
Adware Removal Guide: Genieo

Published November 7th, 2013 at 5:22 PM EST, modified July 15th, 2015 at 7:44 PM EDT

Genieo (and InstallMac, another name for the same software) is perhaps the most prolific adware at the time of this writing (late 2013). It has been in active distribution for most of the year, with a very active Israeli company behind it. Although the installer is available through the company’s web site, it has also been seen numerous times being distributed through installers that pretend to be something they are not, such as fake Adobe Flash Player installers. This behavior has been blamed on third-party “partners” each time it has been observed.

Genieo has changed significantly over the time it has been in distribution. The list of files to be removed has grown since it was first seen. Unfortunately, the uninstaller has always been largely useless, in most cases leaving pieces behind that are actively running. Removal should not involve the uninstaller, which has been failing for months, with Genieo fully aware of the issue.

In addition to the issues with the uninstaller not functioning properly, the InstallMac uninstaller has been seen to actually install files that were not already present! Thus, using the uninstaller could actually install hidden components of this adware that were not there before. Although testing has not shown any other Genieo uninstaller behaving in the same manner, I would not make any assumptions that the InstallMac uninstaller is the only one misbehaving.

Automatic Removal

If you would rather not attempt the manual removal instructions, you can try Malwarebytes Anti-Malware for Mac.

Removal

If you have an old variant of Genieo, and you do not follow these directions exactly, you could cause your computer to freeze and to be unable to restart! This only affects very old versions of Genieo, as none of the recent variants use the dangerous method of installation that older variants did. I cannot stress enough the importance of reading carefully and following all steps precisely! If you make an error and cause this to happen, see the recovery instructions at the end of this article.

Be aware that these steps encompass a wide range of different Genieo variants, and you may find that you’re missing many of the things these instructions say to look for. That is normal.


Step 1

Quit the Genieo app, if it is running. If you do not see the “house” icon in the menu bar, the Genieo app should not be running. Some variants of Genieo do not include a Genieo app, in which case this step is unnecessary.

If the app will not quit, open the Activity Monitor application (found in the Utilities folder in the Applications folder) and find the Genieo app. Select it, then click the toolbar button with a stop sign with an X in the middle to force it to quit.

Step 2

Move the following item to the trash. Note that, if you don’t know how to locate a file based on the path given below, you should read Locating files from paths. This will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. Failure to properly remove this file, if it is present, will result in your computer freezing and becoming unable to start up!

/private/etc/launchd.conf

If you fail to find this file, pause here. You may proceed, at your own risk, but need to exercise caution. If you are not absolutely sure you looked in the right place for the launchd.conf file, you must not remove any of the files ending in .dylib mentioned in step 3! Removing a .dylib file that is loaded by launchd.conf without removing (or editing) the launchd.conf file will cause your computer to freeze and become unable to restart.

There are many normal cases in which you will have neither the launchd.conf file nor any .dylib file installed. This can happen if you opt out of changing your browser’s home page during Genieo installation, if you have run the Genieo uninstaller, or if you have a newer variant of Genieo. No recent variants of Genieo install these files.

Step 2a

If the launchd.conf file was found and removed, restart the computer. Otherwise, proceed without restarting.

Step 3

Move the following items to the trash. Some of them, including the Genieo application, may not be present; remove the ones that you do find. Note that removing many of these files will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. If you are not, you will be unable to remove some of them.

/Applications/Genieo
/Applications/InstallMac
/Applications/Uninstall Genieo
/Applications/Uninstall IM Completer.app
~/Library/Application Support/com.genieoinnovation.Installer/
~/Library/Application Support/Genieo/
~/Library/Application Support/IM.Installer/
/Library/LaunchAgents/com.genieoinnovation.macextension.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.client.plist
/Library/LaunchAgents/com.genieo.engine.plist
/Library/LaunchAgents/com.genieo.completer.update.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/usr/lib/libgenkit.dylib
/usr/lib/libgenkitsa.dylib
/usr/lib/libimckit.dylib
/usr/lib/libimckitsa.dylib

If you successfully remove the launchd.conf file, but cannot find the other files listed above, that will not cause a problem. I would be suspicious, though, that you have made an error somewhere in such a case. See the Addendum below.

In addition to the files listed above, you should also look in the following folder:

~/Library/LaunchAgents/

In that folder, look for three files, all starting with the same name and ending in “.download.plist”, “.ltvbit.plist” and “.update.plist”. Any such files should be moved to the trash. Examples include, but are not limited to, the following:

~/Library/LaunchAgents/com.genieo.completer.download.plist
~/Library/LaunchAgents/com.genieo.completer.update.plist
~/Library/LaunchAgents/com.genieo.completer.ltvbit.plist
~/Library/LaunchAgents/com.installer.completer.download.plist
~/Library/LaunchAgents/com.installer.completer.update.plist
~/Library/LaunchAgents/com.installer.completer.ltvbit.plist
~/Library/LaunchAgents/texiday.download.plist
~/Library/LaunchAgents/texiday.update.plist
~/Library/LaunchAgents/texiday.ltvbit.plist
~/Library/LaunchAgents/Listchack.download.plist
~/Library/LaunchAgents/Listchack.update.plist
~/Library/LaunchAgents/Listchack.ltvbit.plist

If you find an item starting with a name not mentioned here, go back and look for items with the same name in the following folders:

/Applications/
~/Library/Application Support/

Move any matching items to the trash. For example, if you find a LaunchAgent named “Inkeepr.ltvbit.plist”, you should look for and remove something named “InKeepr” in those two folders. Also, keep this name in mind in Step 5, when you are removing browser extensions.

Step 4

Restart your computer. After it starts back up, move the following item to the trash, if present. This will also require an admin password.

/Library/Frameworks/GenieoExtra.framework

It is now safe to empty the trash, to delete all the removed files.

Step 5

Remove any browser extensions named Omnibar, GoldenBoy, Texiday, Listchack, InKeepr, Celipsow or Nariabox, if present. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

If you found the three LaunchAgents at the end of step 3, and they had names not mentioned in this guide, look for and remove an extension having the same name. For example, if you removed a LaunchAgent named “Blah.ltvbit.plist”, look for and remove a browser extension named “Blah.”

Step 6

Change the home page and possibly the search engine settings in your browser’s preferences.

If you have Firefox installed, go to the following folder:

~/Library/Application Support/Firefox/Profiles/

Inside that folder, you will find another folder whose name begins with a series of random characters and ends with “.default”. Open that folder, and look for a folder named searchplugins. Inside that folder, delete the “my-homepage.xml” file, if present.
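The checks behind Steps 2 and 3 can be scripted as a read-only audit. The following is an added example, not part of the original guide or of any vendor tool. The function names, the ROOT and USERHOME parameters and the --run switch are hypothetical, and it assumes launchd.conf names its libraries by absolute path.

```shell
#!/bin/sh
# Read-only audit for this guide's launchd.conf hazard; nothing is deleted.
# ROOT: "" for the running system or a mounted volume path. USERHOME: home folder.

# Step 2. Prints absent, present or dangling. "dangling" means launchd.conf
# names a .dylib that is gone. Assumes libraries are given as absolute paths.
launchd_conf_state() {
    conf="$1/private/etc/launchd.conf"
    [ -f "$conf" ] || { echo absent; return 0; }
    state=present
    for lib in $(grep -o '/[^[:space:]:]*\.dylib' "$conf"); do
        [ -e "$1$lib" ] || state=dangling
    done
    echo "$state"
}

# Step 3. Prints the guide's four .dylib paths that exist under ROOT.
genieo_dylibs() {
    for n in libgenkit libgenkitsa libimckit libimckitsa; do
        [ -e "$1/usr/lib/$n.dylib" ] && echo "/usr/lib/$n.dylib"
    done
    return 0
}

# Step 3. Prints each NAME having all of NAME.{download,ltvbit,update}.plist.
launchagent_triples() {
    for f in "$1"/*.ltvbit.plist; do
        [ -e "$f" ] || continue
        p="${f%.ltvbit.plist}"
        [ -e "$p.download.plist" ] && [ -e "$p.update.plist" ] && echo "${p##*/}"
    done
    return 0
}

# Report plus the ordering advice from Steps 2, 2a and 3.
genieo_check() {
    state=$(launchd_conf_state "$1")
    echo "launchd.conf: $state"
    genieo_dylibs "$1" | sed 's/^/dylib: /'
    launchagent_triples "$2/Library/LaunchAgents" | sed 's/^/variant: /'
    case "$state" in
        dangling) echo "advice: launchd.conf names a missing .dylib; remove launchd.conf first" ;;
        present)  echo "advice: remove launchd.conf and restart before removing any .dylib" ;;
        *)        echo "advice: no launchd.conf under this ROOT" ;;
    esac
}

case "${1:-}" in --run) genieo_check "${2:-}" "${3:-$HOME}" ;; esac  # hypothetical switch
```

A name printed on a "variant:" line is the one to look for in /Applications/, in ~/Library/Application Support/ and among browser extensions in Step 5.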

Addendum

Some people have reported not being able to find any of the files mentioned in these removal instructions. If this is the case for you, there are several possible explanations:

  • You have made an error. Go back through all the steps again, paying especially close attention to the exact locations of these files and how to locate them. Many people have failed to find files because they are looking in the wrong places (such as the wrong Library folder – there are three Library folders, in three different places, but the instructions only refer to one of them).
  • You forgot a step. Most notably, people often seem to forget steps 5 and 6, which is part of the reason I broke it down into numbered steps.
  • You don’t actually have Genieo installed. Having found a Genieo installer on your hard drive does not necessarily mean it’s installed, for example. There are also many different adware programs and even network compromises that can cause similar symptoms, so you may be affected by something else. Go to Eliminating browser redirects and advertisements.
  • Some other software has removed them already, such as anti-virus software, cleaning software or even the Genieo uninstaller (though the latter will definitely not remove all the files listed here).
  • You may have responded “No” to certain things during installation, such as when it asks if you want to change your home page. In some cases, this can result in many files never being installed.
  • You have a brand new, undiscovered variant of Genieo. I only mention this as a possibility… it has yet to actually ever be the case for anyone who has had this issue, so this is very unlikely.

Please do not e-mail me just because you are unable to find the files mentioned! It’s not that I don’t want to help, I simply cannot keep up with the flood of e-mail from people who are wondering if they have done things wrong. As already indicated, there are cases where most of these files may not be present, and it’s quite normal for some of them to be absent. The list of files is representative of a combination of all variants of Genieo, not one in particular.

If you have followed these directions, but are still having searches redirected, you either didn’t do something correctly or you have some other adware installed in addition to (or instead of) Genieo.

Recovering a computer that cannot start up

If you made the mistake I repeatedly warned about above and caused your computer to crash and to be unable to start up again, the issue is that you failed to remove the launchd.conf file, which is still trying to load what are now non-existent .dylib files, and this fails. This is a very low-level process that Genieo really should not have been tampering with.

The easiest way to recover from this is to erase your hard drive and restore from a backup made prior to the failed removal attempt. (Or, even better, prior to installing Genieo in the first place!) If you are using Time Machine, you can follow the excellent guide by the late James Pond, found here:

How do I restore my entire system?

If you are using some other backup system, you will need to consult its documentation.

If this is not an option, there is another way to remove the launchd.conf file, but it requires some work in the Unix shell, via the Terminal. If this is not something you feel comfortable with, and you don’t have backups, you should seek professional assistance.

First, assuming you are using Mac OS X 10.7 (aka Lion) or later, you need to start up in recovery mode by holding command-R at startup. Once in recovery mode, you need to choose Terminal from the Utilities menu. When the Terminal opens, you need to enter the following command, modified to include your hard drive name in place of “your HD name.”

rm /Volumes/"your HD name"/private/etc/launchd.conf

The quotes must be included if your hard drive name contains spaces or other special characters. As an example, if your hard drive still has the default name, Macintosh HD, you would use the following:

rm /Volumes/"Macintosh HD"/private/etc/launchd.conf

If you do not remember the exact name of your hard drive, enter the following command:

ls -l /Volumes

(Note that that is, in lowercase, LS -L… those are Ls, not the number 1 or the uppercase letter i.)

Executing this command will display a series of items, with one volume per line, looking like this:

lrwxr-xr-x  1 root  admin  1 Jan 25 11:15 Hyperion

The part at the end (Hyperion for my computer) is the name of the hard drive.

After you have executed the “rm” command successfully, you should be able to restart the computer successfully. If you get an error saying “No such file or directory,” you have made an error somewhere in the file path and will need to correct it. If you cannot figure out how to correct it, seek professional assistance.
