{"id":27924,"date":"2024-10-29T09:42:03","date_gmt":"2024-10-29T09:42:03","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=27924"},"modified":"2024-10-29T09:42:03","modified_gmt":"2024-10-29T09:42:03","slug":"puabundler-win32-mediaget-removal-guide","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/puabundler-win32-mediaget-removal-guide\/","title":{"rendered":"PUABundler:Win32\/MediaGet"},"content":{"rendered":"<p><strong>PUABundler:Win32\/MediaGet is a Russian potentially unwanted program<\/strong> designed for accessing pirated content. Like most similar software, it installs some unnecessary programs onto the system during installation and also turns the device into a proxy server in exchange for an ad-free experience.<\/p>\n<h2>MediaGet Virus Overview<\/h2>\n<p>PUABundler:Win32\/MediaGet is a detection of <a href=\"https:\/\/gridinsoft.com\/unwanted-program\">potentially unwanted software<\/a> associated with the program MediaGet, a BitTorrent client of Russian origin. Although the program was originally positioned as a torrent client, it now functions more like a player for pirated content.<\/p>\n<p>The main problem is that <strong>MediaGet installs a range of unwanted programs<\/strong>, which an inexperienced user may struggle to cancel. This is accomplished through the use of tricks, which I&#8217;ll talk about later.<\/p>\n<p>Although the program has its own official website, in most cases the user receives it as \u201crecommended software\u201d, bundled with other free programs. Alternatively, they may be recommended to use it on websites that, once again, spread unlicensed software of various kinds. 
Once again: the program is not inherently malicious; it is the additional software it installs that may have undesirable and sometimes malicious properties.<\/p>\n<p>Even if the user uninstalls MediaGet, the additional software is not removed along with it, and some items are not displayed in the list of installed applications, which makes them very difficult to remove. Because of these factors, the program <a href=\"https:\/\/www.virustotal.com\/gui\/file\/b4b7a10f86036f92e3129025c41e523e13c4da00110516ac7e52981ed29f06e7\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">has received the status<\/a> of potentially unwanted software and even a separate classifier, PUABundler:Win32\/MediaGet.<\/p>\n<h2>How dangerous is it?<\/h2>\n<p>To avoid making unconfirmed claims, I decided to see for myself how PUABundler:Win32\/MediaGet behaves, on a virtual machine rather than a live system. The first thing that catches your eye is that <strong>Microsoft Defender immediately flags the downloaded file<\/strong> from the official website. 
The random character string in the file name appears to be a failed attempt to evade detection at the download stage.<\/p>\n<div class=\"su-image-carousel  su-image-carousel-has-spacing su-image-carousel-has-outline su-image-carousel-adaptive su-image-carousel-slides-style-default su-image-carousel-controls-style-dark su-image-carousel-align-center\" style=\"\" data-flickity-options='{\"groupCells\":true,\"cellSelector\":\".su-image-carousel-item\",\"adaptiveHeight\":true,\"cellAlign\":\"left\",\"prevNextButtons\":true,\"pageDots\":true,\"autoPlay\":5000,\"imagesLoaded\":true,\"contain\":false,\"selectedAttraction\":0.007,\"friction\":0.25}' id=\"su_image_carousel_696d03e5997b4\"><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" decoding=\"async\" width=\"1709\" height=\"1069\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/1-mediaget-detected-as-pua.webp\" class=\"\" alt=\"MediaGet detected\" title=\"\"><span>MediaGet detected as unwanted app<\/span><\/div><\/div><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" decoding=\"async\" width=\"1709\" height=\"1069\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/2-mediaget-detection-popup.webp\" class=\"\" alt=\"PUABundler:Win32\/MediaGet detection popup screenshot\" title=\"\"><span>PUABundler:Win32\/MediaGet detection popup<\/span><\/div><\/div><\/div>\n<p>I selected \u201cAllow\u201d in the Defender menu and started installing the program. The first red flag was the program&#8217;s offer <strong>to provide the device\u2019s resources<\/strong> in exchange for an ad-free experience. I agreed: I don&#8217;t mind sharing the resources of my gaming PC for the sake of a scientific experiment. We\u2019ll return to this point later; for now, let&#8217;s continue with the installation.<\/p>\n<figure id=\"attachment_27944\" aria-describedby=\"caption-attachment-27944\" style=\"width: 1709px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/3-mediaget-proxy.webp\" alt=\"mediaget install screenshot\" width=\"1709\" height=\"1069\" class=\"size-full wp-image-27944\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/3-mediaget-proxy.webp 1709w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/3-mediaget-proxy-300x188.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/3-mediaget-proxy-1024x641.webp 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/3-mediaget-proxy-768x480.webp 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/3-mediaget-proxy-1536x961.webp 1536w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/3-mediaget-proxy-860x538.webp 860w\" sizes=\"auto, (max-width: 1709px) 100vw, 1709px\" \/><figcaption id=\"caption-attachment-27944\" class=\"wp-caption-text\">MediaGet tries to install a proxy<\/figcaption><\/figure>\n<p>Next, the installer offers to install the Opera web browser. 
