MonaRonaDona Virus Removal
Published by evilfantasy
10th March 2008

This virus is getting a lot of attention on malware removal forums and security blogs, so I have put this removal guide together from information I have found around the web, mostly at the DSL Reports Security Forum, so credit given where it is due.

The MonaRonaDona virus is a piece of malware that threatens to trash host computers. MonaRonaDona appears to be a relatively harmless invasion that was created to scare people into purchasing a fake anti-virus product called Unigray antivirus. It states that Unigray will clean it up for only $39.90. This is a rogue tool and will not do anything to remove the malware. DON'T BUY OR INSTALL IT!

MonaRonaDona is identified as Trojan.Win32.Monagrey.a and Unigray Antivirus is identified as not-a-virus:FraudTool.Win32.Unigray.a.



First Step

Download HijackThis to the desktop.
  • Double-click the icon for HJTinstall.exe
  • Click on the Install button.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis and will also create a Desktop icon.
  • Upon install, HijackThis should open for you.
  • Select Do a system scan only.
Place a check mark next to the following entries (if present):
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
  • O4 - HKLM\..\Run: [.NET.] \FUD.exe
  • O4 - Global Startup: SRVSPOOL.exe
  • O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

Second Step

Download OTMoveIt2 by OldTimer
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Window Title
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Window Title
    HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\\Window Title
    C:\Program Files\RegistryCleanFix2008
    C:\Program Files\UniGray Antivirus
    C:\Documents and Settings\All Users\SRVSPOOL.EXE /S /D
    C:\Users\SRVSPOOL.EXE /S /D
    
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the Yellow bar) and choose Paste.
  • Click the red Moveit! button.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now, double-click to open OTMoveIt2 again.
Click the green CleanUp! button at the top.
Note: it will need to access the internet to download a small script file. Please allow your Firewall to do so.

When it finishes, it will have deleted all of its quarantines, as well as the OTMoveIt2 program and all created folders.

Reboot the computer

Third Step

Download to your Desktop this self-extracting ZIP archive FixPolicies.exe
  • Double-click FixPolicies.exe
  • Click the Install button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
  • A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.
  • Delete the FixPolicies files and folders.
You should now be clear of MonaRonaDona. If you are still having problems, then visit our Malware Removal forum and ask for help there.
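
A read-only PowerShell check that can be run after the Third Step to confirm that the entries from the Second Step list are gone. It is an added example, not part of the original tutorial or of the tools it uses; the `New-Finding` helper is hypothetical, and the recursive search for SRVSPOOL.EXE assumes the `/S /D` switches in the list mean "include subfolders".

```powershell
# Added example: read-only check for the leftovers listed in the Second Step.
# It changes nothing; it only reports what is still present.

# Registry values from the list, as (key path, value name) pairs.
$regValues = @(
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableTaskMgr'),
    @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableTaskMgr'),
    @('HKCU:\Software\Microsoft\Internet Explorer\Main', 'Window Title'),
    @('HKLM:\Software\Microsoft\Internet Explorer\Main', 'Window Title'),
    @('HKCU:\Software\Microsoft\Outlook Express', 'Window Title')
)
# Folders from the list.
$folders = @('C:\Program Files\RegistryCleanFix2008', 'C:\Program Files\UniGray Antivirus')
# Locations the list gives for SRVSPOOL.EXE. Assumption: /S /D means "include subfolders".
$searchRoots = @('C:\Documents and Settings\All Users', 'C:\Users')

# Hypothetical helper: one report row per leftover.
function New-Finding($type, $location, $detail) {
    New-Object PSObject -Property @{ Type = $type; Location = $location; Detail = $detail }
}

$findings = @()

foreach ($pair in $regValues) {
    $key = $pair[0]; $name = $pair[1]
    $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
    if ($item) {
        # Show the data too: a Window Title of "MonaRonaDona" is the malware's marker,
        # while DisableTaskMgr can also be set by a legitimate administrator policy.
        $findings += New-Finding 'Registry value' "$key\$name" ($item.$name)
    }
}

foreach ($dir in $folders) {
    if (Test-Path -LiteralPath $dir) { $findings += New-Finding 'Folder' $dir '' }
}

foreach ($root in $searchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # @() keeps the result an array even when nothing is found or access is denied.
    $hits = @(Get-ChildItem -LiteralPath $root -Filter 'SRVSPOOL.EXE' -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($hit in $hits) { $findings += New-Finding 'File' $hit.FullName '' }
}

if ($findings.Count -eq 0) {
    'Nothing from the Second Step list was found.'
} else {
    $findings | Select-Object Type, Location, Detail | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the HKLM keys and the All Users folders can be read. Any row it prints is something to take to the Malware Removal forum rather than proof of infection on its own.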
Applies to
Windows (all)