I had the same kind of delayed "InstallMac" and got two Installer volumes mounted containing a package "Double click to install"...never installed it. The weird things are two:
1. I don't remember installing anything, didn't a Flash manual update (but I think I have auto-update daemon activated)
2. The attack was delayed at least 2 hours since I left the mac afk.
Now I've removed everything with AdwareDoctor and installed Little Snitch to chase any backdoor. But I'm still unsure if my mac is compromised, if they could have overwritten any known daemon executable.
I have these logs from the time of the attack (I call it an attack since I'm starting to think this could have been triggered remotely, maybe from a website I left open in Chrome or from a backdoor):
17/12/14 03:52:15,287 authd[85]: Succeeded authorizing right 'system.privilege.taskport.safe' by client '/usr/libexec/taskgated' [73] for authorization created by '/usr/libexec/taskgated' [3217] (3,1)
17/12/14 03:53:32,310 authd[85]: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent' [16] for authorization created by '/usr/libexec/UserEventAgent' [16] (12,0)
17/12/14 04:02:00,180 Installer[3222]: >>>>>>>>>>>>>>>>>> InstallMac::: start application
17/12/14 04:02:00,180 Installer[3222]: >>>>>>>>>>>>>>>>>> InstallMac::: applicationPath == /Users/***/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/Installer
17/12/14 04:02:00,183 Installer[3222]: >>>>>>>>>>>>>>>> [AppInfo getTriggerVal] == update
17/12/14 04:02:00,398 Installer[3222]: >>>>>>>>>>>>>>>> [[AppInfo appMountPoint] ==
17/12/14 04:02:01,223 Installer[3222]: $$$$$$$$$$$$$ <key>install_mc_offer_id</key> 0
17/12/14 04:02:01,434 Installer[3222]: $$$$$$$$$$$$$ <key>agent_update</key> 0
17/12/14 04:02:01,644 Installer[3222]: $$$$$$$$$$$$$ <key>disable_dynamic_update</key> 0
17/12/14 04:02:01,851 Installer[3222]: $$$$$$$$$$$$$ <key>server_version</key> 0
17/12/14 04:02:01,962 Installer[3222]: >>>>>InstallMac onNewRequest event
17/12/14 04:02:01,962 Installer[3222]: >>>>>InstallMac before set URL
17/12/14 04:02:01,964 Installer[3222]: >>>>>InstallMac onNewRequest event
17/12/14 04:02:01,964 Installer[3222]: >>>>>InstallMac onNewRequest URL : http://genieo-installer.appspot.com/install/agent_update?session_id=D5AAA440-B7C 9-4DE1-9195-80FD520A16C7&emid=a0f0957741fc51087bb91977dc567298&app_id=5350023&of fer_id=0&os_version=10.10.2&install_version=16855&r=2013957406&disable_dynamic_u pdate=0&keyboard_lang=it,en&os_lang=it
17/12/14 04:02:01,964 Installer[3222]: >>>>>InstallMac::: Analytics before reportAppLoaded
17/12/14 04:02:02,566 Installer[3222]: >>>>>InstallMac onNewRequest event
17/12/14 04:02:02,567 Installer[3222]: >>>>>InstallMac onNewRequest URL : about:blank
17/12/14 04:02:02,583 Installer[3222]: >>>>>InstallMac onNewRequest event
17/12/14 04:02:02,583 Installer[3222]: >>>>>InstallMac onNewRequest URL : action://accept?app=publisherApp&finish=1&language=
17/12/14 04:02:09,525 Installer[3222]: waitForCachedData http://genieo-installer.appspot.com/application/get_app_dmg?app_id=5350023&agent _update=true
17/12/14 04:02:09,000 kernel[0]: hfs: mounted Installer on device disk4s2
17/12/14 04:02:09,817 mds[32]: (Volume.Normal:2464) volume:0x7fad6c0c7400 ********** Bootstrapped Creating a default store:1 SpotLoc:(null) SpotVerLoc:(null) occlude:0 /Volumes/Installer 1
17/12/14 04:02:10,892 Installer[3222]: file is nil
17/12/14 04:02:10,893 Installer[3222]: &safari_install_err=0,&safari_install= 0
17/12/14 04:02:10,893 Installer[3222]: downLoadBrowser unknown
17/12/14 04:02:10,893 Installer[3222]: urlString: http://genieo-installer.appspot.com/monetize?session_id=D5AAA440-B7C9-4DE1-9195- 80FD520A16C7&emid=a0f0957741fc51087bb91977dc567298&os_version=10.10.2&predefined _app_id=5350023&predefined_offer_id=0&is_install_accepted=true&install_id=219000 1&admin_confirmed=false&install_download_start=true&install_download_success=tru e&install_exe_start=true&install_exe_done_status=0&download_url=unknown&download _browser=unknown&active_browser=unknown&default_browser=unknown&keyboard_lang=it ,en&os_lang=it&language=&safari_install_err=0&safari_install=0
17/12/14 04:02:11,070 Installer[3222]: >>>>>>>> JSON string :{"status":400,"error":"Bad request"}
17/12/14 04:02:11,070 Installer[3222]: >>>>>>>> JSON dict :(null)
17/12/14 04:02:11,070 Installer[3222]: >>>>>>>> isMonetied :(null)
17/12/14 04:02:11,070 Installer[3222]: InstallMac >>>> installComplete : {"publisherApp":1,"isHideSplashWindow":0}
17/12/14 04:02:11,071 Installer[3222]: >>>>>InstallMac onNewRequest event
17/12/14 04:02:11,071 Installer[3222]: >>>>>InstallMac onNewRequest URL : action://terminate?language=
17/12/14 04:55:20,553 ReportCrash[3330]: Saved crash report for Installer[3319] version 2.0 (2) to /Users/***/Library/Logs/DiagnosticReports/Installer_2014-12-17-045520_iMac-di-* **.crash
Process: Installer [3319]
Path: /Users/USER/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/Installer
Identifier: com.genieoinnovation.Installer
Version: 2.0 (2)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Installer [3319]
User ID: 501
Date/Time: 2014-12-17 04:55:11.344 +0100
OS Version: Mac OS X 10.10.2 (14C81f)
Report Version: 11
Anonymous UUID: ***
Time Awake Since Boot: 160000 seconds
Crashed Thread: 5
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000000010665b958