What is Genieo and why did it appeared misteriosouly on my MacBook Pro?

Sorry... here's what happened:

Verifying permissions for "Macintosh HD"

Warning: SUID file "System/Library/CoreServic...nt" has been modified and will not be repaired.

There is also a form of malware that comes as a Flash Player Update under the name Genieo apparently. See this thread:

https://discussions.apple.com/thread/4763160?start=0&tstart=0

Make sure that nothing funny is happening on your browser.

See thread

Here

https://discussions.apple.com/thread/4816624?answerId=21272879022#21272879022

and uninstall Genieo

http://www.genieo.com/faq/#uninstall

If your uninstall is missing then down load it

here

On Mac:

• From the Applications folder, open "Uninstall Genieo" and follow the instructions.
• If from any reason the uninstall is missing you can download it from here.

Remove Genieo from your browser's home-page & default search:Once you completed uninstalling, you can remove Genieo from your homepage and search provider. Please refer to the instructions that matches your browser. We strongly advise you to restart your PC before taking these actions.

• Remove from Chrome
• Remove from Internet Explorer
• Remove from Firefox
  To change the default search please follow these instructions:
  • Type “about:config” into the address bar and click “Enter”.
  • Click the “I’ll be careful, I promise!” button.
  • Type “keyword.URL” into the search box that appears.
  • Right-click on the “keyword.URL” entry and click “Modify”
  • Delete the text in the box and click “OK”
• Remove from Safari, Safari 5.X

On Mac:

• From the Applications folder, open "Uninstall Genieo" and follow the instructions.
• If from any reason the uninstall is missing you can download it from here.

Remove Genieo from your browser's home-page & default search:Once you completed uninstalling, you can remove Genieo from your homepage and search provider. Please refer to the instructions that matches your browser. We strongly advise you to restart your PC before taking these actions.

• Remove from Chrome
• Remove from Internet Explorer
• Remove from Firefox
  To change the default search please follow these instructions:
  • Type “about:config” into the address bar and click “Enter”.
  • Click the “I’ll be careful, I promise!” button.
  • Type “keyword.URL” into the search box that appears.
  • Right-click on the “keyword.URL” entry and click “Modify”
  • Delete the text in the box and click “OK”
• Remove from Safari, Safari 5.X

PaXifica wrote:

I then ran Disk Utilities to clean up my mess.

Warning: SUID file "System/Library/CoreServic...nt" has been modified and will not be repaired.

Disk Utility's Repair Disk Permissions messages that you can safely ignore.

And I don't really see that there was any reason to use Disk Utility to fix the problem you described, in any case.

"Warning: SUID file "System/Library/CoreServic...nt" has been modified and will not be repaired."

This is a well known OS bug (for years !) ; apple support says to simply ignore warning messages from repair permission utility : http://support.apple.com/kb/TS1448

I too had Genieo on my iMac running OS X 10.08.3. I use a freeware program named AppCleaner.app, which is a drag and drop delete program that seems to work very well. It will uninstall the main culprit and associated sub files by dragging the unwanted application to a "bullseye" and then hitting the delete button when the files pop up on your screen. No more Genieo on my iMac, took about thirty seconds to delete.

I just went a couple of rounds with Genieo too and it definitely 'hijacked' me. I was streaming msnbc through the WWHD Boston tv website and it started popping up saying I couldn't keep watching unless I updated Flash. I hit ok, got the Genieo dmg, then the installer - at that point I could no longer choose to quit it and it changed my homepage to Genieo. It opens on startup without showing up as a startup app and there appears to be no way to quit it except through Activity Monitor - and it won't stay quit. I finally used CleanMyMac which seems to have worked fine. We'll see.

Genieo is a computer virus, or malware according to Malwarebytes Anti-Malwar PRO.

To manually remove the Genieo virus and stop your browser from redirecting to search.genieo.com and other websites for free you can use these instructions for Mac and PC: http://botcrawl.com/how-to-remove-the-genieo-virus/

Mac OS X Uninstall - Genieo Mac uninstall

1. Launch Activity Monitor and change “My Processes” at the top to “All Processes”, then make sure Genieo is not running. If it is, quit the process before proceeding.
2. Launch Finder and search for Genieo. You can narrow the search to specific folders or search your whole Mac. Searching “File Name” vs “Contents” usually provides better results.
3. Click the + button below the search term to add criteria
4. Click the search criteria drop-down and select “Other…”, then “System files”
5. Click the “don’t include” and change to “include”
6. Sort by name, kind, date, etc. to identify components of the app, such as folders, .plist files, cache files. etc.
7. Delete all files and folders related to the app.
8. Don’t empty your Trash until you’ve determined that everything is working OK, in case you need to restore something you deleted by accident.
9. A reboot might be necessary to completely remove some apps.

