Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

remove installmac

How do I remove installmac

iMac (27-inch Mid 2010), OS X Mavericks (10.9.1)

Posted on Sep 29, 2014 9:32 AM

Reply
Question marked as Best reply

Posted on Sep 29, 2014 9:33 AM

One way would be to run AdwareMedic: http://adwaremedic.com/index.php.

31 replies

Sep 29, 2014 12:48 PM in response to ssacrist

There is no need to download anything to solve this problem.

You installed the "InstallMac" trojan. I suggest the procedure below to disable it. This procedure may leave a few small files behind, but it will permanently deactivate the trojan (as long as you never reinstall it.)

Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.

Back up all data before proceeding.

Step 1

From the Safari menu bar, select

Safari Preferences... Extensions

Uninstall any extensions you don't know you need, including one called "Omnibar," and any that have the word "Conduit," "Spigot," or "InstallMac" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

Step 2

In the Applications folder, there may be an item named "Installer" or "InstallMac." If so, drag it to the Trash.

Step 3

Triple-click anywhere in the line below on this page to select it:

~/Library/LaunchAgents/com.genieo.completer.download.plist

Right-click or control-click the line and select

Services Reveal in Finder (or just Reveal)

from the contextual menu.

If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder should open with an item named "com.genieo.completer.download.plist" selected. Move that item to the Trash.

In the same folder is an item named "com.genieo.completer.update.plist". Move it to the Trash as well.

Log out or restart the computer and empty the Trash.

Make sure you don't repeat the mistake that led you to install this trojan. Chances are you got it from an Internet cesspit such as "Softonic" or "CNET Download." Never visit either of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad has a large green button labeled "Download" or "Download Now" in white letters. The button is designed to confuse people who intend to download something else on the same page. If youever download a file that isn't obviously what you expected, delete it immediately.

You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the Internet criminal behind this attack has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing, has not done so, even though it's aware of the problem. This failure of oversight has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.

Sep 30, 2014 3:01 PM in response to ssacrist

It's important for you to understand that that the advice you've been given by others in this thread doesn't solve the underlying problem, which is the behavior that led you to install the malware. If you continue that behavior, you will be infected again, and next time the damage may not be so easy to undo.

Never take the word of strangers on the Internet that any unknown software is safe. That's just a continuation of the same behavior that got you into trouble in the first place. Whether the software is safe is something you have to decide by your own research.

You do not need to run any program to remove adware. Even if it works, or seems to work, this time, you'll be getting very much the wrong idea if you think you can always rely on it to work in the future. The only safety lies in changing the way you use the computer.

Oct 20, 2014 12:40 PM in response to Ron_can

You may have a new variant Adware Medic can't yet fix. Tom does a great job trying to keep the app updated, but as the knuckleheads of the world found an easy way to get adware and other garbage onto Macs (almost 100% as junk attached to illegal downloads), they are following the same track as the Windows virus writers. And that is constantly changing the file names, folders the junk gets installed to, and other similar tricks to make it difficult to easily find and remove. It's the same reason Linc's instructions go out of date, which he states as, They won't necessarily be valid in the future.

Oct 20, 2014 1:37 PM in response to Ron_can

Doesn't work how? Be aware that AdwareMedic doesn't fix everything... in particular, it does not currently try to change your browser's home page and search engine settings for you, and InstallMac will have definitely tampered with those. You've still got to change those manually:


http://www.adwaremedic.com/kb/browsersettings.php


If AdwareMedic didn't find anything, your problem may not actually be due to InstallMac. There are many other things that can cause pop-up ads and redirects other than adware. For some other possible solutions, see:


http://www.adwaremedic.com/kb/unsolved.php


Finally, as Kurt points out, it's possible you have adware that I've never seen before, and thus AdwareMedic doesn't detect yet. If all else fails, use AdwareMedic to take a system snapshot and submit it to me. It will contain information about your system and the typical places that adware hides, so I can look for anything suspicious.


(Fair disclosure: I may receive compensation from links to my site and software, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

Oct 20, 2014 2:00 PM in response to thomas_r.

I called Apple support and found help. The tech support person was most helpful and we removed lots of files and cleaned Safari of installmac. Google works cleanly now except for an occasional popping up of Bing and the installmac icon on the menu bar. I will continue to pursue the culprit and get it out of my life. Thanks to all for your responses (at least 4K files were trashed to get it off Safari).

Oct 20, 2014 2:29 PM in response to Ron_can

Ron_can wrote:


Google works cleanly now except for an occasional popping up of Bing and the installmac icon on the menu bar.


In that case, whatever you did did not remove it. It's still there.


(at least 4K files were trashed to get it off Safari).


Most of those files did not actually need to be deleted. There are only 22 items I'm aware of installed by variants of Genieo (aka InstallMac), and no variant of Genieo installs all of them.


I'm guessing the tech had you delete Safari's caches, which was unnecessary.

remove installmac

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.