MacOS Bundlore Virus (Mac)

Also Known As: MacOS Bundlore (Crossrider) adware
Type: Mac Virus
Distribution: Moderate
Damage level: Medium

How to remove MacOS Bundlore from Mac?

What is MacOS Bundlore?

MacOS Bundlore (also known as Crossrider) or is a family of deceptive software installers that allow criminals to proliferate ("bundle") adware-type applications (such as CinemaPlusPro, FlashMall, MyShopcoupon, etc.) together with regular apps. Adware-type apps typically offer 'useful features' and most may seem legitimate. After infiltration, however, these programs deliver intrusive advertisements and gather sensitive information.

MacOS Bundlore scam

Adware-type apps deliver intrusive advertisements using tools that enable placement of third party graphical content on any site. Therefore, coupons, banners, pop-ups, and other ads that often conceal underlying content, thereby significantly diminishing the browsing experience. Furthermore, they can lead to malicious websites and execute scripts that download and install malware. Even a single click can result in high-risk computer infections. As mentioned, adware-type apps also collect user-system information. Internet Protocol (IP) addresses, queries entered into search engines, URLs of visited pages and other information that may include personal details. It is common that those details are shared with third parties (potentially, cyber criminals). Third parties misuse shared information to generate revenue. Research shows that apps from Bundlore family target details such as a unique identifier for the computer, user name, macOS version, Safari and Chrome version, list of entries in the Applications folder, list of installed agents and daemons, list of installed system configuration profiles and/or version of the installed antivirus software or other security software that is designed to remove malware. Also, apps from this family often get installed as browser extensions and collect data that is displayed on websites or is entered into forms on a websites. It is possible that those apps may be capable of accessing sensitive data, such as usernames, passwords, and credit card numbers. Therefore, having data-tracking apps installed on your computer can lead to serious privacy issues or even identity theft. We strongly recommend that you uninstall all adware-type applications immediately.

Threat Summary:
Name MacOS Bundlore (Crossrider) adware
Threat Type Mac malware, Mac virus
Detection Names Avast (MacOS:Bundlore-CJ [Adw]), DrWeb (Adware.Mac.Bundlore.227), Kaspersky (Not-a-virus:HEUR:AdWare.OSX.Bnodlero.x), NANO-Antivirus (Riskware.Script.Adware.fvryso), Full List (VirusTotal)
Symptoms Your Mac became slower than normal, you see unwanted pop-up ads, you get redirected to shady websites.
Distribution methods Deceptive pop-up ads, free software installers (bundling), fake flash player installers, torrent file downloads.
Damage Internet browsing tracking (potential privacy issues), displaying of unwanted ads, redirects to shady websites, loss of private information.
Malware Removal (Mac)

To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner for Mac
To use full-featured product, you have to purchase a license for Combo Cleaner. Limited three days free trial available.

There are hundreds of adware-type applications, all of which are very similar. As mentioned, these programs typically offer "useful features". In doing so, potentially unwanted applications (PUAs) attempt to give the impression of legitimacy, however, their only purpose is to generate revenue for the developers. Rather than giving any real value for regular users, PUAs deliver intrusive advertisements and gather sensitive information, thereby posing a direct threat to your privacy and Internet browsing safety.

How did potentially unwanted programs install on my computer?

As mentioned, MacOS Bundlore's installers "bundle" adware. Therefore, due to the lack of knowledge and careless behavior of many users, potentially unwanted applications often infiltrate systems without consent. Developers do not disclose PUA installations properly. Therefore, adware-type apps are often concealed within various sections (e.g., "Custom/Advanced" settings) of the download or installation processes. Furthermore, many users are likely to rush these procedures and skip steps, thereby exposing systems to risk of various infections and putting users' privacy at risk.

How to avoid installation of potentially unwanted applications?

The key to computer safety is caution. Therefore, to prevent system infiltration by potentially unwanted applications, be very cautious when downloading/installing software and browsing the Internet. Select "Custom/Advanced" settings and carefully analyze each window of the download/installation dialogs. Opt-out of all additionally-included programs and decline offers to download/install them. We advise you to download software from official sources only, using direct download links. Unofficial downloaders/installers should never be used, since developers monetize them by promoting ("bundling") PUAs. As well as using the "bundling" method, adware developers often proliferate these programs using intrusive advertisements. Developers invest many resources into intrusive ad design, thereby making them seem legitimate, however, the ads often lead to dubious websites (gambling, adult dating, pornography, and so on). If you encounter these ads, immediately eliminate all dubious applications and browser plug-ins. If your computer is already infected with PUPs, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.

