
What is Genieo and why did it appear mysteriously on my MacBook Pro?

Today I was using my MacBook and mysteriously I saw something on my dock. There was an icon saying install Genieo. I asked my brother if he downloaded something and he told me that he hadn't used my computer. Fortunately I have a passcode so nobody can install a program without the code.... I feel scared because this morning I saw a message on my Mac saying that somebody on my network was using my computer's IP address. I deleted that installer but I feel scared for all the Mac users. Somebody please reply.

MacBook Pro (13-inch Late 2011), Mac OS X (10.7.2)

Posted on Nov 10, 2012 6:19 PM

Question marked as Best reply

Posted on Jun 7, 2017 3:13 PM

Note that this discussion is over 4-1/2 years old and eighteen pages long! That's almost as long as Genieo has been in the business of installing Adware on unsuspecting users.


Apple just updated its XProtect detection yesterday to detect OSX.Genieo.G so that will protect you from now on (assuming you have not disabled automatic security updates) for seven different versions of Genieo, but I suspect there are even more than that.


Genieo has partnership agreements with many software distributors who include this unwelcome package along with 3rd party software. Avoid downloading anything from C|Net's download.com, MacUpdate (unless you are signed in), and other such distributors. Always use either the App Store or the developer's web site to download the apps you need. That's still not a guarantee, so when you install them, be sure to carefully read everything the installer is telling you or you will probably miss the opportunity to opt-out of installing such things.


Not sure exactly what your "concern" is, but hopefully I've touched on that.

270 replies

Oct 11, 2014 10:31 AM in response to GGATCC

GGATCC wrote:


Thank you, I think we're getting down to the brass tacks in this thread.


This topic is 17 pages long [edit: make that 18 now, with the addition of this post], 15 posts per page... we're long past brass tacks at this point.


Genieo is well-known adware at this point, and removal is well-documented, with the steps required having been posted here many, many times. For one example, see:


http://www.thesafemac.com/arg-genieo/


(Fair disclosure: I may receive compensation from links to my site and software, in the form of buttons allowing for donations. Donations are not required to use my site or software.)


Symantec identified a whole series of files it considers suspicious.


Don't bother with Symantec. Their anti-virus software is well-known for its ability to bring a healthy Mac to its knees, and it only does a moderate job of detecting Mac malware. It won't do an adequate job of removing Genieo, either... I'm not aware of any anti-virus software that removes every component of Genieo reliably. Further, there are some components that, if removed improperly, will cause your computer to crash and be unable to start up again. Some anti-virus software has been known to fail to remove these files properly, causing exactly this disaster.

Dec 4, 2014 8:52 AM in response to thomas_r.

Genieo is indeed adware/malware. I couldn't even access my Firefox browser. I had to take my iMac into an Apple specialist to uninstall it and now there are no problems with Firefox, but I'm having a problem with the Firefox add-on Print Edit, which I didn't have before all the adware was removed. Have to call him back......sigh! Beware of GoPhoto, Jollywallet and Spigot, too! I'm sure there are a bunch of others as well....

Dec 16, 2014 3:58 AM in response to Javier23gol

This is my first time ever posting here, but I thought I'd post because I've just come across this Genieo thing. I downloaded a flash player update that I've been putting off because I'm lazy lol, and I went directly to adobe.com. I also checked the incoming download - macromedia.com. In my Downloads folder it's called install_flash_player_osx.dmg. No sign whatsoever that it contained anything else but my normal ordinary Flash Player update. I updated it like usual, and then a couple of hours later, a little installer notice pops up asking me to enter my password. I decline, and immediately go searching for the culprit. The actual installer popped up a couple of minutes later in Finder, and I discovered completer.app. That's when I went searching, and found out what it was, and that it was in my system, even if I hadn't actually installed it myself.


I've read every post on this thread, and noticed a lot of the time people commenting going 'well don't download crap from crap sites' etc etc. Well, I downloaded mine from the official site, and I still got it. Now I can't seem to delete a folder from my Applications folder called 'InstallMac'. Well, I can delete it, it contains a package called ResetSearch but it tells me it won't delete it because 'GenericApp.icns' is in use, but I can't seem to find it to delete it. Any idea of where I should be looking, folks? I've deleted everything else that I can going through a removal process.

Dec 16, 2014 10:55 PM in response to punksville

A much safer way to update is by opening System Preferences->Flash Player->Advanced tab and clicking "Check Now".


You say you went to adobe.com, but it should have been get.adobe.com/flashplayer/. You also said you checked the incoming download from macromedia.com but that site has never been involved in any version of Flash Player that I have ever downloaded. The actual download url is https://get.adobe.com/flashplayer/download/?installer=FP_16_Mac_for_Safari_and_Firefox_-_NPAPI&os=OSX&browser_type=KHTML&browser_dist=Safari&d=Adobe_Photoshop_Lightroom_for_Macintosh&dualoffer=false and the name of the file in your Downloads folder should have been "AdobeFlashPlayerInstaller_16_ltrosxd_aaa_aih.dmg".


Mounting the .dmg gives you an app named "Install Adobe Flash Player" and running that downloads to /private/var/run/Adobe/AIH.a573d418ca493f3e1ef7fa23dfeba34d0a37007e/install_flash_player_osx.dmg and then attempts to complete the actual installation.


Bottom line is that I'm not sure what you obtained from where. The only thing that is normally offered as an "opt-in" check box is the "Lightroom 5 trial".


I have never heard of a Genieo installation being delayed by two hours. They do have partnership agreements with lots of vendors and continue to recruit more, but have never been known to have an actual one with Adobe. A few users have reported receiving fake Flash Player installers that were actually Genieo, but they all came from unofficial sites. So I have to think that what happened to you was coincidental with your Flash Player update. If you are convinced that your installer is infected I would ask you to upload it to http://www.virustotal.com and I can also give you the address of my colleague at TheSafeMac who would be very interested in seeing it.


But back to your problem: all you need to do is reboot to release GenericApp.icns and empty the trash.


The fastest, most effective way to identify and optionally remove all currently known adware is by using AdwareMedic, developed by thomas_r., this Forum's malware guru, owner of TheSafeMac and a colleague of mine.

Dec 19, 2014 3:09 PM in response to MadMacs0

I had the same kind of delayed "InstallMac" and got two Installer volumes mounted containing a package "Double click to install"...never installed it. Two things are weird:


1. I don't remember installing anything and didn't do a manual Flash update (but I think I have the auto-update daemon activated)

2. The attack was delayed by at least 2 hours, since I had left the mac afk.


Now I've removed everything with AdwareDoctor and installed Little Snitch to chase any backdoor. But I'm still unsure if my mac is compromised, if they could have overwritten any known daemon executable.


I have these logs from the time of the attack (I call it an attack since I'm starting to think this could have been triggered remotely, maybe from a website I left open in Chrome or from a backdoor):


17/12/14 03:52:15,287 authd[85]: Succeeded authorizing right 'system.privilege.taskport.safe' by client '/usr/libexec/taskgated' [73] for authorization created by '/usr/libexec/taskgated' [3217] (3,1)

17/12/14 03:53:32,310 authd[85]: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent' [16] for authorization created by '/usr/libexec/UserEventAgent' [16] (12,0)

17/12/14 04:02:00,180 Installer[3222]: >>>>>>>>>>>>>>>>>> InstallMac::: start application

17/12/14 04:02:00,180 Installer[3222]: >>>>>>>>>>>>>>>>>> InstallMac::: applicationPath == /Users/***/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/Installer

17/12/14 04:02:00,183 Installer[3222]: >>>>>>>>>>>>>>>> [AppInfo getTriggerVal] == update

17/12/14 04:02:00,398 Installer[3222]: >>>>>>>>>>>>>>>> [[AppInfo appMountPoint] ==

17/12/14 04:02:01,223 Installer[3222]: $$$$$$$$$$$$$ <key>install_mc_offer_id</key> 0

17/12/14 04:02:01,434 Installer[3222]: $$$$$$$$$$$$$ <key>agent_update</key> 0

17/12/14 04:02:01,644 Installer[3222]: $$$$$$$$$$$$$ <key>disable_dynamic_update</key> 0

17/12/14 04:02:01,851 Installer[3222]: $$$$$$$$$$$$$ <key>server_version</key> 0

17/12/14 04:02:01,962 Installer[3222]: >>>>>InstallMac onNewRequest event

17/12/14 04:02:01,962 Installer[3222]: >>>>>InstallMac before set URL

17/12/14 04:02:01,964 Installer[3222]: >>>>>InstallMac onNewRequest event

17/12/14 04:02:01,964 Installer[3222]: >>>>>InstallMac onNewRequest URL : http://genieo-installer.appspot.com/install/agent_update?session_id=D5AAA440-B7C9-4DE1-9195-80FD520A16C7&emid=a0f0957741fc51087bb91977dc567298&app_id=5350023&offer_id=0&os_version=10.10.2&install_version=16855&r=2013957406&disable_dynamic_update=0&keyboard_lang=it,en&os_lang=it

17/12/14 04:02:01,964 Installer[3222]: >>>>>InstallMac::: Analytics before reportAppLoaded

17/12/14 04:02:02,566 Installer[3222]: >>>>>InstallMac onNewRequest event

17/12/14 04:02:02,567 Installer[3222]: >>>>>InstallMac onNewRequest URL : about:blank

17/12/14 04:02:02,583 Installer[3222]: >>>>>InstallMac onNewRequest event

17/12/14 04:02:02,583 Installer[3222]: >>>>>InstallMac onNewRequest URL : action://accept?app=publisherApp&finish=1&language=

17/12/14 04:02:09,525 Installer[3222]: waitForCachedData http://genieo-installer.appspot.com/application/get_app_dmg?app_id=5350023&agent_update=true

17/12/14 04:02:09,000 kernel[0]: hfs: mounted Installer on device disk4s2

17/12/14 04:02:09,817 mds[32]: (Volume.Normal:2464) volume:0x7fad6c0c7400 ********** Bootstrapped Creating a default store:1 SpotLoc:(null) SpotVerLoc:(null) occlude:0 /Volumes/Installer 1

17/12/14 04:02:10,892 Installer[3222]: file is nil

17/12/14 04:02:10,893 Installer[3222]: &safari_install_err=0,&safari_install= 0

17/12/14 04:02:10,893 Installer[3222]: downLoadBrowser unknown

17/12/14 04:02:10,893 Installer[3222]: urlString: http://genieo-installer.appspot.com/monetize?session_id=D5AAA440-B7C9-4DE1-9195-80FD520A16C7&emid=a0f0957741fc51087bb91977dc567298&os_version=10.10.2&predefined_app_id=5350023&predefined_offer_id=0&is_install_accepted=true&install_id=2190001&admin_confirmed=false&install_download_start=true&install_download_success=true&install_exe_start=true&install_exe_done_status=0&download_url=unknown&download_browser=unknown&active_browser=unknown&default_browser=unknown&keyboard_lang=it,en&os_lang=it&language=&safari_install_err=0&safari_install=0

17/12/14 04:02:11,070 Installer[3222]: >>>>>>>> JSON string :{"status":400,"error":"Bad request"}

17/12/14 04:02:11,070 Installer[3222]: >>>>>>>> JSON dict :(null)

17/12/14 04:02:11,070 Installer[3222]: >>>>>>>> isMonetied :(null)

17/12/14 04:02:11,070 Installer[3222]: InstallMac >>>> installComplete : {"publisherApp":1,"isHideSplashWindow":0}

17/12/14 04:02:11,071 Installer[3222]: >>>>>InstallMac onNewRequest event

17/12/14 04:02:11,071 Installer[3222]: >>>>>InstallMac onNewRequest URL : action://terminate?language=

17/12/14 04:55:20,553 ReportCrash[3330]: Saved crash report for Installer[3319] version 2.0 (2) to /Users/***/Library/Logs/DiagnosticReports/Installer_2014-12-17-045520_iMac-di-***.crash



Process: Installer [3319]

Path: /Users/USER/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/Installer

Identifier: com.genieoinnovation.Installer

Version: 2.0 (2)

Code Type: X86-64 (Native)

Parent Process: ??? [1]

Responsible: Installer [3319]

User ID: 501



Date/Time: 2014-12-17 04:55:11.344 +0100

OS Version: Mac OS X 10.10.2 (14C81f)

Report Version: 11

Anonymous UUID: ***





Time Awake Since Boot: 160000 seconds



Crashed Thread: 5



Exception Type: EXC_BAD_ACCESS (SIGBUS)

Exception Codes: KERN_PROTECTION_FAILURE at 0x000000010665b958
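
A defender's triage of the log excerpt above, as an added example and not code from this thread or from any of the tools it names: it parses system.log-style lines, flags the com.genieoinnovation.Installer path, the genieo-installer.appspot.com beacons with their session parameters, and the mount of a volume named Installer, so that PIDs and timestamps can be lined up into an incident timeline. The sample lines are constructed from the ones posted here, with the line-wrap spaces removed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, copied from the system.log excerpt posted above with the
# line-wrap spaces removed; same "DD/MM/YY HH:MM:SS,mmm process[pid]: message" shape.
SAMPLE_LOG = """\
17/12/14 03:53:32,310 authd[85]: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent' [16]
17/12/14 04:02:00,180 Installer[3222]: >>>>>>>>>>>>>>>>>> InstallMac::: applicationPath == /Users/***/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/Installer
17/12/14 04:02:01,964 Installer[3222]: >>>>>InstallMac onNewRequest URL : http://genieo-installer.appspot.com/install/agent_update?session_id=D5AAA440-B7C9-4DE1-9195-80FD520A16C7&app_id=5350023&os_version=10.10.2&install_version=16855
17/12/14 04:02:09,000 kernel[0]: hfs: mounted Installer on device disk4s2
17/12/14 04:02:10,893 Installer[3222]: urlString: http://genieo-installer.appspot.com/monetize?session_id=D5AAA440-B7C9-4DE1-9195-80FD520A16C7&is_install_accepted=true&admin_confirmed=false
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d,\d+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://\S+")
PATH_RE = re.compile(r"(/\S.*?com\.genieoinnovation\S*)")
MOUNT_RE = re.compile(r"hfs: mounted (\S+) on device (\S+)")

GENIEO_BUNDLE = "com.genieoinnovation"           # bundle id seen in the applicationPath line
GENIEO_HOSTS = {"genieo-installer.appspot.com"}  # host the installer talks to in the log
# Query parameters that describe the install session; worth recording in IR notes.
SESSION_PARAMS = ("session_id", "app_id", "install_version",
                  "is_install_accepted", "admin_confirmed")


def parse_line(line):
    """Split one system.log line into timestamp, process, pid and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return one finding per Genieo indicator found in the log text, in log order."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        base = {"ts": rec["ts"], "proc": rec["proc"], "pid": rec["pid"]}
        if GENIEO_BUNDLE in msg:
            path = PATH_RE.search(msg)
            findings.append(dict(base, kind="genieo_path",
                                 detail=path.group(1) if path else msg))
        for url in URL_RE.findall(msg):
            parts = urlsplit(url)
            if parts.hostname in GENIEO_HOSTS:
                qs = parse_qs(parts.query)
                findings.append(dict(base, kind="genieo_beacon", endpoint=parts.path,
                                     params={k: qs[k][0] for k in SESSION_PARAMS if k in qs}))
        mount = MOUNT_RE.search(msg)
        if mount and mount.group(1) == "Installer":
            # A volume literally named "Installer" is how the completer delivered its payload here.
            findings.append(dict(base, kind="installer_volume_mount", detail=mount.group(2)))
    return findings


def genieo_pids(findings):
    """PIDs to pull into the timeline: every process that touched a Genieo path or host."""
    return sorted({f["pid"] for f in findings if f["kind"].startswith("genieo_")})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["kind"], f.get("endpoint") or f.get("detail"), f.get("params", ""))
```

Run it against a full /var/log/system.log export and the matching PIDs give you the process tree to inspect; the session_id ties the agent_update and monetize calls to one install run.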

Dec 19, 2014 3:16 PM in response to beppethebresh

beppethebresh wrote:


Now I've removed everything with AdwareDoctor and installed Little Snitch to chase any backdoor. But I'm still unsure if my mac is compromised, if they could have overwritten any known daemon executable.

Genieo is not malware in the sense that it does nothing to compromise the information on your computer or install a backdoor. It's still considered to be legitimate software signed with a valid Apple Developer ID. It's just adware that is intrusive and annoying, but will not cause any harm to you or your computer. AdwareMedic removed all the active components that it installed and if you have gotten rid of the installers, then there is nothing more you need to do.

Dec 19, 2014 3:24 PM in response to MadMacs0

Thank you, nice to hear that. Anyway, it's frightening to wake your mac and see this thing execute without intervention. I really would like to know how this thing got there...maybe they are spoofing traffic and downloading instead of legitimate Adobe or Google updates?


I've done a search in my Launch Daemons and found that I've only two daemons that launch at 3600secs (one hour) interval: fpsaud from Adobe and GoogleSoftwareUpdateAgent.

Dec 19, 2014 6:30 PM in response to beppethebresh

Hi everyone,

I've had a similar occurrence, with some behavior I haven't seen on any of this thread's 18 pages. To start, I had the regular Genieo version (not MacInstall). A while back, I started to get fake update notifications. The grammar was bad, so I didn't trust it, and I tried to swipe it away to ignore it. *But instead of giving the swipe notification, like it should, the app store opened up to the Updates section, and then the notification disappeared. I have tried this twice, to confirm it is not me mishandling my mouse. Other notifications are swipeable, including past OSX updates. Once it appeared, it would not disappear until I chose the "Postpone" option, with the drop down menu option "Remind me tomorrow". I should also mention that I got a pop-up to update my Adobe, which I installed from the pop-up (my bad 😝, now I know to do it from system preferences). 4 days ago, my computer died, and a few hours after startup, a pop-up occurred saying "Application wants to install a helper tool. Please type your password". That's when I knew I had to take action. I did not touch the popup, I only moved it off the screen, so I could install Norton (without issue). Once I proceeded to the log-in stage of the app, however, *the pop-up overrode all text input. Anything I typed went into the Username or Password input box on the pop-up. After trying for a minute or two in vain to login to Norton, the pop-up started to immediately become the frontmost window. Not in the normal manner, but it would become behind the Norton login or Safari (when I clicked on it), then visibly jump right back in front. I could not do anything. I ended up clicking Cancel on the pop-up, beaten. I continued to install Norton, which seemed to quarantine/delete a lot of the files (I should add that it did not delete the launchd.conf, nor could I find it) (I should also add it quarantined logmein.dmg, a very useful VPN software, which I downloaded from the official site, marked as Trojan.Gen.2).
I manually deleted the Genieo folder from Applications (I did not check its creation date), and headed here, and spent the past few days reading everything I could find relating to Genieo on this site and Thomas's. Yesterday, I found and downloaded (the very familiar) AdwareMedic, and discovered that there was a completely new version of Genieo, that was not there previously, in the form of InstallMac (not trying to accuse Thomas's app, I think Norton missed some active files that installed it). I have since tested Norton and Sophos, and neither were able to detect it. I did not remove it with AdwareMedic yet, because I wanted to report this irregular behavior (in my opinion) listed above (by *). I don't know if any of this means anything. Thanks for reading.

Btw, what antivirus should I use in the future? Also, what do you think got these files onto my computer: the forced update by the power out, the adobe install, or some other source? Again, thanks for the help.

Dec 19, 2014 7:52 PM in response to Kilometerss

Kilometerss wrote:


I should also mention that I got a pop-up to update my Adobe, which I installed from the pop-up (my bad 😝, now I know to do it from system preferences).

Depending on your settings and what the pop-up looked like, it could have been legit, but when in doubt you are smart to go to System Preferences.

4 days ago, my computer died, and a few hours after startup, a pop-up occurred saying "Application wants to install a helper tool. Please type your password".

That's a dialog box associated with InstallMac. The executable it uses is named "Application" which is what the OS uses in that dialog to inform you of what needs your permission for a helper tool.

That's when I knew I had to take action. I did not touch the popup, I only moved it off the screen, so I could install Norton (without issue). Once I proceeded to the log-in stage of the app, however, *the pop-up overrode all text input. Anything I typed went into the Username or Password input box on the pop-up. After trying for a minute or two in vain to login to Norton, the pop-up started to immediately become the frontmost window. Not in the normal manner, but it would become behind the Norton login or Safari (when I clicked on it), then visibly jump right back in front. I could not do anything. I ended up clicking Cancel on the pop-up, beaten.

All perfectly normal. The dialog box itself comes from OS X any time an app requires admin privileges in order to proceed. You must deal with the dialog before you are allowed to do anything else.


As to the rest of your concerns, it is not unusual for A-V software to not find Adware since most do not consider it to be malicious, only annoying. Even those that do find the Genieo installer, won't remove anything for you since it is a legitimate application, signed with a valid Apple Developer ID. AdwareMedic is really the only app out there that will find and optionally remove all currently known adware. Apple does recognize a couple of Adware installers as being malware (FkCodec & Downlite), but I would not count on any A-V software to solve this problem. The best solution is to educate yourself. To understand why this happened and how to avoid it in the future see John Galt's How to install adware.

Jan 24, 2015 4:29 PM in response to Javier23gol

Latest observation 1/23/15.

I had to use the support page to purge "genieo" related bits from, not only my limited user, but from system space as well. The last incident I recall was a spontaneous request to mount and install flash player (12/14 timeframe).

Today, I got spam, from supposedly "LinkedIn". I clicked on it, saw a bogus domain URL, logged out immediately as my limited user.

When I logged back in, I had two "Flash Player Installs" mounted. I could not unmount them. I could not cancel the request to open them, even w/o answering the Administrator's name & password. I resorted to "restart", to clear the CPU & RAM.

The last posts, and myself, speculate that this genieo malware is piggybacked on a bogus flash player update mount request. Once in, restart seems to be the only method of killing the daemon.

Jan 24, 2015 4:48 PM in response to Realglaird

All of what you said is a possibility, of course, but to confuse things a bit, all Flash Player users who choose to be automatically updated in System Preferences will be given version 16.0.0.296 starting today. That version is a further patch of the 0-day vulnerability found last week and will not be available for separate download from any site until next week. See the UPDATE portion of this Adobe Security Bulletin.

UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.

Jan 24, 2015 7:58 PM in response to MadMacs0

Adding some more information and confirmation to MadMacs0's response. I examined my System Preferences, on all 3 of my Macs, one still on Snow Leopard. The Flash Player settings, (I assume) by default, were set to automatic. And, I have version 16.0.0.296, installed. That seems to have occurred transparently. Ergo, a desktop mounted flash player icon, with the above settings, is likely a dead giveaway, that someone has sneaked a temporary application into the process mix, without the user's knowledge. In my case, above, a faulty fraudulent LinkedIn email message.

Jan 24, 2015 8:32 PM in response to Realglaird

Not necessarily. Part of the automatic update process involves downloading an encrypted file which when unencrypted leaves a file called decryptedFile.dmg in your Temp Directory. That file is mounted invisibly and the actual FlashPlayer installer is run from it. I just ran Disk Utility and I can see that it is mounted and contains two volumes, disk2s1 and Flash Player but it does not show up as mounted in a Finder window's SideBar nor on my desktop.


Nobody in the security business has ever reported the sequence of events you have outlined regarding a fake LinkedIn site. That's called a drive-by download and, as far as I know, the only time that has ever happened was the FlashBack infection resulting from a Java vulnerability, eliminated almost three years ago.