The problem is that there is <strong>a big green \u201cAccept\u201d button and a small gray \u201cDecline\u201d button<\/strong>. At first glance it may seem that the Decline button is inactive, but if you click on it, the next installation screen appears with the next item of \u201crecommended software\u201d.<\/p>\n<p>This time, it is 360 Total Security &#8211; a Chinese antivirus notorious for being hard to remove from the system. Remember that at the beginning I mentioned tricks we would come to later? I was referring to this exact trick with the \u201cinactive\u201d Decline button, which an inexperienced user might not notice, clicking Accept instead.<\/p>\n<div class=\"su-image-carousel  su-image-carousel-has-spacing su-image-carousel-has-outline su-image-carousel-adaptive su-image-carousel-slides-style-default su-image-carousel-controls-style-dark su-image-carousel-align-center\" style=\"\" data-flickity-options='{\"groupCells\":true,\"cellSelector\":\".su-image-carousel-item\",\"adaptiveHeight\":true,\"cellAlign\":\"left\",\"prevNextButtons\":true,\"pageDots\":true,\"autoPlay\":5000,\"imagesLoaded\":true,\"contain\":false,\"selectedAttraction\":0.007,\"friction\":0.25}' id=\"su_image_carousel_696d03e59a04c\"><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" decoding=\"async\" width=\"1709\" height=\"1069\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/4-mediaget-installer-pua1-.webp\" class=\"\" alt=\"Additional software screenshot\" title=\"\"><span>Additional software<\/span><\/div><\/div><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" decoding=\"async\" width=\"1709\" height=\"1069\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/5-mediaget-installer-pua2.webp\" class=\"\" alt=\"Additional software screenshot\" title=\"\"><span>Additional software<\/span><\/div><\/div><\/div>\n<p>After launching it, we see a typical client for watching pirated movies, cartoons, TV series and so on. Although the authors of the program do not mention the program&#8217;s origin anywhere on its official website, the presence of buttons for Russian services such as VK (VKontakte) and OK (Odnoklassniki) indicates <strong>the program&#8217;s Russian origin and target audience<\/strong>.<\/p>\n<p>In addition, this is <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">not the first incident<\/a> related to this program. It was previously reported that the program does have Russian roots. 
This is also explained by the fact that most legitimate services in Russia are either blocked or non-functional.<\/p>\n<div class=\"su-image-carousel  su-image-carousel-has-spacing su-image-carousel-has-outline su-image-carousel-adaptive su-image-carousel-slides-style-default su-image-carousel-controls-style-dark su-image-carousel-align-center\" style=\"\" data-flickity-options='{\"groupCells\":true,\"cellSelector\":\".su-image-carousel-item\",\"adaptiveHeight\":true,\"cellAlign\":\"left\",\"prevNextButtons\":true,\"pageDots\":true,\"autoPlay\":5000,\"imagesLoaded\":true,\"contain\":false,\"selectedAttraction\":0.007,\"friction\":0.25}' id=\"su_image_carousel_696d03e59a8e7\"><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" decoding=\"async\" width=\"1709\" height=\"1069\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/6-mediaget-interface.webp\" class=\"\" alt=\"MediaGet interface screenshot\" title=\"\"><span>MediaGet interface<\/span><\/div><\/div><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" decoding=\"async\" width=\"1709\" height=\"1069\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/7-offer-to-share-on-social-media.webp\" class=\"\" alt=\"Russian social media links screenshot\" title=\"\"><span>Russian social media links<\/span><\/div><\/div><\/div>\n<h3>Additional Payload<\/h3>\n<p>As for the additional programs MediaGet installs along the 
way, the Opera browser and 360 Total Security antivirus were the typical additions across several consecutive runs. But I would like to take a closer look at the payload that PUABundler:Win32\/MediaGet installs to allocate PC resources to third parties. This is <strong>the file highsocks.exe<\/strong>, which is added to autorun after installation and runs with the system.<\/p>\n<figure id=\"attachment_27948\" aria-describedby=\"caption-attachment-27948\" style=\"width: 724px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/7-task-manager-autorun.webp\" alt=\"MediaGet and highsocks.exe in the Autorun\" width=\"724\" height=\"612\" class=\"size-full wp-image-27948\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/7-task-manager-autorun.webp 724w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/7-task-manager-autorun-300x254.webp 300w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><figcaption id=\"caption-attachment-27948\" class=\"wp-caption-text\">MediaGet and highsocks.exe start with the system<\/figcaption><\/figure>\n<p>Remarkably, after uninstalling MediaGet, this file remains on the system and keeps running. 
