search_glow in task manager

[bigpeto]

last week my computer starting running real slow, i opened up task manager and found "search_glow" listed 3 or 4 times in the applications section. since then i cannot access the security center and i also get a balloon saying that my firewall is down, i have ran search and destroy and it also noted that there has been registry changes to disable the firewall, i have also ran adaware se and it has noticed the "search_glow." today whatever is making the changes to my computer has now made changes to the security portion or my internet and intranet sections of my computer....need help please!!

thanks

[Pieter_Arntz]

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you called combofix.log. Post the content of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Regards,

Pieter

[bigpeto]

Compaq_Owner - 06-10-02 12:30:18.26 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))


2006-09-28 08:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-02 09:07 4336 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\.googlewebacchosts
2006-10-02 08:36 -------- d-------- C:\Program Files\Internet Explorer
2006-10-02 07:52 -------- d-------- C:\Program Files\Microsoft Windows OneCare Live
2006-09-29 08:05 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-28 14:13 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2006-09-28 14:12 -------- d-------- C:\Program Files\Lavasoft
2006-09-28 13:59 -------- d-------- C:\Program Files\Yahoo!
2006-09-14 11:51 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Adobe
2006-09-14 10:13 -------- d---s---- C:\Documents and Settings\Compaq_Owner\Application Data\Microsoft
2006-09-13 08:45 -------- d-------- C:\Program Files\Windows Live Toolbar
2006-09-13 08:44 -------- d-------- C:\Program Files\Windows Live Favorites
2006-09-06 16:04 -------- d-------- C:\Program Files\Google
2006-09-01 09:24 -------- d-------- C:\Program Files\Common Files\Scanner
2006-08-31 12:30 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-31 12:29 -------- d-------- C:\Program Files\Microsoft Office
2006-08-23 00:31 5906432 --------- C:\WINDOWS\system32\ieframe.dll
2006-08-23 00:31 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-08-23 00:31 457728 --------- C:\WINDOWS\system32\msfeeds.dll
2006-08-23 00:31 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-08-23 00:31 225792 --a------ C:\WINDOWS\system32\webcheck.dll
2006-08-23 00:31 175616 --------- C:\WINDOWS\system32\ieui.dll
2006-08-23 00:31 152064 --a------ C:\WINDOWS\system32\msls31.dll
2006-08-23 00:18 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-08-23 00:18 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-08-23 00:17 40448 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-08-23 00:17 105472 --a------ C:\WINDOWS\system32\url.dll
2006-08-23 00:17 100352 --a------ C:\WINDOWS\system32\occache.dll
2006-08-23 00:16 16896 --a------ C:\WINDOWS\system32\corpol.dll
2006-08-23 00:14 378368 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-08-23 00:14 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-08-23 00:13 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-08-23 00:13 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-08-23 00:13 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-08-23 00:13 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-08-23 00:13 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-08-23 00:13 122880 --a------ C:\WINDOWS\system32\advpack.dll
2006-08-23 00:13 11776 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-08-23 00:11 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-08-23 00:10 61440 --------- C:\WINDOWS\system32\icardie.dll
2006-08-23 00:10 35328 --a------ C:\WINDOWS\system32\imgutil.dll
2006-08-23 00:09 262656 --------- C:\WINDOWS\system32\iertutil.dll
2006-08-23 00:07 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-08-22 23:37 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-08-22 23:36 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-08-22 23:30 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-10 19:46 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-08-07 14:14 -------- d-------- C:\Program Files\Common Files\xing shared
2006-08-07 14:14 -------- d-------- C:\Program Files\Common Files
2006-08-07 14:13 -------- d-------- C:\Program Files\Common Files\Real
2006-08-04 12:18 613208 --a------ C:\WINDOWS\system32\WINSSWEBAGENT.DLL
2006-08-04 12:10 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-04 12:10 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-04 12:10 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Google
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-20 12:24 14872 --a------ C:\WINDOWS\system32\SBBD.exe
2006-07-14 08:52 121856 --a------ C:\WINDOWS\system32\xmllite.dll
2006-07-11 13:04 0 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
@=""
"PCDrProfiler"=""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HP Software Update"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
48,50,5c,48,50,20,53,6f,66,74,77,61,72,65,20,55,70,64,61,74,65,5c,48,50,77,\
75,53,63,68,64,32,2e,65,78,65,00
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"YCentral"="C:\\Program Files\\Yahoo!\\YCentral\\YahooCentral.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Mon 10/02/2006 12:31:02.20
ComboFix.txt

[Pieter_Arntz]

So these symptoms started when you installed IE7 ?

If you click Start > run > and copy wscui.cpl into the window.
Does the Security Center come up after clicking OK to execute the command?

If so, check the settings and let me know if you can change them to your preferences.

Regards,

Pieter

[bigpeto]

not really, i've had ie7 installed for a few months now.
when i go into security center, i cannot change anything, but there is something on top stating "For your security, some settings are controlled by Group Policy." i have never seen this before, and there isnt a group administrator or IT guy that comes in and restricts stuff to this computer.

thanks,

pete

[Pieter_Arntz]

I'd like to have a look at a part of your registry.

Can you click Start > Run > and copy this command in the window:

regedit /e C:\firewalpolicy.txt "HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall"

Click OK to execute the command.
If the key exists that will create the file C:\firewalpolicy.txt
Find that file and post the content please.
Do not delete it, we might need it as a a backup.

