mrcleanpc.com hijacker?

callmemrv

I searched the forums and cannot find anyone having this specific issue.

I am relatively new to win7 and a novice by all means. I have recently acquired a browser 'hijacker' that tries to send me to www.mrcleanpc.com rather than my intended destination. It never makes it to that site; it just keeps shuttering. I can go back a page and try other sites from Google, and sometimes I go right there, sometimes mrcleanpc tries to load.

I have updated and run Spy-Bot S&D, Malwarebytes and AVG. I tried the MS malicious removal tool too. I updated to IE9 and installed Google Chrome (to try a different browser). And it is still there. I did a search for mrcleanpc and did not find any files on my laptop with that name.

Can someone please tell me where to look and how to get there and what I should look for? LOL.

I like 7 but it seems more difficult to get in deep to the file structure. I really don't want to mess anything up! I am dangerous that way. I was hoping to be able to get to the temporary internet files folder and see if there was something that I could clean out but I cannot find that either (help here too).

Basically any advice is appreciated. As for system restore????? That will bring me back to a non-issue time but will the hijacker not still be residing somewhere?

Thanks in advance for all your assistance.

Callmemr.V
in SC
 

My Computer

Computer Manufacturer/Model Number
Acer aspire 5336
OS
windows 7 home premium 64-bit
CPU
Intel Celeron 925 2.30GHz 2.29ghz
Motherboard
?
Memory
250 GB HDD 3GB DDR3
Graphics Card(s)
?
Sound Card
Intel High Definition Audio HDMI
Monitor(s) Displays
laptop 16.5 generic PnP
Hard Drives
Toshiba MK2565GSX
PSU
Intel GMA 4500MHD
Keyboard
standard PS/2
Internet Speed
cable
Other Info
not sure if i put everything in the right place
I would reboot into safe mode and run MalwareBytes.
If this does not work, I would suggest ComboFix. (Disclaimer - Have a good backup of your material because while it is a great tool it risks damaging your OS since it does attempt to correct some system files. + I do not claim any liability for damages done, this is merely a suggestion.)
 

Note
Some folk say this tool is outdated, not so in my experience. If I had a pound for every time it has removed a nasty, simply and efficiently without the need for multiple scans, safe mode, etc, I'd be a lucky fellow. It takes a couple of minutes to use and will often rid you of a browser hijacker or unwanted search toolbar with little fuss...

Always worth a try for this type of thing, before you get the big guns out.


1. Download HijackThis *executable (no installer)*
2. Create a restore point, close any open programs, Explorer, etc, and then run the executable
3. Click Scan at bottom-left, and wait
4. Check down the list for the item you want to remove and check the box next to it (you may have to do a little research here if the name is not obvious)
5. Click "Fix Checked" and follow the prompts

Hopefully it can help you with this?
 

Seeing how HijackThis is basically a way to remove certain unwanted entries from the registry in a convenient way, make sure you have a good backup before you simply check everything and click on fix it. You could always run the log file through here and see what the experts say... or, with some caution and common sense, use an automated log file analyzer for that:
HijackThis Logfileauswertung
HiJackThis! Log auto analyzer V2
 

Good additional points SledgeDG, for which I couldn't agree more.
 

Norton has a tool called power eraser
Norton Rescue Tools
In the past it has gotten rid of fake antivirus programs, and browser redirect issues. Again, a backup before running it is in order. Also read the instructions with the tool. A system restore might also solve the issue; if you can remember when your PC started doing this, just restore to a point before then. And to answer your question: no, if you do a system restore the browser redirect bug shouldn't be residing on your PC any longer, assuming you restored to the proper point.
 

I would reboot into safemode and run MalwareBytes

I could not get into safe mode! There was an F2 option but I could not find safe mode anywhere in there. It had an F12 boot option but that did not have a safe mode either. I realize that no one has the same setup so F-buttons are different... Is there a way to find safe mode? I would like to try that first.

THANK YOU EVERYONE FOR YOUR IDEAS SO FAR, HOPEFULLY ONE WILL WORK SOON. :p
 

Try pressing F8 instead of F2 & F12, you should then get the option to boot into safe mode.

Regards,
JDobbsy1987
 

F8

Just a little more coaching... Your BIOS screens will roll by and then when they are all done Windows begins a boot. You may have to observe this boot to get the exact timing. When the BIOS is done, at that instant you want to begin tapping F8. Like I say, you may have to do multiple tries to get the correct timing. I miss it sometimes.
 
This is from the Aspire 5336 handbook: http://support.acer.com/acerpanam/Manuals/acer/2010/ServiceGuides/SG_Aspire_5336_20100811.pdf

BIOS Setup Utility

The BIOS Setup Utility is a hardware configuration program built into your computer’s BIOS (Basic Input/Output System).

Your computer is already properly configured and optimized, and you do not need to run this utility. However, if you encounter configuration problems, you may need to run Setup. Please also refer to Chapter 4 Troubleshooting when problem arises.

To activate the BIOS Utility, press F2 during POST (when “Press <F2> to enter Setup” message is prompted on the bottom of screen).

The default parameter of F12 Boot Menu is set to “disabled”. If you want to change boot device without entering BIOS Setup Utility, please set the parameter to “enabled”.

Press <F12> during POST to enter multi-boot menu. In this menu, user can change boot device without entering BIOS SETUP Utility
 

Everyone is awesome here! :D You have all been so very quick to help me out. I finally got in through safe mode by tapping F8. This hijacker wouldn't let me go to any MS pages that would instruct on the safe mode!

So I tried Malwarebytes and Spy-Bot in safe mode and neither found anything! I did a system restore from 2 weeks ago and all seems back to normal for now! Not sure how it got there in the first place.

Once again, thank you all. I am sure I will be back.
 

Good Show

Well, you got it working, good for you. Some advice: since we don't really know what the infection was, I would do some more scanning. You say Malwarebytes doesn't find anything. What are you using for an antivirus? You could always download Microsoft Security Essentials and scan with that. You could try free Avast, and when you are done scanning turn them all off except the one you prefer. You could even uninstall the ones you don't want. One other option you have is, from an administrator command prompt* window, run "mrt" (no quotes).

*Right click Command Prompt in Accessories and select "Run As Admin" for an elevated command prompt
 

I know that the issue has been solved, but does anyone think that his "hosts" file may have been compromised?

If the issue was appearing with every browser (including newly installed ones), the hosts file seems like it may have been the suspect...
 

I know that the issue has been solved, but does anyone think that his "hosts" file may have been compromised?

If the issue was appearing with every browser (including newly installed ones), the hosts file seems like it may have been the suspect...

This is a good idea and can't hurt to look :)

callmemrv, this guide will help you check your host file, if you are unsure of anything then please don't hesitate to ask :D
http://www.sevenforums.com/tutorials/78266-hosts-file-use-windows-7-vista.html?ltr=H

An untouched host file would look something like this:
[Image: Hosts_Info.jpg]
Image was used from the above tutorial

Regards,
JDobbsy1987
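
The hosts-file check suggested in the last two posts, as an added PowerShell example that is not part of any post in this thread: it lists every active (uncommented) hosts entry other than `localhost` on loopback, since those are the lines that redirect or block a name in every browser at once. `Get-HostsOverride` is a hypothetical helper name, the sample lines are constructed, and the path assumes a default Windows install.

```powershell
# Added example: list active hosts-file entries that override normal DNS lookups.
# Get-HostsOverride is a hypothetical helper name, not a built-in cmdlet.
function Get-HostsOverride {
    param([string[]]$Lines)
    $loopback = '127.0.0.1', '::1'
    $n = 0
    foreach ($line in $Lines) {
        $n++
        # Everything after '#' is a comment; a stock Windows 7 file is all comments.
        $active = ("$line" -replace '#.*$', '').Trim()
        if ($active -eq '') { continue }
        $fields = @($active -split '\s+')
        if ($fields.Count -lt 2) { continue }   # address with no host name
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # localhost pointing at loopback is the one mapping expected here.
            if ($name -eq 'localhost' -and $loopback -contains $ip) { continue }
            New-Object PSObject -Property @{ Line = $n; Address = $ip; Name = $name }
        }
    }
}

# Constructed sample (documentation address range and example domains).
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '#    127.0.0.1       localhost',
    '127.0.0.1       localhost',
    '203.0.113.10    search.example.com www.example.com   # constructed redirect',
    '0.0.0.0         update.example.net'
)
Get-HostsOverride -Lines $sample | Format-Table Line, Address, Name -AutoSize

# The same check against the live file (default install path assumed).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-HostsOverride -Lines (Get-Content $hostsPath) |
    Format-Table Line, Address, Name -AutoSize
```

Any row printed for the live file is a name that no longer resolves through DNS and deserves a closer look; an empty result means the file has no active overrides.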
 
