Parasite: BargainBuddy

This record last updated Tue Sep 20 2005 00:34:14

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Bargain Buddy consists of an IE Browser Helper Object, and a process set to run at startup. The BHO monitors web pages requested and terms entered into forms. If there is a match with a preset list of sites and keywords, an advertisement may be shown. The process can contact its maker’s server to download updates to the list of adverts and to the software itself.

Variants

BargainBuddy/Apuc, original version whose BHO is stored in its own Program Files ‘Bargain Buddy’ folder. BargainBuddy/Versn, the BHO is a file inside the host application whilst the updater is still in ‘Bargain Buddy’. BargainBuddy/adp uses the folder name ‘adp’ in Program Files. BargainBuddy/Apuc2 is the same as Apuc, but constantly tries to restart itself if you kill it.

Also known as

Bargains (process name), Ikena (the server it connects to).

Distribution

Is included in Net2Phone CommCenter, lately the Versn variant as CC_Versn.dll. The Adp variant is installed by the mail.com Alerts software and vCatch, an anti-virus tool. BargainBuddy/Apuc was also installed by some versions of LimeWire, MThree MP3 tools and the FavoriteMan parasite.

What it does

Advertising

Yes. On a known URL or keyword entered into a form, a pop-up window opens containing advertising.

Privacy violation

Some. When an advert is served, the advertiser will likely know which site was visited/keyword was entered, and DoubleClick can track these with cookies. However there is no evidence that the current version of the software sends browsing logs of pages unaffected by the extra adverts.

Security issues

Yes. BargainBuddy updates itself silently through connections to adp.ikena.com. The latest version of the software does now include code-signing, at least.

Stability problems

None known.

Removal

Some versions can be removed from the Add/Remove Programs option in the Control Panel. This option seems to be missing in the newer Net2Phone version.

Manual removal

Before you can delete it, the DLL file must be deregistered.

In BargainBuddy/Apuc, this DLL is inside the Bargain Buddy folder in ‘Program Files’. Here there will be one or more ‘bin’ folders, one of which will contain a file called apuc.dll. If, for example, it’s in ‘bin2’, the commands to enter (from a DOS command prompt window, under Start->Programs->Accessories) would be:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Bargain Buddy\bin2\apuc.dll"

(If your ‘Program Files’ directory has a different name (for example, on a non-English version of Windows), or is on a different drive, you’ll have to substitute that in the path above.)

In BargainBuddy/Version, the file you have to get rid of is instead called ‘CC_Versn.dll’, and it’s inside the ‘Net2Phone CommCenter’ folder in Program Files. The commands to get rid of it are:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Net2Phone CommCenter\CC_Versn.dll"

After the deregistration, end the ‘Bargains’ process from the Task Manager (ctrl-alt-delete). Having successfully done this you should be able to delete the entire ‘Bargain Buddy’ folder. To clean up the registry, run regedit and delete the value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run that refers to Bargain Buddy. You can also delete the key HKEY_LOCAL_MACHINE\Software\Bargains; in the Adp variant this is HKEY_LOCAL_MACHINE\Software\Microsoft\adp instead.

Partial installs

An installer executable may be included with the host application which attempts to download enough of the software to run so that it then updates itself fully. If this fails or has not yet run, you will only have the ‘bargains’ process. Kill this from the Task Manager (ctrl-alt-del) and remove the ‘Run’ value mentioned above, then you can delete the entire Bargain Buddy directory manually.