Regards,

Pieter

[bigpeto]

indows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\DomainProfile]
"MPSLegacyEnableFirewall"=dword:00000000
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[bigpeto]

pieter,

one more thing, when i run spybot search and destroy, i got this:

Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1

Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1

MediaPlex: Tracking cookie (Internet Explorer: Compaq_Owner) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-09-28 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-09-29 Includes\Cookies.sbi (*)
2006-09-29 Includes\Dialer.sbi (*)
2006-09-29 Includes\Hijackers.sbi (*)
2006-09-29 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-09-29 Includes\Malware.sbi (*)
2006-09-29 Includes\PUPS.sbi (*)
2006-09-29 Includes\Revision.sbi (*)
2006-09-29 Includes\Security.sbi (*)
2006-09-29 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-09-29 Includes\Trojans.sbi (*)

[Mrkvonic]

Hello,
Pieter, what's this combofix?
Mrk

[bigpeto]

hi,
in post #3 is combofix, the last post (#9), was something i pulled from spybot, search and destroy. reason i posted it was because it looked familiar to the previous post.

[Pieter_Arntz]

Those Spybot warnings look a bit strange.
It looks as if they are saying the enablefirewall values are set to 1
Which would be nice, but your registry export shows they are disabled (set to 0)

Please rename C:\firewalpolicy.txt (the one we made) to oldfirewalpolicy.reg
Should the fix I'm ghoing to propose mess something up you can doubleclick it to restore the old values.

Now copy the part in bold below into notepad and save it as newfirewallpolicy.reg
Set the Filetype to "All files"

REGEDIT4

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\DomainProfile]
"MPSLegacyEnableFirewall"=-
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\StandardProfile]
"EnableFirewall"=dword:00000001


Doubleclick the file and confirm you want to merge it with the registry.

Reboot and let me know if Spybot still finds a problem with the WindowsSecurityCenter

Regards,

Pieter

[bigpeto]

yes, spybot still says that there is a registry change after doing the instructions you told me.

[justinw]

search_glow is part of the UI for Windows Live Toolbar.

It is not directly related to your IE7 installation or any of its security settings, and should not be responsible for any of those firewall problems you describe.

It sounds like it isn't always destroyed, and that may be a separate problem, but still unrelated to the security issues you mention.

[Pieter_Arntz]

Quote:

Originally Posted by bigpeto

yes, spybot still says that there is a registry change after doing the instructions you told me.

Sorry to keep you waiting. I missed your reply.

Can you delete the C:\firewalpolicy.txt we made earlier an make a new one?

I'd like to see if the changes were undone.

Regards,

Pieter

[tbone_wirick]

I think justinw is almost certainly right. I started noticing ie7 hanging every since I started using the windows live search bar. When it's hanging the taskmanager shows instances of search_glow. I kill them and IE shuts down. I still haven't found a fix, if one even exists.

[slimpopo]

i got it when i downloaded install_ICQ
instand chat q.. or something maybe this will help..? i have this damned problem also internet lags LOT.. wtf why dont you have ungry emotics?

[cabaratz]

Yeah... if you disable the Windows Live Toolbar from IE, then you'll see the search_glow disappear from the Task Manager.
Thanx!

[Ronald_Hutch]

Hello,
I am new to Wilders Security Forums!
I came across Wilders by running a Yahoo search for Search_Glow Running
I have 12 instances of search_glow in task manager!
I have read the posts by bigpeto , and Pieter_Arntz , and found them interesting !
The Question I would like to ask is does combofix.exe , sort this Problem ?

Or do I have to disable Windows Live Toolbar ?
Regards,
Ronald_Hutch.

bigpeto October 2nd, 2006, 07:47 PM
last week my computer starting running real slow, i opened up task manager and found "search_glow" listed 3 or 4 times in the applications section. since then i cannot access the security center and i also get a balloon saying that my firewall is down, i have ran search and destroy and it also noted that there has been registry changes to disable the firewall, i have also ran adaware se and it has noticed the "search_glow." today whatever is making the changes to my computer has now made changes to the security portion or my internet and intranet sections of my computer....need help please!!
thanks
--------------------------------------------------------------------------------
Pieter_Arntz October 2nd, 2006, 07:55 PM
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you called combofix.log. Post the content of that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Regards,
Pieter

[ccsito]

According to this link, search_glow is related to Windows Live Toolbar.

Quote:

Search_glow is buggy in Live Toolbar

A number of people are finding a process called search_glow on their PCs. Some are having problems from it (crashes, hangs, etc.). It's causing a stir on various security forums, and among Windows Secrets readers like Lou Nihoul, too.

"When I start IE 7.0, Task Manager shows an application, search_glow. Is this normal, and if so what is it? I can't find anything out about this app."

Search_glow is part of Microsoft's Windows Live Toolbar package, Lou, and it's apparently a weak link in that product. The number of problem reports about it is climbing. Fortunately, the immediate solution is easy. Just go to the Add/Remove Programs applet in the Control Panel and uninstall Windows Live Toolbar and Desktop Search. The toolbar and its search_glow component will go away.

After removing the toolbar, it'd be wise to run a full antimalware scan, just to be certain your PC is clean. There's no indication yet that malicious hackers are using search_glow or Windows Live Toolbar as a malware entry point, but it never hurts to check.

And if you do have trouble with search_glow or any part of the Windows Live Toolbar, be sure to use Microsoft's feedback form so the Microsofties will know the scope of the problem and can fashion a patch

http://ca.answers.yahoo.com/question...6090306AA7Cf04