How to get rid of BGAUpsell?

Anonymous
2023-04-29T00:18:31+00:00

Hi,

Despite running antivirus software, I seem to have picked up a virus listed as BGAUpsell.exe.

It keeps popping up annoying messages about various programs to buy.

It is not listed under installed Apps, and I was wondering if anyone had seen this before and knew how to get rid of it?
Running Windows 11 Home 22H2 build 22621.1555

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

17 answers

  1. Anonymous
    2023-08-23T16:11:20+00:00

    BGAUpsell.exe is adware from Microsoft to push installing Bing as your default search engine in Google Chrome. I noticed it after getting a popup and checking the Details tab in Task Manager, and confirming it disappeared after I selected not to do so in the popup.

    Microsoft shouldn't be pushing this junk in this roundabout way, presumably just because users have chosen to use Chrome instead of Edge so that Microsoft can't push it directly through their browser.

    I'm currently using a relatively new laptop while on holiday overseas, and have gone to the trouble of installing Avast One Essential antivirus (which I use on my desktop at home, and just hadn't got around to installing) and have manually added BGAUpsell.exe to its Quarantine.

    You could also just end the process in Task Manager and delete the file from your Windows\Temp\MUBSTemp folder.

    Two middle fingers up to you for this, Microsoft 🙃

    20+ people found this answer helpful.
  2. Anonymous
    2023-08-20T19:52:44+00:00

    The file seems to be a C# WinForms application and is signed by Microsoft. I think it was downloaded when one of the cumulative updates was installed (KB5029244 and KB5029649). It's frustrating that Microsoft tries everything to force users to use their Bing search engine. This is the most unprofessional way from such a big company. Windows is turning into adware.

    20+ people found this answer helpful.
  3. Anonymous
    2023-08-17T20:34:43+00:00

    I also want to confirm.

    BGAUpsell.EXE

    File information:

    Size: 16.7 MB (17,535,408 bytes)

    MD5: 8E18E83CE4CAEFD65BC069C1E719AA78

    SHA1: 65058C10CA85BB865499A85DFDF2D43101792CB7

    SHA256: F4918583F0B669FC13CFFC92CCF647F0160870C48B4DBC2B397239841BE9E73C

    Signers:

    Name Microsoft Corporation

    Issuer Microsoft Code Signing PCA 2011

    Valid Usage Microsoft Publisher, Code Signing

    Algorithm sha256RSA

    Thumbprint 72105B6D5F370B62FD5C82F1512F7AD7DEE5F2C0

    Serial Number 33 00 00 03 4E B5 3C 7A C1 84 6F EB 2B 00 00 00 00 03 4E

    The BGAUpsell process tries to connect to IP 184.24.80.219:443.

    IP info: https://ipinfo.io/AS20940/184.24.0.0/13-184.24.80.0/22

    Virus scan report: https://www.virustotal.com/gui/file/f4918583f0b669fc13cffc92ccf647f0160870c48b4dbc2b397239841be9e73c

    With the above info, this seems to be something from Microsoft, because the EXE is signed by Microsoft.

    I don't have a full trace of the BGAUpsell because I'm a bit scared too, so I abort it as soon as I get an internet connection report, and save a backup to recheck later.

    Because I'm not sure if the signature was added to my system by the application; after all, it has already been executed.

    Even though this article spans from April to today's August, it doesn't seem to explain much about BGAUpsell.

    If Microsoft could have a query platform that can query the path where the file should be located, the file size and the fingerprint of the file (such as MD5+SHA256), I think this could effectively relieve my little panic, lol...

    10+ people found this answer helpful.
  4. Anonymous
    2023-07-22T15:10:29+00:00

    I wonder whether this file is actually a virus or rather adware by MS. Can an MS employee shine light on this?

    I got a notification-esque popup today on my Windows 11 machine that advertised Bing. The taskbar did not show any window relating to that popup. Task Manager showed BGAUpsell without exe. After killing that process the popup vanished.

    Searching my C: drive, I found the BGAUpsell.exe file in a temp folder and deleted it. Windows Defender did not recognize the file as malicious.

    10+ people found this answer helpful.
  5. Anonymous
    2023-08-26T13:51:35+00:00

    !BGAUpsell.exe C:\Windows\Temp\MUBSTemp\BGAUpsell.exe
    You can delete it after ending this task in Task Manager.

    To disable it you have to open regedit and go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.

    You have to do just 1 thing. So just delete it and they can't auto run it.

    Not sure if Windows Update will bring it back anytime they want.

    6 people found this answer helpful.
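
The checks described in answers 3 and 5 (file hash, Authenticode signer, RunOnce entry, outbound connections) can be collected in one read-only pass. This is an added example, not code from any poster or from Microsoft; the function name `Get-BgaUpsellReport` is hypothetical, and it assumes an elevated PowerShell prompt so that `Windows\Temp` is readable.

```powershell
# Added example. Path, hash, thumbprint and registry key are the values quoted in the answers above.
$Path       = 'C:\Windows\Temp\MUBSTemp\BGAUpsell.exe'
$PageSha256 = 'F4918583F0B669FC13CFFC92CCF647F0160870C48B4DBC2B397239841BE9E73C'
$PageThumb  = '72105B6D5F370B62FD5C82F1512F7AD7DEE5F2C0'
$RunOnce    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-BgaUpsellReport {
    $report = [ordered]@{ FilePresent = Test-Path -LiteralPath $Path }

    if ($report.FilePresent) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $report.Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $report.HashMatchesPage = $report.Sha256 -eq $PageSha256
        # 'Valid' depends on this machine's trust store and on the file being unmodified.
        $report.SignatureStatus = "$($sig.Status)"
        $report.Signer          = $sig.SignerCertificate.Subject
        # The thumbprint comparison does not depend on the local trust store.
        $report.ThumbMatchesPage = $sig.SignerCertificate.Thumbprint -eq $PageThumb
    }

    # RunOnce values whose name or data mentions the binary (answer 5).
    $props = Get-ItemProperty -LiteralPath $RunOnce -ErrorAction SilentlyContinue
    $report.RunOnceEntries = @(
        if ($props) {
            $props.PSObject.Properties |
                Where-Object { "$($_.Name) $($_.Value)" -like '*BGAUpsell*' } |
                ForEach-Object { "$($_.Name) = $($_.Value)" }
        }
    )

    # Running instances and the remote endpoints they hold open (answer 3).
    $procs = @(Get-Process -Name 'BGAUpsell' -ErrorAction SilentlyContinue)
    $report.RunningPids = @($procs.Id)
    $report.RemoteEndpoints = @(
        foreach ($p in $procs) {
            Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
                Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::' } |
                ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
        }
    )

    [pscustomobject]$report
}

Get-BgaUpsellReport | Format-List
```

A hash that differs from the one posted above does not by itself indicate tampering, since a later update may ship a different build; the signer fields are the more stable comparison.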