Q: After downloading Mavericks Spibot has installed itself on my MacBook Pro

Spibot has installed itself on my Mac

How do you know that?

You may have installed the "InstallMac" trojan. I suggest the procedure below to disable it. This procedure may leave a few small files behind, but it will permanently deactivate the trojan (as long as you never reinstall it.)

Malware is always changing to get around the defenses against it. These instructions are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.

Back up all data before proceeding.

Step 1

From the Safari menu bar, select

          Safari ▹ Preferences... ▹ Extensions

Uninstall any extensions you don't know you need, including one called "Omnibar," and any that have the word "Conduit," "Spigot," or "InstallMac" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

Step 2

In the Applications folder, there may be items named "Installer," "InstallMac," "Reset Search," or "Uninstall IM Completer." Drag each such item to the Trash.

Step 3

Triple-click anywhere in the line below on this page to select it:

~/Library/LaunchAgents/com.genieo.completer.download.plist

Right-click or control-click the line and select

          Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.

If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder may open with an item named "com.genieo.completer.download.plist" selected. Move that item to the Trash.

In the same folder there may be an item named "com.genieo.completer.update.plist". Move it to the Trash as well.

Optionally, move this item, if it exists, to the Trash in the same way:

~/Library/Application Support/com.genieoinnovation.Installer

Log out or restart the computer and empty the Trash.

Make sure you don't repeat the mistake that led you to install this trojan. Chances are you got it from an Internet cesspit such as "Softonic" or "CNET Download." Never visit either of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad has a large green button labeled "Download" or "Download Now" in white letters. The button is designed to confuse people who intend to download something else on the same page. If you ever download a file that isn't obviously what you expected, delete it immediately.

You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the Internet criminal behind this attack has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing, has not done so, even though it's aware of the problem. This failure of oversight has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.

The "Genieo" files may not be present. In that case, all you need to do is Step 1.

Please post a screenshot that shows what you mean. Be careful not to include any private information.

Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.