Most commonly adware from "Bundlore" family install via fake Adobe Flash Player updaters:

Appearance of MacOS Bundlore scam (GIF)

List of .plist files modified by MacOS Bundlore virus:

  • ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.Extensions.plist
  • ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist
  • ~/Library/Preferences/com.apple.Safari.SandboxBroker.plist
  • ~/Library/Preferences/com.google.Chrome.plist
  • ~/Library/Safari/Bookmarks.plist
  • ~/Library/Safari/Extensions/Extensions.plist

List of domains related to MacOS Bundlore virus:

  • auctioneer.50million[.]club
  • cdn.macmymacupdater[.]com
  • cdn.mycouponsmartmac[.]com
  • cdn.myshopcouponmac[.]com
  • events.blitzbarbara[.]win
  • events.macinstallerinfo[.]com
  • events.mycouponsmartmac[.]com
  • events.ponystudent[.]com
  • otcct.beforeoctavia[.]site
  • secure.mycouponsmartmac[.]com
  • service.ezsoftwareupdater[.]com
  • service.macinstallerinfo[.]com
  • software.macsoftwareserver05[.]com

List of adware-type applications relating to MacOS Bundlore virus:

BestSmart Shoppers BestWebShoppers
CoolShopper Couponizer
Easy-Shopper EasyShopper
FlashMall HotShoppy
LiveShoppers MyCouponize
MyShopBot MyShopcoupon
MyShopMate ShopTool
Shopperify Shoppinizer
Smart-Shoppy SmartShoppy
SurfBuyer SurfMate
WebShoppers WebShoppy

Update September 13, 2019 - Cyber criminals have updated MacOS Bundlore a number of times since it first release and, thus, its behavior has changed. First of all, MacOS Bundlore uses a different technique to manipulate web browsers' search settings. In the past, MacOS Bundlore was using malicious browser extensions. Since MacOS 10.13 release, however, MacOS Bundlore achieves this by creating new device profiles, because the previous method is no longer working due to newly-added MacOS security features. Now it is worth mentioning that MacOS Bundlore performs a chain of actions to inject rogue applications into the system. Initially, a bash script ("Install.sh") connects to a remote server and downloads an archive containing an app named "mm-install-macOS". Once executed, this app connects to a remote server and downloads/executes scripts necessary to install unwanted applications. Now it is worth mentioning that password of the user is necessary for MacOS Bundlore to communicate with the system. In order to extract the password, MacOS Bundlore prompts a pop-up window pretending to be MacOS and asks user to enter the password. Once entered, the password is saved and used for further actions. MacOS Bundlore consists of three main components: 1) MyMacUpdater (responsible for communication with Command & Control (C&C) server in order to keep the infection up-to-date); 2) WebTools (responsible for bypassing MacOS security, changes of browsers' behavior, persistence achievement, and installation of ad-delivering tools), and; 3) ad-delivering tool which injects JavaScript into browsers by using AppleScript.

Update June 29, 2020 - MacOS Bundlore has been updated in order to target the newest version of the Safari browser. Since Safari 13 is longer compatible with the old Safari Extension format (.safariextz), developers of both legitimate and questionable software have been pushed to update their products in accordance. These changes in formatting have not escaped the notice of MacOS Bundlore developers. Several new installers have been released containing payloads compatible with the new Safari App Extension format (.appex).

IMPORTANT NOTE! As mentioned above, MacOS Bundlore uses device profiles to alter web browsers' behavior. Therefore, before taking any further removal steps, perform these actions:
1) Click the "Preferences" icon in the menu bar and select "Profiles"

pavadinimas preferences step 1

2) Select the "AdminPrefs" profile and delete it.

pavadinimas preferences step 2

3) Perform a full system scan with Combo Cleaner anti-virus suite.

After performing these actions, you can proceed with further removal steps for this browser hijacker.

Instant automatic Mac malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited three days free trial available.

