OFFICIAL SECURITY BLOG
Tech News News Favorites Adware Medic Tech Guides About Us
Mac Malware GuideAdware Removal GuideMac Performance Guide

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Adware Removal Guide : Bundlore

Published November 22nd, 2014 at 12:07 PM EST , modified September 8th, 2015 at 10:59 AM EDT

The Bundlore adware is a collection of related adware programs with widely varying names, but that all appear to be made by the same group.

Removal

Delete all of the following browser extensions that you find: Shopy Mate, FlashMall, Cinema-Plus Pro (and variants like CinemaPlus, CinemaProCinema + HD, Cinema + Plus + or Cinema Ploos). (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following items to the trash. Note that, if you don’t know how to locate a file or folder based on the paths that I will give in the instructions, you should read Locating files from paths. Removing many of these files will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. If you are not, you will be unable to remove some of them.

/Applications/WebTools.app
/Applications/WebShopper.app
~/Applications/WebTools.app
~/Applications/WebShopper.app
/Library/cinemapro1-2/
~/Library/cinemapro1-2/
~/Library/WebTools/
~/Library/Application Support/webHelperApp/
~/Library/Application Support/WebShopper/
~/Library/LaunchAgents/WebServerSocketApp
~/Library/LaunchAgents/UpdateDownloder
~/Library/LaunchAgents/com.webhelper.plist
~/Library/LaunchAgents/com.webtools.update.agent.plist
~/Library/LaunchAgents/com.webtools.uninstaller.plist

Some of these items can only be deleted by an admin user, and will require entry of that admin user’s password to delete. You may not find all these items, but should remove all that you do find.

Next, look in the following folders:

/Applications
~/Applications

These are actually two different Applications folders, be sure to check both. Move any applications in either folder having names similar to Shopy Mate, Flashmall, CinemaPlus or CinemaPro to the trash.

There may also be a number of related files in the user LaunchAgents folder. Go to the following folder:

~/Library/LaunchAgents

(Note that, if you don’t know how to locate a file or folder based on the path, you should read Locating files from paths.)

In that folder, look for files like the following and move them to the trash:

Safari Security
shopy-mate_enabler.plist
shopy-mate_enabler.sh
shopy-mate_updater.plist
shopy-mate_updater.sh
shopy-mate.ver
com.crossrider.wssXXXX.agent.plist
com.extensions.updaterXXXXX.agent.plist
com.extensions.updaterXXXXX.ver
com.WebTools.YYYYY.helpd.plist
com.WebTools.YYYYY.plist
com.WebShopper.YYYYY.helpd.plist
com.WebShopper.YYYYY.plist

The “Safari Security” file appears to always have the same name. The others will have names that vary depending on the name of the browser extension you have installed, such as “cinemas-+-plus-+_enabler.plist” or “flashmall_enabler.plist”. Any files like these should be removed. Items like “com.crossrider.wssXXXX.agent.plist” file will have numbers in place of each X. Items like “com.WebTools.YYYYY.plist” will have a string of letters and numbers, such as “oiuqw343sQ9a”, in place of the “YYYYY”.

Also look in the following folder:

/Library/LaunchDaemons

In this folder, you may find a file named something like “com.cinemapro1-2.daemon.plist”. The exact name will vary according to the name of whatever browser extensions you find installed. Move this file to the trash.

When you are done, restart your computer.

<- Back to Adware Removal Guide