
InstallMac uninstaller antics

Published February 16th, 2014 at 10:01 PM EST , modified February 16th, 2014 at 10:01 PM EST

InstallMac is adware that I have written about before, as it is currently being added to some downloads available on Softonic. (Without the permission of the developers of the apps in question, I should note.) This adware, as well as the Genieo adware that powers it, has been known for some time to have a non-functional uninstaller. Although the uninstaller does appear to remove the software, it leaves behind some of the hidden components. It turns out, though, that the uninstaller’s behavior is worse than previously known!

Credit for this discovery goes to Andy Ball, who posted a note on Apple’s support forums detailing the fact that the InstallMac uninstaller will apparently install these hidden components, if they are not present! In other words, if someone thinks they have InstallMac and runs the uninstaller, or has removed it but runs the uninstaller “just to be sure,” they will actually end up with hidden Genieo components installed that were not there before.

I decided to test Andy’s findings myself, and found that it behaves exactly as described. I began by Googling “installmac uninstaller” which led me to an InstallMac FAQ page. From there, I found a link to the official InstallMac uninstaller and downloaded it.

[Screenshot: InstallMac uninstaller 1]

Upon running the uninstaller on a clean system, one which had never had InstallMac (or any other variant of Genieo) installed, I was asked to install Java. I did so, then continued with the process, providing my administrator password when asked, even though the password request raised several red flags. As can be seen, it referred to installing a new “helper tool,” which is very suspicious for something claiming to be an uninstaller.

When the uninstaller finished, there were no obvious signs of anything amiss. However, on inspecting the system, I found that this “uninstaller” had actually installed hidden background processes:

[Screenshots: InstallMac uninstaller 2 through 6]

As can be seen from these screenshots, GenieoExtra.framework was installed. This bundle contains the deceptively-named “Application” process, seen in Activity Monitor, which is kept running by a LaunchAgent that was also installed. A privileged helper tool was installed as well, and is kept loaded by a LaunchDaemon.
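As an added example that is not part of the original post, the script below performs the kind of check a cautious user would want after running one of these “uninstallers”: it looks through the launchd folders for property lists that reference Genieo or InstallMac and reports whether each job has KeepAlive set, which is how launchd keeps a process “actively running” after it is killed. The three launchd folders, the PrivilegedHelperTools folder and the Label/ProgramArguments/KeepAlive keys are standard macOS; the two sample plists, their labels and the executable path inside them are constructed for this demonstration and are not taken from the post or from the actual Genieo files.

```shell
#!/bin/bash
# Added example (not from the original post): read-only check for launchd
# persistence of the kind described above. Sample plists are constructed.

# Print the Label value of a launchd plist (standard launchd key).
plist_label() {
    tr -d '\n' < "$1" |
        sed -n 's#.*<key>Label</key>[[:space:]]*<string>\([^<]*\)</string>.*#\1#p'
}

# Succeed if launchd will relaunch the job whenever it exits: KeepAlive set to
# true, or a KeepAlive dictionary of conditions.
plist_keepalive() {
    tr -d '\n' < "$1" | grep -Eq '<key>KeepAlive</key>[[:space:]]*<(true/|dict)>'
}

# List plists in DIR mentioning Genieo or InstallMac anywhere (label, program
# path, arguments). One line per hit: path, label, keepalive=yes|no.
scan_launch_dir() {
    local dir=$1 f ka
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        grep -qiE 'genieo|installmac' "$f" || continue
        if plist_keepalive "$f"; then ka=yes; else ka=no; fi
        printf '%s\t%s\tkeepalive=%s\n' "$f" "$(plist_label "$f")" "$ka"
    done
}

# Number of suspicious plists in DIR.
count_genieo_plists() {
    scan_launch_dir "$1" | wc -l | tr -d ' '
}

# Constructed demo data: one agent that matches (label and executable path are
# assumptions made for the demo, not the real Genieo names), one unrelated
# backup job that must not match.
write_sample_plists() {
    local dir=$1
    cat > "$dir/demo.genieo.agent.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>demo.genieo.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Frameworks/GenieoExtra.framework/Versions/A/Application</string>
    </array>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    cat > "$dir/demo.backup.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>demo.backup</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/rsync</string>
    </array>
    <key>StartInterval</key>
    <integer>3600</integer>
</dict>
</plist>
EOF
}

# Demo run: scan the constructed plists, then this machine's real launchd
# folders (prints nothing for a folder with no matches or that does not exist).
demo_dir=$(mktemp -d)
write_sample_plists "$demo_dir"
echo "Constructed plists:"
scan_launch_dir "$demo_dir"
rm -rf "$demo_dir"
echo "This machine:"
for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
    scan_launch_dir "$d"
done
[ -d /Library/Frameworks/GenieoExtra.framework ] && echo "GenieoExtra.framework present"
[ -d /Library/PrivilegedHelperTools ] && ls /Library/PrivilegedHelperTools | grep -i genieo || true
```

Reading the plist with sed and grep rather than `plutil` or `defaults` keeps the check working on a binary-free, text-only copy of the files and on a non-Mac analysis host; on a live Mac, `launchctl list` will additionally show whether a matching label is currently loaded. The script only reports; nothing is unloaded or deleted.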

The Genieo uninstaller has been a problem for quite some time. Back in June of last year – almost 8 months ago – I wrote about the fact that it leaves these files behind, as part of a story on deceptive Genieo installation. Since that time, Genieo representatives have claimed to be working on the problem, but a fix has never materialized. Now, although it seems that only the InstallMac uninstaller actually installs these files, serious questions must be raised about whether this is a bug or intentional.

Of all the adware I have seen and described in my Adware Removal Guide, Genieo (including the InstallMac variant of Genieo) has become the most prevalent piece of Mac adware out there. I receive more e-mail these days about Genieo removal than about all other malware and adware issues combined! It’s abundantly clear that users do not want this on their computers, and it’s equally clear that Genieo has no desire to make it easy for them to get rid of it.


27 Comments

  • Jay says:

    Interesting find. Oh good old Softonic, they never let us down 😉 Do you have a hash for the uninstaller in question or is it still live on Softonic?

    • Thomas says:

      It’s the InstallMac uninstaller, hosted on their own website. (I’d rather not provide a link for Google to suck down and increase the ranking of their site… but it’s easy enough to find.)

  • Chris says:

    Oh yeah, “Softonic”; this domain has been on my blacklist since ages ago.

  • Charlotte L says:

    Just wanted to say, thanks SO much for doing the work that you have and for explaining in detail what to do to resolve the Genieo malware issues. I’m a middle-aged, less than computer savvy MacBook Pro user who “caught” the Genieo bug (?) this week when I used “frontrowsports [dot] eu” to stream an ESPNU basketball game that was blacked out here. I was so anxious to get past the outrageous number of pop-ups and flashing advertisements that blocked my husband and me from watching the game, I’m sure that I clicked on things that just opened the door wide for the invader (Genieo). (I was also still living under a veil of ignorance, believing that Macs were “safe” from things like this.) It was frightening to see the immediate impact, and to be SO clueless about how to reverse or remove it. I combed through different Apple forums and am glad that I didn’t “bite” on Genieo links that promised the means to uninstall. I’m grateful for having discovered “The Safe Mac”. Reading your earlier step-by-step guide, including all the info on locating files, etc., allowed me to do the clean-up myself. You saved me BIG time in repair costs. Thanks so much.

  • OneSovereignCitizen says:

    Thomas, RIGHT or WRONG, I filed a formal complaint with the Consumer Complaint Agency and asked them to look into it and refer it to DOJ, NSA, FBI, FCC, and ICANN or any other appropriate agency. I want a pound of flesh!

  • Orson says:

    The Genieo removal process (I’ve tried them all), while seeming to be successful, actually throttles “Chrome helper” – and thereby consumes CPU and disk space (and the fan runs ALL the time). I’m going to trash Chrome, re-install, and CAREFULLY re-install my fave extensions. It seems to be the only way to master this problem.

    • Thomas says:

      If you followed the removal instructions linked to in this article, that shouldn’t have any effect on Chrome consuming CPU and disk space. You have (had?) something else going on that’s causing that.

  • Orson says:

    Yeah. Maybe the fraudulent “uninstaller,” which I ran before discovering the ongoing apple support discussions that led me here.

    In addition to the hijacking of CPU use and disk space, it has also implanted a lot of annoying malware like a “utorrent” linked rectangular coupon in the upper right of my Chrome frame. And more annoyingly, a medium sized pop-up toggle box when I try to use the “back/forward” buttons on Chrome.

    This is all after, also, having done Linc Davis’ list of file trashing remedies, here
    https://discussions.apple.com/thread/5917499?

    After that, there is a longer, subtle list of Chrome changes and pop-ups. Especially a wait or kill interruption dialog box. I’ve been responding by simply closing more web pages. This seems to give me more usable online time, less fan usage, and more responsiveness of my system since yesterday

    The only daily change is that – somehow through the repeated hard restarts over the past day – the clogging of the Chrome browser has diminished.

    Over the past 24 hours, I also often see a thin rectangular function box in the Chrome browser page corner. It very briefly pops up “waiting for available socket” for some sub-system to find info (e.g., “to secure connection” or “extension” and “Waiting for o24x7.com” and “Waiting for id.adnx.com…” or “Establishing secure….” background functions). This seems to imply that the altered programs are failing to function to completely or efficiently take over my system like yesterday because of the advice here and elsewhere. My guess is that this is connected to my rMBP’s improved usability in the last 24 hours, e.g., more hours between restarts.* But I claim no authority.

    I’m still expecting to do a trash and full re-install shortly. But AFTER I do some switching off/on of extensions and safe-restarts or something. I’m prowling apple.support threads for additional ideas to pursue.

    THANKS for so adroitly monitoring and responding to your traffic, here, Thomas!
    PS Genieo has also infected my ancient 2006 MBP. Another project awaits!
    ____________________________
    *Doing a quick look at the “JavaScript console” yields this:
    “[blocked] The page at ‘[redacted]’ was loaded over HTTPS, but ran insecure content from ‘[redacted]’: this content should also be loaded over HTTPS.
    main.jsp?v=1.0&pid=31431&ai=utorrent4chrome:1

    event.returnValue is deprecated. Please use the standard event.preventDefault() instead.”

    [Edited to remove URLs from JavaScript Console output]

  • Orson says:

    SORRY – BAD EDIT – see ellipsis and CAPS added:
    “The only daily change is that – somehow through the repeated hard restarts over the past day – the clogging of the Chrome browser HAS DIMMINISHED

  • Orson says:

    I managed to snag this faux Chrome navigation box, a useful description of what I discussed above: Chrome round icon with “Confirm Navigation” in bold, then:

    “***************************************

    Are you sure you don’t want to take advantage of the “RVTL Anti-Aging” and Equinox Trial?

    Don’t forget – they will only be available for a LIMITED TIME. Since these trials are so cheap, there is no risk to you. You can also give them away if you’d like. Or give it a shot, like Olivia did, and get “RVTL Anti-Aging” for less than $10.

    If you are wondering why these trials are so cheap, the simple answer is because the manufacturers are confident that their products will help you, and that you will continue to use their products, and refer friends and family.

    ***************************************

    Are you sure you want to leave this page?”
    THEN two buttons: “Stay on this Page” and “Leave this Page”

  • Orson says:

    CORRECTION “Leave this Page”

  • Victoria says:

    I think the ‘Thomas’ guy is working for or with Genieo. It’s the same guy that’s on all the Apple forums about this Genieo thing; he always responds by telling others to continue to download the ‘uninstallation’ and insists there is nothing wrong with their program or that it was downloaded due to another reason. I unknowingly downloaded it when I was looking to install a completely different program; I should’ve noticed the red flags. I tried to delete all of it, including the ‘uninstallation’ that I fell for, by trashing it all and emptying it, and then changing the homepage to default. I’m still worried that the Genieo bug is still in my MacBook Air. Could anyone inform me whether this has done any damage? Or how I could check if it is still in my computer’s system?

    • Thomas says:

      Which “Thomas” guy is this? The only guy going by that name on Apple’s forum is me, but I definitely wouldn’t recommend the uninstaller. What is the username of this “Thomas” guy? As for removal, see the Adware Removal Guide.

  • Ava says:

    Hi. I have never written anything on these forums but am completely stuck. I’ve read all details in the ad removal guide but my problem is my computer has slowed down so much so that I can’t actually follow any of the steps. I sit here with my iPad and try to follow the steps but it takes forever to open anything, if it will open at all! I downloaded genieo a few weeks ago and I’m assuming that is why my computer is stuffed after reading your posts. Is there anything I can do or will I need to fork out money and get a professional. I don’t have much of a clue when it comes to computers!
    Ava

  • Naomi says:

    I also had this InstallMac end up on my Mac. I am relatively new to Mac, having only been using it less than 6 months, and still learning. I also downloaded the uninstaller, but the InstallMac search page always opens, whether in Safari or Chrome. How can we delete this once and for all? I’m so annoyed with this InstallMac.

  • Marie says:

    Your information sounds very familiar; I recognize the name “Genieo” – probably from when I thought I was uninstalling a recently downloaded app [I mistakenly thought that Outlook was a free app and attempted to download it]. Then I tried to uninstall, then noticed my browser redirected, so followed instructions to fix, but my computer has been stalling terribly ever since – e.g. when downloading attachments using my newly installed Microsoft Outlook (Office 2011).
    I just now found that I have an app: “Uninstall IM Completer”, installed probably the day my troubles began. Is this the same/similar malware?
    http://macdownload.informer.com/uninstall-im-completer/
    if so, how to get rid of it.
    thanks!

  • Oliver Hartwig says:

    Hi, Thomas,

    it took me several hours today to get my Mac (OS 10.9.2) rid of an auto-launched process called “installer”. Your uninstall instructions didn’t match my problem, but they convinced me that I have a malware problem. The point is, I couldn’t find either the source or any application file in my Library. Nor an uninstaller. Only the process analyzer told me that there is an infall process called com.genioinnovation/Installer/Completer.app

    I downloaded the Uninstaller from the Genieo site (http://www.genieo.com/faq/#uninstall), and now it seems launchd abandoned the process. But thank you for your work!

  • bas says:

    Tried to download software to capture movies from YouTube today. How dumb… My always clean Mac was suddenly running TUNEUPMYMAC and from there on it went worse. Genieo (?) was my standard browser and starting page. Have now reset browser homepage and standard search. Most interesting part came via email: blockchain (where I keep my bitcoins) asking me whether I would give permission for an unknown browser to enter my wallet. Requested by… genieo.com. Dangerous stuff and would be very happy to get rid of it!

This post is more than 90 days old and has been locked. No further comments are allowed.