search_glow in task manager

Discussion in 'malware problems & news' started by bigpeto, Oct 2, 2006.

Thread Status:
Not open for further replies.
  1. bigpeto (Registered Member)

    Last week my computer started running really slow. I opened up Task Manager and found "search_glow" listed 3 or 4 times in the Applications section. Since then I cannot access the Security Center and I also get a balloon saying that my firewall is down. I have run Search and Destroy and it also noted that there have been registry changes to disable the firewall; I have also run Ad-Aware SE and it has noticed the "search_glow." Today whatever is making the changes to my computer has now made changes to the security portion of my Internet and intranet sections of my computer... need help please!!

    thanks
  2. Pieter_Arntz (Spyware Veteran)

    1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you called combofix.log. Post the content of that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Regards,

    Pieter
  3. bigpeto (Registered Member)

    Compaq_Owner - 06-10-02 12:30:18.26 Service Pack 2
    ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))


    2006-09-28 08:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-02 09:07 4336 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\.googlewebacchosts
    2006-10-02 08:36 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-02 07:52 -------- d-------- C:\Program Files\Microsoft Windows OneCare Live
    2006-09-29 08:05 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-09-28 14:13 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
    2006-09-28 14:12 -------- d-------- C:\Program Files\Lavasoft
    2006-09-28 13:59 -------- d-------- C:\Program Files\Yahoo!
    2006-09-14 11:51 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Adobe
    2006-09-14 10:13 -------- d---s---- C:\Documents and Settings\Compaq_Owner\Application Data\Microsoft
    2006-09-13 08:45 -------- d-------- C:\Program Files\Windows Live Toolbar
    2006-09-13 08:44 -------- d-------- C:\Program Files\Windows Live Favorites
    2006-09-06 16:04 -------- d-------- C:\Program Files\Google
    2006-09-01 09:24 -------- d-------- C:\Program Files\Common Files\Scanner
    2006-08-31 12:30 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-08-31 12:29 -------- d-------- C:\Program Files\Microsoft Office
    2006-08-23 00:31 5906432 --------- C:\WINDOWS\system32\ieframe.dll
    2006-08-23 00:31 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-08-23 00:31 457728 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-08-23 00:31 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-08-23 00:31 225792 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-08-23 00:31 175616 --------- C:\WINDOWS\system32\ieui.dll
    2006-08-23 00:31 152064 --a------ C:\WINDOWS\system32\msls31.dll
    2006-08-23 00:18 78336 --a------ C:\WINDOWS\system32\ieencode.dll
    2006-08-23 00:18 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
    2006-08-23 00:17 40448 --a------ C:\WINDOWS\system32\licmgr10.dll
    2006-08-23 00:17 105472 --a------ C:\WINDOWS\system32\url.dll
    2006-08-23 00:17 100352 --a------ C:\WINDOWS\system32\occache.dll
    2006-08-23 00:16 16896 --a------ C:\WINDOWS\system32\corpol.dll
    2006-08-23 00:14 378368 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-08-23 00:14 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-08-23 00:13 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-08-23 00:13 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-08-23 00:13 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-08-23 00:13 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-08-23 00:13 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-08-23 00:13 122880 --a------ C:\WINDOWS\system32\advpack.dll
    2006-08-23 00:13 11776 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-08-23 00:11 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
    2006-08-23 00:10 61440 --------- C:\WINDOWS\system32\icardie.dll
    2006-08-23 00:10 35328 --a------ C:\WINDOWS\system32\imgutil.dll
    2006-08-23 00:09 262656 --------- C:\WINDOWS\system32\iertutil.dll
    2006-08-23 00:07 45568 --a------ C:\WINDOWS\system32\mshta.exe
    2006-08-22 23:37 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
    2006-08-22 23:36 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
    2006-08-22 23:30 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-10 19:46 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2006-08-07 14:14 -------- d-------- C:\Program Files\Common Files\xing shared
    2006-08-07 14:14 -------- d-------- C:\Program Files\Common Files
    2006-08-07 14:13 -------- d-------- C:\Program Files\Common Files\Real
    2006-08-04 12:18 613208 --a------ C:\WINDOWS\system32\WINSSWEBAGENT.DLL
    2006-08-04 12:10 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-04 12:10 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-08-04 12:10 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Google
    2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-20 12:24 14872 --a------ C:\WINDOWS\system32\SBBD.exe
    2006-07-14 08:52 121856 --a------ C:\WINDOWS\system32\xmllite.dll
    2006-07-11 13:04 0 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
    @=""
    "PCDrProfiler"=""
    "HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
    "HP Software Update"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
    48,50,5c,48,50,20,53,6f,66,74,77,61,72,65,20,55,70,64,61,74,65,5c,48,50,77,\
    75,53,63,68,64,32,2e,65,78,65,00
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "YCentral"="C:\\Program Files\\Yahoo!\\YCentral\\YahooCentral.exe"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: Mon 10/02/2006 12:31:02.20
    ComboFix.txt
  4. Pieter_Arntz (Spyware Veteran)

    So these symptoms started when you installed IE7?

    If you click Start > run > and copy wscui.cpl into the window.
    Does the Security Center come up after clicking OK to execute the command?

    If so, check the settings and let me know if you can change them to your preferences.

    Regards,

    Pieter
  5. bigpeto (Registered Member)

    Not really, I've had IE7 installed for a few months now.
    When I go into Security Center, I cannot change anything, but there is something on top stating "For your security, some settings are controlled by Group Policy." I have never seen this before, and there isn't a group administrator or IT guy that comes in and restricts stuff on this computer.

    thanks,

    pete
  6. Pieter_Arntz (Spyware Veteran)

    I'd like to have a look at a part of your registry.

    Can you click Start > Run > and copy this command in the window:

    regedit /e C:\firewalpolicy.txt "HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall"


    Click OK to execute the command.
    If the key exists that will create the file C:\firewalpolicy.txt
    Find that file and post the content please.
    Do not delete it, we might need it as a backup.

    Regards,

    Pieter
  7. bigpeto (Registered Member)

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall]

    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\DomainProfile]
    "MPSLegacyEnableFirewall"=dword:00000000
    "EnableFirewall"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\StandardProfile]
    "EnableFirewall"=dword:00000000
  8. bigpeto (Registered Member)

    pieter,

    one more thing, when i run spybot search and destroy, i got this:

    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1

    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1

    MediaPlex: Tracking cookie (Internet Explorer: Compaq_Owner) (Cookie, nothing done)



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-09-28 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2006-02-20 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-09-29 Includes\Cookies.sbi (*)
    2006-09-29 Includes\Dialer.sbi (*)
    2006-09-29 Includes\Hijackers.sbi (*)
    2006-09-29 Includes\Keyloggers.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2006-09-29 Includes\Malware.sbi (*)
    2006-09-29 Includes\PUPS.sbi (*)
    2006-09-29 Includes\Revision.sbi (*)
    2006-09-29 Includes\Security.sbi (*)
    2006-09-29 Includes\Spybots.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-09-29 Includes\Trojans.sbi (*)
  9. Mrkvonic (Linux Systems Expert)

    Hello,
    Pieter, what's this combofix?
    Mrk
  10. bigpeto (Registered Member)

    hi,
    In post #3 is ComboFix; the last post (#9) was something I pulled from Spybot Search and Destroy. The reason I posted it was because it looked familiar to the previous post.
  11. Pieter_Arntz (Spyware Veteran)

    Those Spybot warnings look a bit strange.
    It looks as if they are saying the enablefirewall values are set to 1
    Which would be nice, but your registry export shows they are disabled (set to 0)

    Please rename C:\firewalpolicy.txt (the one we made) to oldfirewalpolicy.reg
    Should the fix I'm going to propose mess something up, you can doubleclick it to restore the old values.

    Now copy the part below (from REGEDIT4 through the last EnableFirewall line) into Notepad and save it as newfirewallpolicy.reg
    Set the Filetype to "All files"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\DomainProfile]
    "MPSLegacyEnableFirewall"=-
    "EnableFirewall"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\StandardProfile]
    "EnableFirewall"=dword:00000001


    Doubleclick the file and confirm you want to merge it with the registry.

    Reboot and let me know if Spybot still finds a problem with the WindowsSecurityCenter

    Regards,

    Pieter
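Posts 6, 7 and 11 above all work on one registry key. The Python script below is an added example for this page, not code from the thread or from any of the tools named in it. It parses a `regedit /e` export like the one bigpeto posted (a constructed copy is embedded as SAMPLE_EXPORT so it runs offline), reports which firewall profiles a policy value forces off, and emits the corrective REGEDIT4 text Pieter proposed. The `release_policy` option and the sample data are assumptions of the example. Background the check relies on: values under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall are policy settings that override the local firewall configuration, which is why Security Center shows "controlled by Group Policy" and greys out its controls. Spybot's `enablefirewall!=dword:1` lines state a failed expectation (the value is not the dword:1 Spybot wants), so they agree with the zeros in the export.

```python
"""Check and repair Windows Firewall policy values from a regedit export.

Added example for this thread; not code from the forum posts or from
ComboFix, Spybot or regedit. It reads the text that
    regedit /e C:\\firewalpolicy.txt "HKEY_LOCAL_MACHINE\\software\\policies\\microsoft\\windowsfirewall"
writes, reports which firewall profiles a policy value forces off, and
builds the corrective .reg text. SAMPLE_EXPORT and the release_policy
option are assumptions of the example.
"""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall"
PROFILES = ("DomainProfile", "StandardProfile")

# Constructed sample export, mirroring the one posted in the thread. Values
# under HKLM\SOFTWARE\Policies are policy settings: they override the local
# firewall configuration, which is why Security Center says the settings are
# "controlled by Group Policy" and refuses to change them.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[" + POLICY_KEY + "]\r\n"
    "\r\n"
    "[" + POLICY_KEY + "\\DomainProfile]\r\n"
    '"MPSLegacyEnableFirewall"=dword:00000000\r\n'
    '"EnableFirewall"=dword:00000000\r\n'
    "\r\n"
    "[" + POLICY_KEY + "\\StandardProfile]\r\n"
    '"EnableFirewall"=dword:00000000\r\n'
)

VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')


def decode_export(data):
    """regedit /e on XP writes UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    if isinstance(data, bytes):
        if data.startswith(b"\xff\xfe"):
            return data.decode("utf-16")
        return data.decode("latin-1")
    return data


def parse_reg(text):
    """Return {key_path: {value_name: (kind, data)}} for a .reg file.

    kind is "dword" (data is an int), "string", "delete" (the "=-" form that
    removes a value on merge) or "other" (hex(...) blobs kept raw, first
    line only; continuation lines are not joined).
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.lower().startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif data == "-":
            keys[current][name] = ("delete", None)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("string", data[1:-1].replace("\\\\", "\\"))
        else:
            keys[current][name] = ("other", data)
    return keys


def firewall_policy_status(keys):
    """Per profile: "forced off", "forced on" or "no policy" (value absent)."""
    by_path = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in keys.items()}
    status = {}
    for profile in PROFILES:
        entry = by_path.get((POLICY_KEY + "\\" + profile).lower(), {}).get("enablefirewall")
        if entry is None or entry[0] != "dword":
            status[profile] = "no policy"
        else:
            status[profile] = "forced on" if entry[1] == 1 else "forced off"
    return status


def build_fix(status, release_policy=False):
    """REGEDIT4 text covering every profile that is forced off.

    release_policy=False sets EnableFirewall=1 (the thread's fix: still policy
    controlled, but on). release_policy=True deletes the value instead, so the
    override disappears and the local setting applies again.
    """
    lines = ["REGEDIT4", ""]
    for profile in PROFILES:
        if status.get(profile) != "forced off":
            continue
        lines.append("[%s\\%s]" % (POLICY_KEY, profile))
        lines.append('"MPSLegacyEnableFirewall"=-')
        lines.append('"EnableFirewall"=-' if release_policy else '"EnableFirewall"=dword:00000001')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    status = firewall_policy_status(parse_reg(decode_export(SAMPLE_EXPORT)))
    for profile, state in status.items():
        print(profile, state)
    print(build_fix(status))
```

Merge the generated text with regedit as post 11 describes (or `regedit /s file.reg` for an unattended import) after exporting a backup. Setting the value to 1 leaves the profile policy-controlled but on; deleting it (`release_policy=True`) removes the override so the firewall can be managed from Security Center again. If the zeros come back after a reboot, whatever wrote them is still running.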
  12. bigpeto (Registered Member)

    Yes, Spybot still says that there is a registry change after doing the instructions you told me.
  13. justinw (Registered Member)

    search_glow is part of the UI for Windows Live Toolbar.

    It is not directly related to your IE7 installation or any of its security settings, and should not be responsible for any of those firewall problems you describe.

    It sounds like it isn't always destroyed, and that may be a separate problem, but still unrelated to the security issues you mention.
  14. Pieter_Arntz (Spyware Veteran)

    Sorry to keep you waiting. I missed your reply.

    Can you delete the C:\firewalpolicy.txt we made earlier and make a new one?

    I'd like to see if the changes were undone.

    Regards,

    Pieter
  15. tbone_wirick (Registered Member)

    I think justinw is almost certainly right. I started noticing IE7 hanging ever since I started using the Windows Live search bar. When it's hanging, Task Manager shows instances of search_glow. I kill them and IE shuts down. I still haven't found a fix, if one even exists.
  16. slimpopo (Registered Member)

    I got it when I downloaded install_ICQ
    (instant chat Q.. or something). Maybe this will help..? I have this damned problem also, the internet lags a LOT.. :cautious: :cautious: WTF, why don't you have angry emoticons?
  17. cabaratz (Registered Member)

    Yeah... if you disable the Windows Live Toolbar from IE, then you'll see the search_glow disappear from the Task Manager.
    Thanks!
  18. Ronald_Hutch (Registered Member)

    Hello,
    I am new to Wilders Security Forums!
    I came across Wilders by running a Yahoo search for "search_glow running".
    I have 12 instances of search_glow in Task Manager!
    I have read the posts by bigpeto and Pieter_Arntz, and found them interesting!
    The question I would like to ask is: does combofix.exe sort this problem?

    Or do I have to disable Windows Live Toolbar?
    Regards,
    Ronald_Hutch.

    Last edited: Oct 26, 2007
  19. ccsito (Registered Member)

    According to this link, search_glow is related to Windows Live Toolbar.

    http://ca.answers.yahoo.com/question/index?qid=20070506090306AA7Cf04