## Manual Removal Guide for eXact Advertising.BargainsBuddy

Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
• spyware

Description:
Bulls Eye is very pesistent. When downloaded, the software automatically installs itself without user consent!
The executeables nls.exe (NaviSearch), bargains.exe (BargainsBuddy) and cashback.exe (Cashback) are launched and connect to internet immediately.
They are also entered into autorun and hooked to windows explorer and will be launched when the Windows Explorer is used , for example if the user navigates through folders.
The sites it connects to include:
Supposed Functionality:
What is BullsEye?

BullsEye is eXact Advertising's contextual marketing software product that delivers relevant coupons and offers to users- in clearly marked separate windows- at a time when they are most likely to be receptive to receiving them. BullsEye’s goal is to deliver you the offers you want, when you want them. Millions of users currently use BullsEye, saving themselves hundreds of dollars a year. It is commonly distributed along with popular consumer download applications as a means of keeping them free to the public. Millions of users currently use BullsEye, saving themselves hundreds of dollars a year.

You probably downloaded BullsEye along with a free software program you downloaded on the Internet. To keep these programs free to users, the publishers have to earn some type of revenue stream to stay in business. The publishers include BullsEye with their program to keep them free, instead of charging the users a fee for use of the product.

BullsEye shows only very selective, relevant offers - the average is two offers per user per day. For example, a user searching for "wireless plans" at a search engine may receive a special offer or coupon from a wireless service provider. If you are searching for, or visiting websites related to, "tropical cruises", you may receive a special offer for "20% Off of Caribbean Cruises" from one of our advertisers.

All BullsEye offers are clearly identified as either BullsEye or BullsEye Network offers, and appear in an independent browser window to indicate that the offers are not associated with any websites the user may be viewing in a different window. This window is always outside any other windows that the user may be using to view sites or conduct other Internet activities.

BullsEye uses proprietary, privacy-protecting technology that applies an ad-selection logic directly to Internet elements that the user has chosen to have on their desktop at that moment, such as words, URLs, search terms, etc.

BullsEye is very easy to uninstall. It can easily be found in the Programs folder of a user's machine with a full set of uninstall instructions. Simply go to your control panel; click on “Add/Remove Programs”; click on “BullsEye” in the list of programs; and click “Remove”.

BullsEye protects user privacy. BullsEye does not track user. BullsEye uses proprietary, privacy-protecting technology that is based on real-time Internet elements - NOT on user information. Please review eXact Advertising’s Privacy Policy.

What BullsEye is NOT

BullsEye is NOT spy-ware.

BullsEye is an advertisement delivery system (ADS) for relevant coupons and offers, NOT spy-ware. There are very important differences between ADS and spy-ware:

ADS is legitimate product that clearly discloses its presence and what it does during the installation process. It also supports many popular download programs so that they can continue to be offered free to users. In addition, BullsEye serves ads that are clearly identified as a third party offer, protects user privacy, does not track user surfing habits, and is simple to uninstall.

Conversely, spy-ware does not adequately disclose its presence to users during the installation process and adds little or no value to the user experience. In addition, it is extremely difficult for the average user to identify. If it shows ads, they are not branded and origins are unclear. Most importantly, spy-ware tracks user click-stream and surfing habits, and reports them to a central server where they are stored.