Quick menu:

Video showing how to remove adware and browser hijackers from a Mac computer:

Potentially unwanted programs removal:

Remove PUP-related potentially unwanted applications from your "Applications" folder:

mac adware removal from applications folder

Click the Finder icon. In the Finder window, select “Applications”. In the applications folder, look for “MPlayerX”,“NicePlayer”, or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Remove macos bundlore (crossrider) adware related files and folders:

Finder go to folder command

Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...

step1Check for adware-generated files in the /Library/LaunchAgents folder:

removing adware from launch agents folder step 1

In the Go to Folder... bar, type: /Library/LaunchAgents

removing adware from launch agents folder step 2
In the “LaunchAgents” folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - “installmac.AppRemoval.plist”, “myppes.download.plist”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist”, etc. Adware commonly installs several files with the same string.

step2Check for adware generated files in the /Library/Application Support folder:

removing adware from application support folder step 1

In the Go to Folder... bar, type: /Library/Application Support

removing adware from application support folder step 2
In the “Application Support” folder, look for any recently-added suspicious folders. For example, “MplayerX” or “NicePlayer”, and move these folders to the Trash.

step3Check for adware-generated files in the ~/Library/LaunchAgents folder:

removing adware from ~launch agents folder step 1


In the Go to Folder bar, type: ~/Library/LaunchAgents

removing adware from ~launch agents folder step 2

In the “LaunchAgents” folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - “installmac.AppRemoval.plist”, “myppes.download.plist”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist”, etc. Adware commonly installs several files with the same string.

step4Check for adware-generated files in the /Library/LaunchDaemons folder:

removing adware from launch daemons folder step 1
In the Go to Folder... bar, type: /Library/LaunchDaemons

removing adware from launch daemons folder step 2
In the “LaunchDaemons” folder, look for recently-added suspicious files. For example “com.aoudad.net-preferences.plist”, “com.myppes.net-preferences.plist”, "com.kuklorest.net-preferences.plist”, “com.avickUpd.plist”, etc., and move them to the Trash.

step 5 Scan your Mac with Combo Cleaner:

If you have followed all the steps in the correct order you Mac should be clean of infections. To be sure your system is not infected run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file double click combocleaner.dmg installer, in the opened window drag and drop Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates it's virus definition database and click "Start Combo Scan" button.

scan-with-combo-cleaner-1

Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide, otherwise it's recommended to remove any found infections before continuing.

scan-with-combo-cleaner-2

After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

MacOS Bundlore (Crossrider) adware removal from Internet browsers:

safari browser iconRemove malicious extensions from Safari:

Remove macos bundlore (crossrider) adware related Safari extensions:

safari browser preferences

Open Safari browser, from the menu bar, select "Safari" and click "Preferences...".

safari extensions window

In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

firefox browser iconRemove malicious plug-ins from Mozilla Firefox:

Remove macos bundlore (crossrider) adware related Mozilla Firefox add-ons:

accessing mozilla firefox add-ons

Open your Mozilla Firefox browser. At the top right corner of the screen, click the "Open Menu" (three horizontal lines) button. From the opened menu, choose "Add-ons".

removing malicious add-ons from mozilla firefox

Choose the "Extensions" tab and look for any recently-installed suspicious add-ons. When located, click the "Remove" button next to it/them. Note that you can safely uninstall all extensions from your Mozilla Firefox browser - none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

chrome-browser-iconRemove malicious extensions from Google Chrome:

Remove macos bundlore (crossrider) adware related Google Chrome add-ons:

removing malicious google chrome extensions step 1

Open Google Chrome and click the "Chrome menu" (three horizontal lines) button located in the top-right corner of the browser window. From the drop-down menu, choose "More Tools" and select "Extensions".

removing malicious Google Chrome extensions step 2

In the "Extensions" window, look for any recently-installed suspicious add-ons. When located, click the "Trash" button next to it/them. Note that you can safely uninstall all extensions from your Google Chrome browser - none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
MacOS Bundlore (Crossrider) adware QR code
A QR code (Quick Response Code) is a machine-readable code which stores URLs and other information. This code can be read using a camera on a smartphone or a tablet. Scan this QR code to have an easy access removal guide of MacOS Bundlore (Crossrider) adware on your mobile device.
We Recommend:

Get rid of Mac malware infections today:

▼ REMOVE IT NOW
Download Combo Cleaner for Mac

Platform: macOS

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. Limited three days free trial available.