Genieo adware proliferating
Published June 7th, 2015 at 9:00 AM EST, modified June 7th, 2015 at 9:00 AM EST

In recent months, several new variants of the Genieo adware have crossed my path. This adware is still pulling many of the same tricks – changing the search engine to Bing, and installing all kinds of junk that runs in the background and modifies browser behavior. However, it’s now using a variety of different names, perhaps in an attempt to make detection more difficult.
Until recently, variants of Genieo have only gone by two different names: Genieo and InstallMac. In the last few months, however, I’ve come across a number of new variants under new names: GoldenBoy, Texiday, and now Listchack.
In all these cases, a Safari extension by that name has been installed. In addition, these variants will install files in the user’s LaunchAgents folder having names and contents following predictable patterns. (LaunchAgents are used to keep processes running invisibly in the background at all times, even after restarting, or to run processes invisibly on a periodic basis.)
Some may question how I am able to connect these new names with Genieo. There are several ways. First, all of these variants include a Safari extension containing code that is identical in places to the older code found in Genieo’s Omnibar extension. All include the same three LaunchAgents, with minor changes to their names and content, that have been in use by Genieo and InstallMac for some time. And all seem to install the Genieo “Reset Search” app, a supposed uninstaller that has never done the job properly.
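The indicators described above (a Safari extension and LaunchAgents carrying a variant's name) can be checked for with a small script. This is an added example, not code from the original post or from AdwareMedic; the variant names are the ones the post lists, and the sample directory tree is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: list per-user LaunchAgents
# and Safari extensions whose file name or contents mention one of the Genieo
# variant names given in the post. The sample directory layout below is
# constructed here so the script runs offline; on a real Mac point it at
# "$HOME/Library/LaunchAgents" and "$HOME/Library/Safari/Extensions".

GENIEO_NAMES="Genieo InstallMac GoldenBoy Texiday Listchack"

# scan_genieo DIR: print one line per indicator found under DIR.
# Both checks are case-insensitive because the variants rename their
# LaunchAgents with only minor changes (e.g. com.listchack.*).
scan_genieo() {
    dir=$1
    for name in $GENIEO_NAMES; do
        # -r recurse, -i ignore case, -l print only matching file names
        grep -ril "$name" "$dir" 2>/dev/null | while read -r hit; do
            printf '%s: content mentions %s\n' "$hit" "$name"
        done
        find "$dir" -iname "*$name*" 2>/dev/null | while read -r hit; do
            printf '%s: name matches %s\n' "$hit" "$name"
        done
    done
}

# count_genieo_hits DIR: number of indicator lines, 0 when the tree is clean.
count_genieo_hits() {
    scan_genieo "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one Listchack LaunchAgent, one benign LaunchAgent,
# one Texiday Safari extension (an empty file stands in for the bundle).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/LaunchAgents" "$SAMPLE/Safari/Extensions"
cat > "$SAMPLE/LaunchAgents/com.listchack.agent.plist" <<'EOF'
<plist><dict><key>Label</key><string>com.listchack.agent</string></dict></plist>
EOF
cat > "$SAMPLE/LaunchAgents/com.example.benign.plist" <<'EOF'
<plist><dict><key>Label</key><string>com.example.benign</string></dict></plist>
EOF
: > "$SAMPLE/Safari/Extensions/Texiday.safariextz"

scan_genieo "$SAMPLE"
echo "$(count_genieo_hits "$SAMPLE") indicator(s) found under $SAMPLE"
```

A hit only means a name matched; the post's other indicator, the "Reset Search" app, is not covered here, and anything flagged should be confirmed by inspecting the file before removing it.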
These Genieo variants are being installed through highly deceptive installers. In the case of the latest (Listchack), for example, the installer is downloaded from a site supposedly offering a download of the popular open-source VLC video player. The resulting download, however, is a disk image file called MPlayer.dmg, named for a different (and not legit) video player. Upon running the Installer app found on that disk image, the installer claims to be installing yet another player: Fast Player, one that I’ve never even heard of. And not a single one of these video players actually ends up being installed!
Avoiding these deceptive Genieo installers, and all other such adware installers, is fortunately quite easy: simply exercise care with what you download online. Only download from the developer’s site, and never download from other sites, especially “download aggregation” sites like Download.com and Softonic (which are both known to inject their own adware in many of their downloads). For more information on how to protect yourself from this kind of thing, see my Mac Malware Guide.
If you think you may have installed one of these new Genieo variants, you can remove it using my AdwareMedic app.
31 Comments
Just a notice (despite if you place this or not)
My browser is warning me that thesafemac is (probably) using Canvas fingerprinting!
https://en.wikipedia.org/wiki/Canvas_fingerprinting
Although this is a legitimate technique, it’s in a way spying on users too.
And we do not like spying, do we?
Cookies can be deleted, the combination of device hardware profile/browser profile is actually not easy to be changed and quite a questionable form of user tracking.
Is this collecting of user profiles really necessary and needed?
It reminded me of the built-in complete Mac profile feedback report that could be sent back in the first versions of your adware program. An anti-privacy option that you removed later on.
Please consider using other methods of tracking users, at least warn them or give them an option to choose to accept this.
That would be a bit more ethical behavior in the context of this site; privacy is an important part of security.
By the way, how well is your collection of user data protected against people that try to get that data? The more you possess and collect, the more you have to protect.
Just some friendly-meant feedback from a reader, Thomas
I don’t do any tracking whatsoever of users on this site, regardless of technique. I don’t even require people to register in order to post comments. So, whatever is alerting you to this is either erroneous or it’s picking up something that is being injected into the page by a third-party. The latter would typically be due to adware.
Turns out that Tor Browser is triggering on the new emoji support code that was added in WordPress 4.2. I don’t use this, so I have disabled it. However, as you can see, this “feature” of Tor Browser is more than a bit flawed, since it will trigger on any WordPress site that 1) has updated to 4.2 or later, as should be done for security reasons, and 2) has not done anything to disable this emoji support code.
For WordPress site owners who don’t want Tor falsely accusing your site of wrongdoing, add the following lines to your functions.php file:
// Disable the emoji detection script and styles that WordPress 4.2 adds to every page
remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'wp_print_styles', 'print_emoji_styles' );
Thanks, looks like I was wrong with my assumption then… Also, thank you for the tip with the functions for WordPress.
Not having any inside knowledge, it might be related to the paypal donate button as well, although I think Adware is the most likely option.
@Canvas fingerprinting ?: you should do a Scan with Thomas’ Adware Medic app. If it is coming back clean, I would try deactivating other plugins. If it still shows, try other pages using the Paypal API for donation to see if that might be the one.
Canvas is not adware, so Adware Medic cannot remove it. It is based on JavaScript and is persistent (embedded) on many websites. Simply disable JavaScript in your browser or use any JavaScript-blocker add-on that informs you about embedded Canvas JavaScript.
http://www.makeuseof.com/tag/canvas-fingerprinting-will-track-everywhere-go-heres-worried/
24 hours, no Genieo reps? Looks like they’ve learned their lesson… maybe…
In other news, thank you Thomas for the helpful info as always.
I wonder where and how you got the impression that MPlayer is not legit (or maybe I misinterpreted the sentence “…MPlayer.dmg, named for a different (and not legit) video player”).
See:
MPlayerX adware behaving like malware
MPlayerX, as far as I know, is by no means associated with the MPlayer project, whose home page is here: https://www.mplayerhq.hu/. It is a highly renowned FOSS project started around the same time as FFmpeg, and it is older than VLC.
Personally I used MPlayer for a long time, mplayer2 (a now abandoned MPlayer fork) for about half a year, and later switched to mpv (an MPlayer and mplayer2 fork) and have been using it since then for about two years. These projects are all distributed in source form and there is simply no room for adware. Whatever nasty things downstream packagers do shouldn’t be attributed to the upstream.
I believe I also used MPlayerX for a brief period of time a few years ago and didn’t recall any adware offers (I’m usually very sensitive to this kind of stuff). I think “This is not particularly new, and has been described here before, although never with an installer downloaded directly from the MPlayerX site” in your article confirms my impression. Maybe things changed; or maybe the website was hacked. Not sure. In any case, the MPlayer project shouldn’t take the blame.
Hi Anonymous,
This is not a case of the MPlayerX website being in any way hacked. The publishers of this media player have planned this in advance.
The MPlayerX publishers really do have to take the blame and accept full responsibility for their despicable behavior.
I also must inform you that the blog for MPlayerX on their website (http://blog.mplayerx.org/)
very clearly states that:
“The other thing is that, MPlayerX will start to utilize the installer to fulfill monetization.”
It is blatantly clear this is a deliberate decision by them to put this type of Adware/Malware into their product’s installer. They even went so far as to obfuscate the coding and took additional measures to ensure this stuff would NOT be detected when installed in any virtual machine environment.
They have also stated on that blog that:
“I knew it may bring many negative comments”
So it is also clear they are preparing for the inevitable Mac user backlash they will have to deal with.
Huh, I just installed Adware Medic and erased the Adware/Malware; it was really easy, BUT I did it immediately. MPlayerX only affected my Minecraft when I cleared it 😛
Doesn’t matter, I don’t care. The point is MPlayerX is not MPlayer, and is not associated with MPlayer.
You say that these latest variants install a Safari extension… Doesn’t that require user interaction (are you sure you want to install the extension “___?”)? So are they just relying on people blindly allowing the extension to be installed, or have they found a way to circumvent that prompt?
Adware installers routinely install Safari extensions without any such warning. It simply involves putting the extension in Safari’s Extensions folder and modifying the Extensions.plist file, which can be done without any warning and without needing an admin password. All that would be required to activate it at that point would be to re-launch Safari, and it will be as if the extension was installed all along.
Genieo
((((((( Genius ))))))) …… thank you so much Thomas. I searched for several hours in frustration until happily I came upon your site and “Adwaremedic”. It solved the problem in short order. I sent along a small handful of cash, hope it helps.
Leif Ostlund
I have the listchack because I’m stupid and wanted to watch the Parks and Rec finale a little too badly. I’m on an old OS X and need to upgrade to get the app. Will it successfully get rid of listchack?
It should, but note that I don’t recommend upgrading Mac OS X just to run AdwareMedic. It is generally a good idea to upgrade from 10.6 to a newer system when possible, but that should not be rushed. Mac OS X 10.6.8 was the last system to be able to run PowerPC apps. You’re probably going to need to also upgrade or replace some third-party apps that you depend on, and that could include things like drivers for printers or other hardware. Upgrading without adequate preparation could leave you in a bad place!
There are always the manual removal instructions from my Adware Removal Guide instead.
You are the greatest. All adware gone, even the ones I didn’t know. What’s bundlelore? Thanks man I’ll donate some money you’re the best!
Bundlore is just one of many adware threats out there right now. It may be one of the most slippery, with countless different variants having a wide variety of forms.
Does Adware Medic recognize a new Genieo variant called Inkeepr? See https://discussions.apple.com/thread/7069320?start=0&tstart=0
It should – it detects a number of other recent Genieo variants, such as GoldenBoy, Texiday, Listchack, and others. I have yet to confirm detection of InKeepr, however. If anyone finds that AdwareMedic doesn’t remove that, please don’t hesitate to contact me!
Looks like it detected most of InKeepr, but not quite all of it. That has now been corrected.
Please help with removing the Trovi adware from my Mac running 10.10 using Google. This is becoming a nightmare!
Use AdwareMedic:
http://www.adwaremedic.com
I have this on my Mac. Whenever I search something on Google and then click a result, it goes to listchack and then Bing. How could I remove this?
If you have not already used AdwareMedic to remove Genieo, do so now:
http://www.adwaremedic.com
If you have, be aware that it will not reset your browser’s home page and search engine settings, so you still have to do that part manually once the adware is gone. See:
http://www.adwaremedic.com/kb/browsersettings.php
Thank you Thomas. I used your Adware Medic successfully to eliminate the tidal wave of pop-up ads I was getting, presumably via the Java I foolishly allowed my son to download for the purposes of running games such as Goat Simulator (lesson learned).
But it apparently didn’t get rid of all the celipsow remnants. I was wondering how my search engine got switched over to Bing. I just noticed that the Bing search address window starts with celipsow.bing or celipsow.google. I’ll run the adware app again to see if that eliminates it and reset my browser settings. Anything else I need to look for, or should that do it?
PS. We love you. Sending donation!!!
AdwareMedic doesn’t change your browser’s home page or search engine settings. If that gets changed by adware, you have to change it back manually. See:
http://www.adwaremedic.com/kb/browsersettings.php
Hi Thomas,
Question for you. I am a Mac user and was recently scammed by adware/malware. My son was using the computer. As soon as he opened Chrome, an ad popped up stating we had a trojan virus and requested we call a number. I called the number (everything seemed really legit) and gave access to the computer through GoTo Assist. The “tech” was jumping around and pointed out my serial number, asked me to write it down, then continued to show me my firewall settings and some other things. I got an uneasy feeling after about 5 minutes and disconnected the call. I just ran Adwaremedic and removed Genieo software. My questions are: (1) what is the potential threat of allowing this “tech” to have access to file information, including serial number? (2) Should I install software protection like McAfee (or is there a better software you would recommend)? (3) Does installing the software protect all user profiles automatically? I appreciate your feedback. We aren’t having any problems with the computer OS yet, but I’m certainly concerned. Thanks so much for your advice.
-Carlie
That was actually a scam. Since you let the scammer have access to the computer, you’ll need to erase the hard drive and reinstall everything from scratch. For details, see:
Tech support scam pop-ups