 bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
4 edits | Re: MonaRonaDona "virus"?
I guess we should be nicer to our Vista users. The following MonaRonaDona removal will work for either Windows XP or Windows Vista, Windows 2003 and Windows 2008:
1. Download HijackThis:
• Save HJTinstall.exe to your desktop.
• Double-click on the desktop icon for HJTinstall.exe.
• By default it will install to C:\Program Files\Trend Micro\HijackThis. It will also create a Desktop icon.
• Double click the HijackThis icon on your Desktop to start the Program. Select "System scan only".
Checkmark these items (if found):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - HKLM\..\Run: [.NET.] \FUD.exe
O4 - Global Startup: SRVSPOOL.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
Click "Fix checked", and when it finishes exit HijackThis.
2. Please download to your Desktop OT_MOVEIT2.exe:
Please double-click OTMoveIt2.exe to run the utility. {Vista users -- right click and "Run as Administrator"} Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy); or click on the little highlighted text on the top right of the Code box that says "copy to clipboard":
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window. IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar). The top panel will not help you. Right-click and choose Paste.
Click the red Moveit button. This will take several minutes as a guess, as I am scanning the user profile folder completely. When it has finished, look in the large right-hand panel that shows Results. You should see at least the principal infector files are deleted, and whatever applicable registry changes were made. (Not all might apply in your case.) Close OTMoveIt2 when it has finished.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Now, double-click to open OTMOVEIT2 again. Click the green button, "CleanUp!" at the top. {Note: it will need to access the internet to download a small script file. Please allow your Firewall to do so.}
When it finishes it will have deleted all of its quarantines, as well as the OTMOVEIT2 program and all created folders.
Reboot.
Best wishes, Bill Castner
-- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
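A triage sketch for the "Checkmark these items" step in the post above, added here as an example and not part of the original post or of HijackThis: it parses a saved HijackThis log and returns the entries that match the four items listed. The sample log, the `C:\EXAMPLE\` directory and the function names are constructed for illustration.

```python
import re

# The four entries the post says to checkmark, as (section code, regex on the
# rest of the line). The directory in front of FUD.exe is not given in the
# post, so any directory is accepted.
INDICATORS = [
    ("R1", r"Window Title\s*=\s*MonaRonaDona\b"),
    ("O4", r"Run: \[\.NET\.\].*\\FUD\.exe\b"),
    ("O4", r"Global Startup: SRVSPOOL\.exe\b"),
    ("O4", r"Run: \[RegistryCleanFixMFC\].*\\RegistryCleaner2008\.exe\b"),
]

# A HijackThis entry line looks like "O4 - <detail>"; header lines do not match.
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_log(text):
    """Yield (section, detail) for each entry line, skipping header lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def flag_entries(text):
    """Return the log entries that match one of the post's four items."""
    hits = []
    for section, detail in parse_log(text):
        for want_section, pattern in INDICATORS:
            if section == want_section and re.search(pattern, detail, re.IGNORECASE):
                hits.append(f"{section} - {detail}")
                break
    return hits

# Constructed sample log (not from a real machine); C:\EXAMPLE is a placeholder.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis
Platform: Windows XP SP2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [.NET.] C:\EXAMPLE\FUD.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - Global Startup: SRVSPOOL.exe
O4 - Global Startup: Example Helper.lnk = C:\Program Files\Example\helper.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
O23 - Service: Example Service - Example Corp - C:\Program Files\Example\svc.exe
"""

if __name__ == "__main__":
    for entry in flag_entries(SAMPLE_LOG):
        print("checkmark:", entry)
```

Matching is case-insensitive because file names in a log may appear in a different case than in the post's list (a later reply writes `srvspool.exe`).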
| |
|
  Conestogaman
@sbcglobal.net
| Re: MonaRonaDona "virus"?
Thanks for the help!! I, too, woke up to this on my 'puter. I 'may' have used the registryfix2008, but don't know for sure. I was trying to clean out another problem. Your help and tutorials cured more than this one problem and my 'puter is running much better now! Thank you again (can I say it too much?) for your 'good fight'!!
Sincerely,
Conestogaman | |
|
 |   Sicilianshory
@bresnan.net
| Re: MonaRonaDona "virus"? Yep, I think I got the monaronadona from the registrycleanfix2008! And you have to pay for it, which is really what sux! But the registry does have a MBG and I deleted the srvspool.exe but still have the monaronadona on my internet explorer toolbar! UGG! | |
|
 BigMinge
join:2008-03-03 Wethersfield, CT | Thanks for this. I too found this when I turned my comp on. | |
|
  kf
@net.au | This was successful in removing Monaronadona virus for me. Thank you! | |
|
  dentalchick007
@comcast.net | Hey I did this to fix the virus and it worked for me! Nothing else did. Thank you so much. | |
|
  sc
@rr.com | Thanks so much for the help. It worked and thank goodness it is gone. | |
|
  Oricat
@com.au
| Hi... Thank-you for your help with this. I have followed your instructions and all has worked very well, until the last step! After clicking "MoveIt" all results were displayed in the right hand panel as "not found". I then exited and reopened OTMoveIt; when I clicked on CleanUp a message was displayed stating "Access Denied"??? I tried to repeat the second step, and each time I try to move the files; they move to the results screen then the program stops responding??? Any ideas???? This is a new laptop, running Vista, Please Help!!! | |
|
 |   Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
1 edit | Re: MonaRonaDona "virus"?
said by Oricat :
I try to move the files; they move to the results screen then the program stops responding??? Any ideas???? This is a new laptop, running Vista, Please Help!!!
try "... If you have any issues, run the steps in Safe Mode...."
edit: safe mode howto link »www.bleepingcomputer.com/tutoria···ml#vista
Cudni -- "Mercifully, he hit him with the soft end of the pistol." Help yourself so God can help you. Microsoft MVP, 2006-2007 | |
|
  Oricat
@com.au | Fantastic... That seemed to work! Thank-you Cudni and Thanks again to Bill... Much appreciated! | |
|
  MS
@ac.za | Thanks, It Helped | |
|
 omputeretard
join:2008-03-04 Decatur, IN | you are the man. i am primadona free thanks to you. | |
|
 |   AB Premium join:2006-04-04 Leesburg, VA
| Re: MonaRonaDona "virus"? All Hail bcastner , All Hail!
Hopefully, this thread and this experience will cause a bit of a light bulb to come on for some of the less computer-literate.
This infection is pure social engineering.
Don't believe everything you see in a pop-up on your screen, in an e-mail, etc. In fact, don't even open unrecognized e-mails. Simply delete them.
You have no unknown benefactor in Nigeria who has died and willed you a large amount of money, if only you could send the cash for the process to be transacted.
You have no virus or other issue with your computer simply because some random and unrecognized pop-up says so, with the "guaranteed cure right here at this link". Etc.
And when in doubt, don't do it.
Learning from mistakes is a positive experience. Ignoring mistakes and continuing to make the same ones is strictly a dead-end street, and potentially a ticket to a financial nightmare or identity theft merry-go-round.
It does keep folks busy in this forum, though.  | |
|
 |  |  omputeretard
join:2008-03-04 Decatur, IN
| Re: MonaRonaDona "virus"? well yeah i have learned a few things. but when i found errorsmart i was on the microsoft download site. what are they thinking? i mean it's not very professional of them to go screwing people out of money. yay to corporate wool over my blind and unintelligent eyelids. it must have been an ad or something that i assumed was from microsuck. | |
|
 |  |  classical62
join:2008-03-03 Vacaville, CA
| said by AB :
All Hail bcastner , All Hail! Hopefully, this thread and this experience will cause a bit of a light bulb to come on for some of the less computer-literate.
I'll double that "hail" and raise you a three cheers! AB~ I agree with you on this actually "easy" lesson that was learned..I think my light bulb was having a bit of an electrical connection and that's why I did a dumb thing and downloaded that *^&$ virus...I KNOW better than to open email I don't recognize as well as be mindful of what I download...funny thing is I was scolding myself for not listening to my intuition the other day and then I went ahead and didn't listen and got a pain in the *** for my troubles. Thank you all again for your time and I will behave myself from now on | |
|
  Mona Moaner
@wa.gov
| Thanks for the info to get Mona off, but now I can't shutdown my comp. However, after reboot, my task manager was enabled. I have to pull the power to shut down. It hangs when I go to Start/Shutdown. How can I fix this? I hope they shoot the b___stards that did this.
MM | |
|
 |  |
  qwerty714
@verizon.net | it worked thank you so much you will be in my prayers tonight  | |
|
  Larry G
@comcast.net | Thanks Thanks Thanks Yes, this solution really does work.. Some of the virus software folks haven't even found it -- their software does not identify or do anything to help. Your article is the best solution.
Larry Gorin | |
|
  SingOlong
@on.ca | Cool man You are the coolest person on earth. | |
|
  eosab
@wideopenwest.com
| THANK YOU!!!!! I could kiss you full on the lips for posting this cure. I would have been one of those people who bought the antivirus software... after searching and getting frustrated... I was willing to try anything. You saved me $40 and restored my faith in the kindness of total strangers. Today, you are my hero.
Thanks again, Elissa | |
|
  ME user
@charter.com | I have an old laptop with Windows ME and got that blamed mona thing. Is there a fix for this OS? | |
|
 |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
2 edits | Re: MonaRonaDona "virus"? said by ME user :
I have an old laptop with Windows ME and got that blamed mona thing. Is there a fix for this OS?
Bill responded to you in the next post.. edit
But it is still a good suggestion to head to this forum section and follow the instruction to then post a HijackThis log..someone will help you there.
»Security Cleanup
you will be asked first to do these steps.. »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
But it will be worth it since those experts will then give you other suggestions on how to keep your system safe.
And I suggested that to anyone else that got whacked with this monaronadona..since chances are you could have other bad boys on your PC and they will help you clean them off and get your system running smoother and faster in many cases.
-- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|
 |  |
  Lisa71
@bellsouth.net | IT WORKED!!! Thank You!!! | |
|
  Snowbunny85
@cox.net | My comp has this virus and it has gotten so bad that it has disabled EVERYTHING!! I can't even get online with it....is there any way to get rid of it without having to access the internet?? | |
|
 |   bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs:  | Re: MonaRonaDona "virus"? Use the script solution, as nothing needs to be downloaded: »Re: MonaRonaDona "virus"? | |
|
 |  |   jefe Premium join:2001-05-19 Northport, NY
·Verizon FIOS
| Re: MonaRonaDona "virus"? I've scanned through this thread and one thing that hasn't popped out is...how did those that got infected do so?
If I missed it...sorry. But it would be interesting to know how the bad guy wound up on infected machines so others won't make the same mistake. | |
|
 |  |  |  |
 |  |  |   bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
| quote: Well, as we research further into the so-called MonaRonaDona virus, Registry Cleaner 2008, and Unigray Antivirus, we find characteristics common to each executable binary, leading us to believe with a high level of confidence that not only are the binaries from the same group, but they were developed on the same machine.
We performed a forensic investigation of the binaries, and in the Sherlock Holmes style we can say that the author of these masterpieces is a male (possibly Pakistani), who lives in Netherlands and speaks Dutch, in his mid 30-ies, who is a freelance programmer in C++ (MFC/ATL), who is also a soccer fan, wants to study in the U.S. or Pakistan as a Fulbright scholar and likes looking at Maria Ford and Jordon Ladd. Our Mr. X has no permanent job, so he takes the projects from his bosses to build these rogue antivirus solutions and pay his rent. He wants better projects and wants to run his own business. It is his bosses who are the real masterminds behind Unigray Antivirus and MonaRonaDona - not this man himself.
Clues?
Well, the executable was compiled on a Windows box with the Netherlands regional settings using Microsoft Visual Studio 8 and MFC/ATL settings. MonaRonaDona is likely a word-play with Maradona - M(on)ar(on)adona, whose fans are likely to be in their mid 30-ies and older. An ELance trace leads us to the web portal where freelance programmers can be hired. Multiple others litter the files.
It's Elementary, My Dear Watson!
»blog.threatfire.com/ -- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
| |
|
 |  |  |  |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| Re: MonaRonaDona "virus"?
said by bcastner :
Clues? MonaRonaDona is likely a word-play with Maradona - M(on)ar(on)adona, whose fans are likely to be in their mid 30-ies and older.
And I of course do not agree with the footballer angle. The Monaronadona message was for human rights violation protest. So it is closer to someone who would follow thoughts of Morodo in the word of the song Querido Enemigo (wanted enemy) "Beloved Enemy in peace and let me already now, or na na na." Those fans are a lot younger.
»translate.google.com/translate?h···26sa%3DN -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|
 |  |  |  |  |   bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs:  | Re: MonaRonaDona "virus"? Or, perhaps this Dutch speaking Pakistani just did not know how to spell the pop singer Madonna very well...... | |
|
 |  |  |  |   AB Premium join:2006-04-04 Leesburg, VA
| said by bcastner : quote: . . in the Sherlock Holmes style we can say that the author of these masterpieces is a male (possibly Pakistani), who lives in Netherlands and speaks Dutch, in his mid 30-ies, who is a freelance programmer in C++ (MFC/ATL), who is also a soccer fan, wants to study in the U.S. or Pakistan . . .
. . MonaRonaDona is likely a word-play with Maradona - M(on)ar(on)adona . . . .
» blog.threatfire.com/ (Bolding mine.)
said by Name Game :
. . The Monaronadona message was for human rights violation protest. So it is closer to someone who would follow thoughts of Morodo in the word of the song Querido Enemigo (wanted enemy) "Beloved Enemy in peace and let me already now, or na na na." . . .
said by bcastner :
. . perhaps this Dutch speaking Pakistani . . .
(Again, bolding mine.)
I believe you're both wrong (and/or threatfire.com), if it's a Pakistani who wrote it.
Rona-Dona, or Rhona Dhona, is some sort of Pakistani/Indian slang-- for what, I'm not exactly sure, but examples can be found here:
»www.apnicommunity.com/kasturi/31···ity.html
»entertainment.oneindia.in/televi···706.html
»forum.indya.com/showthread.php?t=56424
There are others. So if in fact it was a Pakistani who wrote it, that would seem to fit more so than any 'Diego Maradona' thing or human rights violation message.
Just a point of trivia, as it would seem to have no actual bearing on anything. | |
|
 |  |  |  |  |  |
 |  |  |  |  |  |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| Re: MonaRonaDona "virus"? I have that RemoveMonaRonaDona.exe (2856KB) and the .rar in a folder..Internal name: FixMalware.exe Version 1.0.0.1 since 2/29...will they be updating it soon? -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|
 |  |  |  |  |  |
 |  |  |  |  |  |   AB Premium join:2006-04-04 Leesburg, VA
| Re: MonaRonaDona "virus"? True enough. Though I'm not sure I see much of a connection to a song in Spanish by an Hispanic composer, other than in possible sentiment-- but similar sentiments have no doubt been expressed in song, film, and writings in many different languages. But-- it's a mere point of trivia anyway, regardless of what it may refer to, and I suspect those victimized by MonaRonaDona are not overly concerned with what the malware writer may have been thinking whilst composing his piece of . . . 'art'.  Either that or "Mona" by Bo Diddley, I suppose, eh?
Or "Mona Mona" by Peter Cetera? Maybe "Mona Lisa" by Nat King Cole? | |
|
  Puzzled
@cox.net | My brother has this malware on his computer but has Windows 98 ~ I know, old! How can you get rid of it with such an old version of windows? | |
|
 |  |
  aimester
@sbcglobal.net | Thanx brian this worked great! Just think other anti virus will charge up to $100 to fix thanx again. | |
|
  diverphd
@com.mx | thank you soooo much.. tried other resolutions and only yours worked.. where was norton and mcafee? they did not have it even listed.. thanks again.. | |