Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

Removal instructions for Go My Media

- - - - -

  • Please log in to reply
No replies to this topic

#1
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Content is republished with permission from Malwarebytes.

What is Go My Media?

The Malwarebytes research team has determined that Go My Media is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one uses a proxy to displays advertisements.

How do I know if my computer is affected by Go My Media?

You may see this entry in your list of installed software:

warning4.png

and these warnings during install:

main.png

warning1.png

and you will see this startpage:

warning2.png

and these proxy settings:

warning3.png

How did Go My Media get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Go My Media?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Go My Media?
  • No, Malwarebytes' Anti-Malware removes Go My Media completely.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Go My Media hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

protection1.png


Technical details for experts

Possible signs in FRST logs:

 (The Privoxy team - www.privoxy.org) C:\Program Files (x86)\SecuredNet\oxy.exe
 (www.gomymedia.com) C:\Program Files (x86)\SecuredNet\Go-My-Media.exe
 HKLM-x32\...\Run: [Go My Media] => C:\Program Files (x86)\SecuredNet\Go-My-Media.exe [393216 2016-03-28] (www.gomymedia.com)
 ProxyEnable: [{current user ID}] => Proxy is enabled.
 ProxyServer: [{current user ID}] => 127.0.0.1:8118
 HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.searchhub.info
 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.searchhub.info
 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.searchhub.info
 SearchScopes: HKCU -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 SearchScopes: HKCU -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 R2 NetSecure; C:\Program Files (x86)\SecuredNet\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
 C:\Program Files (x86)\SecuredNet

Go My Media version 4.01.0 (HKLM-x32\...\{73DDE698-8B04-4E35-BB89-18ED39149383}_is1) (Version: 4.01.0 - www.searchhub.info)
C:\Program Files (x86)\SecuredNet\mgwz.dll
Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Program Files (x86)\SecuredNet
       Adds the file config.txt"="3/29/2016 3:52 AM, 407 bytes, A
       Adds the file default.action"="2/7/2016 6:40 PM, 21 bytes, A
       Adds the file default.filter"="3/31/2016 3:01 AM, 110 bytes, A
       Adds the file Go-My-Media.exe"="3/28/2016 4:43 AM, 393216 bytes, A
       Adds the file Interop.SHDocVw.dll"="3/19/2016 6:33 AM, 143360 bytes, A
       Adds the file mgwz.dll"="1/22/2016 5:15 PM, 86528 bytes, A
       Adds the file oxy.exe"="1/22/2016 5:15 PM, 373248 bytes, A
       Adds the file oxy.log"="4/12/2016 8:21 AM, 0 bytes, A
       Adds the file tbconfig.xml"="4/12/2016 8:22 AM, 4712 bytes, A
       Adds the file tbinfo.xml"="4/12/2016 8:22 AM, 1041 bytes, A
       Adds the file tblog.log"="4/12/2016 8:22 AM, 211 bytes, A
       Adds the file Trackerbird.Tracker.dll"="12/7/2015 5:30 PM, 20600 bytes, A
       Adds the file Trackerbird.Tracker.xml"="12/7/2015 5:29 PM, 20874 bytes, A
       Adds the file Trackerbird.x64.dll"="12/7/2015 5:30 PM, 1265784 bytes, A
       Adds the file Trackerbird.x86.dll"="12/7/2015 5:30 PM, 900216 bytes, A
       Adds the file unins000.dat"="4/12/2016 8:21 AM, 4481 bytes, A
       Adds the file unins000.exe"="4/12/2016 8:20 AM, 1088165 bytes, A
       Adds the file uninstall.bat"="3/29/2016 3:50 AM, 228 bytes, A
       Adds the file un-install.exe"="3/28/2016 5:20 AM, 393216 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
       "Go My Media"="REG_SZ", ""C:\Program Files (x86)\SecuredNet\Go-My-Media.exe""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73DDE698-8B04-4E35-BB89-18ED39149383}_is1]
       "DisplayIcon"="REG_SZ", "C:\Users\Cosco\Downloads\google-wave.ico"
       "DisplayName"="REG_SZ", "Go My Media version 4.01.0"
       "DisplayVersion"="REG_SZ", "4.01.0"
       "EstimatedSize"="REG_DWORD", 4565
       "HelpLink"="REG_SZ", "http://www.searchhub.info"
       "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\SecuredNet"
       "Inno Setup: Icon Group"="REG_SZ", "(Default)"
       "Inno Setup: Language"="REG_SZ", "default"
       "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (a)"
       "Inno Setup: User"="REG_SZ", "{username}"
       "InstallDate"="REG_SZ", "20160412"
       "InstallLocation"="REG_SZ", "C:\Program Files (x86)\SecuredNet\"
       "MajorVersion"="REG_DWORD", 4
       "MinorVersion"="REG_DWORD", 1
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "www.searchhub.info"
       "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\SecuredNet\unins000.exe" /SILENT"
       "UninstallString"="REG_SZ", ""C:\Program Files (x86)\SecuredNet\unins000.exe""
       "URLInfoAbout"="REG_SZ", "http://www.searchhub.info"
       "URLUpdateInfo"="REG_SZ", "http://www.searchhub.info"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetSecure]
       "Description"="REG_SZ", "Secured Layered Network Service"
       "DisplayName"="REG_SZ", "NetSecure"
       "ErrorControl"="REG_DWORD", 1
       "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\SecuredNet\oxy.exe --service"
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 2
       "Type"="REG_DWORD", 16
       "WOW64"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus]
       "setupapi.app.log"="REG_DWORD", 4096
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation]
       "CVListLastUpdateTime"="REG_DWORD", 3640254
       "CVListPreviousDownloadUrl"="REG_SZ", "https://iecvlist.microsoft.com/IE11/1434748155000/iecompatviewlist.xml"
       "CVListXMLVersionLow
        REG_DWORD, 395188270 ==> REG_DWORD, 395188312
       "IECompatVersionLow
        REG_DWORD, 395188270 ==> REG_DWORD, 395188312
       "StaleCompatCache
        REG_DWORD, 0 ==> REG_DWORD, 1
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion]
       "NextUpdateDate"="REG_DWORD", 167207098
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames]
       "en-US"="REG_SZ", "en-US.1"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
       "Local Page"= REG_SZ, "index.html"
       "Search Page"= REG_SZ, "http://www.searchhub.info"
       "Show_URLToolBar"= REG_SZ, "http://www.searchhub.info"
       "Start Page Redirect Cache"= REG_SZ, "http://www.searchhub.info"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
       "NTSuggestionsURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
       "NTTopResultURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
       "NTURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
       "SuggestionsURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
       "TopResultURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
       "URL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
       "ProxyEnable"= REG_DWORD, 1
       "ProxyServer"="REG_SZ", "127.0.0.1:8118"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/12/2016
Scan Time: 8:32 AM
Logfile: mbamGoMyMedia.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.04.12.01
Rootkit Database: v2016.04.09.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 363564
Time Elapsed: 10 min, 4 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Go-My-Media.exe, 3916, Delete-on-Reboot, [2dc43d707623d066d61d0e9427dd837d]
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\oxy.exe, 1116, Delete-on-Reboot, [d51cbbf299007cbacb2ae6bc10f42fd1]