BullsEye doesn't use a lot of bandwidth or memory on a users PC. It shares memory (RAM) with your Internet Explorer browser, and uses very little additional memory beyond that needed for your browser. Little bandwidth is used since there is no persistent communication between a users desktop and eXact's servers and since BullsEye does NOT track where individual users go and what users do online.
Privacy Statement:
BullsEye protects and respects your privacy. We collect no personally identifiable information about you or your surfing habits.
Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.
• Entries named "NaviSearch" and pointing to "<$PROGRAMFILES>\NaviSearch\bin\nls.exe". • Entries named "msxct" and pointing to "msxct.exe". • Entries named "BullsEye Network" and pointing to "<$PROGRAMFILES>\BullsEye Network\bin\bargains.exe".
• Entries named "CashBack" and pointing to "<$PROGRAMFILES>\CashBack\bin\cashback.exe". • Entries named "BullsEye Network" and pointing to "<$PROGRAMS>\BullsEye Network\bin\bargains.exe".
• Entries named "CashBack" and pointing to "<$PROGRAMS>\CashBack\bin\cashback.exe". • Entries named "NaviSearch" and pointing to "<$PROGRAMS>\NaviSearch\bin\nls.exe".
• Entries named "BullsEye Network" and pointing to "<$PROGRAMFILES>\BullsEye Network\bin\bargains.exe". • Entries named "BullsEye Network" and pointing to "<$PROGRAMFILES>\BullsEye Network\bin\bargains.exe".
• Entries named "BullsEye Network" and pointing to "<$PROGRAMFILES>\BullsEye Network\bin\bargains.exe". • Entries named "CashBack" and pointing to "<$PROGRAMFILES>\CashBack\bin\cashback.exe".
• Entries named "NaviSearch" and pointing to "<$PROGRAMFILES>\NaviSearch\bin\nls.exe". • Entries named "Bargains". Installed Software List: You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D or RunAlyzer to locate and get rid of these entries. • Products that have a key or property named "BargainBuddy". • Products that have a key or property named "Bargain Buddy". • Products that have a key or property named "CashBack". • Products that have a key or property named "NaviSearch". • Products that have a key or property named "Bargain Buddy". Files: Please use Windows Explorer or another file manager of your choice to locate and delete these files. • The file at "<$SYSDIR>\exclean.exe".
• The file at "<$WINDIR>\inst_adperform.exe". • The file at "<$LOCALSETTINGS>\Temp\~DFBBC.tmp".
• The file at "<$LOCALSETTINGS>\Temp\optimize.exe". • The file at "<$WINDIR>\exdl.exe".
• The file at "<$WINDIR>\installer_SIAC.exe". • The file at "<$SYSDIR>\exclean.exe".
• The file at "<$SYSDIR>\exdl1.exe". • The file at "<$SYSDIR>\explorer6s4.exe".
• The file at "<$SYSDIR>\pvt6gjl3.exe". • The file at "<$SYSDIR>\pvt6gjl3.ini".
• The file at "<$SYSDIR>\symcsvc.exe". • A file with an unknown location named "bb.exe". • The file at "<$SYSDIR>\msxct.exe".
• The file at "<$WINDIR>\msxct1.ini". • The file at "<$LOCALSETTINGS>\Temp\bb.exe".
• The file at "<$WINDIR>\autoheal.exe". • The file at "<$SYSDIR>\exdl.exe".
• The file at "<$SYSDIR>\exdl0.exe". • The file at "<$SYSDIR>\exdl2.exe".
• The file at "<$SYSDIR>\exdl3.exe". • The file at "<$SYSDIR>\exul2.exe".
• The file at "<$SYSDIR>\javex80.vxd". • The file at "<$SYSDIR>\mqexdlm.srg".
• The file at "<$SYSDIR>\msbe.dll". • The file at "<$SYSDIR>\mscb.dll".
• The file at "<$SYSDIR>\nvms.dll". • The file at "<$SYSDIR>\vx2.nls".
• The file at "<$SYSDIR>\vx2x.nls". • The file at "<$SYSDIR>\exclean.exe".
• The file at "<$WINDIR>\ahadp.exe". • The file at "<$SYSDIR>\msbe.dll".
• A file with an unknown location named "bb.exe".
