
Threat detected: OSX/Geonei-A. What do I do?

I have Sophos Anti-Virus program and it detected OSX/Geonei-A after I tried downloading something off the internet. I deleted the file I had downloaded (it was called something like mac_installer). Is there anything else I need to do? How does this affect my computer? My Sophos Anti-Virus is stuck "calculating" a scan and doesn't seem to be working properly. Please help, thanks!

MacBook Air (13-inch Mid 2011), Mac OS X (10.7.5)

Posted on Feb 22, 2014 8:52 AM

Question marked as Best reply

Posted on Feb 22, 2014 9:07 AM

You installed the "Genieo" scam product. There is an uninstaller, but as the developer is dishonest, you shouldn't use it. I suggest the tedious procedure below to disable Genieo.

Back up all data. You must know how to restore from a backup even if the system becomes unbootable. If you don't know how to do that, or if you don't have any backups, stop here and ask for guidance.

Quit the Genieo application, if it's running. Force quit if necessary.

Triple-click anywhere in the line below on this page to select it:

/etc/launchd.conf

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.

If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar, paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.

A folder may open with a file selected, or the file may not exist, in which case you'll get a message that it can't be found. If it does exist, it's a configuration file created or replaced by the Genieo installer. Any software installer that does this should be considered ipso facto malware. Move the file to the Trash. You'll be prompted for your administrator password.

IMPORTANT: If the launchd.conf file exists, you must move it to the Trash before continuing. Otherwise the system will become unbootable. In that case, restore from your backup and start over. That's how badly Genieo has sabotaged your system.

Repeat with each of these lines:

/Applications/Genieo.app
/Applications/Uninstall Genieo.app
/Library/Frameworks/GenieoExtra.framework
/Library/LaunchAgents/com.genieo.engine.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/usr/lib/libgenkit.dylib
/usr/lib/libimckit.dylib
/usr/lib/libimckitsa.dylib

Again, some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.

Reboot and empty the Trash. Don't try to empty the Trash until you have rebooted.

Your web browser(s) should now function normally, and you should be able to reset the home page and search engine. If not, stop here and post your results.

From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall any extensions you don't know you need, including one called "Spigot" if it's present. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

The Genieo installer may also install the "Silverlight" web plugin from Microsoft. If you have no use for that plugin, you can remove it according to Microsoft's instructions. Don't remove it if you subscribe to "Netflix" or any other video-streaming service that uses it.

This procedure may leave a few files behind, but it should deactivate Genieo. Make sure you don't repeat the mistake that led you to install it. Chances are you got it from one of the Internet's open sewers such as "Softonic" or "CNET Download." Never visit either of those sites again. You might also have downloaded it from an ad in a page on some other site.

Finally, be forewarned that when Genieo is mentioned on this site, the developer sometimes shows up under the name "Genieo support." If that happens, don't believe anything he says, but feel free to tell him what you think of his scam.
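The reply above asks the reader to look up each path by hand. As an added example, not part of the original thread or of any poster's procedure, the POSIX shell script below does only the lookup step: it reports which of the listed items exist and warns when /etc/launchd.conf is among them, but removes nothing, so the backup and manual removal steps in the reply still apply. The path list is copied from the reply; the GENIEO_ROOT variable and the two function names are assumptions introduced here so the check can also be run against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the forum post): report which Genieo-related
# paths named in the thread are present. Nothing is deleted.
# Assumption: GENIEO_ROOT is a hypothetical prefix; leave it unset to check
# the live system, or point it at a scratch tree to exercise the script.

# Paths exactly as listed in the reply above, one per line.
GENIEO_PATHS='/etc/launchd.conf
/Applications/Genieo.app
/Applications/Uninstall Genieo.app
/Library/Frameworks/GenieoExtra.framework
/Library/LaunchAgents/com.genieo.engine.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/usr/lib/libgenkit.dylib
/usr/lib/libimckit.dylib
/usr/lib/libimckitsa.dylib'

# genieo_list_found ROOT: print only the listed paths that exist under ROOT
# ("" means the live filesystem). A here-document is used instead of a pipe
# so that paths containing spaces survive and no subshell is involved.
genieo_list_found() {
  root="${1:-}"
  while IFS= read -r p; do
    [ -n "$p" ] && [ -e "$root$p" ] && printf '%s\n' "$p"
  done <<EOF
$GENIEO_PATHS
EOF
}

# genieo_check ROOT: print a FOUND/missing line per item and a count.
# Returns 0 when no item is present, 1 otherwise, so it can gate a script.
genieo_check() {
  root="${1:-}"
  count=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if [ -e "$root$p" ]; then
      count=$((count + 1))
      printf 'FOUND    %s\n' "$p"
      # The reply's warning: a Genieo-written launchd.conf must be removed
      # before rebooting, or the system will not boot.
      if [ "$p" = /etc/launchd.conf ]; then
        printf '         ^ remove this file before rebooting (see the reply above)\n'
      fi
    else
      printf 'missing  %s\n' "$p"
    fi
  done <<EOF
$GENIEO_PATHS
EOF
  printf '%d Genieo item(s) present\n' "$count"
  [ "$count" -eq 0 ]
}

# Stand-alone use: check the live system, or the tree named by GENIEO_ROOT.
if genieo_check "${GENIEO_ROOT:-}"; then
  echo "No Genieo items found."
else
  echo "Genieo items present; follow the manual removal steps in the reply."
fi
```

Run it as `sh genieo-check.sh` on the affected Mac, or as `GENIEO_ROOT=/some/dir sh genieo-check.sh` against a copy of a suspect tree. Because .app bundles and .framework directories are folders, `-e` is used rather than `-f` so they are counted too.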

19 replies

Nov 2, 2014 8:49 PM in response to gmcincinnati

Sophos won't remove it for you because, believe it or not, it's a legitimate application signed with a valid Apple Developer ID, so even though you were almost certainly tricked into downloading and installing it, Sophos cannot simply assume you don't want it.


The fastest, most effective way to identify and optionally remove all currently known adware is by using AdwareMedic, developed by thomas_r., this Forum's malware guru, owner of TheSafeMac and a colleague of mine.


To understand why this happened and how to avoid such things in the future, read John Galt's How to install adware.

Nov 3, 2014 4:23 AM in response to gmcincinnati

I can't see your screenshots, due to long-standing bugs with the crummy Jive software powering this forum. So I can't see exactly what Sophos found.


However, I can provide a few general comments. First, note that Sophos will not properly remove any adware, nor will any other anti-virus software that I'm aware of. Anti-virus software may remove some components, and that may be enough to eliminate visible symptoms, but there will probably be leftovers still active in your system.


Second, be aware that AdwareMedic will only find and remove installed components of adware. It does not try to find installers, which anti-virus apps like Sophos may detect.


Finally, if there are things that your anti-virus software detects that AdwareMedic does not, you still should not allow the anti-virus software to remove it. To delete such things, see:


How to remove infected files


(Fair disclosure: I may receive compensation from links to my site and software, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

Nov 5, 2014 3:01 AM in response to thomas_r.

This isn't in reply to a specific person, but to all who are having this problem. I just discovered this thread, and I want to share the solution I found in case it might help someone else.


Check to see if the installer volume (the item you downloaded) is still on your desktop. If it is, drag it to the Trash icon at the right end of the Dock, where it will disappear instead of going into the Trash. When I did this, my copy of "OSX/Geonei-A" disappeared too; it was no longer in the Quarantine Manager, where I had been trying to get rid of it for about an hour.


Sophos had quarantined the copy of the threat that was inside the installer volume. There was no copy anywhere else to cause me any trouble, even though I had opened the dmg file and then the app itself.


That's the last time I will ever forget to dump the installer before I do anything at all with its contents. Apparently Sophos can "see" what's in there, including threats that don't go anywhere else.

Nov 5, 2014 10:32 AM in response to cgadziko

cgadziko wrote:


Sophos had quarantined the copy of the threat that was inside the installer volume. There was no copy anywhere else to cause me any trouble, even though I had opened the dmg file and then the app itself.

When Sophos tells you that it has "Quarantined" an app, it just means that they disabled it and you will not be able to open it, not that it moved it to the "Quarantine Manager", which is simply a window that allows you to deal with the problem. Since Genieo is a legitimate application, signed with an Apple DeveloperID, Sophos won't allow you to delete it from the Quarantine Manager and gives you a list of files to remove on your own, in case you have accidentally installed it and don't want it.
