PUA:Win32/MyWebSearch is a Microsoft Defender detection name for an unwanted browser modifier. This application installs add-ons and toolbars that take control of the web browser, redirecting search queries and causing advertisements to appear. It usually spreads as add-on software in bundles and is often installed without the user’s explicit consent.
PUA:Win32/MyWebSearch Overview
PUA:Win32/MyWebSearch is a potentially unwanted application with browser hijacker elements that add extensions and toolbars to browsers. It replaces the current search engine and homepage with Mywebsearch[.]com, redirecting all the search queries through it. This obviously makes browsing uncomfortable, and may also lead to malware infections.
Usually, this unwanted software masquerades as various useful applications or browser extensions. However, its primary purpose is to collect information about the user’s online activity. This is done to further monetize this information through advertising networks and sales to third-party companies.
MyWebSearch is distributed in bundles with other programs. This method allows potentially unwanted software to be installed as “recommended software” with the main application. Another route is through ads and pop-ups on websites. PUA:Win32/MyWebSearch is often offered as a free or helpful browser extension via advertisements on websites with low credibility.
Technical Analysis
Let’s look at how PUA:Win32/MyWebSearch behaves, using one of the samples as an example. All samples of this family act similarly, so the findings apply to any of them. As mentioned, users rarely install this unwanted program intentionally; it arrives bundled with other software.
Once launched, the PUA performs debugger, virtual environment and sandbox checks, a standard practice for malware. It uses tricks such as sleep-based evasive loops and also queries certain registry keys:
HKEY_CURRENT_USER\Software\Microsoft\DirectX\UserGpuPreferences
This key contains information about how DirectX uses the graphics processing unit (GPU). In free versions of most virtualization software, there is no way to emulate a real graphics card, so the program can infer from this key that it is running on a VM. However, it is not clear why it needs this information: regardless of the result, it keeps running.
Privilege Escalation
To increase privileges, MyWebSearch changes some values in the registry, among them:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium
These keys may contain parameters or configurations that, if manipulated, could lead to privilege escalation. In addition, MyWebSearch can load additional DLLs and manipulate processes and files. Most file activity occurs in the temporary system folder at ProgramData\Microsoft\Windows\WER\Temp. This is concerning, since abusing DLL sideloading together with WER is a typical way for dropper malware to deliver other malicious programs.
Data Collection
Next, PUA:Win32/MyWebSearch collects some data about the user’s activity. This includes user activity hours, search queries, browser history, etc. It also checks device information, including software policies, keyboard layouts, volume data, and Windows system information.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CustomLocale
HKEY_CURRENT_USER\Keyboard Layout\Preload
It is worth noting that the PUA does not steal passwords or other confidential information. The application also creates a DirectInput object. However, this does not mean that it steals input data; rather, it is a standard requirement for hotkeys to function.
Browser Modifications
The PUA changes the web browser settings, replacing the homepage and the search engine with Mywebsearch[.]com[.]au. It is one of the websites that these malicious programs use as command servers, with Mywebsearch[.]com being the main one.
It also adds a toolbar or extension to the browser that directs your search queries to a different search engine. At the same time, this toolbar displays promoted services – another ad integration in this unwanted program.
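As an added defender-side example (not code from the article or from GridinSoft), the following Python script triages constructed telemetry lines for the behaviors described in the Privilege Escalation and Browser Modifications sections: writes to the three registry keys listed above, file drops into ProgramData\Microsoft\Windows\WER\Temp, and browser homepage or search settings pointing at mywebsearch.com or mywebsearch.com.au. The event line format and all sample values are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed telemetry (not from the article), one event per line as
# "<event>|<subject>|<value>": REG_SET = registry value written,
# FILE_CREATE = file created, BROWSER_CFG = browser setting observed.
SAMPLE_EVENTS = r"""
REG_SET|HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags|1
REG_SET|HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe|1
REG_SET|HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium|1
REG_SET|HKCU\Control Panel\Desktop\Wallpaper|C:\Users\alice\Pictures\bg.jpg
FILE_CREATE|C:\ProgramData\Microsoft\Windows\WER\Temp\helper.dll|
FILE_CREATE|C:\Users\alice\Documents\notes.txt|
BROWSER_CFG|homepage|http://www.mywebsearch.com/
BROWSER_CFG|default_search|https://www.mywebsearch.com.au/search?q={searchTerms}
BROWSER_CFG|homepage|https://www.example.org/
"""

# Registry paths the article reports MyWebSearch modifying; matched
# case-insensitively, ignoring the hive and any WOW6432Node prefix.
REGISTRY_KEYS = (
    r"microsoft\windows nt\currentversion\appcompatflags",
    r"microsoft\windows\currentversion\internet settings\zones\securitysafe",
    r"microsoft\edgeupdate\clientstatemedium",
)
WER_TEMP = "\\programdata\\microsoft\\windows\\wer\\temp\\"
MYWEBSEARCH_RE = re.compile(r"mywebsearch\.com(\.au)?\b", re.IGNORECASE)


def classify(line: str) -> Optional[str]:
    """Return a finding label for one event line, or None if it looks benign."""
    event, subject, value = line.split("|", 2)
    subj = subject.lower()
    if event == "REG_SET" and any(key in subj for key in REGISTRY_KEYS):
        return "registry: write to a key MyWebSearch is known to modify"
    if event == "FILE_CREATE" and WER_TEMP in subj:
        return "file: drop into WER\\Temp (possible DLL sideloading staging)"
    if event == "BROWSER_CFG" and MYWEBSEARCH_RE.search(value):
        return f"browser: {subject} points at a mywebsearch domain"
    return None


def triage(events: str) -> List[Dict[str, str]]:
    """Run every non-empty line through classify() and collect the hits."""
    findings = []
    for line in events.strip().splitlines():
        label = classify(line)
        if label:
            findings.append({"line": line, "finding": label})
    return findings
```

Running triage(SAMPLE_EVENTS) flags the three registry writes, the DLL dropped into WER\Temp and the two browser settings, while the wallpaper, notes.txt and example.org lines pass as benign.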
How To Remove MyWebSearch?
It is recommended that an advanced antivirus solution be used to remove MyWebSearch. A regular system antivirus solution may not be enough since it is not malware but an unwanted application. So, GridinSoft Anti-Malware would be the best option because, besides removing PUA itself, it allows you to reset web browsers in two clicks, thus saving the user from having to clean browsers manually.
To remove it, run GridinSoft Anti-Malware, start a full scan, and follow the on-screen steps. Next, go to the “Tools” tab and select “Reset Browser Settings”. Then choose which browsers to reset and click “Reset”. You can also select which further settings to reset, for example, some system settings or the HOSTS file.