Moreover, it is not in the list of installed applications, making it difficult for the user to detect and remove.<\/p>\n<figure id=\"attachment_27949\" aria-describedby=\"caption-attachment-27949\" style=\"width: 654px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/8-highsocks-in-autorun.webp\" alt=\"highsocks.exe screenshot\" width=\"654\" height=\"739\" class=\"size-full wp-image-27949\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/8-highsocks-in-autorun.webp 654w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/8-highsocks-in-autorun-265x300.webp 265w\" sizes=\"auto, (max-width: 654px) 100vw, 654px\" \/><figcaption id=\"caption-attachment-27949\" class=\"wp-caption-text\">highsocks.exe still runs on the system<\/figcaption><\/figure>\n<p>I decided to take a closer look at this file. Apparently, this program makes the victim&#8217;s device <a href=\"https:\/\/gridinsoft.com\/proxy\">a proxy server<\/a>. Alongside that, highsocks.exe injects itself into the legitimate system process WMIADAP.EXE and also terminates the svchost.exe process with the parameter WerSvcGroup. The program also executes the shell command:<\/p>\n<p><code style=\"font-size: 14px\">C:\\Windows\\System32\\wuapihost.exe -Embedding<\/code><\/p>\n<p>This could indicate an attempt to mask its activity. The program runs primarily in memory rather than from disk, which suggests an attempt to evade detection by antivirus tools. 
Technical details aside, I can confidently say that this program is proxyware.<\/p>\n<h3>Collecting System Information<\/h3>\n<p>In addition to the above activities, highsocks also collects certain system information, including language and region settings, via the following registry keys:<\/p>\n<p><code style=\"font-size: 14px\">HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US<br \/>\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CustomLocale<br \/>\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MUI\\Settings\\LanguageConfiguration<br \/>\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MUI\\UILanguages<br \/>\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MUI\\UILanguages\\PendingDelete<br \/>\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\NLS\\Language<br \/>\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option<\/code><\/p>\n<p>Although this information might have legitimate uses, when combined with the other red flags it looks more like unwanted activity. Such information can also be used to prevent execution in certain &#8220;friendly&#8221; territories, which is standard practice for malware.<\/p>\n<h2>How To Remove PUABundler:Win32\/MediaGet<\/h2>\n<p>Although PUABundler:Win32\/MediaGet is not malware in the truest sense of the word, its monetization and installation methods are neither fully transparent nor safe. As for removing the program and its traces, this can be difficult without specialized tools. I recommend using GridinSoft Anti-Malware, an advanced anti-malware solution that will help you clean your system of unwanted software in two clicks. 
Just follow the instructions below:<\/p>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp\" alt=\"GridinSoft Anti-Malware main screen\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22665\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n<p>Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.<\/p>\n<div style=\"text-align:center\"><a href=\"\/download\/antimalware\" class=\"btn border-black\" rel=\"nofollow\">Download Anti-Malware<\/a><\/div>\n<p>After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes for each element: click \"Advanced mode\" and see the options in the drop-down menus. 
You can also see extended information about each detection: malware type, effects and potential source of infection.<\/p>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp\" alt=\"Scan results screen\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22666\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n<p>Click \"Clean Now\" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.<\/p>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp\" alt=\"Removal finished\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22667\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n","protected":false},"excerpt":{"rendered":"<p>PUABundler:Win32\/MediaGet is a Russian potentially unwanted program designed for accessing pirated content. Like most similar software, it installs some unnecessary programs onto the system during installation and also turns the device into a proxy server in exchange for an ad-free experience. 
MediaGet Virus Overview PUABundler:Win32\/MediaGet is a detection of potentially unwanted software associated with the [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":27958,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17],"tags":[474,223],"class_list":{"0":"post-27924","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"tag-unwanted-programs","9":"tag-windows-defender"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/What-is-PUABundler-Win32MediaGet.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=27924"}],"version-history":[{"count":23,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27924\/revisions"}],"predecessor-version":[{"id":27989,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27924\/revisions\/27989"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/27958"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=27924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=27924"},{"taxonomy":"post_tag","embeddable":t
rue,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=27924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}