Search box hijacked on my cousin's computer.

Tobolo

Diamond Member
Aug 17, 2005
I keep getting redirected on a search to http://feedgala.com

Could anyone possibly tell me how to fix this? I read some other forums and did what was recommended, but no luck. I did download HijackThis and here is the log from it:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:39:20 PM, on 10/22/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\windows\system32\Dwm.exe
C:\windows\system32\taskeng.exe
C:\windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\F-Secure\common\FSM32.EXE
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Elizabeth\Downloads\HijackThis.exe
C:\Users\Elizabeth\Desktop\HijackThis.exe
C:\windows\system32\SearchFilterHost.exea
C:\windows\System32\mobsync.exe
C:\windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg204.mail.yahoo.com/dc/launch?.partner=sbc&.gx=0&.rand=1200v9l91629l
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: BHO_Startup - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos2.walmart.com/WalmartActivia.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O20 - AppInit_DLLs: APSHook.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0136581287543102) (0136581287543102mcinstcleanup) - Unknown owner - C:\Users\ELIZAB~1\AppData\Local\Temp\013658~1.EXE (file missing)
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: File Sanitizer for HP ProtectTools (HPFSService) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 8048 bytes

Lanyap

Elite Member
Dec 23, 2000
Nothing really stands out in the list. Here is what I would try.

> Run system restore to a previously known good date. The only thing I like about Vista is that it is consistently successful on system restores, unlike XP.

> Download, install and run Malwarebytes. If you can't download it from the infected PC then download it on another PC and transfer it to the infected PC.

Maverick6969

Member
Feb 10, 2010
I keep getting redirected on a search to http://feedgala.com

Could anyone possibly tell me how to fix this?

There is a website where you can upload your HijackThis log (or simply copy & paste it) and it will tell you if there are any suspicious or dangerous items to be fixed. From your log, there are two that stand out as suspicious.

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

------------------------------------

Afterwards, I would also do a full system scan with Spybot Search & Destroy.
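The two entries singled out above share one tell: a registered CLSID (an O2 browser helper object and an O3 toolbar) with no DLL behind it, and the log also carries an O23 service whose binary is gone. The script below is an added example, not code from this thread or from HijackThis, that parses lines in the log's section format and flags those patterns so they can be checked against the vendor before anything is removed. The two "(no file)" lines are copied from the log above; every other sample line, path and CLSID is constructed for the example, and the line regex and the per-section rules are my own reading of the format.

```python
"""Triage helper for HijackThis-style log lines (added example).

Flags entries that deserve a second look: O2/O3 hooks whose DLL is missing,
O23 services whose binary is missing, O20 AppInit_DLLs entries (loaded into
every process that uses user32.dll), and O4 autoruns launched from a Temp
folder.  A flag is a prompt to verify the publisher, not a verdict.
"""
import re

# Constructed sample: the two "(no file)" lines are from the posted log, the
# rest (Example Corp paths, 1111... CLSID, USER~1 profile) are made up.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\\..\\Run: [ExampleUpdater] "C:\\Program Files\\Example\\updater.exe" /quiet
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Example Cleanup (examplecleanup) - Unknown owner - C:\\Users\\USER~1\\AppData\\Local\\Temp\\013658~1.EXE (file missing)
O23 - Service: Example Service (examplesvc) - Example Corp - C:\\Program Files\\Example\\svc.exe
"""

# Every entry line starts with a section tag (R0, R1, O2, O23 ...), a dash,
# then the body.  Headers such as "Running processes:" do not match.
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


def parse_entry(line):
    """Split one log line into (section, body); None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def classify(line):
    """Return a reason string if the entry deserves review, else None."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, body = parsed
    if section in ("O2", "O3") and body.endswith("(no file)"):
        return "orphaned %s hook: registered CLSID with no DLL on disk" % section
    if section == "O23" and body.endswith("(file missing)"):
        return "service whose binary is gone (often left over from removed software)"
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].strip()
        if dlls:  # an empty AppInit_DLLs value is the normal state
            return "AppInit_DLLs loads %s into every user32.dll process" % dlls
    if section == "O4" and "\\Temp\\" in body:
        return "autorun entry launched from a Temp folder"
    return None


def review_log(text):
    """Return [(line, reason)] for every flagged entry, in log order."""
    findings = []
    for line in text.splitlines():
        reason = classify(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for flagged_line, reason in review_log(SAMPLE_LOG):
        print(reason)
        print("    " + flagged_line)
```

Run it against a saved log with `review_log(open("hijackthis.log").read())`. The rules are deliberately narrow: an entry that points at a real file from a known publisher (the HP and F-Secure lines in the log above, for instance) is never flagged, which keeps the output down to the handful of lines a helper would actually ask about.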

Maverick6969

Member
Feb 10, 2010
A quick word about scanning with Spybot Search & Destroy. After you install the application, download the update definitions separately (they are available as a separate download from Spybot S&D's website). Due to the growing size of the update definitions, the download has become rather large.

On badly infected PCs, if Spybot S&D finds a lot of malware (I'm talking in the neighborhood of 100 or more), it is unable to delete them all in one fell swoop. Afterwards, you should reboot the system, go into safe mode and scan once more with Spybot S&D. In my experience, I have often found that Spybot will find yet more of them while in safe mode.

You can shave a little time off the scanning if you empty out your internet folder and temp folder cache.
C:\Windows\temp
C:\Users\{username}\Local\temp