What is Genieo and why did it appear mysteriously on my MacBook Pro?

Today I was using my MacBook and mysteriously I saw something on my dock. There was an icon saying install Genieo. I asked my brother if he downloaded something and he told me that he hasn't used my computer. Fortunately I have a passcode so nobody can install a program without the code.... I feel scared because this morning I saw a message on my Mac saying that somebody on my network was using my computer IP address. I deleted that installer but I feel scared for all the Mac users. Somebody please reply.

MacBook Pro (13-inch Late 2011), Mac OS X (10.7.2)

Posted on Nov 10, 2012 6:19 PM

270 replies

May 18, 2013 11:01 AM in response to patesween

Flash updates will never be advertised by pop-ups in your browser. The only time you will be notified of needing an update within your browser is when your Flash is too old to run a certain piece of Flash-powered content and that content is replaced by an icon linking to Adobe's website (note that it will link you to a website where you get the file. It will not link you to the file itself.)


Flash updates are usually checkable outside of your browser by the method above.

May 21, 2013 2:05 PM in response to Genieo support

I was fortunate enough to have this same thing occur again, and this time (with your post in mind) I took screen shots of the entire process to document it for you and hopefully help you determine why and who is doing this. I've got 4 screenshots here documenting the process, initially I was browsing the website Wowhead.com, and that is the first photo here, what I was doing just prior to this all happening:


[url=http://img706.imageshack.us/i/installgeniosneakattack.jpg/][img=http://img706.imageshack.us/img706/1316/installgeniosneakattack.th.jpg][/url]


Then, this tab popped up:


[url=http://img27.imageshack.us/i/installgeniosneakattack.jpg/][img=http://img27.imageshack.us/img27/1316/installgeniosneakattack.th.jpg][/url]


Upon clicking ok, the only option, it redirects to this page:


[url=http://img716.imageshack.us/i/installgeniosneakattack.jpg/][img=http://img716.imageshack.us/img716/1316/installgeniosneakattack.th.jpg][/url]


Finally, on that previous page, all of the links there ("See details...", "RECOMMENDED DOWNLOAD", and "INSTALL") prompt the immediate download of the file "InstallGenio.dmg" as shown in the fourth and final screenshot here:


[url=http://img827.imageshack.us/i/installgeniosneakattack.jpg/][img=http://img827.imageshack.us/img827/1316/installgeniosneakattack.th.jpg][/url]


I did not choose to open or save the disk image file, so I cannot tell you what happens from there. All I know is at that point I closed the tab and cancelled the download of the file, ending the entire encounter. I hope this helps you determine what is going on here. I know that other people have been getting this identical or nearly identical experience while browsing other websites, so I am sure it's not just "WoWhead.com" to blame.


In response to Gen_'s post, I personally have had legitimate pop-up or redirects to download Adobe Flash updates which were legitimate, bringing me directly to Adobe's website so I was sure it was on the level, and it always has been. Flash has been updated for me several times this way, downloading a .dmg which did indeed install a valid and latest version of Flash for me on my Mac running 10.8.3, so at least sometimes Adobe Flash updates do come this way when viewing a web page requiring a newer version of Flash than one is currently running. Just my personal experience.


Anyway, like I said, I hope this helps. Feel free to post any further questions about my post here, though I've tried to be as thorough as possible in documenting the experience with screen shots.

May 21, 2013 2:37 PM in response to Heimdallen

I apologize; for some reason my HTML isn't working properly and my thumbnail photos for links to the actual screenshots failed, and I'm unable to edit my post a second time to try and fix it. In case the links to the photos are a total disaster, here is simply a link to the gallery of the 4 images; they are in chronological order so you can follow along with the description as intended -


http://imageshack.us/g/1/10158991/


Apologies again for making a mess of what should have been a very pretty and organized response!

May 21, 2013 4:43 PM in response to Heimdallen

I managed to grab enough of the URL from one of your screenshots to see the fake Flash alert... thanks for that, I hadn't been able to actually see this in action before. I haven't done much with it yet, but comparing it to the download straight from Genieo's web site shows it is mostly the same. There are just a few differences of a few kilobytes each. It could just be an older version of Genieo, though the version number hasn't been changed. Or it could be that it has malicious modifications that were made by a third party. Impossible to say yet.

May 21, 2013 6:52 PM in response to thomas_r.

Okay, I've had a chance to do a more in-depth analysis. I'm guessing, from what I found, that a Genieo "partner" is doing this in an attempt to get paid (by Genieo) for these installs. I would hope that Genieo is unaware of this and will put an end to it, and have informed them of the issue via e-mail... guess we'll see. The proof is in the pudding, as they say. Here's my full report:


Genieo adware downloaded through fake Flash updates

May 21, 2013 7:39 PM in response to thomas_r.

>>... the “real” Genieo installer (i.e., the one downloaded directly from the Genieo web site)...


Genieo host a genTugM version too, both 'real', unless their site's been compromised.


You say "The “real” Genieo installer does not do the same thing", but they both seem to contact the same url with an active_partner key - naturally that key differs.


Did installing download codec-m or qtrax?

May 22, 2013 3:17 AM in response to andyBall_uk

> Genieo host a genTugM version too, both 'real', unless their site's been compromised.