• The file at "<$WINDIR>\..\temp\bb_welcome1.swf". • The file at "<$SYSDIR>\basexinfo.txt".
• The file at "<$SYSDIR>\basexuk.txt". • The file at "<$SYSDIR>\mac80ex.idf".
• The file at "<$SYSDIR>\mqexdlm.srg". • The file at "<$SYSDIR>\msbe.dll".
• The file at "<$SYSDIR>\mscb.dll". • The file at "<$SYSDIR>\netut80ex.vxd".
• The file at "<$SYSDIR>\psis80ex.ax". • The file at "<$SYSDIR>\vx0.nls".
• The file at "<$SYSDIR>\vx1.nls". • The file at "<$SYSDIR>\vx1x.nls".
• The file at "<$SYSDIR>\vx3.nls". • The file at "<$SYSDIR>\vx3x.nls".
• A file with an unknown location named "BargainBuddy.exe".
• The file at "<$SYSDIR>\angelex.exe". • The file at "<$SYSDIR>\exclean.exe".
• The file at "<$SYSDIR>\exdl.exe". • The file at "<$SYSDIR>\mqexdlm.srg".
• The file at "<$SYSDIR>\exul.exe". • The file at "<$SYSDIR>\javex80.vxd".
• The file at "<$SYSDIR>\javexulm.vxd". • The file at "<$SYSDIR>\mac80ex.idf".
• The file at "<$SYSDIR>\msbe.dll". • The file at "<$SYSDIR>\mscb.dll".
• The file at "<$SYSDIR>\nvms.dll". • The file at "<$SYSDIR>\psis80ex.ax".
• The file at "<$WINDIR>\autoheal.exe". • The file at "<$WINDIR>\zeta.exe".
• The file at "<$LOCALSETTINGS>\Temp\bb.exe". • The file at "<$WINDIR>\ahadp.exe".
• The file at "<$WINDIR>\zeta.exe". • The file at "<$SYSDIR>\angelex.exe".
• The file at "<$SYSDIR>\exclean.exe". • The file at "<$SYSDIR>\exdl.exe".
• The file at "<$SYSDIR>\exdl0.exe". • The file at "<$SYSDIR>\exdl1.exe".
• The file at "<$SYSDIR>\exul.exe". • The file at "<$SYSDIR>\exul1.exe".
• The file at "<$SYSDIR>\trkgif.exe". • The file at "<$SYSDIR>\javexulm.vxd".
• The file at "<$SYSDIR>\mac80ex.idf". • The file at "<$SYSDIR>\mac80ex.idf".
• The file at "<$SYSDIR>\netut80ex.vxd". • The file at "<$SYSDIR>\netut80ex.vxd".
• The file at "<$SYSDIR>\vx0.nls". • The file at "<$SYSDIR>\vx0.nls".
• The file at "<$SYSDIR>\vx1.nls". • The file at "<$SYSDIR>\vx1.nls".
• The file at "<$SYSDIR>\vx1x.nls". • The file at "<$SYSDIR>\vx1x.nls".
• The file at "<$SYSDIR>\mqexdlm.srg". • The file at "<$SYSDIR>\msbe.dll".
• A file with an unknown location named "bb.exe".
• A file with an unknown location named "bb.exe".
• The file at "<$PROGRAMFILES>\BullsEye Network\Uninstall.exe". • The file at "<$PROGRAMFILES>\BullsEye Network\bin\adv.exe".
• The file at "<$PROGRAMFILES>\BullsEye Network\bin\adx.exe". • The file at "<$PROGRAMFILES>\BullsEye Network\bin\bargains.exe".
• The file at "<$WINDIR>\ahadp.exe". • The file at "<$WINDIR>\bbchk.exe".
• The file at "<$SYSDIR>\angelex.exe". • The file at "<$SYSDIR>\bbchk.exe".
• The file at "<$SYSDIR>\exdl.exe". • The file at "<$SYSDIR>\exdl0.exe".
• The file at "<$SYSDIR>\exul.exe". • The file at "<$SYSDIR>\instsrv.exe".
• The file at "<$SYSDIR>\javexulm.vxd". • The file at "<$SYSDIR>\mac80ex.idf".
• The file at "<$SYSDIR>\mqexdlm.srg". • The file at "<$SYSDIR>\msbe.dll".
• The file at "<$SYSDIR>\msexreg.exe". • The file at "<$SYSDIR>\netut80ex.vxd".
• The file at "<$SYSDIR>\vx0.nls". • The file at "<$SYSDIR>\vx1.nls".
• The file at "<$SYSDIR>\vx1x.nls". • A file with an unknown location named "bargain3.exe". • The file at "<$WINDIR>\bargain3.exe".
• The file at "<$WINDIR>\..\temp\bb_auto_wider.swf". • The file at "<$WINDIR>\..\temp\bb_click_wider.swf".
• The file at "<$WINDIR>\..\temp\bb_welcome.html". • The file at "<$WINDIR>\..\temp\bb_welcome1.swf".
• The file at "<$WINDIR>\..\temp\blank.gif". • The file at "<$WINDIR>\..\temp\exTmp0.html".
• The file at "<$WINDIR>\..\temp\icon.gif". • The file at "<$WINDIR>\..\temp\logo.gif".
• The file at "<$WINDIR>\Downloaded Program Files\cbinstall.exe". • The file at "<$WINDIR>\Downloaded Program Files\setup.inf".
