Monaronadona

  • 03-03-2008 09:32PM
    #1
    Registered Users, Registered Users 2 Posts: 276 ✭✭


    I have this virus monaronadona on my computer. Pops up every time I turn on the machine and it stops me opening certain programs. It appears to be some scam trying to make you purchase Unigray antivirus software.

    Does anyone know how I can get rid of it?

    Thanks


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Do this

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


  • Registered Users, Registered Users 2 Posts: 276 ✭✭k101


    Will that get rid of it straight away? What is it?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    No, it won't

    It will tell me what infection you have, it is similar to HijackThis


  • Registered Users, Registered Users 2 Posts: 276 ✭✭k101


    d


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hello

    1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ROAD TOOL EXTRA VGA] C:\Documents and Settings\All Users\Application Data\Ante four vga mfcd\mpeg axis drv.exe
    O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\blah support.exe
    O4 - HKCU\..\Run: [Windows] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      C:\Documents and Settings\All Users\Application Data\Ante four vga mfcd
      C:\Documents and Settings\All Users\Application Data\Roam Program Comp About
      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe
      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe
      C:\WINDOWS\pss\SRVSPOOL.exeCommon Startup 
      
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      purity
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SRVSPOOL.exe
      
    • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Reboot and post a new DSS log
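
The entries ticked in the post above fall into four HijackThis sections: an Internet Explorer setting (R1), a Browser Helper Object (O2), Run-key autostarts (O4) and a policy restriction (O7). The following is an added example, not part of the thread or of any tool named in it, that triages a HijackThis log for those same patterns; the folder heuristic and the last sample line are assumptions constructed for the demonstration.

```python
import re

# The six entries quoted in the post above, plus one constructed benign line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ROAD TOOL EXTRA VGA] C:\Documents and Settings\All Users\Application Data\Ante four vga mfcd\mpeg axis drv.exe
O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\blah support.exe
O4 - HKCU\..\Run: [Windows] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example Vendor\updater.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# Assumption of this example: autoruns launching from these folders deserve review.
ODD_DIRS = ("\\application data\\", "\\start menu\\programs\\startup\\")


def triage(log_text):
    """Return (section, reason, detail) for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, blank lines, anything that is not an entry
        section, body = m.groups()
        low = body.lower()
        if section in ("R0", "R1") and ",window title" in low:
            findings.append((section, "IE window title overridden", body.partition("=")[2].strip()))
        elif section == "O2" and low.endswith("(no file)"):
            clsid = re.search(r"\{[0-9A-Fa-f-]{36}\}", body)
            findings.append((section, "BHO registered but file missing", clsid.group(0) if clsid else body))
        elif section == "O4":
            run = RUN.match(body)
            if run and any(d in run.group(4).lower() for d in ODD_DIRS):
                detail = f"{run.group(1)} [{run.group(3)}] {run.group(4)}"
                findings.append((section, "autorun from user-writable path", detail))
        elif section == "O7" and re.search(r"disabletaskmgr\s*=\s*1", low):
            findings.append((section, "Task Manager disabled by policy", body))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

A finding here is a prompt for review, not a verdict: legitimate software also writes to these locations.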


  • Registered Users, Registered Users 2 Posts: 276 ✭✭k101


    This is what I got



    File/Folder Code: not found.
    C:\Documents and Settings\All Users\Application Data\Ante four vga mfcd moved successfully.
    C:\Documents and Settings\All Users\Application Data\Roam Program Comp About moved successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe moved successfully.
    File/Folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe not found.
    C:\WINDOWS\pss\SRVSPOOL.exeCommon Startup moved successfully.
    [Custom Input]
    < purity >
    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SRVSPOOL.exe >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SRVSPOOL.exe\\ deleted successfully.

    OTMoveIt2 v1.0.20 log created on 03032008_224247


  • Registered Users, Registered Users 2 Posts: 276 ✭✭k101


    The 07-hkcu item wasn't on the list for me to tick either


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    No worries, can you post a new DSS log there?


  • Registered Users, Registered Users 2 Posts: 276 ✭✭k101


    d


  • Registered Users, Registered Users 2 Posts: 276 ✭✭k101


    Have you got what you need? Looks like you have got rid of it, thanks


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    You need to post a new DSS log or I can't be sure


  • Registered Users, Registered Users 2 Posts: 276 ✭✭k101


    I will PM you.


  • Registered Users, Registered Users 2 Posts: 276 ✭✭k101


    n


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    I'm not here waiting for your reply so I can copy and paste it to notepad

    If you won't post it I will just assume you are clean


  • Registered Users, Registered Users 2 Posts: 276 ✭✭k101


    --


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hello

    Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe



    Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    


    Then double click on the fix.reg file, when it prompts to merge click "Yes".



    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Reboot and post a new DSS log and tell me how your PC is running
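
In the fix.reg above, `"DisableTaskMgr"=-` deletes that value rather than setting it, which is easy to misread. The following is an added example, not part of the thread or of any tool named in it, that lists what a .reg file will do before it is merged; it goes beyond the single case in the post by also reporting key deletions and value writes, and the function name `reg_operations` is hypothetical.

```python
import re

# The fix.reg exactly as given in the post above.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
'''

# A value line: @ (the default value) or a quoted name, then "=" and the data.
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")


def reg_operations(text):
    """Return (operation, key, value_name, data) for each change in a .reg file."""
    # Long hex values continue onto the next line after a trailing backslash.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    lines = [l.strip() for l in joined.splitlines()
             if l.strip() and not l.lstrip().startswith(";")]  # drop blanks, comments
    if not lines or lines[0] not in HEADERS:
        raise ValueError("not a .reg file: missing header line")
    ops, key = [], None
    for line in lines[1:]:
        if line.startswith("[") and line.endswith("]"):
            if line.startswith("[-"):          # [-KEY] removes the key and its subkeys
                ops.append(("delete-key", line[2:-1], None, None))
                key = None
            else:
                key = line[1:-1]
            continue
        m = VALUE.match(line)
        if not m or key is None:
            raise ValueError(f"unparseable line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        if m.group(2) == "-":                   # "name"=- removes just that value
            ops.append(("delete-value", key, name, None))
        else:
            ops.append(("set-value", key, name, m.group(2)))
    return ops


if __name__ == "__main__":
    for op in reg_operations(FIX_REG):
        print(op)
```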


  • Registered Users, Registered Users 2 Posts: 276 ✭✭k101


    Malwarebytes' Anti-Malware 1.05
    Database version: 449

    Scan type: Full Scan (C:\|)
    Objects scanned: 226967
    Time elapsed: 1 hour(s), 15 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\tvengine.bho (Spyware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\tvengine.bho.1 (Spyware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{9fe6e4aa-800c-46a6-943d-dd83d90c25f0} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\Hotbar (Adware.Hotbar) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\HbTools\Bin\4.8.2.0\dBenderC.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP421\A0520243.exe (Trojan.Downloader) -> Quarantined and deleted successfully


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Post a new DSS log and tell me how your PC is running