Where do you see that? The only download I've been able to find directly from the Genieo web site is the one that uses the partner ID "genieo." Of course, there's got to be a way for partners to get a modified copy of the installer for themselves, so I won't be surprised if there's somewhere you can download a copy with the "genTugM" ID (as well as a number of other IDs).


> You say "The “real” Genieo installer does not do the same thing", but they both seem to contact the same url with an active_partner key - naturally that key differs.


Yes, that was my mistake. I was tired when I posted last night, and had been looking at the wrong bit of code. I corrected my article this morning.


> Did installing download codec-m or qtrax?


?


No, it just installs a copy of Genieo customized with the partner ID, so that that partner can get paid by Genieo.

May 22, 2013 4:06 AM in response to thomas_r.

OK, apparently my previous choice for hosting the screenshots decreased their quality or size, so here are what SHOULD be 4 full size, full quality images. I'm really sorry that what should have been so simple has now stretched over 3 posts. See my post from yesterday for the explanation, though the series is pretty self explanatory.


http://i1332.photobucket.com/albums/w601/mikep480/InstallGenioPage1_zps2a5f4488.jpg

http://i1332.photobucket.com/albums/w601/mikep480/InstallGenioPage2_zpsa56f5499.jpg

http://i1332.photobucket.com/albums/w601/mikep480/InstallGenioPage3_zps541e22f7.jpg

http://i1332.photobucket.com/albums/w601/mikep480/InstallGenioPage4_zpsaa70eac6.jpg


I'm not used to hosting images and apparently free hosting sites like to decrease the dimensions of photos but at least these are still high quality so one can download and zoom in on them to see the URLs involved a bit easier.

May 22, 2013 4:03 AM in response to Heimdallen

To insert screenshots here, just click the camera icon in the forum post editor's toolbar, then upload the photos. You can't link to photos on external sites here anymore.


That said, simply clicking the links labeled with "url=" in your first post should go to the imageshack page and allow you to see the images full-size. That's how I got the URL that I did.

May 22, 2013 6:22 AM in response to andyBall_uk

Ahh, I see those URLs in the installer's executable file. Last time I tested Genieo, it did not install either of those things. I'm not sure why those URLs are found inside the executable file. I'll do some digging.


As for the download on page 2 of this topic, that just looks like the customized installer provided for that partner. Genieo undoubtedly provides that download site so that their partners can link to a copy of the Genieo installer that will give them compensation. As far as I can tell, that's not something you'd be able to find easily, unless a partner referred you there. In any case, the issue here is not the actual download, but the way the partner is getting people to download it.

May 22, 2013 8:23 AM in response to thomas_r.

Genieo is only barely "legitimate". It does not come bundled with Firefox, nor with any other browser, and is considered malware by many people. It will hijack your browser. See http://botcrawl.com/how-to-remove-the-genieo-virus/ . I ran into it just a while ago when a website my browser was parked on threw up a pop-up telling me that I needed to update Adobe Flash. The buttons presented to accomplish this linked to a Genieo host.

May 22, 2013 8:59 AM in response to lindsayfromleander

Genieo does not hide the fact that it is going to "hijack" your browser, so the term "hijack" wouldn't be appropriate. Although I don't find Genieo useful, and don't recommend it, it's also NOT malware. Any kind of software like this is frequently mis-labeled as malware.


As for the fake Flash notice, see the more recent discussions on this topic. The post you responded to is from November of last year.

May 22, 2013 9:41 AM in response to thomas_r.

I'm sorry, Thomas, but I consider this kind of program to be malware, as do many people. It's described on Wikipedia as a "malware type program". If it looks like a duck, and quacks like a duck ..... At the very least, its behavior is unethical - right up there with the Domain Registry of America 🙂


Any program that attempts to install itself on my computer through deception deserves the terms "malware" and "hijack". Genieo is reportedly very difficult to uninstall, and is apparently flagged as malware by anti-virus programs such as Malwarebytes. You may not call it "malware" but I and many other people will disagree with you. Do a little research on it.


When and where the original comment on the fake Flash notice was posted has no bearing on my reply since the thread is ongoing.

May 22, 2013 9:51 AM in response to lindsayfromleander

> I'm sorry, Thomas, but I consider this kind of program to be malware, as do many people.


Most people don't understand the basic concept of malware properly to begin with. You shouldn't care what someone with no particular expertise is saying about it on Wikipedia.


> Any program that attempts to install itself on my computer through deception deserves the terms "malware" and "hijack".


And if you would read the more recent posts on this topic, you will see that we now know what is going on (to some degree, at least), and that this appears to be the doing of one of Genieo's partners trying to cheat the system and get paid for bogus installs. See the Previous and Next links at the top and bottom of the page.


> Genieo is reportedly very difficult to uninstall


Genieo is actually very easily uninstalled, using the provided uninstaller.


> and is apparently flagged as malware by anti-virus programs such as Malwarebytes.


I'm not sure where you're getting that information. Here's a report for the Genieo installer I just submitted to VirusTotal:


https://www.virustotal.com/en/file/8de20e6fa6556d4536e4ff0feb34ded000f125948634b0e859c5c4f34be29e53/analysis/1369241326/


As you can see, it's not considered malware by any of the engines VirusTotal uses, including Malwarebytes.


> Do a little research on it.


I have, as you would see if you read the rest of this topic and not just the first page.
