an executable SRVSPOOL.EXE in the startup folder of the All Users account. Click Start/Programs/Startup, right click the SRVSPOOL.EXE entry and delete it. How to fix the header of Internet Explorer and how to re-enable Task Manager is posted in numerous postings online.
Re-enable Task Manager: Troubleshooting Windows XP, Tweaks and Fixes for Windows XP. Go to this page and try #51 from the right column. Click on "enable the task manager."
Modify header of Internet Explorer: How do i get rid of monaronadona on top bar of my homepage? - Yahoo! Answers (optionally, you can manually type "Microsoft Internet Explorer" to replace the string "MonaRonaDona").
After that, reboot your machine.
The virus puts a message on the screen. Aside from that, Task Manager is disabled, the header of Internet Explorer is modified, and when trying to open programs, those programs are shut down immediately.
Whatever you do, do NOT download and install the virus scanner named UniGray. That "scanner" is a scam, a non-working piece of software. The website tries to get you to register and pay for something that does nothing.
Hope this info helps those who come across this virus. It seems to be a brand new occurrence given the lack of solutions found on the Internet.
  jimschoe
@ameritech.net | I just tried to delete the Srvspool and it says access denied. Anyone else have any new news?
 MysteryFCM
join:2006-10-01 England
| You really should post in the infection help forums
»Security Cleanup
But to get rid of this specific file:
1. Either log into Safe Mode and delete it there, or
2. Download the following, right click the file you want to delete and select "Who Lock Me", then kill the process locking it (this will then allow you to delete it):
»freeware.it-mate.co.uk/?Editors_···&pid=170
or ...
3. Use MoveOnBoot:
»www.snapfiles.com/get/moveonboot.html
Or ....
4. See the following:
»www.aumha.org/a/stubborn.php
-- Regards, Steven Burn, Ur I.T. Mate Group www.it-mate.co.uk
Keeping it FREE!
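As an added example, not part of Steven's post and not MoveOnBoot's own code: the delete-on-reboot trick such tools rely on is a single Win32 call, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT. It writes the request into the PendingFileRenameOperations value under Session Manager, and smss.exe carries it out at the next boot before any user-mode process, including a Startup-folder entry, can relock or relaunch the file. The PowerShell below wraps that call; the function name and variables are mine, and the SRVSPOOL.EXE path is only the location this thread reports.

```powershell
# Added example (not from the thread): how "delete on reboot" works.
# Needs an elevated PowerShell; the registry write is done by the kernel
# on our behalf, but the call fails with ERROR_ACCESS_DENIED otherwise.

$code = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    public const int MOVEFILE_DELAY_UNTIL_REBOOT = 0x4;
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool MoveFileEx(string lpExistingFileName,
                                         string lpNewFileName, int dwFlags);
}
'@
Add-Type -TypeDefinition $code

function Remove-FileAtReboot {
    param([Parameter(Mandatory=$true)][string]$Path)

    # A null destination together with DELAY_UNTIL_REBOOT means "delete at
    # boot", not "rename". The file is not touched now, so a lock on it
    # (the "access denied" jimschoe hit) does not matter.
    $ok = [Native]::MoveFileEx($Path, $null, [Native]::MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for $Path (Win32 error $err); run elevated?"
    }

    # Return the queue so the caller can confirm the entry was recorded.
    # Format is pairs of strings: "\??\<source>" followed by "" for a delete.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
        -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

# All Users Startup folder, read from the registry so it is right on both
# XP (Documents and Settings) and Vista (ProgramData).
$shellFolders  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$commonStartup = (Get-ItemProperty -Path $shellFolders).'Common Startup'
$target        = Join-Path $commonStartup 'SRVSPOOL.EXE'   # location reported in this thread

if (Test-Path -LiteralPath $target) {
    Remove-FileAtReboot -Path $target | ForEach-Object { Write-Output "pending: $_" }
    Write-Output 'Queued for deletion; reboot to apply.'
} else {
    Write-Output "Not present: $target"
}
```

Check that the returned list shows the source path prefixed with \??\ followed by an empty string, then reboot. This only removes the file; the Task Manager policy and the window-title values the thread describes still need the registry fixes in the later posts.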
  NanDog The Pup Was Female, I'M Not Premium join:2003-12-28 Tacoma, WA
·Rainier Connect fr..
said by MysteryFCM: "You really should post in the infection help forums » Security Cleanup"
If your suggestion was to the OP it's a bit misguided.
bcastner is one of the accredited helpers on the Security Cleanup forum: »Security Cleanup FAQ
He knows what he's doing.
-- See ya across the Rainbow Bridge, my good and faithful friend!
 MysteryFCM
join:2006-10-01 England | hehe nope, my reply was to jimschoe (I'm already familiar with BC)
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
reply to bcastner
How to Change the Internet Explorer Window Title: »support.microsoft.com/kb/176497
Yup Bill, seems to be pretty well orchestrated. Besides the UniGray Antivirus scam going on with it and the YouTube video, others are now posting special (untested and unknown) tools to remove it.
J Hilton postings:
»www.howtofixcomputers.com/forums···9-4.html
»forums.microsoft.com/WindowsOneC···SiteID=2
-- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
| reply to MysteryFCM Steve and I are known to each other. Here and elsewhere.
What I was hoping is that someone victimized by this would tell us if you get messages from "UniGray Antivirus". That is the part that bothers me at the moment.
(If you have this infection, I would be happy to remove it in the Cleanup subForum. It should go pretty easily.)
 MysteryFCM
join:2006-10-01 England | reply to bcastner hiya dude 
Been trying to find a sample of this that I can analyse but haven't been successful thus far |
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
| If I get a live one I will do a capture and post at MR.
Just read this "review" of Unigray Antivirus. quote:
Re: unigray antivirus by Kees Bakker - 2/27/08 5:20 AM
In reply to: monadonarona by Kees Bakker
I downloaded their program and installed it (after Norton found it was virus-free). I must say it's amazing.
All it installs:
- the program itself, some 6 MB
- an uninstall dat and exe
- an icon
- some shortcuts and pifs
- NO virus definitions
Then I ran it. It said: Virus definition version: 02.73.88 (February 15, 2008) DB version: 4.34/2008 Protecting against 679871 threads. That's fairly impressive for a company that's only been on the web for 6 days.
Then (after disabling the real-time protection it offers, which is amazing on its own given the components it installed) I used it to scan my clean (according to Norton) system. It found:
- 240 viruses
- 48 malware
- 43 adware
Most of them were in Microsoft programs (like Visual Studio). And I'm sure they don't contain those viruses and malware. So these are false positives. I preferred not to run the Repair, for obvious reasons.
Then I checked for updated definitions. Couldn't harm, as I had none. So the program contacted their website (or so it said) and reported I already had the latest version (those of February 15, remember). Then I went to their (rather unimpressive) website and found out that they added detection for monaronadona on February 22. Which leaves me wondering why so many of our new members report it cleaned it off their systems if it's a version one week older.
I'm uninstalling the program now, and still feel rather safe behind my firewall.
Somehow, I keep thinking this is a scam.
Kees
»forums.cnet.com/5208-6132_102-0.···=2715970
NanDog The Pup Was Female, I'M Not Premium join:2003-12-28 Tacoma, WA
reply to MysteryFCM
MysteryFCM said: "hehe nope, my reply was to jimschoe (I'm already familiar with BC)"
Sorry! My bad!
 jrmarto
join:2004-02-01 Norwich, CT
| reply to MysteryFCM
This is fascinating to me as a co-worker of my husband's called me this morning complaining of this very infection, on a laptop I just helped her buy last week. She was using the Verizon subscription antivirus product. She told me she had "cured" it by creating another administrator account, moving her files over, and deleting her one-week-old account, but asked me if I had any suggestions. Never having heard of MonaRonaDona I advised her to run an online scan at Trend Micro, download Spybot and Ad-Aware, and keep an eye on what was going on with her computer. I would be happy to (on Monday) walk her through creating a HJT log if anybody is interested in seeing what is on her computer.
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
reply to bcastner MonaRonaDona Removal Tool
~~~ EDIT: You would be better doing the more comprehensive fix posted further below for Vista, XP, Windows 2003 and Windows 2008. If you have any issues, run the steps in Safe Mode.
Important Note: This fix version is likely best done in Safe Mode after creating the actual script below. The second "fix" (below): »Re: MonaRonaDona "virus"? does not have this requirement, and is likely the best overall choice.
Using your mouse, highlight and then Right-click | Copy the entire contents of the Quote box below, including blank lines:
quote:
@echo off
cd %~dp0
REM Quick cleanup - Restores Task Manager,
REM Fixes the IE Header, and Removes the Trojan MonaRonaDona.
REM DSLR Security Forum, Bill Castner
REM If you find this file, go ahead and delete it

REM Stop the running dropper, then remove its All Users Startup entry
REM and the folders of the two "products" that travel with it.
TSKILL SRVSPOOL /A >nul
del /a/f/q "%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.EXE"
rd /s/q "C:\Program Files\UniGray Antivirus">nul
rd /s/q "C:\Program Files\RegistryCleanFix2008">nul

REM Write a .reg file that re-enables Task Manager (DisableTaskMgr=0)
REM and deletes the hijacked "Window Title" values ("=-" removes a value).
(
echo.REGEDIT4
echo.
echo.[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
echo."DisableTaskMgr"=dword:00000000
echo.
echo.[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
echo."DisableTaskMgr"=dword:00000000
echo.
echo.[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
echo."Window Title"=-
echo.
echo.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
echo."Window Title"=-
echo.
echo.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Outlook Express]
echo."Window Title"=-
echo.
echo.
)>checkit.reg
regedit /s checkit.reg
del checkit.reg
REM Delete this script and exit on one line, so cmd does not try to read
REM the next line from a file that is already gone.
del %0 & exit
Open a new Notepad session (do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "KillTrojan.cmd". Exit.
Double click the new file "KillTrojan.cmd" to run the program. There is a black box that will open but there are no user prompts, and this will take only moments to complete.
Best wishes, Bill Castner
  Txboy
@verizon.net
| reply to HVredeling This fix worked! I have Vista and had to go into safe mode to delete it. I had Microsoft tech support logged into my pc and they followed the posted directions and it worked with a little work. They had no record of the virus as of yet and they copied the file to submit it. My OneCare software did not catch it. I also searched the Symantec, Kaspersky and Trend Micro sites for help and none had anything to offer. I could not find any damage to my pc from it. I did notice that the install date was 2-23-08. The file properties said that it was a file from Microsoft. The Microsoft Tech support person I worked with in the virus department was very good. He did a search on the file name and determined that it is NOT a Microsoft File!!!
The tech went into the registry to change the setting for the task manager and also had to go there to give permissions in order to delete the file.
Good luck to everyone and thanks for the tip listed above!!
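A check worth adding to Txboy's report, as an example that is not part of his post and not what Microsoft support ran: the "Company" shown in a file's Properties dialog is the VERSIONINFO resource, text the author of the binary writes, so it can say "Microsoft Corporation" regardless of who built it. What decides whether a file is Microsoft's is a valid Authenticode signature chaining to Microsoft. The PowerShell below compares the two for one file and also computes the SHA-256 you would send a vendor with the sample; the function name is mine, and the Startup path is the location this thread reports.

```powershell
# Added example (not from the thread): version-info claim vs. signature.
# Works on PowerShell 2.0 upward; nothing here modifies the file.

function Test-ClaimedPublisher {
    param([Parameter(Mandatory=$true)][string]$Path)

    $item    = Get-Item -LiteralPath $Path
    $claimed = $item.VersionInfo.CompanyName          # attacker-controlled text
    $sig     = Get-AuthenticodeSignature -FilePath $Path

    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    else                        { $signer = '(unsigned)' }

    # Both are required: a chain the machine trusts AND a Microsoft subject.
    $microsoftSigned = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    if ($microsoftSigned)                { $verdict = 'signed by Microsoft' }
    elseif ($claimed -match 'Microsoft') { $verdict = 'CLAIMS Microsoft in version info but is NOT signed by Microsoft' }
    else                                 { $verdict = 'third-party file' }

    # Hash for the submission to a vendor (Txboy's tech copied the file for that).
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $hash   = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    $sha256 = ([System.BitConverter]::ToString($hash)) -replace '-', ''

    New-Object PSObject -Property @{
        Path            = $Path
        ClaimedCompany  = $claimed
        SignatureStatus = $sig.Status
        Signer          = $signer
        Sha256          = $sha256
        Verdict         = $verdict
    }
}

# All Users Startup folder, read from the registry so the same line works on
# XP (Documents and Settings) and on Vista (ProgramData).
$shellFolders  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$commonStartup = (Get-ItemProperty -Path $shellFolders).'Common Startup'
$target        = Join-Path $commonStartup 'SRVSPOOL.EXE'   # location reported in this thread

if (Test-Path -LiteralPath $target) { Test-ClaimedPublisher -Path $target | Format-List }
else { Write-Output "Not present: $target" }
```

One caveat on XP and Vista: many genuine Windows files carry no embedded signature and are covered by catalog files instead, and Get-AuthenticodeSignature on those systems reports them as NotSigned. The check therefore proves that a file is Microsoft's; it does not prove an unsigned file is hostile. A file dropped into the All Users Startup folder that claims Microsoft in its properties and has no signature, which is the situation described above, is still the pattern to treat as hostile.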
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
reply to bcastner I guess we should be nicer to our Vista users. The following MonaRonaDona removal will work for either Windows XP or Windows Vista, Windows 2003 and Windows 2008:
1. Download HijackThis:
• Save HJTinstall.exe to your desktop.
• Double-click on the desktop icon for HJTinstall.exe.
• By default it will install to C:\Program Files\Trend Micro\HijackThis. It will also create a Desktop icon.
• Double click the HijackThis icon on your Desktop to start the Program. Select "System scan only".
Checkmark these items (if found):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - HKLM\..\Run: [.NET.] \FUD.exe
O4 - Global Startup: SRVSPOOL.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
Click "Fix checked", and when it finishes exit HijackThis.
2. Please download to your Desktop OT_MOVEIT2.exe:
Please double-click OTMoveIt2.exe to run the utility. {Vista users -- right click and "Run as Administrator"} Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy); or click on the little highlighted text on the top right of the Code box that says "copy to clipboard":
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window. IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar); the top panel will not help you. Right-click and choose Paste.
Click the red Moveit button. This will take several minutes as a guess, as I am scanning the user profile folder completely. When it has finished, look in the large right-hand panel that shows Results. You should see at least the principal infector files are deleted, and whatever applicable registry changes were made. (Not all might apply in your case.) Close OTMoveIt2 when it has finished.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Now, double click to open OTMoveIt2 again. Click the green button, "CleanUp!" at the top. {Note: it will need to access the internet to download a small script file. Please allow your Firewall to do so.}
When it finishes it will have deleted all of its quarantines, as well as the OTMoveIt2 program and all created folders.
Reboot.
Best wishes, Bill Castner
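As an added example that is not part of either of Bill's posts: the indicators his batch script and the HijackThis lines target (SRVSPOOL.EXE in the All Users Startup folder, the [.NET.] and RegistryCleanFixMFC Run values, DisableTaskMgr, and the MonaRonaDona window titles) can be checked and reverted from PowerShell on XP, Vista, 2003 and 2008 in one pass, which also lets you re-run the read-only check after the reboot. The function names are mine; the page gives no location for FUD.exe, so only its Run value is removed here, and the UniGray and RegistryCleanFix2008 folders are left to the batch script above.

```powershell
# Added example (not from the thread): report, then undo, the MonaRonaDona
# changes the posts above document. Run from an elevated PowerShell; on
# Vista right-click PowerShell and choose "Run as Administrator".

# All Users Startup folder, read from the registry so the path is right on
# XP (Documents and Settings) and on Vista / 2008 (ProgramData).
$shellFolders = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startupExe   = Join-Path ((Get-ItemProperty -Path $shellFolders).'Common Startup') 'SRVSPOOL.EXE'

# Autostart values quoted in the O4 lines.
$runEntries = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = '.NET.' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'RegistryCleanFixMFC' }
)
# Policy keys that disable Task Manager, and the window-title keys the .reg file resets.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$titleKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Outlook Express'
)

function Get-MonaIndicators {
    # Read-only: one line per indicator still present.
    $found = @()
    if (Test-Path -LiteralPath $startupExe) { $found += "file: $startupExe" }
    foreach ($p in @(Get-Process -Name SRVSPOOL -ErrorAction SilentlyContinue)) {
        $found += "process: SRVSPOOL (pid $($p.Id))"
    }
    foreach ($e in $runEntries) {
        $v = (Get-ItemProperty -Path $e.Path -ErrorAction SilentlyContinue).($e.Name)
        if ($v) { $found += "run: $($e.Path)\$($e.Name) = $v" }
    }
    foreach ($k in $policyKeys) {
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).DisableTaskMgr
        if ($v -eq 1) { $found += "policy: $k\DisableTaskMgr = 1" }
    }
    foreach ($k in $titleKeys) {
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'Window Title'
        if ($v -and ($v -match 'MonaRonaDona')) { $found += "title: $k\Window Title = $v" }
    }
    return $found
}

function Remove-MonaIndicators {
    # Same end state as "Fix checked" plus the .reg file: stop the process,
    # delete the startup file and Run values, re-enable Task Manager (deleting
    # DisableTaskMgr has the same effect as setting it to 0), drop the titles.
    Get-Process -Name SRVSPOOL -ErrorAction SilentlyContinue | Stop-Process -Force
    if (Test-Path -LiteralPath $startupExe) { Remove-Item -LiteralPath $startupExe -Force }
    foreach ($e in $runEntries) {
        Remove-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    }
    foreach ($k in $policyKeys) {
        Remove-ItemProperty -Path $k -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    }
    foreach ($k in $titleKeys) {
        Remove-ItemProperty -Path $k -Name 'Window Title' -ErrorAction SilentlyContinue
    }
}

$before = @(Get-MonaIndicators)
if ($before.Count -eq 0) {
    Write-Output 'No MonaRonaDona indicators found.'
} else {
    $before | ForEach-Object { Write-Output "found: $_" }
    Remove-MonaIndicators
    $after = @(Get-MonaIndicators)
    if ($after.Count -eq 0) { Write-Output 'Cleaned. Reboot, then run again to confirm nothing came back.' }
    else { $after | ForEach-Object { Write-Output "still present: $_ (retry from Safe Mode)" } }
}
```

If SRVSPOOL.EXE is reported as still present after the run, the file is locked; the Safe Mode and delete-on-reboot routes earlier in the thread apply, and the registry part of the cleanup above has already been done.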
  UK HardDrive
@btcentralplus.com | reply to bcastner Re: MonaRonaDona "virus"?
Having tried unsuccessfully some of the recommendations here, I did a system restore and this seems to have worked (touch wood). 1st Feb 2008 UK 21:10pm
  UK HardDrive
@btcentralplus.com | My previous post should have read 1st Mar 2008 as the date. Hope this solution works for you. Again, I did a system restore and this rid me of the problem. 20:15pm
  Kas
@optonline.net
| reply to bcastner Thank you for the removal tool, bcastner. For Windows Vista it worked from safe mode. I installed Spotmau WinCare 2008 on the same date SRVSPOOL was created on my computer. I'm wondering if there is any connection between them. Did anybody who had Spotmau installed get this problem?
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
said by Kas: "Thank you for the removal tool, bcastner. For Windows Vista it worked from safe mode. I installed Spotmau WinCare 2008 on the same date SRVSPOOL was created on my computer. I'm wondering if there is any connection between them. Did anybody who had Spotmau installed get this problem?"
Can you tell us the reasons and steps that led you to even download and install Spotmau WinCare 2008 in the first place?
Thanks