Mark Underwood discovered a stubborn problem with a user's computer that was preventing the Windows PC from accessing any search website. Adware or malware? Here's what his investigation found.
The presenting symptom for this Windows problem (which reared itself as an XP issue, but I suspect it could have been any version of Windows) was that the user couldn't access any search engine: not Google, not Bing, not Yahoo. Other non-search web sites? No problem. In fact, the user couldn't even ping the search sites. At first this seemed like a browser add-in problem, but the issue persisted regardless of any browser. Tracert would get part of the way to the site, but then time out. Since no other network issue was immediately apparent, my attention was drawn to MyWebSearch, a browser add-in which security vendors generously classify as adware.
The problem was that the adware wouldn't go away when the add-in was disabled. It would reappear, fully enabled, after every reboot.
Had the hosts file specified a different location for the search engines? With Windows Explorer I couldn't see any one at all. Suspicious. A download of a Qhosts removal tool suggested that Qhosts, some older malware known to mess with hosts, was not to blame.
I started with SuperAntiSpyware in safe mode. After a reboot, it removed some of the traces of the application, but I found that it wouldn't allow me to unhide and make readable the [%WINDOWS%]\system32\drivers\etc\hosts file. It should be possible to perform that from CMD using this command:
attrib -r -h -s hosts
("By design" per Microsoft, Windows Explorer cannot change the read-only attribute on this file even if the file is unhidden. The CMD window is the main vehicle to changing permissions on hosts.)
The file was hidden from Windows explorer, and even after it had been unhidden using attrib, it could only be opened in read-only mode with the CMD mode editor. I moved to MalwareBytes, which — still in Safe mode — found still more registry entries and files to remove. After making those removals, it was expected that this would clear things up.
Nope, the hosts file still could not be made readable or deleted.
Happily MalwareBytes provides a utility called the File Assassin, and this utility dealt MyWebSearch, or rather its apparent hosing of hosts, the coup de grace. The numerous lines that had been added to hosts were removed, leaving on this machine only 127.0.0.1 as shown in some versions of Windows as hosts.sam. An updated hosts was provided where the killed version had been doing its evil. Making it read-only again seemed prudent.
Tempting as it may be to classify MyWebSearch as malware, it's possible that it simply was "broken" or had been attacked by a different bit of malware. If so, it was very stubbornly broken and gave no hints as to how to correct the mess it made. The vendor's (yes, the vendor dares show his/herself on the net) FAQ offers no hints other than the usual browser plugin removal instructions.
Various forums and FAQs skimmed may be lacking a concise recipe to address this particular issue. Has anyone else run across this problem with MyWebSearch — or a similar problem? How did you resolve your issue, if so?