Avast WEBforum

Consumer Products => Avast Mac Security => Topic started by: REDACTED on October 11, 2018, 08:12:11 AM

Title: MacOS:Bundlore-BG [Adw]
Post by: REDACTED on October 11, 2018, 08:12:11 AM
Popup alerted that Filesystem Shield blocked

Infection: MacOS:Bundlore-BG [Adw]
Process: /Applications/Safari.app/Contents/MacOS/Safari
File: /Users/ME/Library/Safari/Extensions/.dat.nosync018b.ot4Rpk


I searched the forums for Bundlore-BG and had no hits, and only four for Bundlore (from 2012-2015).
Is there any way of knowing what website was responsible? I had opened a new window and opened a set of saved tabs that I look at regularly. Repeated this later and had no Avast alerts.

Using: Avast 13.11, Virus Definitions 18101000; MacOS 10.13.6, Safari 12.0
Extensions installed: Blur (Abine), Adblock Plus

P.S. It might be convenient to put the version of Avast and the Virus Definitions on the pop-up window.
Title: Re: MacOS:Bundlore-BG [Adw]
Post by: .: Mac :. on October 14, 2018, 03:56:56 PM
It looks to possibly be a Safari extension based on the file path reported. Can you check that there are no installed extensions that you did not install yourself? Check the Extensions tab in the Safari preferences.
Title: Re: MacOS:Bundlore-BG [Adw]
Post by: REDACTED on October 14, 2018, 11:34:10 PM
I also got the same alert 4 days ago. I've gone to some trouble to figure out what happened since I did not actually install anything that day. I haven't had much luck finding anything helpful.
Title: Re: MacOS:Bundlore-BG [Adw]
Post by: .: Mac :. on October 14, 2018, 11:45:39 PM
Hi MisterX,

Yes, shopping/coupon extensions and add-ons are often associated with adware like Bundlore, and many could themselves be called adware in the purest sense. I suspect it's a similar scenario for Stubb.

Cheers,
Mac
Title: Re: MacOS:Bundlore-BG [Adw]
Post by: REDACTED on October 14, 2018, 11:49:30 PM
I thought that it might have been installed by a Safari extension update. But after checking the dates of recent updates, nothing matches when Avast found Bundlore-BG. I've edited my previous post.
Title: Re: MacOS:Bundlore-BG [Adw]
Post by: .: Mac :. on October 15, 2018, 12:03:53 AM
Often it's bundled with some free applications, as a way for them to monetize the app. Luckily, extensions are the easier form of adware to remove.

If you get any further detection, post a screenshot and we can assist with removal.
Title: Re: MacOS:Bundlore-BG [Adw]
Post by: REDACTED on October 16, 2018, 08:09:17 AM
The extensions I have had installed for some time are Blur (by Abine, tracker blocking, masked e-mails) and Adblock Plus. There were no unwanted surprises in Preferences (nor in System Preferences > Login Items).

I deleted the quarantined file, reran AV and malware scans. Have not had any alerts.

Just for information, what currently appears in ~/Library/Safari/Extensions are Extensions.plist and Blur.safariextz. The .plist file is incomprehensible but does contain a block of stuff about Blur.

\Apple-signed_Hash of Content Blocker String_Bundle Directory Name_Added Non-Default Toolbar Items_Archive File Name_Bundle Identifier_Developer Identifier[Hidden Bars_Removed Default Toolbar ItemsWEnabledYSignature_Has Called canLoad   _Blur-2.safariextension†_Blur-2.safariextz_com.abine.dntpsafariZ82M4SELZCB††......

The next blob goes on and on and with many URL sort of things that either have something to do with AdBlock or whose presence makes no sense. Since I've never examined this file before, I can't know.

I think I'll uninstall those extensions, make sure the files get trashed and reinstall. I'll report back to confirm whether the stuff in ~/Library/Safari/Extensions looks okay or not.

Update:

Appears the long blob is from the adblocker. I was also having trouble with very slow response in Hotmail which I thought might be related to this in an indirect way. Uninstalling everything associated with AdBlock Plus eliminated that issue. I installed a new one, uBlock Origin, which seems to play well with everyone. Checking Extensions.plist, once again there is a long list of stuff; that must all come from the ad blockers.

p.s. The audio Verification option doesn't work. The captchas do because I can't read some of them.
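The thread turns on two questions: which extensions Extensions.plist actually registers (the file the poster found unreadable), and whether anything in ~/Library/Safari/Extensions is not accounted for, such as the hidden .dat.nosync... file in the alert. The script below is an added example, not part of the thread or of Avast's tooling. It parses the plist with Python's plistlib and compares it with the directory listing against an allowlist of known bundle identifier / developer identifier pairs. The keys used are the ones visible in the poster's dump; the top-level "Installed Extensions" array, the allowlist, and the second extension entry are constructed assumptions, not indicators from the page.

```python
import os
import plistlib

# Constructed sample in the shape of Extensions.plist. Assumption: entries live
# under a top-level "Installed Extensions" array; the com.example.coupons entry
# is invented to show what an unexpected registration looks like.
SAMPLE_PLIST = plistlib.dumps({
    "Installed Extensions": [
        {"Bundle Identifier": "com.abine.dntpsafari",
         "Developer Identifier": "Z82M4SELZCB",
         "Archive File Name": "Blur-2.safariextz",
         "Bundle Directory Name": "Blur-2.safariextension",
         "Enabled": True, "Apple-signed": False},
        {"Bundle Identifier": "com.example.coupons",  # constructed, not an IoC
         "Developer Identifier": "",
         "Archive File Name": "Coupons.safariextz",
         "Enabled": True, "Apple-signed": False},
    ],
})

# Allowlist: bundle id -> developer id the user knowingly installed (assumed).
EXPECTED_DEVELOPERS = {"com.abine.dntpsafari": "Z82M4SELZCB"}


def registered_extensions(plist_bytes):
    """Return (bundle id, developer id, archive name, enabled) for each entry."""
    data = plistlib.loads(plist_bytes)
    return [(e.get("Bundle Identifier", "?"), e.get("Developer Identifier", ""),
             e.get("Archive File Name", ""), bool(e.get("Enabled", False)))
            for e in data.get("Installed Extensions", [])]


def review_extension_files(file_names, plist_bytes, expected=EXPECTED_DEVELOPERS):
    """Flag registrations outside the allowlist, unregistered .safariextz
    archives, and hidden files (dotfiles) sitting in the extensions folder."""
    findings, archives = [], set()
    for bid, dev, archive, _enabled in registered_extensions(plist_bytes):
        archives.add(archive)
        if expected.get(bid) != dev:
            findings.append(f"unexpected extension {bid} (developer id {dev or 'none'})")
    for name in sorted(file_names):
        if name.startswith("."):
            findings.append(f"hidden file in extensions folder: {name}")
        elif name.endswith(".safariextz") and name not in archives:
            findings.append(f"archive not registered in Extensions.plist: {name}")
    return findings


def review_directory(ext_dir=os.path.expanduser("~/Library/Safari/Extensions")):
    """Run the review against a real folder (reads its Extensions.plist)."""
    with open(os.path.join(ext_dir, "Extensions.plist"), "rb") as fh:
        return review_extension_files(os.listdir(ext_dir), fh.read())
```

Run against a real folder, it reports only the three conditions above, so a clean folder with known extensions yields an empty list.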