• The file at "<$SYSDIR>\exdl.exe". • The file at "<$SYSDIR>\exul.exe".
• The file at "<$SYSDIR>\msbe.dll". • The file at "<$SYSDIR>\mscb.dll".
• The file at "<$SYSDIR>\nvms.dll". • The file at "<$PROGRAMFILES>\Bargain Buddy\ad.dat".
• The file at "<$PROGRAMFILES>\Bargain Buddy\bbchk.exe". • The file at "<$PROGRAMFILES>\Bargain Buddy\bin\apuc.dll".
• The file at "<$PROGRAMFILES>\Bargain Buddy\bin\bargains.exe". • The file at "<$WINDIR>\bargain.exe".
• The file at "<$WINDIR>\temp\superbarsetup.exe". • A file with an unknown location named "bb.exe". Make sure you set your file manager to display hidden and system files. If eXact Advertising.BargainsBuddy uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins. You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files! Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them. Folders: Please use Windows Explorer or another file manager of your choice to locate and delete these folders. • The directory at "<$PROGRAMS>\NaviSearch".
• The directory at "<$PROGRAMS>\BullsEye Network". • The directory at "<$PROGRAMFILES>\NaviSearch".
• The directory at "<$PROGRAMFILES>\BullsEye Network". • The directory at "<$PROGRAMFILES>\BullsEye Network\bin".
• The directory at "<$PROGRAMFILES>\CashBack". • The directory at "<$PROGRAMFILES>\CashBack\bin".
• The directory at "<$PROGRAMFILES>\NaviSearch\bin". • The directory at "<$PROGRAMFILES>\Bargain Buddy".
Make sure you set your file manager to display hidden and system files. If eXact Advertising.BargainsBuddy uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
• Delete the registry key "{8EEE58D5-130E-4CBD-9C83-35A0564E1357}" at "HKEY_CLASSES_ROOT\Interface\".
• Delete the registry key "{C6906A23-4717-4E1F-B6FD-F06EBED11357}" at "HKEY_CLASSES_ROOT\Interface\".
• Delete the registry key "{8EEE58D5-130E-4CBD-9C83-35A0564E2468}" at "HKEY_CLASSES_ROOT\Interface\".
• Delete the registry key "{C6906A23-4717-4E1F-B6FD-F06EBED12468}" at "HKEY_CLASSES_ROOT\Interface\".
• Delete the registry key "{136E344A-9B05-11D4-A9CD-0050DA1EDBCA}" at "HKEY_CLASSES_ROOT\CLSID\".
• Delete the registry key "{136E344C-9B05-11D4-A9CD-0050DA1EDBCA}" at "HKEY_CLASSES_ROOT\CLSID\".
• Delete the registry key "{136E344E-9B05-11D4-A9CD-0050DA1EDBCA}" at "HKEY_CLASSES_ROOT\CLSID\".
• Delete the registry key "{3AEDDDD6-165B-11D5-B2E1-0050DA1EDCBD}" at "HKEY_CLASSES_ROOT\CLSID\".
• Delete the registry key "{4347C525-93F3-11D4-B2E1-00A0CC5B0D29}" at "HKEY_CLASSES_ROOT\CLSID\".
• Delete the registry key "{88F046D1-9F82-11D4-B2E2-000102746343}" at "HKEY_CLASSES_ROOT\CLSID\".
• A key in HKEY_CLASSES_ROOT\ named "core.IkenaCore", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "core.IkenaCore.1", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "Core.IkenaMessage", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "Core.IkenaMessage.1", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "Core.IkenaXMLAttribute", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "Core.IkenaXMLAttribute.1", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "Core.IkenaXMLElement", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "Core.IkenaXMLElement.1", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "IM.IkenaIM", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "IM.IkenaIM.1", plus associated values.
• Delete the registry key "{277893A0-9F84-11D4-B2E2-000102746343}" at "HKEY_CLASSES_ROOT\TypeLib\".
• Delete the registry key "{3AEDDDC9-165B-11D5-B2E1-0050DA1EDCBD}" at "HKEY_CLASSES_ROOT\TypeLib\".
