Just wanted to write a short blog post before going back to coding. I just found another bundled adware called BuyNSave / BrickProvider and will give you some removal instructions. If you have BuyNSave / BrickProvider on your computer, you will see BrickProvider.exe running in the Task Manager, an add-on named BuyNSave added to Internet Explorer and Mozilla Firefox, and a new scheduled task called BrickProvider. Chrome dodged the adware. I’ll show how to remove BuyNSave / BrickProvider in this blog post with the FreeFixer removal tool.
Here’s BrickProvider.exe in the Task Manager:
BuyNSave add-on in Firefox:
And BuyNSave in Internet Explorer:
BuyNSave / BrickProvider is bundled in other software’s installers. Here’s how it was disclosed in the installer where I found it:
YouTubeAdBlocke was also included in the installer.
As always when I find some new bundled software, I uploaded it to VirusTotal to test if the anti-malware scanners there detect anything. The detection rate is 11/55. Malwarebytes classifies BuyNSave / BrickProvider as PUP.Optional.MultiPlug, McAfee-GW-Edition calls it BehavesLike.Win32.PWSYunsip.bm and Qihoo-360 calls it HEUR/QVM30.1.Malware.Gen.
If you’d like to remove BuyNSave / BrickProvider you can do so with the FreeFixer removal tool. Just check the BuyNSave / BrickProvider files as the screenshots below show. You may have to reboot your computer to complete the removal.
Hope that helped you with the removal.
I stumbled upon BuyNSave / BrickProvider while testing out some downloads that are known to bundle lots of unwanted software. Any idea how BuyNSave / BrickProvider was installed on your system? Please share by posting a comment. Thank you!
Hope you found this useful and thank you for reading.
Update 2014-11-21: Found some variants that don’t use the BrickProvider name. Instead they are called:
BrickProlonger & SoftwareProlonger. SoftwareProlonger.exe shows up in the Task Manager. The file is located in c:\programdata\trusted publisher\softwareprolonger.
There are also alternative names for BuyNSave, one I have is BauyNSavE. I have tried multiple times to delete the Chrome extension that appears every time Chrome is opened. I checked FreeFixer and noticed a new file appears every time I restarted the computer after attempting to eradicate the program. I don’t know if this is a coincidence or not because they seem to not be related. Anyway, I ran FreeFixer and that couldn’t ever find anything close to named BuayNSavE or Brickprovider and any alternative names. I sought to my personal knowledge about hidden programs and secret “hidey holes” and went on an adventure. As I suspected, ProgramData had a folder in it with a string of random characters. I opened it and 3 scripts, a background.html and a manifest.json file were inside. So then I proceeded to check the manifest.json and here is what it showed:
{
    "name": "BauyNsavE",
    "version": "3.64",
    "description": "",
    "manifest_version": 2,
    "background": {"page": "background.html"},
    "content_scripts": [
        {
            "all_frames": true,
            "matches": ["http://*/*", "https://*/*"],
            "js": ["content.js"],
            "run_at": "document_end"
        }
    ],
    "permissions": [
        "http://*/*",
        "https://*/*",
        "tabs",
        "cookies",
        "management",
        "notifications",
        "contextMenus",
        "management",
        "storage"
    ]
}
Seems to me a lot of permissions are set to the program…
I promptly deleted the random-character folder and am still searching for similar events but so far, it seems everything has been fixed.
Hope this potentially helps some people,
Daniel.
Thanks a lot Daniel. I’m sure that will help other users with the BuyNSave removal.
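A check for the kind of manifest quoted in the comment above, as an added example (not code from the post, the commenter or FreeFixer): it walks a directory tree, parses every manifest.json it finds and reports all-site host access combined with permissions such as management and cookies. The permission watch-list, the function names and the default scan root are assumptions chosen for illustration.

```python
import json
import os

# Match patterns that grant access to every site (Chrome match-pattern syntax).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed watch-list: API permissions worth a second look next to all-site access.
SENSITIVE = {"management", "cookies", "tabs", "webRequest", "proxy"}


def assess_manifest(manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    findings = set()
    perms = {p for p in manifest.get("permissions") or [] if isinstance(p, str)}
    all_sites = bool(perms & ALL_SITES)
    if all_sites:
        findings.add("host access to all sites")
    for name in perms & SENSITIVE:
        findings.add("sensitive permission: " + name)
    if all_sites and "cookies" in perms:
        findings.add("can read cookies for any site")
    for script in manifest.get("content_scripts") or []:
        if isinstance(script, dict) and set(script.get("matches") or []) & ALL_SITES:
            scope = "all frames" if script.get("all_frames") else "top frame"
            findings.add("content script on every page (" + scope + ")")
    return sorted(findings)


def scan_tree(root):
    """Walk root and assess every manifest.json that parses as an extension manifest."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(folder, "manifest.json")
        try:
            with open(path, encoding="utf-8-sig") as handle:
                manifest = json.load(handle)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it, keep scanning
        if isinstance(manifest, dict) and "manifest_version" in manifest:
            findings = assess_manifest(manifest)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    # Assumption: an unpacked extension folder under ProgramData, as in the comment.
    for path, findings in scan_tree(os.environ.get("ProgramData", ".")).items():
        print(path)
        for finding in findings:
            print("   -", finding)
```

A hit is a reason to look at the folder, not proof of adware: legitimate extensions also request broad permissions.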