Note: These steps require modifying the Windows system Registry. For instructions on using the Registry, see the Windows System Registry Tutorial.
If you haven't already done so, boot into safe mode.
Search for and delete the following folder, if found:
C:\Program Files\UniGray Antivirus
You may also wish to delete the following:
C:\Program Files\RegistryCleanFix2008
Search the global startup folder for the following file and delete the file if found:
SRVSPOOL.EXE
By default, the global startup folder location is
C:\Documents and Settings\All Users\Start Menu\Programs\StartupClick Start, click Run, type REGEDIT, and click OK. The Registry Editor will now open.
Note: To avoid unwanted page wrapping, the following abbreviations are used in the steps below:
HKCU = HKEY_CURRENT_USER
HKLM = HKEY_LOCAL_MACHINETo fix the title bar changes to Internet Explorer and Outlook Express caused by MonaRonaDona, browse to the following keys and delete the values indicated:
HKCU\Software\Microsoft\Internet Explorer\Main
Delete value: Window TitleHKLM\Software\Microsoft\Internet Explorer\Main
Delete value: Window TitleHKCU\Software\Microsoft\Outlook Express
Delete value: WindowTitleTo regain access to Task Manager, which was disabled by MonaRonaDona, browse to the following keys and delete the values indicated:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Delete value: DisableTaskMgrHKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Delete value: DisableTaskMgrYou may also wish to delete the following:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Delete value: RegistryCleanFixMFCClose the Registry editor by choosing File | Exit
Reboot the computer normally. The system should now be free of the MonaRonaDona 'virus' and the system changes made by the Trojan should now be reversed.