• Delete the registry key "{62E4BD0E-9161-11D4-B2E1-00A0CC5B0D29}" at "HKEY_CLASSES_ROOT\TypeLib\".
• Delete the registry key "{EFA234E1-EC6B-438C-8B7D-DAFE11C7E18E}" at "HKEY_CLASSES_ROOT\TypeLib\".
• Delete the registry key "{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}" at "HKEY_CLASSES_ROOT\TypeLib\".
• Delete the registry key "CashBack" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
• Delete the registry key "ZESOFT" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
• Delete the registry key "ZESOFT" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
• Delete the registry key "ZESOFT" at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\".
• A key in HKEY_CLASSES_ROOT\ named "ADP.UrlCatcher", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "ADP.UrlCatcher.1", plus associated values.
• Delete the registry key "{F4E04583-354E-4076-BE7D-ED6A80FD66DA}" at "HKEY_CLASSES_ROOT\CLSID\".
• Delete the registry key "{8EEE58D5-130E-4CBD-9C83-35A0564E5678}" at "HKEY_CLASSES_ROOT\Interface\".
• Delete the registry key "{C6906A23-4717-4E1F-B6FD-F06EBED15678}" at "HKEY_CLASSES_ROOT\Interface\".
• Delete the registry key "{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}" at "HKEY_CLASSES_ROOT\TypeLib\".
• Delete the registry key "{F4E04583-354E-4076-BE7D-ED6A80FD66DA}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
• Delete the registry key "ISEXEng" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
• Delete the registry key "ISEXEng" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
• Delete the registry key "ISEXEng" at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\".
• Delete the registry key "Bargains" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
• Delete the registry key "eXactUtil" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
• Delete the registry key "{8EEE58D5-130E-4CBD-9C83-35A0564EA119}" at "HKEY_CLASSES_ROOT\Interface\".
• A key in HKEY_CLASSES_ROOT\ named "CB.UrlCatcher", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "CB.UrlCatcher.1", plus associated values.
• Delete the registry key "{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}" at "HKEY_CLASSES_ROOT\CLSID\".
• Delete the registry key "{CE188402-6EE7-4022-8868-AB25173A3E14}" at "HKEY_CLASSES_ROOT\CLSID\".
• A key in HKEY_CLASSES_ROOT\ named "NLS.UrlCatcher", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "NLS.UrlCatcher.1", plus associated values.
• Delete the registry key "{0878B424-1F95-4E26-B5AB-F0D349D89650}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\".
• Delete the registry key "{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
• Delete the registry key "{CE188402-6EE7-4022-8868-AB25173A3E14}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
• Delete the registry key "NaviSearch" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
• A key in HKEY_CLASSES_ROOT\ named "Ikena.IkenaVersion", plus associated values.
• A key with a likely random name in HKEY_CLASSES_ROOT\CLSID\ that has "IkenaVersion Class" as its default value data.
• A key in HKEY_CLASSES_ROOT\ named "Apuc.UrlCatcher", plus associated values.
• A key in HKEY_CLASSES_ROOT\ named "Apuc.UrlCatcher.1", plus associated values.
• Delete the registry key "{C6906A23-4717-4E1F-B6FD-F06EBED14177}" at "HKEY_CLASSES_ROOT\Interface\".
• Delete the registry key "{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}" at "HKEY_CLASSES_ROOT\TypeLib\".
• Delete the registry key "{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\".
If eXact Advertising.BargainsBuddy uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.