The Safe Mac



Continue to boycott Softonic

Posted on December 6th, 2013 at 6:55 AM EDT


Softonic has been a problem before, as outlined in a previous article, Boycott Softonic. In a nutshell, Softonic was wrapping some software downloaded from their site in an adware installer, which installed the ChatZum adware. Worse, the adware was installed regardless of whether you declined this “optional” software. Although Softonic quickly removed these installers when caught, they obviously did not learn the error of their ways. Adware-riddled installers are back!

I was alerted by someone who ended up redirected to installmac.com in Safari, who identified a copy of Gimp downloaded from Softonic as the culprit. Sure enough, downloading Gimp from Softonic results in the download of a file named “installgimp.dmg,” but that disk image does not contain the Gimp app as it would if downloaded directly from the official Gimp website. Instead, it contains a file generically named “Installer.”

This installer looks like an official Apple installer package (a .pkg file, which would open in Apple’s installer app), but it is actually an application that is using the icon for Apple’s .pkg file type. Upon opening it and proceeding with the installation, the screen shown at right will be encountered. The information shown here does not clearly state that additional software will be installed. This could be interpreted as deceptive, especially given the Gimp icon at the top and the description of Gimp at the bottom, making it seem like a simple license agreement.
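A way to check a downloaded disk image for this kind of disguise, as an added example that is not part of the original article: it lists every item that is really an application bundle regardless of its icon, and every file named .png whose content is not an image (a commenter below reports files such as libimckit.dylib.png inside this installer). The function names and the sample tree are constructed for illustration, and the Contents/MacOS layout test is this example's assumption about how to recognize an application.

```sh
#!/bin/sh
# Added example: audit a mounted disk image (or any folder) before opening
# anything in it. Function names are this example's own.

PNG_MAGIC=89504e470d0a1a0a   # the 8-byte signature that starts every real PNG

# Print "app-bundle <path>" for every directory laid out as a macOS
# application (it contains Contents/MacOS), whatever icon it displays.
find_app_bundles() {
    find "$1" -type d -path '*/Contents/MacOS' 2>/dev/null |
    while IFS= read -r macos_dir; do
        printf 'app-bundle %s\n' "${macos_dir%/Contents/MacOS}"
    done
}

# Print "fake-png <path>" for every *.png whose content is not a PNG image,
# e.g. a library or browser extension shipped under an image extension.
find_fake_pngs() {
    find "$1" -type f -name '*.png' 2>/dev/null |
    while IFS= read -r f; do
        magic=$(head -c 8 "$f" | od -An -tx1 | tr -d ' \n')
        [ "$magic" = "$PNG_MAGIC" ] || printf 'fake-png %s\n' "$f"
    done
}

audit_image() {
    find_app_bundles "$1"
    find_fake_pngs "$1"
}

# Constructed sample: an "Installer" app holding one real PNG and one file
# that only carries the .png extension.
demo() {
    d=$(mktemp -d)
    res="$d/Installer.app/Contents/Resources"
    mkdir -p "$d/Installer.app/Contents/MacOS" "$res"
    printf '\211PNG\r\n\032\n' > "$res/icon.png"
    printf 'not an image' > "$res/libimckit.dylib.png"
    audit_image "$d"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then audit_image "$1"; else demo; fi
```

Pass the mount point of the opened disk image as the first argument to audit it; with no argument the script runs on its constructed sample.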

On clicking the Next button, however, there is a drop-down window that asks whether you want to change your search page in Safari. If you decline, the adware will not be installed, unlike Softonic’s previous foray into adware installers. However, the default is to accept this optional installation.

Accepting and continuing results in the installation of a version of the Genieo adware. However, unlike the normal Genieo installer, there is nothing installed anywhere that the user can see. There’s no Genieo app, and no uninstaller. (However flawed the Genieo uninstaller may be, at least they provide one normally.) All the user can see is that their searches are briefly redirected to installmac.com, which then redirects to bing.com, and no reason for this can be found.

There are some serious ethical, and probably legal, issues at play here. Softonic has no ownership of the apps that they are wrapping in these installers, and does not have permission from the developers in question. In any case, though, I strongly recommend boycotting Softonic for the foreseeable future. Do not download from them, avoid their website and warn your friends!

Adware is becoming a serious problem for Mac users, and we all need to do our parts to fight this blight! Softonic is not the only download site resorting to such underhanded tricks. See Boycott CNET’s Download.com.

Removal

Because this InstallMac adware is powered by Genieo, removal instructions can be found in the Genieo removal section of my Adware Removal Guide. Keep in mind that not all the files described there will be present, so don’t be surprised or alarmed when you cannot find a file that the guide says to remove.



16 Comments

  • aa says:

    Did you note the following – ‘active’ files with .png added to the names?

    libimckit.dylib.png
    libimckitsa.dylib.png
    Omnibar5.safariextz.png
    Omnibar6.safariextz.png

    • Thomas says:

      I see those within the installer app package. I’m not finding them installed anywhere on the system, though. I’m guessing the .png is just a diversion, and it is removed when the files are copied to the system.

      Interesting to see the Omnibar in there… that’s part of ChatZum, and doesn’t actually appear to get installed. I’ll have to check for some of the other components of ChatZum.

    • Thomas says:

      Just checked… none of the other known components of ChatZum are installed on my test system. Strange that the installer app contains copies of the ChatZum Omnibar extension, but it doesn’t actually get installed!

      • Jay says:

        Maybe it depends on OS version and browser? For example Genieo started showing pop-ups (that they make look like a system preferences dialog) stating to be compatible with Mavericks it needs to upgrade itself. The test system I had it on is still on 10.8.5 so looks like they are preparing their software so it will still work once I upgrade. If ChatZum is not compatible it may explain why it is left out on your test system.

  • bentkitty100 says:

    Question for Thomas or for anyone who knows:

    Why do people do this stuff? Wrap adware in installers and all? Are people really that money-centric?

    • Thomas says:

      Yup, that’s basically it… they want money, and pushing ads on people is an easy way to get some without too much work.

      • bentkitty100 says:

        …. so sad :( Wish people as smart as this used their brilliance to make money without pissing people off.

        I suppose that’s a delusion, though…

    • Al says:

      The Internet is not free, it just seems that way. The only way a company can afford to provide Internet services is by selling something. Internet sales are easy to understand, but for others that cannot provide content for free, they must rely on advertising. As users find ways to block ads, new and more invasive ways are being used to demand our attention. Even most of the true malware delivered today relies on being paid by advertisers to divert our attention. There are also botnets being established for the sole purpose of generating fake clicks on legitimate advertiser links. The user never sees the ad, but the botnet operator still gets paid for the click anyway.

  • Gus Caldas says:

    I have installed the Genieo adware and was trying to remove it, strictly following your instructions in the Adware Removal Guide. But after moving the first files to the trash, when I was supposed to restart the computer, it just didn’t. Nor will it turn off. I have tried to reinstall them from the trash, but they won’t. It just keeps “preparing to move”. THEN, I found this in your update comments:
    June 21, 2013 @ 8:27 pm EST: A colleague has warned me that removing the /usr/lib/libgenkit.dylib without also removing /etc/launchd.conf will brick the computer! This is a good point… be sure not to make this mistake. Note that the uninstaller seems to properly unload those libraries, avoiding this problem, even if it fails utterly in other ways. I have clarified this above to prevent unfortunate accidents.
    There’s no reference to this file in your adware removal guide. And it appears to me that my computer has been “bricked”. And I am afraid now to turn it off “hard” and it won’t turn on.
    So… What should I do?

    • Thomas says:

      That file actually is referenced in the Genieo removal instructions, at its full path “/private/etc/launchd.conf” rather than the shortcut path referred to in that comment. The removal instructions very specifically state that not following them precisely will cause your computer to be unable to start up.

      I have just made another round of edits to those removal instructions, in hopes that this will stop people from making this mistake.

      • Gus Caldas says:

        Thomas, I think I’ve found the problem. The way it is written, the “/private/etc/launchd.conf” string appeared to me (apparently to others also) as a continuation of the line above, the end of which is not shown. Only now that I have the problem, and the name of the file is in my mind, have I recognized it as a separate file… Fu**…
        So, I would like to ask you: is there a solution for my situation?
        Tks

        • Thomas says:

          The easiest solution is to erase the hard drive and restore everything from a full backup prior to installing Genieo.

          If that’s not an option, the other options are more difficult. One would be to start up in recovery mode, then open the Terminal from the Utilities menu. In the Terminal, you’ll need to execute the following command, replacing “your HD name” with the name of your system hard drive, leaving it inside the quotes:

          rm /Volumes/"your HD name"/private/etc/launchd.conf

          I’ll also look into fixing the page so those lines don’t go outside the margin and overlap… I’ve never seen that in any browser I use, but I can imagine it could happen with some browser configurations.

  • PK Hunter says:

    Please report them to Google Malware list. As a Chrome user, I really don’t even want to visit Softonic.

  • leslie Trott says:

    Hi Thomas, I have a problem. If you can help me I will be so happy. I know I have some kind of virus, because this is what happens when I right click on an icon on my desktop: a box comes up and it says in the box… adwareinstaller. I quickly click cancel because it starts to download. I think the file name is Ad-wareinstaller.dll. I shopped online today; after I closed the sale, I was watching a YouTube video, when a message at the bottom of that video said you haven’t finished your order, order still waiting, or something like that. I knew I had finished the order because I got a confirmation email from the store. Also I have this file I think could be it: C:\program files\lavasoft\Ad-ware Anrivirus\Ad-ware antivirus\ 11.15354.0. Any help you can give me I would be so happy.

    Leslie


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.