  shaker
@qwest.net | Re: MonaRonaDona "virus"? - "Do not leave warm thoughts to the cooling influences of the world" -unknown
Thanks for the help! It worked perfectly! | |
|
  Rick G
@comcast.net | Thank you ... Thank you ... Thank you. This worked when nothing else did. | |
|
  bgclm
@telecomitalia.it | I LOVE YOU!!! this was so easy!!! | |
|
 Heather71
join:2008-03-10 Dover, DE | Bill! Thank you! Thank you! Thank you! After many other attempts to remove the annoyance, your suggestion worked! | |
|
  Chuckv
@verizon.net | This worked fine for me. Thank you very much!!!!! | |
|
  creendar
@bellsouth.net | This works fine until I reboot and then it's back | |
|
 |   bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
| Re: MonaRonaDona "virus"? The only issue the batch scripting solution might have is that it was unable to find Tsklist in the path.
If you have issues with the first fix, then use the second. It has everything needed to remove the virus: »Re: MonaRonaDona "virus"? | |
|
 |  |   HOLLY3RN
@verizon.net
| Re: MonaRonaDona "virus"?
HI, I AM SO LOST, MY COMPUTER HAS THIS MONARONADONA VIRUS, i THOUGHT I CLEANED IT OFF WITH MY AVG, BUT I DONT UNDERSTAND HOW TO GET THE MONA DONA RONA OFF OF MY HEADER AT THE TOP OF MY SCREEN, I TRIED TO READ ONE OF THE SITES YOU POSTED, BUT I AM LOST AND AM AFRAID I WILL REALLY SCREW UP MY COMPUTER, COULD YOU SUGGEST AN EASIER SITE FOR COMPUTER DUMMIES. THANKS HOLLY | |
|
 |  |  |   Chuckv
@verizon.net | Re: MonaRonaDona "virus"? Follow the instructions at the beginning of this post and you can't go wrong. | |
|
 |  |  |   AB Premium join:2006-04-04 Leesburg, VA
| said by HOLLY3RN :
HI, I AM SO LOST, MY COMPUTER HAS THIS MONARONADONA VIRUS, i THOUGHT I CLEANED IT OFF WITH MY AVG, BUT I DONT UNDERSTAND HOW TO GET THE MONA DONA RONA OFF OF MY HEADER AT THE TOP OF MY SCREEN, I TRIED TO READ ONE OF THE SITES YOU POSTED, BUT I AM LOST AND AM AFRAID I WILL REALLY SCREW UP MY COMPUTER, COULD YOU SUGGEST AN EASIER SITE FOR COMPUTER DUMMIES. THANKS HOLLY
One option would be to download and install Spywareblaster.
There's an option within that app to change IE's title bar, among other things. An added benefit would be the additional anti-spyware protection that it offers.
»javacoolsoftware.com/spywareblaster.html
Though it's not going to remove any current or left-over MonaRonaDona crapola on your machine, beyond allowing you to make that one change. | |
|
  un4tune82
@wanadoo.fr | happy as a lark!!! thanks for the clear instructions. worked like a charm. | |
|
  Duckie
@aol.com | Cheers Bill you helped me get rid of mona for good i hope! Thanks mate | |
|
  diverphd
@com.mx | thank you soooo much.. tried other resolutions and only yours worked.. where was norton and mcaffee? they did not have it even listed.. thanks again.. | |
|
  aimester
@sbcglobal.net | Thanx brian this worked great! Just think other anti virus will charge up to $100 to fix thanx again. | |
|
  Puzzled
@cox.net | My brother has this malware on his computer but has Windows 98 ~ I know, old! How can you get rid of it with such an old version of windows? | |
|
 |   bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
1 edit | Re: MonaRonaDona "virus"? Windows 98?
Hmmmm. I am surprised it would have much effect other than change the IE Title bar. The infection is not terribly well written, and seems very XP and Vista dependent on where it locates files.
There may have been some files or folders installed, but I doubt they would be active. It is more likely the Title Bar you are noticing.
See: »support.microsoft.com/kb/176497
Since in the general scheme of things this infection is more annoyance than danger, give it a day or so and manually update your antivirus program definitions, and then do a thorough scan. It is likely in the next few days this infection will be in your antivirus program database.
-- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
| |
|
  Snowbunny85
@cox.net | My comp has this virus and it has gotten so bad that it has disabled EVERYTHING!! I can't even get online with it....is there any way to get rid of it without having to access the internet?? | |
|
 |   bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs:  | Re: MonaRonaDona "virus"? Use the script solution, as nothing needs to be downloaded: »Re: MonaRonaDona "virus"? | |
|
 |  |   jefe Premium join:2001-05-19 Northport, NY
·Verizon FIOS
| Re: MonaRonaDona "virus"? I've scanned through this thread and one thing that hasn't popped out is...how did those that got infected do so?
If I missed it...sorry. But it would be interesting to know how the bad guy wound up on infected machines so others won't make the same mistake. | |
|
 |  |  |   bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
| Re: MonaRonaDona "virus"? quote: Well, as we research further into the so-called MonaRonaDona virus, Registry Cleaner 2008, and Unigray Antivirus, we find characteristics common to each executable binary, leading us to believe with a high level of confidence that not only are the binaries from the same group, but they were developed on the same machine.
We performed a forensic investigation of the binaries, and in the Sherlock Holmes style we can say that the author of these masterpieces is a male (possibly Pakistani), who lives in Netherlands and speaks Dutch, in his mid 30-ies, who is a freelance programmer in C++ (MFC/ATL), who is also a soccer fan, wants to study in the U.S. or Pakistan as a Fulbright scholar and likes looking at Maria Ford and Jordon Ladd. Our Mr. X has no permanent job, so he takes the projects from his bosses to build these rogue antivirus solutions and pay his rent. He wants better projects and wants to run his own business. It is his bosses who are the real masterminds behind Unigray Antivirus and MonaRonaDona - not this man himself.
Clues?
Well, the executable was compiled on a Windows box with the Netherlands regional settings using Microsoft Visual Studio 8 and MFC/ATL settings. MonaRonaDona is likely a word-play with Maradona - M(on)ar(on)adona, whose fans are likely to be in their mid 30-ies and older. An ELance trace leads us to the web portal where freelance programmers can be hired. Multiple others litter the files.
It's Elementary, My Dear Watson!
»blog.threatfire.com/ -- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
| |
|
 |  |  |  |   AB Premium join:2006-04-04 Leesburg, VA
| Re: MonaRonaDona "virus"? said by bcastner : quote: . . in the Sherlock Holmes style we can say that the author of these masterpieces is a male (possibly Pakistani), who lives in Netherlands and speaks Dutch, in his mid 30-ies, who is a freelance programmer in C++ (MFC/ATL), who is also a soccer fan, wants to study in the U.S. or Pakistan . . .
. . MonaRonaDona is likely a word-play with Maradona - M(on)ar(on)adona . . . .
» blog.threatfire.com/ (Bolding mine.)
said by Name Game :. . The Monaronadona message was for human rights violation protest. So it is closer to someone who would follow thoughts of Morodo in the word of the song Querido Enemigo (wanted enemy) "Beloved Enemy in peace and let me already now, or na na na." . . . said by bcastner :. . perhaps this Dutch speaking Pakistani . . . (Again, bolding mine.)
I believe you're both wrong (and/or threatfire.com), if it's a Pakistani who wrote it.
Rona-Dona, or Rhona Dhona, is some sort of Pakistani/Indian slang-- for what, I'm not exactly sure, but examples can be found here:
»www.apnicommunity.com/kasturi/31···ity.html
»entertainment.oneindia.in/televi···706.html
»forum.indya.com/showthread.php?t=56424
There are others. So if in fact it was a Pakistani who wrote it, that would seem to fit more so than any 'Diego Maradona' thing or human rights violation message.
Just a point of trivia, as it would seem to have no actual bearing on anything. | |
|
 |  |  |  |  |  |   AB Premium join:2006-04-04 Leesburg, VA
| Re: MonaRonaDona "virus"? True enough. Though I'm not sure I see much of a connection to a song in Spanish by an Hispanic composer, other than in possible sentiment-- but similar sentiments have no doubt been expressed in song, film, and writings in many different languages. But-- it's a mere point of trivia anyway, regardless of what it may refer to, and I suspect those victimized by MonaRonaDona are not overly concerned with what the malware writer may have been thinking whilst composing his piece of . . . 'art'.  Either that or "Mona" by Bo Diddley, I suppose, eh?
Or "Mona Mona" by Peter Cetera? Maybe "Mona Lisa" by Nat King Cole? | |
|
 |  |  |  |  |  |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| Re: MonaRonaDona "virus"? I have that RemoveMonaRonaDona.exe2856KB and the .rar in a folder..Internal name: FixMalware.exe Version 1.0.0.1 since 2/29...will they be updating it soon?  -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|
 |  |  |  |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| said by bcastner :Clues? MonaRonaDona is likely a word-play with Maradona - M(on)ar(on)adona, whose fans are likely to be in their mid 30-ies and older.
And I of course do not agree with the footballer angle.  The Monaronadona message was for human rights violation protest. So it is closer to someone who would follow thoughts of Morodo in the word of the song Querido Enemigo (wanted enemy) "Beloved Enemy in peace and let me already now, or na na na." Those fans are a lot younger.
»translate.google.com/translate?h···26sa%3DN -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|
 |  |  |  |  |   bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs:  | Re: MonaRonaDona "virus"? Or, perhaps this Dutch speaking Pakistani just did not know how to spell the pop singer Madonna very well...... | |
|
  Lisa71
@bellsouth.net | IT WORKED!!! Thank You!!! | |
|
  ME user
@charter.com | I have an old laptop with Windows ME and got that blamed mona thing. Is there a fix for this OS? | |
|
 |   bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
1 edit | Re: MonaRonaDona "virus"? Either of the two fixes in this thread (first page) should work on Windows ME. The first method is likely a better choice for ME (only because I cannot test the second method under ME ahead of time for you.):
See the two links here to access the choices directly: »Re: MonaRonaDona "virus"? | |
|
 |   Name Game Premium join:2002-07-07 North Myrtle Beach, SC
2 edits | said by ME user :
I have an old laptop with Windows ME and got that blamed mona thing. Is there a fix for this OS?
Bill Responded to you in the next post.. edit
But it is still a good suggestion to head to this forum section and follow the instruction to then post a HijackThis log..someone will help you there.
»Security Cleanup
you will be asked first to do these steps.. »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
But it will be worth it since those experts will then give you other suggestions on how to keep your system safe. 
And I suggested that to anyone else that got whacked with this monaronadona..since chances are you could have other bad boys on your PC and they will help you clean them off and get your system running smoother and faster in many cases.
-- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|
  eosab
@wideopenwest.com
| THANK YOU!!!!! I could kiss you full on the lips for posting this cure. I would have been one of those people who bought the antivirus software... after searching and getting frustrated... I was willing to try anything. You saved me $40 and restored my faith in the kindness of total strangers. Today, you are my hero.
Thanks again, Elissa | |
|
  SingOlong
@on.ca | Cool man You are the coolest person on earth. | |
|
  Larry G
@comcast.net | Thanks Thanks Thanks Yes, this solution really does work.. Some of the virus software folks haven't even found it -- their software does not identify or do anything to help. Your article is the best solution.
Larry Gorin | |
|
  qwerty714
@verizon.net | it worked thank you so much you will be in my prayers tonight  | |
|
  Mona Moaner
@wa.gov
| Thanks for the info to get Mona off, but now I can't shutdown my comp. However, after reboot, my task manager was enabled. I have to pull the power to shut down. It hangs when I go to Start/Shutdown. How can I fix this? I hope they shoot the b___stards that did this.
MM | |
|
 |   bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
| Re: MonaRonaDona "virus"? MonaRonaDona (and its "fix") come nowhere near any setting that would affect your ability to do a shutdown normally.
I think it best you raise this as a new issue in the Security Cleanup Forum. Be sure to follow the prerequisite steps in large letters at the top of the Forum prior to posting.
We will run some diagnostic tests to see what is up.
Bill Castner -- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
| |
|
 bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
4 edits | Re: MonaRonaDona "virus"? I guess we should be nicer to our Vista users. The following MonaRonaDona removal will work for either Windows XP or Windows Vista, Windows 2003 and Windows 2008:
1. Download HijackThis:
• Save HJTinstall.exe to your desktop.
• Double-click on the desktop icon for HJTinstall.exe.
• By default it will install to C:\Program Files\Trend Micro\HijackThis. It will also create a Desktop icon.
• Double click the HijackThis icon on your Desktop to start the Program. Select "System scan only".
Checkmark these items (if found):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - HKLM\..\Run: [.NET.] \FUD.exe
O4 - Global Startup: SRVSPOOL.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
Click "Fix checked", and when it finishes exit HijackThis.
2. Please download to your Desktop OT_MOVEIT2.exe:
Please double-click OTMoveIt2.exe to run the utility. {Vista users -- right click and "Run as Administrator"} Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy); or click on the little highlighted text on the top right of the Code box that says "copy to clipboard":
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window. IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar), The top panel will not help you. Right-click and choose Paste.
Click the red Moveit button. This will take several minutes as a guess, as I am scanning the user profile folder completely. When it has finished, look in the large right-hand panel that shows Results. You should see at least the principal infector files are deleted, and whatever applicable registry changes were made. (Not all might apply in your case.) Close OTMoveIt2 when it has finished.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Now, Double click to open OTMOVEIT2 again. Click the green button, "CleanupUp!" at the top. {Note: it will need to access the internet to download a small script file. Please allow your Firewall to do so.}
When it finishes it will have deleted all of its quarantines, as well as the OTMOVEIT2 program and all created folders.
Reboot.
Best wishes, Bill Castner
-- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
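
An added example, not part of the post above or of any tool named in the thread: a read-only Python check of a saved HijackThis log for the four entries listed in step 1, which can be rerun after a reboot to confirm none has returned. The sample log is constructed, and the FUD.exe directory in it is a placeholder because the post does not give one; the function and variable names are hypothetical.

```python
import re

# The four entries from step 1, reduced to matchable parts (case-insensitive).
# The post gives no directory for FUD.exe, so that entry is matched on the
# Run value name and the file name only.
INDICATORS = [
    ("R1", re.compile(r"Internet Explorer\\Main,Window Title\s*=\s*MonaRonaDona", re.I)),
    ("O4", re.compile(r"HKLM\\\.\.\\Run: \[\.NET\.\].*\\FUD\.exe", re.I)),
    ("O4", re.compile(r"Global Startup: .*SRVSPOOL\.exe", re.I)),
    ("O4", re.compile(r"HKCU\\\.\.\\Run: \[RegistryCleanFixMFC\]", re.I)),
]

# A HijackThis entry line looks like "<section> - <details>", e.g. "O4 - ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def flag_entries(log_text):
    """Return (line_number, section, details) for each line matching an indicator."""
    hits = []
    for number, raw in enumerate(log_text.splitlines(), 1):
        match = ENTRY.match(raw)
        if not match:
            continue  # header, running-process list, or blank line
        section, details = match.groups()
        for wanted, pattern in INDICATORS:
            if section == wanted and pattern.search(details):
                hits.append((number, section, details))
                break
    return hits

# Constructed sample log; paths other than those quoted in the post are made up.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - HKLM\..\Run: [.NET.] C:\EXAMPLE\FUD.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
O4 - Global Startup: SRVSPOOL.exe
"""

if __name__ == "__main__":
    for number, section, details in flag_entries(SAMPLE_LOG):
        print(f"line {number}: {section} - {details}")
```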