What is Go My Media?
The Malwarebytes research team has determined that Go My Media is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice. This one uses a proxy to display advertisements.
How do I know if my computer is affected by Go My Media?
You may see this entry in your list of installed software:
and these warnings during install:
and you will see this startpage:
and these proxy settings:
How did Go My Media get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove Go My Media?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
  - Enable free trial of Malwarebytes Anti-Malware Premium
  - Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes' Anti-Malware removes Go My Media completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Go My Media hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
Possible signs in FRST logs:
(The Privoxy team - www.privoxy.org) C:\Program Files (x86)\SecuredNet\oxy.exe
(www.gomymedia.com) C:\Program Files (x86)\SecuredNet\Go-My-Media.exe
HKLM-x32\...\Run: [Go My Media] => C:\Program Files (x86)\SecuredNet\Go-My-Media.exe [393216 2016-03-28] (www.gomymedia.com)
ProxyEnable: [{current user ID}] => Proxy is enabled.
ProxyServer: [{current user ID}] => 127.0.0.1:8118
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.searchhub.info
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.searchhub.info
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.searchhub.info
SearchScopes: HKCU -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02
SearchScopes: HKCU -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02
R2 NetSecure; C:\Program Files (x86)\SecuredNet\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
C:\Program Files (x86)\SecuredNet
Go My Media version 4.01.0 (HKLM-x32\...\{73DDE698-8B04-4E35-BB89-18ED39149383}_is1) (Version: 4.01.0 - www.searchhub.info)
C:\Program Files (x86)\SecuredNet\mgwz.dll

Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\SecuredNet
Adds the file config.txt"="3/29/2016 3:52 AM, 407 bytes, A
Adds the file default.action"="2/7/2016 6:40 PM, 21 bytes, A
Adds the file default.filter"="3/31/2016 3:01 AM, 110 bytes, A
Adds the file Go-My-Media.exe"="3/28/2016 4:43 AM, 393216 bytes, A
Adds the file Interop.SHDocVw.dll"="3/19/2016 6:33 AM, 143360 bytes, A
Adds the file mgwz.dll"="1/22/2016 5:15 PM, 86528 bytes, A
Adds the file oxy.exe"="1/22/2016 5:15 PM, 373248 bytes, A
Adds the file oxy.log"="4/12/2016 8:21 AM, 0 bytes, A
Adds the file tbconfig.xml"="4/12/2016 8:22 AM, 4712 bytes, A
Adds the file tbinfo.xml"="4/12/2016 8:22 AM, 1041 bytes, A
Adds the file tblog.log"="4/12/2016 8:22 AM, 211 bytes, A
Adds the file Trackerbird.Tracker.dll"="12/7/2015 5:30 PM, 20600 bytes, A
Adds the file Trackerbird.Tracker.xml"="12/7/2015 5:29 PM, 20874 bytes, A
Adds the file Trackerbird.x64.dll"="12/7/2015 5:30 PM, 1265784 bytes, A
Adds the file Trackerbird.x86.dll"="12/7/2015 5:30 PM, 900216 bytes, A
Adds the file unins000.dat"="4/12/2016 8:21 AM, 4481 bytes, A
Adds the file unins000.exe"="4/12/2016 8:20 AM, 1088165 bytes, A
Adds the file uninstall.bat"="3/29/2016 3:50 AM, 228 bytes, A
Adds the file un-install.exe"="3/28/2016 5:20 AM, 393216 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Go My Media"="REG_SZ", ""C:\Program Files (x86)\SecuredNet\Go-My-Media.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73DDE698-8B04-4E35-BB89-18ED39149383}_is1]
"DisplayIcon"="REG_SZ", "C:\Users\Cosco\Downloads\google-wave.ico"
"DisplayName"="REG_SZ", "Go My Media version 4.01.0"
"DisplayVersion"="REG_SZ", "4.01.0"
"EstimatedSize"="REG_DWORD", 4565
"HelpLink"="REG_SZ", "http://www.searchhub.info"
"Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\SecuredNet"
"Inno Setup: Icon Group"="REG_SZ", "(Default)"
"Inno Setup: Language"="REG_SZ", "default"
"Inno Setup: Setup Version"="REG_SZ", "5.5.8 (a)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20160412"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\SecuredNet\"
"MajorVersion"="REG_DWORD", 4
"MinorVersion"="REG_DWORD", 1
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "www.searchhub.info"
"QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\SecuredNet\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files (x86)\SecuredNet\unins000.exe""
"URLInfoAbout"="REG_SZ", "http://www.searchhub.info"
"URLUpdateInfo"="REG_SZ", "http://www.searchhub.info"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetSecure]
"Description"="REG_SZ", "Secured Layered Network Service"
"DisplayName"="REG_SZ", "NetSecure"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\SecuredNet\oxy.exe --service"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
"WOW64"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.app.log"="REG_DWORD", 4096
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation]
"CVListLastUpdateTime"="REG_DWORD", 3640254
"CVListPreviousDownloadUrl"="REG_SZ", "https://iecvlist.microsoft.com/IE11/1434748155000/iecompatviewlist.xml"
"CVListXMLVersionLow REG_DWORD, 395188270 ==> REG_DWORD, 395188312
"IECompatVersionLow REG_DWORD, 395188270 ==> REG_DWORD, 395188312
"StaleCompatCache REG_DWORD, 0 ==> REG_DWORD, 1
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion]
"NextUpdateDate"="REG_DWORD", 167207098
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames]
"en-US"="REG_SZ", "en-US.1"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Local Page"= REG_SZ, "index.html"
"Search Page"= REG_SZ, "http://www.searchhub.info"
"Show_URLToolBar"= REG_SZ, "http://www.searchhub.info"
"Start Page Redirect Cache"= REG_SZ, "http://www.searchhub.info"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"NTSuggestionsURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
"NTTopResultURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
"NTURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
"SuggestionsURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
"TopResultURL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
"URL"= REG_SZ, "http://www.searchhub.info/index.php?a=web&q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"= REG_DWORD, 1
"ProxyServer"="REG_SZ", "127.0.0.1:8118"

Malwarebytes Anti-Malware log:
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
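
The FRST signs listed under "Technical details for experts" can be checked mechanically. The Python sketch below is an added example, not Malwarebytes or FRST code: it scans FRST-style log text for the combination this hijacker leaves behind (system proxy enabled and pointed at loopback, plus an unsigned service installed in the same folder as a Run entry). The function name `analyze` and the regular expressions are assumptions derived from the log lines shown on this page.

```python
import ntpath
import re

# FRST lines as listed on this page (defanged hxxp kept as-is).
FRST_SAMPLE = r"""
HKLM-x32\...\Run: [Go My Media] => C:\Program Files (x86)\SecuredNet\Go-My-Media.exe [393216 2016-03-28] (www.gomymedia.com)
ProxyEnable: [{current user ID}] => Proxy is enabled.
ProxyServer: [{current user ID}] => 127.0.0.1:8118
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.searchhub.info
R2 NetSecure; C:\Program Files (x86)\SecuredNet\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
"""

# Patterns are assumptions derived from the line shapes above, not an FRST spec.
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] => (?P<path>[A-Za-z]:\\.+?\.exe)", re.I)
SVC_RE = re.compile(r"^[RSU]\d (?P<name>\S+); (?P<path>[A-Za-z]:\\.+?\.exe)", re.I)
PROXY_RE = re.compile(r"^ProxyServer: \[[^\]]*\] => (?P<host>[^:\s]+):(?P<port>\d+)")


def analyze(log_text):
    """Flag the loopback-proxy hijack pattern in FRST-style log text."""
    proxy_on, proxy, run_dirs, unsigned_svcs = False, None, {}, {}
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith("ProxyEnable:") and "is enabled" in line:
            proxy_on = True
        elif m := PROXY_RE.match(line):
            proxy = (m["host"], int(m["port"]))
        elif m := RUN_RE.search(line):
            # Index autorun entries by install folder (case-insensitive).
            run_dirs[ntpath.dirname(m["path"]).lower()] = m["name"]
        elif (m := SVC_RE.match(line)) and "[File not signed]" in line:
            unsigned_svcs[m["name"]] = ntpath.dirname(m["path"]).lower()

    findings = []
    local = bool(proxy_on and proxy
                 and (proxy[0].startswith("127.") or proxy[0] == "localhost"))
    if local:
        findings.append(f"system proxy points at loopback {proxy[0]}:{proxy[1]}")
    # An unsigned service living beside an autorun binary is the likely listener.
    for svc, folder in unsigned_svcs.items():
        if folder in run_dirs:
            findings.append(
                f"unsigned service {svc} shares folder with Run entry '{run_dirs[folder]}'")
    return {"local_proxy": local, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(FRST_SAMPLE)["findings"]:
        print(finding)
```

A loopback proxy on its own also matches a legitimate Privoxy installation, so it is the pairing with the unsigned service and the Run entry in the same folder that makes the pattern specific.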