MaryArias wrote:

Genieo is a computer virus, or malware according to Malwarebytes Anti-Malwar PRO.

I think most users would consider it to be a Potentially Unwanted Application in that they chose to install it without fully understanding what it was.

http://botcrawl.com/how-to-remove-the-genieo-virus/

botcrawl.com has as bad a reputation as genieo does according to WOT.

I suppose the instructions you posted will work, but IMHO the uninstaller provided appears to work perfectly and is much easier to accomplish. It is still necessary to go into each browser and change the "home page" settings, with either approach.

Note that this conversation has been going on for over five months now.

MaryArias, thanks for easy explanation. There was nothing on my mac, it is a relieve for me to know this. Probably my antivirus avast killed it straight away.

"That's the first I've heard of such behavior. Can you provide additional information about where/how you learned this?"

A few minutes ago, I had a window that appeared to be a Flash update notice.

I actually *read* the text in the window, and noticed that the description of the update was really vague. "Better performance", that sort of thing.

There was a "Update Details" link. I clicked it. installgenieo.dmg was downloaded. (I didn't install)

I'm not surprised that some bottomfeeder is doing this. It was pretty much inevitable, given how frequently Flash asks you to update, that some cretins would pretend to be Flash.

Amusing that Genieo people troll around forums like this, issuing denials. Scum.

"I think most users would consider it to be a Potentially Unwanted Application in that they chose to install it without fully understanding what it was."

It's a trojan, in that it tries to pass itself off as a Flash update. Some people won't notice anything wrong about a Flash update called "installgenieo.dmg" - maybe they'd think Adobe changed the name or something.

Jonathan Hendry wrote:

It's a trojan, in that it tries to pass itself off as a Flash update. Some people won't notice anything wrong about a Flash update called "installgenieo.dmg" - maybe they'd think Adobe changed the name or something.

First off, thank you for posting your description of all you observed on this. It's the clearest one I've seen posted anywhere.

You are certainly entitled to your opinion on this, but it doesn't seem to be shared by any of the A-V community. There seems to be no sign of it having been submitted to a site such as VirusTotal and there have been no blog write-ups or definitions posted that I can find that label this as any soft of malware. From what you have told us it would seem as if the only thing wrong here is that Genieo or a 3rd party hired by them is engaged in sleazy advertisement. The clearest example of this was when you went to a fake ClamXav or ProtectMac site and if you were convinced it some something you wanted you would click on a big green "Download" button and receive MacKeeper, instead. Although many in this Forum labeled that malware, it never held up as anything but crash advertisement.

Had the downloaded file, the installer icon on the mounted image file or the Installer app itself said or appeared to have anything to do with "Flash" then you would be well within your rights to label it as malware and probably a Trojan.

There is a precedent to labeling some forms of "adware" as malware. One such example is OSX/FkCodec-A which I stumbled across thanks to some users here and submitted to VirusTotal several months before it was finally labeled malware. In this case you were told you needed to download a Codec to view certain videos. In the process the name changed from Codec-A to Codec-V and the download was Codec-M, but all it did was change your default search site (sound familiar?). Interestingly, they too provided an uninstaller on the .dmg. Oh, and you still weren't able to view those videos after you installed the "Codec."

In the future, if you really feel that strongly about it, I would encourage you to submit that file to VirusTotal to let the community have a look at it.

Hi Thomas - I can add some informaion to the mystery as well. Yesterday, I was browsing wowhead.com, a data reference site for World of Warcraft which is well known and respected and I've never heard of anyhing shady originating from them, so I thought nothing of it when suddenly the page I was on had a message float across it stating that my copy of Adobe Flash must be updated in order to view the content on the page. There are often flash-based video ads in the margins, so this did not arrouse my suspicion, that plus the fact that Flash seems to update once a week anyway.

A few strange things occured though that tipped me off that this was not genuine. First, there were several link buttons on this little floater, such as Flash Players alleged home page, one saying "Best version for your sysem" and just a simple "Download Now", and all 3 linked to downloading a file named "InstallGenio.dmg", ~700k file.

Obviously, this is not a Flash Player installer, and I stayed the **** away from it. So it seems to be getting on to people's compuers insidiously, masquerading as Flash Player. This was my experience, anyway, and I emailed the admin of the WoWhead site to make sure they are aware that it is getting out through their site, as I expeced they were probably clueless as it likely hitched a ride in on one of their advertisers pieces of content displayed on the wowhead user pages.

Based on all the stories here, I'd imagine this thing is running rampant or at least near full on rampant all over the web due to the many different sources people obtained it from. Everyone had better sound the alarm and let their less savy and observant friends NOT to accept any Flash Player updates unless it's from Adobe's webpage itself, for now at least.