
Troubleshooting MyWebSearch: Adware or malware?

Mark Underwood discovered a stubborn problem with a user's computer that was preventing the Windows PC from accessing any search website. Adware or malware? Here's what his investigation found.

The presenting symptom for this Windows problem (which presented itself as an XP issue, but I suspect it could have been any version of Windows) was that the user couldn't access any search engine: not Google, not Bing, not Yahoo. Other, non-search web sites? No problem. In fact, the user couldn't even ping the search sites. At first this seemed like a browser add-in problem, but the issue persisted regardless of which browser was used. Tracert would get part of the way to the site, but then time out. Since no other network issue was immediately apparent, my attention was drawn to MyWebSearch, a browser add-in which security vendors generously classify as adware.

The problem was that the adware wouldn't go away when the add-in was disabled. It would reappear, fully enabled, after every reboot.

Had the hosts file been edited to point the search engines somewhere else? With Windows Explorer I couldn't see a hosts file at all. Suspicious. A download of a Qhosts removal tool suggested that Qhosts, some older malware known to mess with hosts, was not to blame.

I started with SuperAntiSpyware in safe mode. After a reboot, it removed some of the traces of the application, but I found that the system still wouldn't let me unhide the [%WINDOWS%]\system32\drivers\etc\hosts file and make it readable. It should be possible to do that from CMD with this command:

attrib -r -h -s hosts

("By design" per Microsoft, Windows Explorer cannot change the read-only attribute on this file even once the file is unhidden. The CMD window is the main vehicle for changing the attributes on hosts.)

The file was hidden from Windows Explorer, and even after it had been unhidden using attrib, it could only be opened in read-only mode with the CMD-mode editor. I moved to Malwarebytes, which -- still in Safe mode -- found still more registry entries and files to remove. I expected those removals to clear things up.

Nope, the hosts file still could not be made readable or deleted.

Happily, Malwarebytes provides a utility called FileAssassin, and this utility dealt MyWebSearch, or rather its apparent hosing of hosts, the coup de grace. The numerous lines that had been added to hosts were removed, leaving on this machine only the 127.0.0.1 localhost entry, the same content some versions of Windows ship as the sample file hosts.sam. A fresh hosts file was put in place where the killed version had been doing its evil. Making it read-only again seemed prudent.
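As an added example (not the author's script and not anything from the MyWebSearch vendor), a PowerShell audit that does the inspection and repair described above: it shows the hosts file's attribute flags, lists every entry beyond the loopback localhost line, flags entries for the search-engine domains named above, and with -Repair clears the attributes (the equivalent of attrib -r -h -s), writes the default 127.0.0.1 localhost entry and sets read-only again. The hosts path, the watched-domain list and the -Repair switch are this example's own assumptions.

```powershell
# Added example, not code from the article: audit and (optionally) repair the Windows
# hosts file after a MyWebSearch-style hijack. Run from an elevated PowerShell prompt.
# Assumptions: default hosts path under %SystemRoot%; the watched domains are the
# search engines the article names; -Repair and -WhatIf are this script's own switches.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'),
    [switch]$Repair
)

$watch = 'google.com', 'bing.com', 'yahoo.com'

# -Force is needed because the hijacked file carried the Hidden and System attributes.
$item = Get-Item -LiteralPath $HostsPath -Force
Write-Host "Attributes: $($item.Attributes)"

# Parse the file into (address, names) records, ignoring comments and blank lines.
$entries = Get-Content -LiteralPath $HostsPath -Force | ForEach-Object {
    $line = ($_ -split '#', 2)[0].Trim()
    if ($line) {
        $parts = $line -split '\s+'
        if ($parts.Count -ge 2) {
            [pscustomobject]@{ Address = $parts[0]; Names = @($parts | Select-Object -Skip 1) }
        }
    }
}

# Report everything except the plain loopback entry. A search-engine name pointed at
# 127.0.0.1 (or anywhere else) explains the "can't even ping the search sites" symptom.
foreach ($e in $entries) {
    if (($e.Address -in '127.0.0.1', '::1') -and ($e.Names -join ' ') -eq 'localhost') { continue }
    $hit = $e.Names | Where-Object { $n = $_; $watch | Where-Object { $n -like "*$_" } }
    $tag = if ($hit) { 'SEARCH-ENGINE' } else { 'EXTRA' }
    Write-Host ('{0,-14} {1} -> {2}' -f $tag, ($e.Names -join ','), $e.Address)
}

if ($Repair -and $PSCmdlet.ShouldProcess($HostsPath, 'reset to default and mark read-only')) {
    # Equivalent of "attrib -r -h -s hosts": Normal clears ReadOnly, Hidden and System.
    $item.Attributes = [IO.FileAttributes]::Normal
    Set-Content -LiteralPath $HostsPath -Value "127.0.0.1`tlocalhost" -Encoding Ascii
    # Put read-only back once the clean file is in place, as the article recommends.
    (Get-Item -LiteralPath $HostsPath).Attributes = [IO.FileAttributes]::ReadOnly
    Write-Host 'hosts reset to the default entry and marked read-only'
}
```

Run it once without -Repair to see what the hijack added; a line tagged SEARCH-ENGINE pointing at a loopback or unroutable address is the sinkhole behaviour the article describes, and -Repair -WhatIf previews the reset before anything is written.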

Tempting as it may be to classify MyWebSearch as malware, it's possible that it was simply "broken" or had been attacked by a different bit of malware. If so, it was very stubbornly broken and gave no hints as to how to correct the mess it made. The vendor's FAQ (yes, the vendor dares show his or her face on the net) offers no hints beyond the usual browser plugin removal instructions.

The forums and FAQs I skimmed seem to lack a concise recipe for this particular issue. Has anyone else run across this problem with MyWebSearch -- or a similar problem? If so, how did you resolve it?

About

Mark Underwood ("knowlengr") works for a small, agile R&D firm. He thinly spreads interests (network manageability, AI, BI, psychoacoustics, poetry, cognition, software quality, literary fiction, transparency) and activations (www.knowlengr.com) from...

8 comments
Lomax007

You should never connect to the internet in safe mode as all your security features like firewalls and AV are not running leaving you open to attacks and rootkits.

cooksii

MyWebSearch is nasty, as it's not obvious exactly what it's doing... what else it may be downloading these days.. and what vulnerabilities it opens up. Just the fact that it's difficult to remove makes it extremely suspect.... and up to No Good. For all we know, it could have been something that was downloaded by some other virus that's taken up housekeeping in the computer... but I always suspect multiple infections when I see odd behavior, such as the pesky problem you're having with the hosts file. This all might be easier to deal with if you login as "Administrator". If you're dealing with XP Home (rather than XP Pro), that requires booting in Safe Mode. Then uninstall it (and anything that looks like a "helpful" web search program) from Add/Remove Programs... This really doesn't fix things, however... It's just the beginning. After logging in as Administrator, you can Take Ownership of \etc\hosts if you still cannot write to it. See http://support.microsoft.com/kb/308421. And I have never seen an UNCHANGEABLE read-only hosts file unless there's group policy restrictions (which malware sometimes imposes...). I generally make hosts read-only after adding a ton of undesirable sites pointing to 127.0.0.1. I wrote a little script that changes the attributes so I can write to it, pulls up the hosts file, and then when I finish editing hosts (I close it by CLOSING it, and THEN clicking Save in the dialog box, because it's too easy to rush through saving it--as a txt file), the script changes the attributes back to read only. If this doesn't immediately work, deal with it after a bit of cleanup. At this point, I would suggest running HijackThis. You may have to look up a lot of things, especially in the R3, O2, O3, O4, O8, and O16 categories. If a program is a bunch of hex numbers, googling for the first bunch will turn up the information you need to determine whether it's a Bad Thing. hrm..

There's also a posting at http://www.pchell.com/support/mywebsearch.shtml that lists a HijackThis listing of MyWebSearch that might be useful if you've never used HJT. You may find some of the other trojans that this program may have "helpfully" installed for you in HJT's log... You basically click the boxes in front of the stuff you want to remove. It's quite helpful for BHO DLLs and many AutoRuns. Then the full scan with Malwarebytes AntiMalware and SUPERAntiSpyware... and for good measure, you could do a Spybot SD scan and an antivirus scan (if the thing didn't disable your antivirus and anti-spyware software). It sounds like the computer's acting really flaky, hiding and freezing the hosts file. For good measure, if you're feeling particularly brave, AND you suspect subversion of the system files, you could try gmer's rootkit remover, appropriately called "gmer" (or catchme, for the user mode types). If it were just Google that were affected, I'd steer you to a program called GooRed (google redirect)... but it looks like it's hitting all the major search engines. Another good thing to do is an online antivirus scan, such as TrendMicro's... or burn Avira's boot recovery CD (which uses Linux to scan a Windows machine) and boot the computer with it. And of course, if you actually manage to get rid of this little visitor, make sure that computer has SP3. It's probably respawning itself from one of the "startup" registry keys; Russinovich's Sysinternals has a very good utility called AutoRuns that covers just about all of these, and it's pretty intuitive. It's at http://technet.microsoft.com/en-us/sysinternals/bb842062. Once again, you click on boxes to stop processes from running at startup. Re: Rootkits. It's kind of hard for me to explain how to do this completely in Windows.

Usually I use either a live Linux or BSD CD or flash drive to boot computers that I suspect are rootkitted, and then I go through them with a hex editor (and disassembler if there's good evidence of a virus) after comparing system file MD5s with a database of good MD5s. (If I find malware that looks kind of new, I copy it to a flash or to a floppy, but I doubt most people would bother with this, let alone with a disassembler.) Then I boot back into Windows and scan, and then repeat. Every time I get rid of something that's hiding processes, etc, there's tons more surprises that appear on the Windows scans... And one thing I've noticed is that the malware writers are getting smarter over the years, which is quite alarming. With any luck, there's no rootkit, and it's just this one irritating issue. I wish you luck! -cooksii

bus66vw

My client called me in because his computer was locking up. I was just starting out as a support person and this was the first time I had a real problem that was not user error or hardware based. I had already managed to get the client to use an anti-virus program which did its own updating. Keep in mind that this was back when AV companies saw malware and adware as an annoyance, not a problem they had to stop. I had a copy of Ad-Aware which I was able to install by putting the computer in safe mode. With the computer disconnected from the Internet I could run the scan, but once the computer was reconnected, booted, and the browser opened, the attack would start all over again. It was re-installing itself at reboot. By observing the files Ad-Aware removed and the area they were found in, I was able to set up the program to do a scan of that area at start-up, which allowed the computer to function normally. The problem continued for over a month and was fixed via the culprits being imprisoned and their malware shut down; Microsoft did some fixes, and anti-virus companies started taking malware as a real threat. The malware worked once the web browser was opened. It changed the home page to a strange web search page (it may have been "MyWebSearch", I just can't remember), clogged the computer up with pop-ups which stated the computer was infected, and told you to buy the fix at their web site. Once they were shut down, I was able to turn the start-up scan of Ad-Aware off. I then did a complete re-install of the OS and added other programs to harden the computer against the next attack. I still have bad feelings about the next time it will happen. Even with the new, more secure OSs out there, I feel that a truly motivated con artist will find a way to do it all over again, and your write-up has shown that whatever it was, it is still out there.

ultimitloozer

I always take the easy way to remove this piece of crap from systems. I boot from a CD or USB device so I am running a pristine environment & run Malwarebytes from there. It has always been able to remove MWS in this manner (as well as any other garbage it finds).

Ninja Rabbi

I have also run across this. On one computer Malwarebytes identified nearly 211 issues with MWS. I always go to msconfig first to disable the startup command for anything that looks wrong. Next to IE to disable or remove the search engine, then Add and Remove Programs, and (if needed) regedit to search for the key words. Finally, I get the most recent update for Malwarebytes (in safe mode with networking). For me, that has usually done it. Now I am thinking of using CCleaner as a final deathblow to any registry items that may be left behind.

joe_baron

I am usually able to get rid of that item by running Malwarebytes, then editing the registry to remove all occurrences of "mywebsearch".

Leonardo_C

I've never observed this particular behaviour with MWS; perhaps looking at what process was locking/keeping hosts +r +s would've helped identify/confirm the culprit. I do always remove MWS, but never considered it harmful.

rkuhn040172

Anything on a person's PC that I didn't put there or allow is considered malware by me. LOL!
