The Safe Mac


Adware Removal Guide: Genieo

Published November 7th, 2013 at 5:22 PM EDT, modified April 9th, 2014 at 8:29 PM EDT

Genieo (and InstallMac, another name for the same software) is perhaps the most prolific adware at the time of this writing (late 2013). It has been in active distribution for most of the year, with a very active Israeli company behind it. Although the installer is available through the company’s web site, it has also been seen numerous times being distributed through installers that pretend to be something they are not, such as fake Adobe Flash Player installers. This behavior has been blamed on third-party “partners” each time it has been observed.

Genieo has changed significantly over the time it has been in distribution. The list of files to be removed has grown since it was first seen. Unfortunately, the uninstaller has been largely useless for months. It removes most outward signs that the adware is installed, while leaving behind a number of hidden components (including one deceptively named “Application”) in active operation. Removal should not involve the uninstaller, which has been failing for months, with Genieo fully aware of the issue.

In addition to the issues with the uninstaller not functioning properly, the InstallMac uninstaller has been seen to actually install files that were not already present! Thus, using the uninstaller could actually install hidden components of this adware that were not there before. Although testing has not shown any other Genieo uninstaller behaving in the same manner, I would not make any assumptions that the InstallMac uninstaller is the only one misbehaving.

Removal

If you do not follow these directions exactly, you could cause your computer to freeze and to be unable to restart!

There have been numerous cases of this happening recently. I cannot stress enough the importance of reading carefully and following all steps precisely! If you make an error and cause this to happen, see the recovery instructions at the end of this article.

Step 1

Quit the Genieo app, if it is running. See the image at right. If you do not see the “house” icon in the menu bar, the Genieo app should not be running. Some variants of Genieo do not include a Genieo app, in which case this step is unnecessary.

If the app will not quit, open the Activity Monitor application (found in the Utilities folder in the Applications folder) and find the Genieo app. Select it, then click the toolbar button with a stop sign with an X in the middle to force it to quit.

Step 2

Move the following item to the trash. Note that, if you don’t know how to locate a file based on the path given below, you should read Locating files from paths. This will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. Failure to properly remove this file, if it is present, will result in your computer freezing and becoming unable to start up!

/private/etc/launchd.conf

If you fail to find this file, pause here. You may proceed, at your own risk, but need to exercise caution. If you have run the Genieo uninstaller, this is normal, as it will remove the launchd.conf file, and you can safely remove any of the files in step 3 ending in “.dylib”. If you are not absolutely sure you looked in the right place for the launchd.conf file, you must not remove any of those files! Removing any .dylib file without removing the launchd.conf file will cause your computer to freeze and become unable to restart.

It is possible that you will have neither the launchd.conf file nor any .dylib file installed. This can happen if you opt out of changing your browser’s home page during Genieo installation, and some newer variants of Genieo do not install this file.

Step 2a

If the launchd.conf file was found and removed, restart the computer. Otherwise, proceed without restarting.

Step 3

Move the following items to the trash. Some of them, including the Genieo application, may not be present; remove the ones that you do find. Note that removing many of these files will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. If you are not, you will be unable to remove some of them.

/Applications/Genieo
/Applications/Uninstall Genieo
/Applications/Uninstall IM Completer.app
~/Library/Application Support/com.genieoinnovation.Installer/
~/Library/Application Support/Genieo/
~/Library/LaunchAgents/com.genieo.completer.download.plist
~/Library/LaunchAgents/com.genieo.completer.update.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.client.plist
/Library/LaunchAgents/com.genieo.engine.plist
/Library/LaunchAgents/com.genieo.completer.update.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/usr/lib/libgenkit.dylib
/usr/lib/libgenkitsa.dylib
/usr/lib/libimckit.dylib
/usr/lib/libimckitsa.dylib

If you successfully remove the launchd.conf file, but cannot find the other files listed above, that will not cause a problem. I would be suspicious, though, that you have made an error somewhere in such a case. See the Addendum below.

Step 4

Restart your computer. After it starts back up, move the following item to the trash, if present. This will also require an admin password.

/Library/Frameworks/GenieoExtra.framework

It is now safe to empty the trash, to delete all the removed files.

Step 5

Remove the Omnibar browser extension, if present. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Step 6

Change the home page and possibly the search engine settings in your browser’s preferences.

If you have Firefox installed, go to the following folder:

~/Library/Application Support/Firefox/Profiles/

Inside that folder, you will find another folder whose name begins with a series of random characters and ends with “.default”. Open that folder, and look for a folder named searchplugins. Inside that folder, delete the “my-homepage.xml” file, if present.
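
The file checks from steps 2 through 4 can be scripted as a read-only audit; the shell function below is an added example, not part of the original guide, and it deletes nothing. The name genieo_audit and its ROOT and HOME_DIR arguments are assumptions made here, as is trying each path with “.app” appended because Finder hides that extension; ROOT also lets it inspect a mounted volume, which goes beyond the steps above.

```shell
#!/bin/sh
# Read-only audit of the paths listed in steps 2-4; it deletes nothing.
# Usage: genieo_audit [ROOT] [HOME_DIR]   (ROOT "" = running system, or a
# mounted volume such as "/Volumes/Macintosh HD"; HOME_DIR defaults to $HOME)
genieo_audit() {
    root="${1:-}"; home="${2:-$HOME}"; found=0; dylibs=0
    conf="$root/private/etc/launchd.conf"
    while IFS= read -r p; do
        case "$p" in
            "~/"*) full="$home/${p#??}" ;;   # item in the user's own Library
            *)     full="$root$p" ;;
        esac
        # Assumption: Finder hides ".app", so the bundle name is tried too.
        if [ -e "$full" ] || [ -L "$full" ] || [ -e "$full.app" ]; then
            echo "FOUND $full"
            found=$((found + 1))
            case "$p" in *.dylib) dylibs=$((dylibs + 1)) ;; esac
        fi
    done <<'EOF'
/Applications/Genieo
/Applications/Uninstall Genieo
/Applications/Uninstall IM Completer.app
~/Library/Application Support/com.genieoinnovation.Installer/
~/Library/Application Support/Genieo/
~/Library/LaunchAgents/com.genieo.completer.download.plist
~/Library/LaunchAgents/com.genieo.completer.update.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.client.plist
/Library/LaunchAgents/com.genieo.engine.plist
/Library/LaunchAgents/com.genieo.completer.update.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/usr/lib/libgenkit.dylib
/usr/lib/libgenkitsa.dylib
/usr/lib/libimckit.dylib
/usr/lib/libimckitsa.dylib
/Library/Frameworks/GenieoExtra.framework
EOF
    if [ -e "$conf" ]; then
        echo "FOUND $conf"
        grep -n '\.dylib' "$conf" | sed 's/^/  launchd.conf line /'
        echo "VERDICT launchd.conf present: do steps 2 and 2a before removing any .dylib"
    elif [ "$dylibs" -gt 0 ]; then
        echo "VERDICT launchd.conf absent, $dylibs .dylib file(s) present"
    else
        echo "VERDICT launchd.conf absent, no .dylib present, $found other item(s) found"
    fi
}
genieo_audit "$@"
```

With no arguments it inspects the running system; to inspect a mounted volume instead, pass the volume and the home folder on it, for example genieo_audit "/Volumes/Macintosh HD" "/Volumes/Macintosh HD/Users/yourname", where yourname is a placeholder.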

Addendum

Some people have reported not being able to find any of the files mentioned in these removal instructions. If this is the case for you, there are several possible explanations:

  • You have made an error. Go back through all the steps again, paying especially close attention to the exact locations of these files and how to locate them. Many people have failed to find files because they are looking in the wrong places (such as the wrong Library folder – there are three Library folders, in three different places, but the instructions only refer to one of them).
  • You forgot a step. Most notably, people often seem to forget steps 5 and 6, which is part of the reason I broke it down into numbered steps.
  • You don’t actually have Genieo installed. Having found a Genieo installer on your hard drive does not necessarily mean it’s installed, for example. There are also many different adware programs and even network compromises that can cause similar symptoms, so you may be affected by something else. Go to Eliminating browser redirects and advertisements.
  • Some other software has removed them already, such as anti-virus software, cleaning software or even the Genieo uninstaller (though the latter will definitely not remove all the files listed here).
  • You may have responded “No” to certain things during installation, such as when it asks if you want to change your home page. In some cases, this can result in many files never being installed.
  • You have a brand new, undiscovered variant of Genieo. I only mention this as a possibility… it has yet to actually ever be the case for anyone who has had this issue, so this is very unlikely.

Please do not e-mail me just because you are unable to find the files mentioned! It’s not that I don’t want to help, I simply cannot keep up with the flood of e-mail from people who are wondering if they have done things wrong. As already indicated, there are cases where most of these files may not be present, and quite normal for some of them to be absent. The list of files is representative of a combination of all variants of Genieo, not one in particular.

If you have followed these directions, but are still having searches redirected, you either didn’t do something correctly or you have some other adware installed in addition to (or instead of) Genieo.

Recovering a computer that cannot start up

If you made the mistake I repeatedly warned about above and caused your computer to crash and to be unable to start up again, the issue is that you failed to remove the launchd.conf file, which is still trying to load what are now non-existent .dylib files, and this fails. This is a very low-level process that Genieo really should not have been tampering with.

The easiest way to recover from this is to erase your hard drive and restore from a backup made prior to the failed removal attempt. (Or, even better, prior to installing Genieo in the first place!) If you are using Time Machine, you can follow the excellent guide by the late James Pond, found here:

How do I restore my entire system?

If you are using some other backup system, you will need to consult its documentation.

If this is not an option, there is another way to remove the launchd.conf file, but it requires some work in the Unix shell, via the Terminal. If this is not something you feel comfortable with, and you don’t have backups, you should seek professional assistance.

First, assuming you are using Mac OS X 10.7 (aka Lion) or later, you need to start up in recovery mode by holding command-R at startup. Once in recovery mode, you need to choose Terminal from the Utilities menu. When the Terminal opens, you need to enter the following command, modified to include your hard drive name in place of “your HD name.”

rm /Volumes/"your HD name"/private/etc/launchd.conf

The quotes must be included if your hard drive name contains spaces or other special characters. As an example, if your hard drive still has the default name, Macintosh HD, you would use the following:

rm /Volumes/"Macintosh HD"/private/etc/launchd.conf

If you do not remember the exact name of your hard drive, enter the following command:

ls -l /Volumes

(Note that that is, in lowercase, LS -L… those are Ls, not the number 1 or the uppercase letter i.)

Executing this command will display a series of items, with one volume per line, looking like this:

lrwxr-xr-x  1 root  admin  1 Jan 25 11:15 Hyperion

The part at the end (Hyperion for my computer) is the name of the hard drive.

After you have executed the “rm” command successfully, you should be able to restart the computer successfully. If you get an error saying “No such file or directory,” you have made an error somewhere in the file path and will need to correct it. If you cannot figure out how to correct it, seek professional assistance.


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.