Metallica

Removal instructions for Go My Media


What is Go My Media?

The Malwarebytes research team has determined that Go My Media is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one uses a proxy to display advertisements.

How do I know if my computer is affected by Go My Media?

You may see this entry in your list of installed software:

warning4.png

and these warnings during install:

main.png

warning1.png

and you will see this startpage:

warning2.png

and these proxy settings:

warning3.png

How did Go My Media get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Go My Media?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Go My Media?

  • No, Malwarebytes' Anti-Malware removes Go My Media completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Go My Media hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

 

protection1.png


Technical details for experts

Possible signs in FRST logs:

 
 (The Privoxy team - www.privoxy.org) C:\Program Files (x86)\SecuredNet\oxy.exe
 (www.gomymedia.com) C:\Program Files (x86)\SecuredNet\Go-My-Media.exe
 HKLM-x32\...\Run: [Go My Media] => C:\Program Files (x86)\SecuredNet\Go-My-Media.exe [393216 2016-03-28] (www.gomymedia.com)
 ProxyEnable: [{current user ID}] => Proxy is enabled.
 ProxyServer: [{current user ID}] => 127.0.0.1:8118
 HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.searchhub.info
 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.searchhub.info
 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.searchhub.info
 SearchScopes: HKCU -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 SearchScopes: HKCU -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 R2 NetSecure; C:\Program Files (x86)\SecuredNet\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
 C:\Program Files (x86)\SecuredNet

Go My Media version 4.01. (HKLM-x32\...\{73DDE698-8B04-4E35-BB89-18ED39149383}_is1) (Version: 4.01. - www.searchhub.info)
C:\Program Files (x86)\SecuredNet\mgwz.dll
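
A triage sketch for the FRST signs listed above, added here as an example (it is not part of the original post and not Malwarebytes or FRST code). It correlates a loopback proxy setting with an unsigned service and a Run entry in the same folder; the function name `triage`, the regular expressions and the benign `Spooler` line are assumptions made for illustration.

```python
import re
from ntpath import dirname  # parses Windows paths on any OS

# Constructed sample: several FRST lines from the post plus one benign service line.
SAMPLE_FRST = r"""
HKLM-x32\...\Run: [Go My Media] => C:\Program Files (x86)\SecuredNet\Go-My-Media.exe [393216 2016-03-28] (www.gomymedia.com)
ProxyEnable: [{current user ID}] => Proxy is enabled.
ProxyServer: [{current user ID}] => 127.0.0.1:8118
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.searchhub.info
R2 NetSecure; C:\Program Files (x86)\SecuredNet\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
R2 Spooler; C:\Windows\System32\spoolsv.exe [559104 2010-11-21] (Microsoft Corporation)
"""

PROXY_RE = re.compile(r"^ProxyServer: \[.*?\] => (?:127\.\d+\.\d+\.\d+|localhost):(\d+)$", re.I)
SERVICE_RE = re.compile(r"^[RS]\d (\S+); (.+?\.exe)\b", re.I)
RUN_RE = re.compile(r"\\Run: \[(.+?)\] => (.+?\.exe)\b", re.I)
PAGE_RE = re.compile(r"Internet Explorer\\Main,(?:Start|Search) Page = (\S+)", re.I)

def triage(log_text):
    """Correlate the FRST signs: loopback proxy + unsigned service + linked Run entry."""
    proxy_enabled, proxy_port = False, None
    services, run_entries, pages = [], [], []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("ProxyEnable:") and "is enabled" in line:
            proxy_enabled = True
        elif m := PROXY_RE.match(line):
            proxy_port = int(m.group(1))
        elif m := SERVICE_RE.match(line):
            if "[File not signed]" in line:       # signed services are ignored
                services.append((m.group(1), m.group(2)))
        elif m := RUN_RE.search(line):
            run_entries.append((m.group(1), m.group(2)))
        elif m := PAGE_RE.search(line):
            pages.append(m.group(1))
    # A Run entry in the same folder as an unsigned service ties the pieces together.
    svc_dirs = {dirname(path).lower() for _, path in services}
    linked = [name for name, path in run_entries if dirname(path).lower() in svc_dirs]
    port = proxy_port if proxy_enabled else None
    return {
        "loopback_proxy_port": port,
        "unsigned_services": services,
        "linked_run_entries": linked,
        "browser_pages": pages,
        # A loopback proxy alone can be legitimate; require the unsigned service too.
        "suspicious": port is not None and bool(services),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FRST).items():
        print(f"{key}: {value}")
```
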
Alterations made by the installer:
 
File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Program Files (x86)\SecuredNet
       Adds the file config.txt"="3/29/2016 3:52 AM, 407 bytes, A
       Adds the file default.action"="2/7/2016 6:40 PM, 21 bytes, A
       Adds the file default.filter"="3/31/2016 3:01 AM, 110 bytes, A
       Adds the file Go-My-Media.exe"="3/28/2016 4:43 AM, 393216 bytes, A
       Adds the file Interop.SHDocVw.dll"="3/19/2016 6:33 AM, 143360 bytes, A
       Adds the file mgwz.dll"="1/22/2016 5:15 PM, 86528 bytes, A
       Adds the file oxy.exe"="1/22/2016 5:15 PM, 373248 bytes, A
       Adds the file oxy.log"="4/12/2016 8:21 AM,  bytes, A
       Adds the file tbconfig.xml"="4/12/2016 8:22 AM, 4712 bytes, A
       Adds the file tbinfo.xml"="4/12/2016 8:22 AM, 1041 bytes, A
       Adds the file tblog.log"="4/12/2016 8:22 AM, 211 bytes, A
       Adds the file Trackerbird.Tracker.dll"="12/7/2015 5:30 PM, 20600 bytes, A
       Adds the file Trackerbird.Tracker.xml"="12/7/2015 5:29 PM, 20874 bytes, A
       Adds the file Trackerbird.x64.dll"="12/7/2015 5:30 PM, 1265784 bytes, A
       Adds the file Trackerbird.x86.dll"="12/7/2015 5:30 PM, 900216 bytes, A
       Adds the file unins000.dat"="4/12/2016 8:21 AM, 4481 bytes, A
       Adds the file unins000.exe"="4/12/2016 8:20 AM, 1088165 bytes, A
       Adds the file uninstall.bat"="3/29/2016 3:50 AM, 228 bytes, A
       Adds the file un-install.exe"="3/28/2016 5:20 AM, 393216 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
       "Go My Media"="REG_SZ", ""C:\Program Files (x86)\SecuredNet\Go-My-Media.exe""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73DDE698-8B04-4E35-BB89-18ED39149383}_is1]
       "DisplayIcon"="REG_SZ", "C:\Users\Cosco\Downloads\google-wave.ico"
       "DisplayName"="REG_SZ", "Go My Media version 4.01.0"
       "DisplayVersion"="REG_SZ", "4.01.0"
       "EstimatedSize"="REG_DWORD", 4565
       "HelpLink"="REG_SZ", "http://www.searchhub.info"
       "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\SecuredNet"
       "Inno Setup: Icon Group"="REG_SZ", "(Default)"
       "Inno Setup: Language"="REG_SZ", "default"
       "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (a)"
       "Inno Setup: User"="REG_SZ", "{username}"
       "InstallDate"="REG_SZ", "20160412"
       "InstallLocation"="REG_SZ", "C:\Program Files (x86)\SecuredNet\"
       "MajorVersion"="REG_DWORD", 4
       "MinorVersion"="REG_DWORD", 1
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "www.searchhub.info"
       "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\SecuredNet\unins000.exe" /SILENT"
       "UninstallString"="REG_SZ", ""C:\Program Files (x86)\SecuredNet\unins000.exe""
       "URLInfoAbout"="REG_SZ", "http://www.searchhub.info"
       "URLUpdateInfo"="REG_SZ", "http://www.searchhub.info"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetSecure]
       "Description"="REG_SZ", "Secured Layered Network Service"
       "DisplayName"="REG_SZ", "NetSecure"
       "ErrorControl"="REG_DWORD", 1
       "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\SecuredNet\oxy.exe --service"
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 2
       "Type"="REG_DWORD", 16
       "WOW64"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus]
       "setupapi.app.log"="REG_DWORD", 4096
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation]
       "CVListLastUpdateTime"="REG_DWORD", 3640254
       "CVListPreviousDownloadUrl"="REG_SZ", "https://iecvlist.microsoft.com/IE11/1434748155000/iecompatviewlist.xml"
       "CVListXMLVersionLow
        REG_DWORD, 395188270 ==> REG_DWORD, 395188312
       "IECompatVersionLow
        REG_DWORD, 395188270 ==> REG_DWORD, 395188312
       "StaleCompatCache
        REG_DWORD, 0 ==> REG_DWORD, 1
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion]
       "NextUpdateDate"="REG_DWORD", 167207098
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames]
       "en-US"="REG_SZ", "en-US.1"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
       "Local Page"= REG_SZ, "index.html"
       "Search Page"= REG_SZ, "http://www.searchhub.info"
       "Show_URLToolBar"= REG_SZ, "http://www.searchhub.info"
       "Start Page Redirect Cache"= REG_SZ, "http://www.searchhub.info"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
       "NTSuggestionsURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
       "NTTopResultURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
       "NTURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
       "SuggestionsURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
       "TopResultURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
       "URL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
       "ProxyEnable"= REG_DWORD, 1
       "ProxyServer"="REG_SZ", "127.0.0.1:8118"
Malwarebytes Anti-Malware log:
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/12/2016
Scan Time: 8:32 AM
Logfile: mbamGoMyMedia.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.04.12.01
Rootkit Database: v2016.04.09.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 363564
Time Elapsed: 10 min, 4 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Go-My-Media.exe, 3916, Delete-on-Reboot, [2dc43d707623d066d61d0e9427dd837d]
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\oxy.exe, 1116, Delete-on-Reboot, [d51cbbf299007cbacb2ae6bc10f42fd1]

Modules: 2
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\mgwz.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Trackerbird.x86.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 

Registry Keys: 3
PUP.Optional.Privoxy, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{73DDE698-8B04-4E35-BB89-18ED39149383}_is1, Quarantined, [61902c81eaaf9e9803f1782aea1a3bc5], 
PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETSECURE, Quarantined, [d51cbbf299007cbacb2ae6bc10f42fd1], 
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [45acc8e5a4f58da9e610554d20e458a8], 

Registry Values: 9
PUP.Optional.Privoxy, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Go My Media, "C:\Program Files (x86)\SecuredNet\Go-My-Media.exe", Quarantined, [2dc43d707623d066d61d0e9427dd837d]
PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETSECURE|ImagePath, C:\Program Files (x86)\SecuredNet\oxy.exe --service, Quarantined, [d51cbbf299007cbacb2ae6bc10f42fd1]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TopResultURL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [45acc8e5a4f58da9e610554d20e458a8]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [539ea706a7f291a526d0ccd6ca3a54ac]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|SuggestionsURL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [ad44228b108950e6e214762cdd27f709]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|NTURL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [51a03974c5d4aa8c6492663c14f07987]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|NTTopResultURL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [d021e0cd396049ed29cdbbe7000440c0]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|NTSuggestionsURL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [27ca901decadc47254a2dec43bc9619f]
PUM.Optional.ProxyHijacker, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, Quarantined, [d41d4d603f5a46f0bc4ad0a0ed171de3]

Registry Data: 3
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Page, http://www.searchhub.info, Good: (www.google.com), Bad: (http://www.searchhub.info),Replaced,[05ece4c99affe15551fcfa3c719415eb]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.searchhub.info, Good: (www.google.com), Bad: (http://www.searchhub.info),Replaced,[c22f8825ddbc0630321bd363ee17bd43]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page Redirect Cache, http://www.searchhub.info, Good: (www.google.com), Bad: (http://www.searchhub.info),Replaced,[28c9d3dadfba191dc7864aec23e218e8]

Folders: 1
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 

Files: 20
PUP.Optional.SearchHub, C:\Users\{username}\Desktop\SearchHub.exe, Quarantined, [925f5558a5f4d165cd05d97d30d56799], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Go-My-Media.exe, Delete-on-Reboot, [2dc43d707623d066d61d0e9427dd837d], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\oxy.exe, Delete-on-Reboot, [d51cbbf299007cbacb2ae6bc10f42fd1], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\config.txt, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\default.action, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\default.filter, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Interop.SHDocVw.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\mgwz.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\oxy.log, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\tbconfig.xml, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\tbinfo.xml, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\tblog.log, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Trackerbird.Tracker.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Trackerbird.Tracker.xml, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Trackerbird.x64.dll, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Trackerbird.x86.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\un-install.exe, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\unins000.dat, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\unins000.exe, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\uninstall.bat, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 

Physical Sectors: 
(No malicious items detected)


(end)
As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Edited by Metallica
