5th March 2008, 05:37 PM
|  | TST Oracle | | Join Date: Dec 2007, 8,001 posts. Location: Market Haemorrhoids, Middle England Reputation:  | | | monaronadona (this is not a virus)
Despite what it says about itself, and it broadcasts that it is a virus spread on behalf of, amongst other things, human rights, this is not a virus. It is an extortion scam and you are invited to pay up about US$40 to download a fix called UniGray. Don't do it!
Reboot the system into safe mode and search for the file srvspool.exe and delete it. Remove it from the recycle bin.
You could also remove the line from the startup listing in msconfig
Reboot and all should be well.
I have just found this and cleared a system of it fairly easily using this process. The only residues are that task manager does not work but this is no big deal on this pc but I cleared it using a useful utility I found on http://www.dougknox.com/xp/utils/xp_taskmgrenab.htm. The other is the IE header; I cleared Monaronadona by changing the reference in the registry - make a copy first before searching for "monaronadona" which you can then change.
Remember - it is nothing more sinister than a scam.
__________________ Confuse and Prosper. | 
5th March 2008, 05:51 PM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | |
Moved to general security.
We could use this in the guides section if you are willing to create a removal guide for the MonaRonaDona infection.
Hijackthis entries for MonaRonaDona
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - HKLM\..\Run: [.NET.] \FUD.exe
O4 - Global Startup: SRVSPOOL.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
Registry keys for MonaRonaDona
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Window Title
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Window Title
HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\\Window Title
File and folder paths for MonaRonaDona
C:\Program Files\RegistryCleanFix2008
C:\Program Files\UniGray Antivirus
C:\Documents and Settings\All Users\SRVSPOOL.EXE /S /D
C:\Users\SRVSPOOL.EXE /S /D | 
5th March 2008, 05:51 PM
|  | TST Expert | | Join Date: Dec 2007, 687 posts. Reputation:  | | |
Cheers for the info. I can't believe morons do that, it's just going to make people unaware of the scam pay up. Is there a way to remove it while keeping the task manager?
__________________ Gigabyte GA-MA78LMT-US2H / Athlon II X4 630 3.2GHz / OCZ SpecOPS PC3-12800 2x2GB / GF 9800GT 512MB | 
5th March 2008, 05:54 PM
|  | TST Member | | Join Date: Jan 2008, 165 posts. Location: Tampa FL Reputation:  | | |
Can't you just write a script for Avenger
| 
5th March 2008, 06:03 PM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
@ Spleenharvester
Yes there is a way. Credit to DSL Reports
First: Have Hijackthis fix these entries (if found)
- R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
- O4 - HKLM\..\Run: [.NET.] \FUD.exe
- O4 - Global Startup: SRVSPOOL.exe
- O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
Second: Download OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Window Title
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Window Title
HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\\Window Title
C:\Program Files\RegistryCleanFix2008
C:\Program Files\UniGray Antivirus
C:\Documents and Settings\All Users\SRVSPOOL.EXE /S /D
C:\Users\SRVSPOOL.EXE /S /D
- Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar). The top panel will not help you.
Right-click and choose Paste.
- Click the red Moveit! button.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Now, Double click to open OTMoveIt2 again.
Click the green CleanUp! button at the top. Note: it will need to access the internet to download a small script file. Please allow your Firewall to do so.
When it finishes it will have deleted all of its quarantines, as well as the OTMOVEIT2 program and all created folders. Reboot the computer.
Last edited by evilfantasy; 14th March 2008 at 09:13 PM.
| 
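An added example, not part of the original posts: a small Python scanner that checks a saved HijackThis log for the four R1/O4 entries listed in this thread. The function name `scan_log`, the sample log and its benign entries are constructed for illustration.

```python
import re

# The four HijackThis entries named in this thread, as (section, regex, label).
# Matching is case-insensitive because Windows paths are.
INDICATORS = [
    ("R1", re.compile(r"Internet Explorer\\Main,Window Title\s*=\s*MonaRonaDona", re.I),
     "IE window title set to MonaRonaDona"),
    ("O4", re.compile(r"Run:\s*\[\.NET\.\].*\\FUD\.exe$", re.I),
     "Run entry [.NET.] -> FUD.exe"),
    ("O4", re.compile(r"^Global Startup:\s*SRVSPOOL\.exe$", re.I),
     "Global Startup SRVSPOOL.exe"),
    ("O4", re.compile(r"RegistryCleanFix2008\\RegistryCleaner2008\.exe$", re.I),
     "Run entry RegistryCleaner2008.exe"),
]

# A HijackThis result line looks like "<section> - <details>", e.g. "O4 - ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def scan_log(text):
    """Return (line_number, label, line) for each log line matching an indicator."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = ENTRY.match(raw)
        if not entry:
            continue  # header, blank line or anything that is not a result entry
        section, details = entry.groups()
        for wanted_section, pattern, label in INDICATORS:
            if section == wanted_section and pattern.search(details):
                hits.append((lineno, label, raw.strip()))
                break
    return hits

# Constructed sample log: the thread's four entries mixed with benign ones.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [.NET.] \FUD.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
O4 - Global Startup: srvspool.exe
O4 - HKLM\..\Run: [Spooler] C:\WINDOWS\system32\spoolsv.exe
"""

if __name__ == "__main__":
    for lineno, label, line in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {label}\n    {line}")
```

A clean result only covers the startup and window-title entries HijackThis reports; the DisableTaskMgr policy values and leftover folders listed in the thread still need to be checked separately.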
5th March 2008, 06:06 PM
|  | TST Expert | | Join Date: Dec 2007, 687 posts. Reputation:  | |
That was quick... Thanks
__________________ Gigabyte GA-MA78LMT-US2H / Athlon II X4 630 3.2GHz / OCZ SpecOPS PC3-12800 2x2GB / GF 9800GT 512MB | 
5th March 2008, 06:09 PM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
@ Blind Dragon
The Avenger would work as well but you need to know the script commands. OTMoveIt2 is easier and works just as well.
Also there is a new version of The Avenger and it now works with Vista!
Including:
* A complete overhaul of the GUI
* Automatic rootkit detection and removal
* New scripting functionality
* Full compatibility with Windows Vista
Complete version information and tutorial here | 
5th March 2008, 06:39 PM
|  | TST Member | | Join Date: Jan 2008, 165 posts. Location: Tampa FL Reputation:  | |
I am familiar with it | 
5th March 2008, 06:41 PM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
Another tool to fix the Task Manager and other policies that this virus affects.
Download to your Desktop this self-extracting ZIP archive FixPolicies.exe
• Double-click FixPolicies.exe
• Click the Install button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies
• Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
• A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.
| 
5th March 2008, 10:02 PM
|  | TST Oracle | | Join Date: Dec 2007, 8,001 posts. Location: Market Haemorrhoids, Middle England Reputation:  | | |
Don't want to appear ungrateful, but these fixes seem more complex than the ones I found above. Let's face it, most users don't use the task manager and the rest would not notice the change in the IE header anyway!
Judging by the growing awareness, I think this has a limited life anyway. With any luck!
__________________ Confuse and Prosper. | 
5th March 2008, 11:33 PM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | |
I have to disagree. The removal process is no more complex than the malware itself. Leaving any trace of it is no different than inviting the same infection to return. Unfixed entries are open doors for future attack or another malicious program/web site to exploit. The growing awareness might bring about an automated fix, but once a virus like this is introduced to the internet it is here to stay.
Most users are aware of the Task Manager as they like to keep an eye on what processes/applications are doing what. It is a quick and well known way to view performance.
It's the difference between removing symptoms and removing the malware. I choose the latter.
| 
6th March 2008, 11:47 AM
|  | TST Expert | | Join Date: Dec 2007, 702 posts. Location: sunderland Reputation:  | | | monaronadona scam
have you looked this one up yet, it's quite new..? monaronadona and here
forget it, just found a previous post referring to it
Last edited by tomrca; 6th March 2008 at 12:34 PM.
| 
6th March 2008, 12:22 PM
|  | Community Moderator | | Join Date: Dec 2007, 4,345 posts. Location: Oxford, UK Reputation:   | | |
Threads merged.
__________________
Numberwang!
A little air on the earth.
| 
8th March 2008, 05:26 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | |
Antivirus vendors are already up to date with this virus. This is from Kaspersky, if their antivirus is able to detect or remove it then the others will soon follow.
Users are instructed to install Unigray Antivirus that removes monaronadona for a fee of 39.99…and then does nothing else. Don’t fall for this scam.
Rogue web site: unigray dot com
Rogue name: Unigray Antivirus
Identified as: Trojan.Win32.Monagrey.a as not-a-virus:FraudTool.Win32.Unigray.a
I'm also seeing reports that the updated copy of smitfraudfix will remove it.
Last edited by evilfantasy; 8th March 2008 at 05:54 AM.
| 
10th March 2008, 09:26 PM
|  | Community Moderator | | Join Date: Dec 2007, 4,345 posts. Location: Oxford, UK Reputation:   | |
Anybody who wants to remove this infection should see here: MonaRonaDona Virus Removal
__________________
Numberwang!
A little air on the earth.
| 
10th March 2008, 09:38 PM
|  | TST Oracle | | Join Date: Dec 2007, 8,001 posts. Location: Market Haemorrhoids, Middle England Reputation:  | | |
I had heard that sometimes there is more than the $39.95 taken from the credit card account; one tale told of over $4000. Still, true or not this is a nasty racket and the more we can publicise what it is the better.
It took most of the AV houses a long time to wake up to this one - much longer than usual. Perhaps they believed it when it said it was not a virus?
__________________ Confuse and Prosper. | 
10th March 2008, 10:20 PM
|  | Community Moderator | | Join Date: Dec 2007, 4,345 posts. Location: Oxford, UK Reputation:   | | |
That just adds to the importance of this problem being stamped out then mate. If money laundering (right word?) is coming into it then it's probably one of the worst infections I've seen of late.
__________________
Numberwang!
A little air on the earth.
| 
10th March 2008, 10:28 PM
|  | TST Oracle | | Join Date: Dec 2007, 8,001 posts. Location: Market Haemorrhoids, Middle England Reputation:  | | |
This is not the first of this type - there was another one called SpyHacker, SpyShield, SpyDefence and so on - all the same and all offering to sell a non working fix for 40 bucks. Apparently it came from South America although where that news came from I cannot remember. The trouble is that as most of these are not a virus, the AV packs are useless against them.
__________________ Confuse and Prosper. | 
10th March 2008, 10:51 PM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
I found a lot of blogs and posts about this while making the second guide last night. Unigray Antivirus is written in the same code as Registry Cleaner 2008 which is also making a splash with infecting users. I had to walk an 80 year old man with limited use of his hands in removing Registry Cleaner 2008 on another forum. That was a struggle for both of us but he hung in there and we got it done!!!
Second blog post here has video, the Digg page, and more on the virus > Viruslist.com - Analyst's Diary
This page has links that will lead you to pictures and web site registration information of the guy suspected of creating and launching monaronadona > The MonaRonaDona Extortion Scam - Security Fix
This moron sure did make a splash with this one. Virus writers around the world are very jealous I'm sure. Their ultimate goal is to become infamous in the underground groups who create this rubbish. He succeeded