Modules: 2
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\mgwz.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Trackerbird.x86.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 

Registry Keys: 3
PUP.Optional.Privoxy, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{73DDE698-8B04-4E35-BB89-18ED39149383}_is1, Quarantined, [61902c81eaaf9e9803f1782aea1a3bc5], 
PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETSECURE, Quarantined, [d51cbbf299007cbacb2ae6bc10f42fd1], 
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [45acc8e5a4f58da9e610554d20e458a8], 

Registry Values: 9
PUP.Optional.Privoxy, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Go My Media, "C:\Program Files (x86)\SecuredNet\Go-My-Media.exe", Quarantined, [2dc43d707623d066d61d0e9427dd837d]
PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETSECURE|ImagePath, C:\Program Files (x86)\SecuredNet\oxy.exe --service, Quarantined, [d51cbbf299007cbacb2ae6bc10f42fd1]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TopResultURL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [45acc8e5a4f58da9e610554d20e458a8]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [539ea706a7f291a526d0ccd6ca3a54ac]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|SuggestionsURL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [ad44228b108950e6e214762cdd27f709]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|NTURL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [51a03974c5d4aa8c6492663c14f07987]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|NTTopResultURL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [d021e0cd396049ed29cdbbe7000440c0]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|NTSuggestionsURL, http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02, Quarantined, [27ca901decadc47254a2dec43bc9619f]
PUM.Optional.ProxyHijacker, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, Quarantined, [d41d4d603f5a46f0bc4ad0a0ed171de3]

Registry Data: 3
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Page, http://www.searchhub.info, Good: (www.google.com), Bad: (http://www.searchhub.info),Replaced,[05ece4c99affe15551fcfa3c719415eb]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.searchhub.info, Good: (www.google.com), Bad: (http://www.searchhub.info),Replaced,[c22f8825ddbc0630321bd363ee17bd43]
PUP.Optional.SearchHub, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page Redirect Cache, http://www.searchhub.info, Good: (www.google.com), Bad: (http://www.searchhub.info),Replaced,[28c9d3dadfba191dc7864aec23e218e8]

Folders: 1
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 

Files: 20
PUP.Optional.SearchHub, C:\Users\{username}\Desktop\SearchHub.exe, Quarantined, [925f5558a5f4d165cd05d97d30d56799], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Go-My-Media.exe, Delete-on-Reboot, [2dc43d707623d066d61d0e9427dd837d], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\oxy.exe, Delete-on-Reboot, [d51cbbf299007cbacb2ae6bc10f42fd1], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\config.txt, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\default.action, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\default.filter, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Interop.SHDocVw.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\mgwz.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\oxy.log, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\tbconfig.xml, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\tbinfo.xml, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\tblog.log, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Trackerbird.Tracker.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Trackerbird.Tracker.xml, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Trackerbird.x64.dll, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\Trackerbird.x86.dll, Delete-on-Reboot, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\un-install.exe, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\unins000.dat, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\unins000.exe, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 
PUP.Optional.Privoxy, C:\Program Files (x86)\SecuredNet\uninstall.bat, Quarantined, [e40d6b42cacf31051755e27f35d0e61a], 

Physical Sectors: 0
(No malicious items detected)


(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  • 0

Advertisements





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.